nerdexam
(ISC)2

CISSP-ISSEP · Question #29

You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A methodology, which is based on four well defined phases. In which of the following phases of NIST SP 800-3

The correct answer is B. Initiation. Option B (Initiation) is correct because the Initiation phase is the first of the four C&A phases and is where security categorization takes place - the organization uses FIPS 199 to classify the information system based on the potential impact (low, moderate, high) of a breach t

Risk Management

Question

You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A methodology, which is based on four well defined phases. In which of the following phases of NIST SP 800-37 C&A methodology does the security categorization occur?

Options

  • AContinuous Monitoring
  • BInitiation
  • CSecurity Certification
  • DSecurity Accreditation

How the community answered

(42 responses)
  • A
    2% (1)
  • B
    90% (38)
  • C
    5% (2)
  • D
    2% (1)

Explanation

Option B (Initiation) is correct because the Initiation phase is the first of the four C&A phases and is where security categorization takes place - the organization uses FIPS 199 to classify the information system based on the potential impact (low, moderate, high) of a breach to confidentiality, integrity, or availability.

Why the distractors are wrong:

  • A (Continuous Monitoring) is the final phase, focused on ongoing oversight of security controls after accreditation - categorization has long since been completed.
  • C (Security Certification) is the third phase, where security controls are assessed and tested for effectiveness - not where the system is initially categorized.
  • D (Security Accreditation) is the fourth phase, where the Authorizing Official makes the formal risk-acceptance decision to authorize system operation - again, well after categorization.

Memory tip: Think of the phases in order as I-C-A-C (Initiation → Certification → Accreditation → Continuous Monitoring), and remember that categorization comes first because you must know what you're protecting before you can certify or accredit anything - just like labeling a box before deciding how to secure it.

Topics

#NIST SP 800-37#Risk Management Framework (RMF)#Security Categorization#Certification & Accreditation (C&A)

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice