Della works as a security engineer for BlueWell Inc.
She wants to establish configuration management and control procedures that will document proposed or actual changes to the information system.
Which of the following phases of the NIST SP 800-37 C&A methodology covers this task?
Answer: C
The four phases of the NIST SP 800-37 C&A process are:
Phase 1: Initiation. This phase includes preparation, notification and resource identification, and the analysis, update, and acceptance of the system security plan.
Phase 2: Security Certification. This phase assesses the security controls and the supporting documentation.
Phase 3: Security Accreditation. This phase examines the residual risk for acceptability and prepares the final security accreditation package for the authorizing official.
Phase 4: Continuous Monitoring. This phase covers configuration management and control, ongoing security control verification, and status reporting and documentation.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, in its original 2004 edition (Guide for the Security Certification and Accreditation of Federal Information Systems), defines the four-phase Certification and Accreditation (C&A) process above. Revision 1 (2010) replaced C&A with the six-step Risk Management Framework (RMF); the same activity, documenting and assessing changes to an authorized system, lives in the RMF Monitor step.
Establishing configuration management and control procedures that document proposed or actual changes to the information system is a Continuous Monitoring activity (Phase 4). By this point the system has already been certified and accredited; the purpose of the phase is to keep the accreditation decision valid as the system and its environment change. There is no separate "security control implementation" phase in the four-phase C&A methodology; control implementation is described in the system security plan during Initiation and assessed during Security Certification.
The Continuous Monitoring phase involves three main tasks:
Configuration Management and Control: Document proposed and actual changes to the information system and its operating environment, and perform a security impact analysis on each change to determine whether it affects the security controls or the accreditation decision.
Security Control Monitoring: Select a subset of the security controls for ongoing verification and assess them to confirm they remain effective after changes are made.
Status Reporting and Documentation: Update the system security plan and the plan of action and milestones, and report the security status of the system to the authorizing official.
Therefore, the phase of the NIST SP 800-37 C&A methodology that covers establishing configuration management and control procedures to document proposed or actual changes to the information system is Phase 4, Continuous Monitoring.