CISSP-ISSEP · Question #79
Which of the following DITSCAP C&A phases takes place between the signing of the initial version of the SSAA and the formal accreditation of the system?
The correct answer is B. Phase 2. Phase 2 (Verification) is correct because it spans the period after the initial SSAA (System Security Authorization Agreement) is signed at the end of Phase 1 and before the system receives its formal accreditation - making it the bridge between definition and validation. During
Question
Which of the following DITSCAP C&A phases takes place between the signing of the initial version of the SSAA and the formal accreditation of the system?
Options
- APhase 3
- BPhase 2
- CPhase 4
- DPhase 1
How the community answered
(33 responses)- A3% (1)
- B94% (31)
- D3% (1)
Explanation
Phase 2 (Verification) is correct because it spans the period after the initial SSAA (System Security Authorization Agreement) is signed at the end of Phase 1 and before the system receives its formal accreditation - making it the bridge between definition and validation. During Phase 2, the evolving system design is verified against the SSAA requirements to ensure the security posture is being built correctly.
Phase 1 (Definition) is wrong because it produces the initial SSAA - it precedes the signing, not the period after it. Phase 3 (Validation) is wrong because it is the phase where the fully integrated system is formally tested and evaluated, culminating in the accreditation decision itself - it is not between those two events but rather concludes with one of them. Phase 4 (Post Accreditation) is wrong because it begins after formal accreditation and covers ongoing maintenance and monitoring.
Memory tip: Think of the four phases as "Define → Verify → Validate → Maintain." Phase 2 (Verify) is sandwiched in the middle - after you've defined and agreed on security requirements (SSAA) but before you formally prove and approve the system (accreditation).
Topics
Community Discussion
No community discussion yet for this question.