(ISC)2


CSSLP Question #140: Real Exam Question with Answer & Explanation

The correct answer is D: Initiation. In the original NIST SP 800-37 C&A methodology (the 2004 edition, with its four phases), the security categorization of an information system is a task of the Initiation phase.

Secure Software Lifecycle Management

Question

You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A methodology, which is based on four well-defined phases. In which of the following phases of the NIST SP 800-37 C&A methodology does the security categorization occur?

Options

  • A. Security Accreditation
  • B. Security Certification
  • C. Continuous Monitoring
  • D. Initiation

Explanation

In the NIST SP 800-37 C&A methodology, the four phases run in order: Initiation, Security Certification, Security Accreditation, and Continuous Monitoring. Security categorization (the FIPS 199 impact rating of the system for confidentiality, integrity, and availability) is performed in the preparation task of the Initiation phase, because it drives the selection of the baseline security controls that the later Certification and Accreditation phases assess and authorize. Note that this four-phase model belongs to the 2004 edition cited below; the later revisions of SP 800-37 replaced it with the Risk Management Framework (RMF), where categorization is its own step (Categorize) rather than part of an Initiation phase.

Common mistakes.

  • A. Security Accreditation is the formal authorization decision by the designated approving authority to operate the system and accept the residual risk; it occurs after certification, not at the start of the process.
  • B. Security Certification is the comprehensive assessment of the management, operational, and technical security controls; it is the second phase and takes the categorization produced during Initiation as its input, so categorization cannot occur here.
  • C. Continuous Monitoring is the ongoing phase that begins after the system has been accredited; it tracks changes to the system and verifies that the controls remain effective, but it is not where the initial categorization occurs.

Concept tested. NIST SP 800-37 C&A phases - Security Categorization

Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-37.pdf

Topics

#NIST SP 800-37#Risk Management Framework#Security Categorization#C&A Phases

