Which activity is explicitly part of the C&A process in the material?


Multiple Choice


Explanation:

The key idea here is understanding what Certification and Accreditation (C&A) involves. In the FISMA/RMF context, the process starts by understanding how sensitive and critical the system and its data are—this is done through security categorization. Reviewing the system’s security categorization is an explicit early activity in C&A because it sets the baseline for what security controls are needed and how rigorously they must be applied. Without confirming the categorization, you wouldn’t know the appropriate protection level or the standards against which the system will be evaluated and authorized.

Penetration testing on all components is a form of security testing and assessment, which typically happens as part of validating the controls and during the security assessment phase, not as the core, explicit step of C&A itself. Drafting user training manuals belongs to training and awareness activities, which support ongoing security but aren’t a formal C&A activity. Managing supplier risk contracts relates to vendor risk management and procurement processes, not the C&A workflow.

So, the activity that is explicitly part of the C&A process is reviewing the system’s security categorization, because it anchors the entire authorization effort and determines the controls and assessment requirements.
