Certified Administrative Professional (CAP) Practice Exam 2025 – Your All-in-One Guide to Exam Mastery!

The chosen answer is A, NIST SP 800-60, because it is specifically designed to assist organizations in categorizing information types and identifying their potential impact levels. This document provides a framework for classifying information based on the sensitivity of the data and the potential harm that could result from unauthorized access or disclosure. It incorporates a risk management approach, ensuring that information is classified appropriately to align with the organization's security needs and compliance requirements.

In contrast, NIST SP 800-53 focuses on security and privacy controls for federal information systems and organizations, offering a comprehensive set of management, operational, and technical controls. NIST SP 800-115 is centered on technical security assessments and does not address categorization directly. Lastly, NIST SP 800-37 outlines the Risk Management Framework (RMF) for information systems, providing guidance on integrating security into the system development lifecycle, but it doesn't specifically categorize information types in the same way as NIST SP 800-60 does.