CISSP-ISSEP · Question #109
Which of the following phases of NIST SP 800-37 C&A methodology examines the residual risk for acceptability, and prepares the final security accreditation package?
The correct answer is D. Security Accreditation. Security Accreditation (D) is correct because this phase is where the Authorizing Official (AO) reviews the complete security package, evaluates residual risk to determine if it is at an acceptable level, and then issues the final accreditation decision - typically an Authorizati
Question
Which of the following phases of NIST SP 800-37 C&A methodology examines the residual risk for acceptability, and prepares the final security accreditation package?
Options
- AInitiation
- BSecurity Certification
- CContinuous Monitoring
- DSecurity Accreditation
How the community answered
(24 responses)- A4% (1)
- B4% (1)
- D92% (22)
Explanation
Security Accreditation (D) is correct because this phase is where the Authorizing Official (AO) reviews the complete security package, evaluates residual risk to determine if it is at an acceptable level, and then issues the final accreditation decision - typically an Authorization to Operate (ATO), Interim ATO, or Denial of ATO.
Why the distractors are wrong:
- A. Initiation - This phase focuses on preparation: documenting the system, reviewing existing security controls, and planning the C&A effort. No risk acceptability decision is made here.
- B. Security Certification - This phase assesses whether security controls are correctly implemented and effective, but it does not make the final authorization decision; it feeds findings into the accreditation package.
- C. Continuous Monitoring - This occurs after accreditation is granted and involves ongoing tracking of the security posture over the system's lifecycle.
Memory tip: Link the word "Accreditation" to "Authorization" - both start with "A" and both represent the official final approval. The AO signs off on residual risk in the Accreditation phase, making it the gateway between assessment and operation.
Topics
Community Discussion
No community discussion yet for this question.