Conduct a security impact assessment to evaluate effects on controls is correct.

When a configuration change may affect system security controls NIST continuous monitoring guidance requires evaluating the effects on the control baseline and the system risk posture before making changes to documentation or operations. Performing a security impact assessment lets Brightwell identify which controls remain effective which controls need retesting and what mitigation or compensating controls are required.

The results will tell the organization whether it needs to update the system security plan adjust the plan of actions and milestones or initiate formal reauthorization under the risk management framework. The assessment therefore informs next steps and helps maintain an accurate control baseline.

Cloud Security Command Center is incorrect because the question asks for the proper NIST aligned process to evaluate control impact and not for a specific vendor product or tool. A tool might be useful later but it does not replace the required impact assessment.

Update the system security plan without further analysis is incorrect because updating the plan before understanding the change could record inaccurate information and miss necessary mitigations. You must assess impact first and then update plans based on assessment findings.

Trigger the incident response process and isolate the system is incorrect because a configuration change alone is not necessarily a security incident. Incident response is appropriate when there is evidence of compromise. First perform a security impact assessment to determine whether isolation or incident handling is required.

Full AWS Practitioner Certification Question