Della works as a security engineer for BlueWell Inc. She wants to establish configuration
management and control procedures that will document proposed or actual changes to the
information system. Which of the following phases of NIST SP 800-37 C&A methodology will define
the above task?

Part of your change management plan details what should happen in the change control system for
your project. Theresa, a junior project manager, asks what the configuration management activities
are for scope changes. You tell her that all of the following are valid configuration management
activities except for which one?

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is
a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and
Accreditation? Each correct answer represents a complete solution. Choose two.