nerdexam
(ISC)2

CISSP-ISSEP · Question #8

You work as a security engineer for BlueWell Inc. Which of the following documents will you use as a guide for the security certification and accreditation of Federal Information Systems?

The correct answer is B. NIST Special Publication 800-37. NIST SP 800-37 is the correct guide because it specifically defines the Risk Management Framework (RMF) - the formal process for security certification and accreditation (now called "authorization") of Federal Information Systems, covering categorization, control selection, imple

Risk Management

Question

You work as a security engineer for BlueWell Inc. Which of the following documents will you use as a guide for the security certification and accreditation of Federal Information Systems?

Options

  • ANIST Special Publication 800-59
  • BNIST Special Publication 800-37
  • CNIST Special Publication 800-60
  • DNIST Special Publication 800-53

How the community answered

(32 responses)
  • A
    3% (1)
  • B
    88% (28)
  • C
    3% (1)
  • D
    6% (2)

Explanation

NIST SP 800-37 is the correct guide because it specifically defines the Risk Management Framework (RMF) - the formal process for security certification and accreditation (now called "authorization") of Federal Information Systems, covering categorization, control selection, implementation, assessment, authorization, and monitoring.

  • A (800-59) is wrong - it defines criteria for determining whether a system qualifies as a "national security system," not how to certify/accredit it.
  • C (800-60) is wrong - it maps information and systems to security categories (FIPS 199 impact levels), a prerequisite step but not the C&A guide itself.
  • D (800-53) is wrong - it provides the catalog of security and privacy controls to select and implement, not the certification/accreditation process framework.

Memory tip: Think "37 = authorize to operate" - the number 37 is close to "3-7 steps" in the RMF process (Categorize, Select, Implement, Assess, Authorize, Monitor), which is exactly what 800-37 defines.

Topics

#NIST Publications#Risk Management Framework (RMF)#Certification & Accreditation (C&A)#Federal Information Security

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice