You work as a security engineer for BlueWell Inc.
Which of the following documents will you use as a guide for the security certification and accreditation of Federal Information Systems?
Answer: C.
NIST has developed a suite of documents for conducting Certification & Accreditation (C&A). These documents are as follows:
NIST Special Publication 800-37: This document is a guide for the security certification and accreditation of Federal Information Systems.
NIST Special Publication 800-53: This document provides a guideline for security controls for Federal Information Systems.
NIST Special Publication 800-53A: This document consists of techniques and procedures for verifying the effectiveness of security controls in Federal Information Systems.
NIST Special Publication 800-59: This document is a guideline for identifying an information system as a National Security System.
NIST Special Publication 800-60: This document is a guide for mapping types of information and information systems to security objectives and risk levels.
As a security engineer working for BlueWell Inc., you would use NIST Special Publication 800-37 as a guide for the security certification and accreditation of Federal Information Systems.
NIST SP 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," provides guidance for implementing the Risk Management Framework (RMF) for federal information systems. The RMF is a structured process that helps organizations manage information security risk, including the selection, implementation, assessment, and monitoring of security controls.
NIST SP 800-37 provides a comprehensive approach to security certification and accreditation that includes the following steps:
NIST SP 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories," provides guidance for categorizing information and information systems based on their impact levels. NIST SP 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," provides a catalog of security and privacy controls that can be used to protect federal information systems. NIST SP 800-59, "Guidance for Identifying an Information System as a National Security System," provides guidance for identifying information systems that require special handling because of their national security implications.
While each of these NIST Special Publications plays a role in the security certification and accreditation of federal information systems, NIST SP 800-37 provides the most comprehensive guidance on the Risk Management Framework and the process of certifying and accrediting federal information systems. Therefore, the correct answer to the question is C. NIST Special Publication 800-37.