CISSP · Question #1420
Which of the following addresses requirements of security assessments during software acquisition?
The correct answer is D. Software assurance policy. Security assessments during software acquisition are governed by software assurance policies, which define requirements for evaluating the security and trustworthiness of third-party or acquired software.
Question
Options
- ASoftware configuration management (SCM)
- BData loss prevention (DLP) policy
- CContinuous monitoring
- DSoftware assurance policy
How the community answered
(70 responses)- A3% (2)
- B3% (2)
- C6% (4)
- D89% (62)
Why each option
Security assessments during software acquisition are governed by software assurance policies, which define requirements for evaluating the security and trustworthiness of third-party or acquired software.
Software configuration management (SCM) focuses on controlling and tracking changes to software after it has been acquired or developed, not on evaluating security risks during the acquisition process itself.
A data loss prevention (DLP) policy is designed to prevent unauthorized exfiltration or exposure of sensitive data and does not address the security vetting of software being acquired from vendors.
Continuous monitoring is an operational security practice used to maintain ongoing visibility into a deployed system's security posture, and does not govern the security assessment requirements prior to or during software acquisition.
A software assurance policy establishes the security requirements, vetting procedures, and risk assessment criteria that must be applied when acquiring software from external vendors or sources. It directly addresses the need to evaluate software for vulnerabilities, supply chain risks, and compliance with security standards before procurement. This aligns with frameworks like NIST SP 800-161 and CMMC, which mandate software assurance as part of acquisition security.
Concept tested: Software assurance policy requirements during software acquisition
Source: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.