CISSP-ISSEP · Question #110
Which of the following are the phases of the Certification and Accreditation (C&A) process? Each correct answer represents a complete solution. Choose two.
The correct answer is B. Initiation C. Continuous Monitoring. Certification and Accreditation (C&A), as defined by NIST SP 800-37, consists of four phases: Initiation, Security Certification, Security Accreditation, and Continuous Monitoring - making B and C correct. Initiation kicks off the process by establishing the scope, gathering syst
Question
Which of the following are the phases of the Certification and Accreditation (C&A) process? Each correct answer represents a complete solution. Choose two.
Options
- AAuditing
- BInitiation
- CContinuous Monitoring
- DDetection
How the community answered
(25 responses)- A4% (1)
- B92% (23)
- D4% (1)
Explanation
Certification and Accreditation (C&A), as defined by NIST SP 800-37, consists of four phases: Initiation, Security Certification, Security Accreditation, and Continuous Monitoring - making B and C correct. Initiation kicks off the process by establishing the scope, gathering system documentation, and assigning roles, while Continuous Monitoring ensures ongoing security posture is maintained after accreditation is granted.
Auditing (A) is a general security activity and audit technique, but it is not a named phase within the C&A framework. Detection (D) belongs to incident response and monitoring methodologies (like the NIST Cybersecurity Framework), not the C&A phase structure.
Memory tip: Think of C&A as a lifecycle - it starts (Initiation) and never fully stops (Continuous Monitoring). The two bookend phases are the ones most likely to appear on exams precisely because they define the boundaries of the process.
Topics
Community Discussion
No community discussion yet for this question.