ISC2 ISSEP Exam - Topic 2 Question 1 Discussion

The Special Publication (SP) is the guideline that is recommended for engineering, protecting, managing, processing, and controlling national security and sensitive (although unclassified) information. Answer option D is incorrect. The Department of Defense Information Assurance

Certification and Accreditation Process (DIACAP) is a process defined by the United States

Department of Defense (DoD) for managing risk. DIACAP replaced the former process, known as

DITSCAP (Department of Defense Information Technology Security Certification and Accreditation

Process), in 2006. DoD Instruction (DoDI) 8510.01 establishes a standard DoD-wide process with a

set of activities, general tasks, and a management structure to certify and accredit an Automated

Information System (AIS) that will maintain the Information Assurance (IA) posture of the Defense

Information Infrastructure (DII) throughout the system's life cycle. The DIACAP process is different

from DITSCAP or NIACAP. Its overall process is similar to other C&A activities. The DIACAP process

consists of five phases, which are as follows:

1.Initiate and Plan IA C&A. This phase consists of the following activities:

Register system with DoD Component IA Program.

Assign IA controls.

Assemble DIACAP team.

Develop DIACAP strategy.

Initiate IA implementation plan.

2.Implement and Validate Assigned IA Controls: This phase consists of the following activities:

Execute and update IA implementation plan. Conduct validation activities. Combine validation

results in DIACAP scorecard. 3.Make Certification Determination and Accreditation Decisions: This

phase consists of the following activities:

Analyze residual risk.Issue certification determination.Make accreditation decision.

4.Maintain Authority to Operate and Conduct Reviews: This phase consists of the following activities:

Initiate and update lifecycle implementation plan for IA controls.

Maintain situational awareness.Maintain IA posture.

5.Decommission System: This phase consists of the following activities:

Conduct activities related to the disposition of the system data and objects.

Answer option A is incorrect. FIPS emphasizes on design, implementation, and approval of

cryptographic algorithms.Answer option C is incorrect. NISTIRs (Internal Reports) illustrate the study of a technical nature of interest to focused audience. NISTIRs consist of interim or final reports on work made by NIST for external sponsors, including government and non-government sponsors.