CSSLP Question #81: Real Exam Question with Answer & Explanation
The correct answer is C: Continuous Monitoring.
Question
Della works as a security engineer for BlueWell Inc. She wants to establish configuration management and control procedures that will document proposed or actual changes to the information system. Which of the following phases of NIST SP 800-37 C&A methodology will define the above task?
Options
- A. Initiation
- B. Security Certification
- C. Continuous Monitoring
- D. Security Accreditation
Explanation
Establishing configuration management and control procedures to document changes to an information system is a key activity within the Continuous Monitoring phase of the NIST SP 800-37 Risk Management Framework (RMF).
Common mistakes
- A. The Initiation phase involves defining and categorizing the information system and selecting applicable security controls, not establishing ongoing change management procedures.
- B. Security Certification involves assessing and evaluating the security controls of an information system to determine if they are implemented correctly and effectively.
- D. Security Accreditation is the formal declaration by a designated approving authority that an information system is authorized to operate, based on the security assessment and risk determination, rather than defining ongoing change control processes.
Concept tested: NIST RMF Continuous Monitoring phase
Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf