Certified Secure Software Lifecycle Professional (CSSLP) — Question 94

You work as a security manager for BlueWell Inc. You are going through the NIST SP 800-37 C&A methodology, which is based on four well defined phases. In which of the following phases of NIST SP 800-37 C&A methodology does the security categorization occur?

Answer options

• A. Security Accreditation
• B. Security Certification
• C. Continuous Monitoring
• D. Initiation

Correct answer: D

Explanation

The security categorization occurs during the Initiation phase of the NIST SP 800-37 C&A methodology, where assets are identified and categorized based on their impact levels. The other phases, such as Security Accreditation and Security Certification, focus on different aspects of the compliance and validation processes, while Continuous Monitoring is about ongoing assessments after the initial categorization.