CISSP-ISSEP · Question #8
You work as a security engineer for BlueWell Inc. Which of the following documents will you use as a guide for the security certification and accreditation of Federal Information Systems?
The correct answer is B. NIST Special Publication 800-37. NIST SP 800-37 is the correct guide because it specifically defines the Risk Management Framework (RMF) - the formal process for security certification and accreditation (now called "authorization") of Federal Information Systems, covering categorization, control selection, imple
Question
You work as a security engineer for BlueWell Inc. Which of the following documents will you use as a guide for the security certification and accreditation of Federal Information Systems?
Options
- ANIST Special Publication 800-59
- BNIST Special Publication 800-37
- CNIST Special Publication 800-60
- DNIST Special Publication 800-53
How the community answered
(32 responses)- A3% (1)
- B88% (28)
- C3% (1)
- D6% (2)
Explanation
NIST SP 800-37 is the correct guide because it specifically defines the Risk Management Framework (RMF) - the formal process for security certification and accreditation (now called "authorization") of Federal Information Systems, covering categorization, control selection, implementation, assessment, authorization, and monitoring.
- A (800-59) is wrong - it defines criteria for determining whether a system qualifies as a "national security system," not how to certify/accredit it.
- C (800-60) is wrong - it maps information and systems to security categories (FIPS 199 impact levels), a prerequisite step but not the C&A guide itself.
- D (800-53) is wrong - it provides the catalog of security and privacy controls to select and implement, not the certification/accreditation process framework.
Memory tip: Think "37 = authorize to operate" - the number 37 is close to "3-7 steps" in the RMF process (Categorize, Select, Implement, Assess, Authorize, Monitor), which is exactly what 800-37 defines.
Topics
Community Discussion
No community discussion yet for this question.