Della works as a security engineer for BlueWell Inc. She wants to establish configuration
management and control procedures that will document proposed or actual changes to the
information system. Which of the following phases of NIST SP 800-37 C&A methodology will
define the above task?
A. Initiation
B. Security Certification
C. Continuous Monitoring
D. Security Accreditation
Explanation:
The phases of the NIST SP 800-37 C&A methodology are as follows:
Phase 1: Initiation: This phase includes preparation, notification and resource identification. It performs the security plan analysis, update, and acceptance.
Phase 2: Security Certification: The security certification phase evaluates the security controls and their documentation.
Phase 3: Security Accreditation: The security accreditation phase examines the residual risk for acceptability and prepares the final security accreditation package.
Phase 4: Continuous Monitoring: This phase covers configuration management and control (documenting proposed or actual changes to the information system), ongoing security control verification, and status reporting and documentation.