CISSP-ISSEP · Question #146
Della works as a security engineer for BlueWell Inc. She wants to establish configuration management and control procedures that will document proposed or actual changes to the information system. Whi
The correct answer is D. Continuous Monitoring. Continuous Monitoring (D) is correct because this phase of NIST SP 800-37 explicitly covers ongoing configuration management and control - tracking proposed and actual changes to the information system, analyzing the security impact of those changes, and maintaining an up-to-date
Question
Della works as a security engineer for BlueWell Inc. She wants to establish configuration management and control procedures that will document proposed or actual changes to the information system. Which of the following phases of NIST SP 800-37 C&A methodology will define the above task?
Options
- ASecurity Certification
- BSecurity Accreditation
- CInitiation
- DContinuous Monitoring
How the community answered
(26 responses)- A4% (1)
- C4% (1)
- D92% (24)
Explanation
Continuous Monitoring (D) is correct because this phase of NIST SP 800-37 explicitly covers ongoing configuration management and control - tracking proposed and actual changes to the information system, analyzing the security impact of those changes, and maintaining an up-to-date security posture after accreditation is granted.
Why the distractors are wrong:
- A. Security Certification focuses on formally assessing and testing implemented security controls to determine their effectiveness - it's about evaluating controls, not tracking system changes.
- B. Security Accreditation is the official management decision (by the Designated Approving Authority) to authorize the system to operate at an acceptable level of risk - a one-time authorization decision, not an ongoing change-tracking process.
- C. Initiation prepares for the C&A process by defining the system boundary, identifying resources, and developing the security plan - it's the planning phase before any formal assessment occurs.
Memory tip: Think "CM² rule" - Configuration Management lives in Continuous Monitoring. Both involve tracking what's happening to the system over time, after the system is already authorized. If the task is about watching for changes, it's Continuous Monitoring.
Topics
Community Discussion
No community discussion yet for this question.