CISSP-ISSEP · Question #139
Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Which of the f
The correct answer is A. CA Certification, Accreditation, and Security Assessments C. IR Incident Response D. SA System and Services Acquisition. Options A, C, and D are all security control families defined in NIST SP 800-53, the primary U.S. Federal Government standard mandated by FISMA - CA (Security Assessment and Authorization), IR (Incident Response), and SA (System and Services Acquisition) are each recognized contr
Question
Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Which of the following are the U.S. Federal Government information security standards? Each correct answer represents a complete solution. Choose all that apply.
Options
- ACA Certification, Accreditation, and Security Assessments
- BInformation systems acquisition, development, and maintenance
- CIR Incident Response
- DSA System and Services Acquisition
How the community answered
(25 responses)- A88% (22)
- B12% (3)
Explanation
Options A, C, and D are all security control families defined in NIST SP 800-53, the primary U.S. Federal Government standard mandated by FISMA - CA (Security Assessment and Authorization), IR (Incident Response), and SA (System and Services Acquisition) are each recognized control families within that framework. Option B ("Information systems acquisition, development, and maintenance") is the distractor because it describes a control domain from ISO/IEC 27001/27002, an international standard, not a U.S. federal one - the phrasing is a giveaway since NIST SP 800-53 uses "System and Services Acquisition" (SA), not this longer ISO-style wording.
Memory tip: If an answer choice sounds like ISO 27001 language (longer, descriptive phrases like "acquisition, development, and maintenance"), it's likely not a U.S. federal standard. NIST SP 800-53 families use short, two-letter codes (CA, IR, SA, AC, etc.) - remember "NIST = short codes, ISO = long phrases" to quickly spot the distractor.
Topics
Community Discussion
No community discussion yet for this question.