You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A
methodology, which is based on four well defined phases. In which of the following phases of
NIST SP 800-37 C&A methodology does the security categorization occur?
A.
Security Accreditation
B.
Security Certification
C.
Continuous Monitoring
D.
Initiation
Explanation:
The various phases of NIST SP 800-37 C&A are as follows: Phase 1: Initiation- This
phase includes preparation, notification and resource identification. It performs the security plan
analysis, update, and acceptance. Phase 2: Security Certification- The Security certification phase
evaluates the controls and documentation. Phase 3: Security Accreditation- The security
accreditation phase examines the residual risk for acceptability, and prepares the final security
accreditation package. Phase 4: Continuous Monitoring-This phase monitors the configuration
management and control, ongoing security control verification, and status reporting and
documentation.