Certified Governance Risk and Compliance (CGRC) Practice Exam 2025 - Free CGRC Practice Questions and Study Guide

The requirement for general support systems to be fully certified before use comes from the Federal Information Security Modernization Act (FISMA). FISMA mandates that federal agencies secure their information and information systems by implementing a comprehensive framework that includes assessment and authorization processes. This means that systems must be evaluated to ensure they meet specific security standards before they are operational, making full certification a prerequisite for their use.

This focus on certification and authorization aims to protect federal information from unauthorized access and potential threats, thereby establishing the importance of compliance with established security protocols.

The other choices, while related to information security, serve different purposes. NIST (National Institute of Standards and Technology) provides guidelines and standards that support the implementation of FISMA but does not directly require certification itself. FIPA (Federal Information Processing Act) relates to the use of federal information processing but doesn't specifically address the certification of systems. FIPS (Federal Information Processing Standards) sets standards for federal computer systems but does not impose the requirement for certification of general support systems prior to their use.