ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
A financial services firm has finished a security assessment of a new trading platform. The assessor delivered the Security Assessment Report, and the system owner completed the Plan of Action and Milestones documenting residual risks. Under a standard risk management framework, what action finalizes formal approval to operate the system?
The configuration management board approves the updated baseline and archives all change records.
The designated authorizing official issues and signs an Authorization to Operate letter accepting the documented residual risks.
The development team updates the system security plan to include recent functional design documentation.
The security control assessor conducts complete retesting of every item listed in the POA&M until no findings remain.
Under frameworks such as NIST SP 800-37, the final step before a system can be placed into production is the risk acceptance decision by the designated Authorizing Official (AO). The AO reviews the security authorization package (which includes the System Security Plan, Security Assessment Report, and POA&M) and, if the residual risk is acceptable, issues and signs an Authorization to Operate (ATO) letter. This formalizes management's acceptance of responsibility and grants approval to operate. Approving a configuration baseline, retesting every POA&M item, or merely updating documentation are supporting activities, but none of them in isolation provides the formal authorization required for operation.