CISSP-ISSEP · Question #201
The Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. What are the process activities of this phase? Each correct answer represe
The correct answer is A. Security operations C. Change management D. Compliance validation E. System operations F. Maintenance of the SSAA. DITSCAP Phase 4 (Post Accreditation) is the operational and sustainment phase - once a system is accredited, it must be continuously managed to preserve that accreditation. The five correct activities (A, C, D, E, F) represent this ongoing lifecycle: Security operations ensures s
Question
The Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. What are the process activities of this phase? Each correct answer represents a complete solution. Choose all that apply.
Options
- ASecurity operations
- BContinue to review and refine the SSAA
- CChange management
- DCompliance validation
- ESystem operations
- FMaintenance of the SSAA
How the community answered
(24 responses)- A71% (17)
- B29% (7)
Explanation
DITSCAP Phase 4 (Post Accreditation) is the operational and sustainment phase - once a system is accredited, it must be continuously managed to preserve that accreditation. The five correct activities (A, C, D, E, F) represent this ongoing lifecycle: Security operations ensures security controls remain active, System operations keeps the system running within its approved parameters, Change management governs modifications so they don't invalidate accreditation, Compliance validation periodically confirms the system still meets its security requirements, and Maintenance of the SSAA updates the System Security Authorization Agreement to reflect the current state of the system.
Option B ("Continue to review and refine the SSAA") is incorrect because "reviewing and refining" the SSAA is characteristic of the earlier phases - particularly Phase 2 (Verification), where the SSAA is actively developed and shaped. In Phase 4, the SSAA is not being refined; it is being maintained to track changes to an already-approved system. The distinction is subtle but deliberate: refinement implies ongoing design iteration, while maintenance implies upkeep of an approved baseline.
Memory tip: Think of Phase 4 as "keeping the lights on and the paperwork current." Use the acronym SCCME - Security ops, Change management, Compliance validation, Maintenance of SSAA, E (system Employment/operations). If an answer involves developing or refining the SSAA, it belongs to an earlier phase, not Post Accreditation.
Topics
Community Discussion
No community discussion yet for this question.