nerdexam
(ISC)2

CISSP · Question #11

The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?

The correct answer is A. System acquisition and development. Configuration management and control, as part of the certification and accreditation (C&A) process, is established during the System Acquisition and Development phase of the SDLC to ensure security controls are built into the system from the start.

Submitted by fatema_kw· Mar 5, 2026Security Operations

Question

The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?

Options

  • ASystem acquisition and development
  • BSystem operations and maintenance
  • CSystem initiation
  • DSystem implementation

How the community answered

(30 responses)
  • A
    73% (22)
  • B
    3% (1)
  • C
    17% (5)
  • D
    7% (2)

Why each option

Configuration management and control, as part of the certification and accreditation (C&A) process, is established during the System Acquisition and Development phase of the SDLC to ensure security controls are built into the system from the start.

ASystem acquisition and developmentCorrect

During the System Acquisition and Development phase, security requirements including configuration management and control are formally defined, planned, and implemented as part of the certification and accreditation process. This phase is where baseline configurations are established and security controls are integrated into the design and development of the system, making it the appropriate phase to incorporate C&A configuration management tasks per NIST guidance.

BSystem operations and maintenance

System Operations and Maintenance involves ongoing monitoring and change management after deployment, not the initial establishment of configuration management and control baselines required by C&A.

CSystem initiation

System Initiation is the earliest phase focused on defining the system's purpose, scope, and high-level security categorization, not the detailed configuration management and control activities tied to C&A.

DSystem implementation

System Implementation focuses on installing and activating the system in the operational environment, which occurs after configuration management and control have already been established in the development phase.

Concept tested: C&A configuration management within SDLC phases

Source: https://csrc.nist.gov/publications/detail/sp/800-64/rev-2/final

Topics

#configuration management#C&A#SDLC#system maintenance

Community Discussion

No community discussion yet for this question.

Full CISSP Practice