nerdexam
(ISC)2

CISSP · Question #1420

Which of the following addresses requirements of security assessments during software acquisition?

The correct answer is D. Software assurance policy. Security assessments during software acquisition are governed by software assurance policies, which define requirements for evaluating the security and trustworthiness of third-party or acquired software.

Submitted by obi.ng· Mar 5, 2026Software Development Security

Question

Which of the following addresses requirements of security assessments during software acquisition?

Options

  • ASoftware configuration management (SCM)
  • BData loss prevention (DLP) policy
  • CContinuous monitoring
  • DSoftware assurance policy

How the community answered

(70 responses)
  • A
    3% (2)
  • B
    3% (2)
  • C
    6% (4)
  • D
    89% (62)

Why each option

Security assessments during software acquisition are governed by software assurance policies, which define requirements for evaluating the security and trustworthiness of third-party or acquired software.

ASoftware configuration management (SCM)

Software configuration management (SCM) focuses on controlling and tracking changes to software after it has been acquired or developed, not on evaluating security risks during the acquisition process itself.

BData loss prevention (DLP) policy

A data loss prevention (DLP) policy is designed to prevent unauthorized exfiltration or exposure of sensitive data and does not address the security vetting of software being acquired from vendors.

CContinuous monitoring

Continuous monitoring is an operational security practice used to maintain ongoing visibility into a deployed system's security posture, and does not govern the security assessment requirements prior to or during software acquisition.

DSoftware assurance policyCorrect

A software assurance policy establishes the security requirements, vetting procedures, and risk assessment criteria that must be applied when acquiring software from external vendors or sources. It directly addresses the need to evaluate software for vulnerabilities, supply chain risks, and compliance with security standards before procurement. This aligns with frameworks like NIST SP 800-161 and CMMC, which mandate software assurance as part of acquisition security.

Concept tested: Software assurance policy requirements during software acquisition

Source: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final

Topics

#software assurance#software acquisition#security policy

Community Discussion

No community discussion yet for this question.

Full CISSP Practice