The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?
A. System acquisition and development
B. System operations and maintenance
C. System initiation
D. System implementation
Answer is D
Implementation Phase –
– Inspection and Acceptance – ensures that the organization validates and verifies that the functionality described in the specification is included in the deliverables.
– Security Control Integration – ensures that security controls are integrated at the operational site where the information system is to be deployed for operation. Security control settings and switches are enabled in accordance with vendor instructions and available security implementation guidance.
– Security Certification – ensures that the controls are effectively implemented through established verification techniques and procedures and gives organization officials confidence that the appropriate safeguards and countermeasures are in place to protect the organization’s information system. Security certification also uncovers and describes the known vulnerabilities in the information system.
– Security Accreditation – provides the necessary security authorization of an information system to process, store, or transmit information that is required. This authorization is granted by a senior organization official and is based on the verified effectiveness of security controls to some agreed upon level of assurance and an identified residual risk to agency assets or operations.
Phase = operations and maintenance
NIST SP800-64: Perform configuration management and control:
Configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system and subsequently for controlling and maintaining an accurate inventory of any changes to the system. Changes to the hardware, software, or firmware of a system can have a significant security impact. Documenting information system changes and assessing the potential impact on the security of the system on an ongoing basis is an essential aspect of maintaining the security accreditation.
According to NIST https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64.pdf:
Security certification and accreditation is part of Implementation Phase;
Configuration management is part of Operations / Maintenance Phase.
The link referenced in the answer indicates that the correct answer is B.
Under “4.) Operations Maintenance Phase” it says “Configuration management activities are conducted to ensure consistency of the program”.