The correct source is the Business Impact Analysis (BIA). A BIA provides context about which systems and applications are most critical to business operations, regulatory compliance, and customer obligations. While CVSS scores indicate severity in technical terms, they do not reflect the business impact of exploitation. For example, a medium-severity vulnerability on a critical payment system may pose more business risk than a high-severity vulnerability on a test server.
Option A (third-party risk review) focuses on vendor security posture, not internal remediation priorities.
Option C (incident response playbook) guides response during active incidents, not vulnerability prioritization. Option D (crisis management plan) addresses executive-level communications during crises, not technical risk assessment.
By combining vulnerability scan data with BIA context, security teams can prioritize remediation efforts based on business-critical systems, ensuring the highest-risk vulnerabilities are remediated first. This aligns with CAS-005's guidance on risk-based prioritization of remediation efforts.

Limiting the platform's abilities to only non-sensitive functions helps to mitigate risks associated with AI operations. By ensuring that the AI-enabled digital worker is only allowed to perform tasks that do not involve sensitive or critical data, the organization reduces the potential impact of any security breaches or misuse.
Enhancing the training model's effectiveness (Option B) is important but does not directly address security guardrails. Granting the system the ability to self-govern (Option C) could increase risk as it may act beyond the organization's control. Requiring end-user acknowledgement of organizational policies (Option D) is a good practice but does not implement technical guardrails to secure the AI environment.
References:
CompTIA Security+ Study Guide
NIST SP 800-53 Rev. 5, "Security and Privacy Controls for Information Systems and Organizations" ISO/IEC 27001, "Information Security Management"

The best approach is to use Terraform scripts while creating golden images (A). Terraform is an Infrastructure as Code (IaC) tool that allows organizations to automate infrastructure deployment consistently across environments. A golden image is a pre-configured, patched, and hardened system image used as a standard baseline. By creating golden images via Terraform scripts, the company ensures that every microservice instance is deployed on an already-updated and secure OS. This eliminates the need for repeatedly patching the base OS before code deployment.
Option B (cron job with apt-update) applies patches but introduces delays (every 30 days) and lacks consistency across new deployments. Option C (snapshots) saves deployment states but risks replicating outdated or unpatched images. Option D (centralized update server) is useful but still requires updates post-deployment, which slows the rollout of microservices.
By automating golden image creation through Terraform, the company gains efficiency, repeatability, and security assurance, aligning with DevSecOps principles and CAS-005 cloud-native best practices.

To improve the vulnerability management process in an environment where new devices/IPs are added and dropped regularly, the company should perform regular discovery scanning throughout the IT landscape using the vulnerability management tool. Here's why:
Accurate Asset Inventory: Regular discovery scans help maintain an up-to-date inventory of all assets, ensuring that the vulnerability management process includes all relevant devices and IPs.
Consistency in Reporting: By continuously discovering and scanning new and existing assets, the company can generate consistent and comprehensive vulnerability reports that reflect the current state of the network.
Proactive Management: Regular scans enable the organization to proactively identify and address vulnerabilities on new and existing assets, reducing the window of exposure to potential threats.
References:
CompTIA Security+ SY0-601 Study Guide by Mike Chapple and David Seidl
NIST Special Publication 800-40: Guide to Enterprise Patch Management Technologies CIS Controls: Control 1 - Inventory and Control ofHardware Assets

The question states that security scanning and quality assurance (QA) in the CI/CD pipeline have been completed with no issues, indicating that the code in the test branch is ready for production. According to the CompTIA SecurityX CAS-005 study guide (Domain 2: Security Operations, 2.3), in a secure CI/CD pipeline, once code passes automated security scans, QA, and other checks (e.g., unit testing, peer reviews), the next step is to merge the tested branch into the main branch for deployment to production.
Option B:Threat modeling is typically performed earlier, during design or development, not after passing CI
/CD checks.
Option C:Unit testing is part of the CI/CD pipeline and should already be completed.
Option D:Peer reviews are conducted before or during the test phase, not after QAand security scans are clear.
Option A:Merging the test branch to the main branch is the logical next step to prepare for production deployment.
Reference:
CompTIA SecurityX CAS-005 Official Study Guide, Domain 2: Security Operations, Section 2.3: "Manage secure software development lifecycles, including CI/CD pipelines." CAS-005 Exam Objectives, 2.3: "Analyze secure deployment processes in CI/CD environments."