CISSP-ISSEP · Question #29
You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A methodology, which is based on four well defined phases. In which of the following phases of NIST SP 800-3
The correct answer is B. Initiation. Option B (Initiation) is correct because the Initiation phase is the first of the four C&A phases and is where security categorization takes place - the organization uses FIPS 199 to classify the information system based on the potential impact (low, moderate, high) of a breach t
Question
You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A methodology, which is based on four well defined phases. In which of the following phases of NIST SP 800-37 C&A methodology does the security categorization occur?
Options
- AContinuous Monitoring
- BInitiation
- CSecurity Certification
- DSecurity Accreditation
How the community answered
(42 responses)- A2% (1)
- B90% (38)
- C5% (2)
- D2% (1)
Explanation
Option B (Initiation) is correct because the Initiation phase is the first of the four C&A phases and is where security categorization takes place - the organization uses FIPS 199 to classify the information system based on the potential impact (low, moderate, high) of a breach to confidentiality, integrity, or availability.
Why the distractors are wrong:
- A (Continuous Monitoring) is the final phase, focused on ongoing oversight of security controls after accreditation - categorization has long since been completed.
- C (Security Certification) is the third phase, where security controls are assessed and tested for effectiveness - not where the system is initially categorized.
- D (Security Accreditation) is the fourth phase, where the Authorizing Official makes the formal risk-acceptance decision to authorize system operation - again, well after categorization.
Memory tip: Think of the phases in order as I-C-A-C (Initiation → Certification → Accreditation → Continuous Monitoring), and remember that categorization comes first because you must know what you're protecting before you can certify or accredit anything - just like labeling a box before deciding how to secure it.
Topics
Community Discussion
No community discussion yet for this question.