Question 15 - ISC2 CISSP-ISSEP Real Exam Questions [Jan 2026 Update]

Q: 15

Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment

Options

Correct Answer:

Explanation

The DoD Information Technology Security Certification and Accreditation Process (DITSCAP) is a standardized, four-phase methodology. The process begins with Phase 1: Definition, where the system's mission, architecture, and security requirements are documented in the System Security Authorization Agreement (SSAA). This is followed by Phase 2: Verification, where the system's design and development are checked for compliance with the SSAA. Phase 3: Validation involves testing the fully integrated system to confirm it meets the documented security requirements, leading to a certification determination. Finally, Phase 4: Post Accreditation involves the ongoing monitoring and management of the accredited system's security posture throughout its operational lifecycle.

Why Incorrect

A. This option incorrectly places Validation before Verification. Verification of system compliance occurs during development, before the final validation of the integrated system.

B. This option incorrectly starts with Verification. The process must begin with the Definition phase to establish the security requirements and operational context.

C. This option incorrectly starts with Verification and reverses the order of other phases. The Definition phase is the foundational first step.

References

1. U.S. Department of Defense. (1997

December 30). DoD Instruction 5200.40: DoD Information Technology Security Certification and Accreditation Process (DITSCAP). Section E2.1.2. This instruction officially defines the four phases and their sequence: "The DITSCAP is a dynamic and iterative process that consists of four phases: Phase 1

Definition; Phase 2

Verification; Phase 3

Validation; and Phase 4

Post Accreditation."

2. Wilson

R. L. (2002). A Comparison of the new DoD C&A processes: DITSCAP and NIACAP. SANS Institute InfoSec Reading Room. Page 5. The paper outlines the DITSCAP lifecycle

stating

"The DITSCAP is a four-phased process. The phases are Definition

Verification

Validation

and Post Accreditation."

3. Naval Postgraduate School. (n.d.). CS3670: Secure Computer Systems

Lecture 10 - Certification and Accreditation. Courseware slides describe the DITSCAP process

explicitly listing the phases in the correct order: 1. Definition

2. Verification

3. Validation

4. Post Accreditation.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE