nerdexam
(ISC)2

CISSP · Question #814

Changes to a Trusted Computing Base (TCB) system that could impact the security posture of that system and trigger a recertification activity are documented in the

The correct answer is A. security impact analysis.. Changes to a Trusted Computing Base (TCB) that may affect its security posture must be formally documented through a security impact analysis, which evaluates whether the change necessitates recertification or reaccreditation.

Submitted by layla.eg· Mar 5, 2026Security Architecture and Engineering

Question

Changes to a Trusted Computing Base (TCB) system that could impact the security posture of that system and trigger a recertification activity are documented in the

Options

  • Asecurity impact analysis.
  • Bstructured code review.
  • Croutine self assessment.
  • Dcost benefit analysis.

How the community answered

(27 responses)
  • A
    93% (25)
  • C
    4% (1)
  • D
    4% (1)

Why each option

Changes to a Trusted Computing Base (TCB) that may affect its security posture must be formally documented through a security impact analysis, which evaluates whether the change necessitates recertification or reaccreditation.

Asecurity impact analysis.Correct

A security impact analysis (SIA) is the formal process used to evaluate how proposed or implemented changes to a system - especially a high-assurance system like a TCB - affect its security controls and overall security posture. NIST SP 800-37 and SP 800-128 specifically require organizations to conduct an SIA before implementing configuration changes to determine whether those changes trigger a need for recertification or reauthorization of the system.

Bstructured code review.

A structured code review is a software quality and security assurance technique focused on examining source code for vulnerabilities or defects, not a mechanism for documenting system-level changes that impact security posture or trigger recertification.

Croutine self assessment.

A routine self-assessment is a periodic evaluation of security controls against a baseline, not a targeted documentation activity specifically triggered by changes to a TCB that could alter its security posture.

Dcost benefit analysis.

A cost-benefit analysis is a financial and operational decision-making tool used to weigh the costs versus benefits of a security control or project, and has no formal role in documenting security-impacting changes to a TCB for recertification purposes.

Concept tested: Security impact analysis for TCB change management

Source: https://csrc.nist.gov/publications/detail/sp/800-128/final

Topics

#Trusted Computing Base#TCB#security impact analysis

Community Discussion

No community discussion yet for this question.

Full CISSP Practice