nerdexam
(ISC)2

CISSP · Question #271

Which of the following is a strategy of grouping requirements in developing a Security Test and Evaluation (ST&E)?

The correct answer is B. Management, operational, and technical. Security Test and Evaluation (ST&E) organizes security requirements into three control families: management, operational, and technical, aligned with NIST SP 800-53 control classifications.

Submitted by yousef_jo· Mar 5, 2026Security Assessment and Testing

Question

Which of the following is a strategy of grouping requirements in developing a Security Test and Evaluation (ST&E)?

Options

  • ATactical, strategic, and financial
  • BManagement, operational, and technical
  • CDocumentation, observation, and manual
  • DStandards, policies, and procedures

How the community answered

(50 responses)
  • A
    4% (2)
  • B
    86% (43)
  • C
    8% (4)
  • D
    2% (1)

Why each option

Security Test and Evaluation (ST&E) organizes security requirements into three control families: management, operational, and technical, aligned with NIST SP 800-53 control classifications.

ATactical, strategic, and financial

Tactical, strategic, and financial are business planning or budgeting categories, not a recognized grouping framework used in ST&E or NIST security control families.

BManagement, operational, and technicalCorrect

NIST SP 800-53 and ST&E methodologies categorize security controls into management (administrative governance and oversight), operational (day-to-day procedures and human factors), and technical (hardware/software mechanisms) groupings. This tripartite structure provides a comprehensive framework for evaluating all dimensions of an information system's security posture. ST&E test plans are designed around these three families to ensure complete coverage of security requirements.

CDocumentation, observation, and manual

Documentation, observation, and manual describe assessment methods or techniques used during testing (i.e., how tests are conducted), not a strategy for grouping security requirements.

DStandards, policies, and procedures

Standards, policies, and procedures represent a hierarchy of governance documents, not a recognized ST&E requirement grouping strategy as defined by NIST or related frameworks.

Concept tested: ST&E security requirements grouping strategy NIST controls

Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Topics

#Security testing#ST&E#Security control categories

Community Discussion

No community discussion yet for this question.

Full CISSP Practice