Which of the following assessment methodologies defines a six-step technical security evaluation?

A.
FIPS 102

B.
DITSCAP

C.
FITSAF

D.
OCTAVE

Explanation:

Federal Information Processing Standard (FIPS) 102 defines four roles. These roles are of accreditor, program manager, certification manager, and evaluator. FIPS 102 certifies an application by executing a six step security evaluation:
1.Planning
2.Data collection
3.Basic evaluation
4.Detailed evaluation
5.Report of findings
6.Accreditation

Answer option D is incorrect. OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. It is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning. OCTAVE methods are founded on the OCTAVE criteria. An OCTAVE criterion is a standard approach for a risk-driven and practice-based information security evaluation. It establishes the fundamental principles and attributes of risk management. The three OCTAVE methods are as follows:
Original OCTAVE method
OCTAVE-S
OCTAVE-Allegro

Answer option C is incorrect. FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. It provides an approach for federal agencies. It determines how federal agencies are meeting existing policy and establish goals. The main advantage of FITSAF is that it addresses the requirements of Office of Management and Budget (OMB). It also addresses the guidelines provided by the National Institute of Standards and Technology (NIsT).

Answer option B is incorrect. The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) is a process defined by the United States Department of Defense (DoD) for managing risk. DIACAP replaced the former process, known as DITSCAP (Department of Defense Information Technology Security Certification and Accreditation Process), in 2006.

DoD Instruction (DoDI) 8510.01 establishes a standard DoD-wide process with a set of activities, general tasks, and a management structure to certify and accredit an Automated Information System (AIS) that will maintain the Information Assurance (IA) posture of the Defense Information Infrastructure (DII) throughout the system’s life cycle.

DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. It identifies four phases:

1.System Definition
2.Verification
3.Validation
4.Re-Accreditation