Topic 1: Access Control
Which of the following statements pertaining to Kerberos is TRUE?
A. Kerberos does not address availability
B. Kerberos does not address integrity
C. Kerberos does not make use of Symmetric Keys
D. Kerberos cannot address confidentiality of information
A. Kerberos does not address availability
The question was asking for a TRUE statement and the only correct
statement is "Kerberos does not address availability".
Kerberos addresses the confidentiality and integrity of information. It does not directly
address availability.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control
systems (page 42).
The Terminal Access Controller Access Control System (TACACS) employs which of the
following?
A. a user ID and static password for network access
B. a user ID and dynamic password for network access
C. a user ID and symmetric password for network access
D. a user ID and asymmetric password for network access
a user ID and static password for network access
For networked applications, the Terminal Access Controller Access Control
System (TACACS) employs a user ID and a static password for network access.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 44.
Which of the following Operations Security controls is intended to prevent unauthorized
A. Detective Controls
B. Preventative Controls
C. Corrective Controls
D. Directive Controls
Preventative Controls
In the Operations Security domain, Preventative Controls are designed to
prevent unauthorized intruders from internally or externally accessing the system, and to
lower the amount and impact of unintentional errors entering the system.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 217.
The three classic ways of authenticating yourself to the computer security software are:
something you know, something you have, and something:
A. you need.
B. you read.
C. you are.
D. you do.
you are.
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation
Who first described the DoD multilevel military security policy in abstract, formal terms?
A. David Bell and Leonard LaPadula
B. Rivest, Shamir and Adleman
C. Whitfield Diffie and Martin Hellman
D. David Clark and David Wilson
David Bell and Leonard LaPadula
It was David Bell and Leonard LaPadula who, in 1973, first described the
DoD multilevel military security policy in abstract, formal terms. The Bell-LaPadula model is a
Mandatory Access Control (MAC) model concerned with confidentiality. Rivest, Shamir and
Adleman (RSA) developed the RSA encryption algorithm. Whitfield Diffie and Martin
Hellman published the Diffie-Hellman key agreement algorithm in 1976. David Clark and
David Wilson developed the Clark-Wilson integrity model, more appropriate for security in
commercial activities.
Source: RUSSELL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly,
July 1992 (pages 78, 109).
Which of the following was developed to address some of the weaknesses in Kerberos and
uses public key cryptography for the distribution of secret keys and provides additional
access control support?
A. SESAME
B. RADIUS
C. KryptoKnight
D. TACACS+
SESAME
Secure European System for Applications in a Multi-vendor Environment
(SESAME) was developed to address some of the weaknesses in Kerberos and uses
public key cryptography for the distribution of secret keys and provides additional access
control support.
Reference:
TIPTON, Harold, Official (ISC)2 Guide to the CISSP CBK (2007), page 184.
ISC OIG Second Edition, Access Controls, Page 111
What is the term for a sequence of characters that is usually longer than the number
allotted for a password?
A. passphrase
B. cognitive phrase
C. anticipated phrase
D. real phrase
passphrase
A passphrase is a sequence of characters that is usually longer than the
allotted number for a password.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, page 37.
Which of the following forms of authentication would most likely apply a digital signature
algorithm to every bit of data that is sent from the claimant to the verifier?
A. Dynamic authentication
B. Continuous authentication
C. Encrypted authentication
D. Robust authentication
Continuous authentication
Continuous authentication is a type of authentication that provides protection
against impostors who can see, alter, and insert information passed between the claimant
and verifier even after the claimant/verifier authentication is complete. These are typically
referred to as active attacks, since they assume that the impostor can actively influence the
connection between claimant and verifier. One way to provide this form of authentication is
to apply a digital signature algorithm to every bit of data that is sent from the claimant to the
verifier. There are other combinations of cryptography that can provide this form of
authentication, but current strategies rely on applying some type of cryptography to every bit
of data sent. Otherwise, any unprotected bit would be suspect. Robust authentication relies
on dynamic authentication data that changes with each authenticated session between a
claimant and a verifier, but does not provide protection against active attacks. Encrypted
authentication is a distracter.
Source: GUTTMAN, Barbara & BAGWILL, Robert, NIST Special Publication 800-xx,
Internet Security Policy: A Technical Guide, Draft Version, May 25, 2000 (page 34).
In the early days of biometric identification systems, it soon became apparent that truly positive
identification could only be based on a person's physical attributes. This raised the
need to answer two questions:
A. what was the sex of a person and his age
B. what part of body to be used and how to accomplish identification that is viable
C. what was the age of a person and his income level
D. what was the tone of the voice of a person and his habits
what part of body to be used and how to accomplish identification that is viable
Today, implementation of fast, accurate, reliable and user-acceptable
biometric identification systems is already taking place. A person's unique physical attributes
or behavior are used for that purpose.
From: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management
Handbook, 4th Edition, Volume 1, Page 7.
Which of the following is not a two-factor authentication mechanism?
A. Something you have and something you know.
B. Something you do and a password.
C. A smartcard and something you are.
D. Something you know and a password.
Something you know and a password
Something you know and a password fit within only one of the three ways authentication
can be done. A password is an example of something you know, so "something you know
and a password" does not constitute two-factor authentication, as both are in the same
category of factors.
Two-factor (strong) authentication relies on two different kinds of authentication factors
out of a list of three possible choices:
something you know (e.g. a PIN or password),
something you have (e.g. a smart card, token, magnetic card),
something you are, which is mostly Biometrics (e.g. a fingerprint) or something you do (e.g.
signature dynamics).
TIP FROM CLEMENT:
On the real exam you can expect to see synonyms and sometimes sub-categories under
the main categories. People are familiar with PIN, Passphrase, Password as a subset of Something you know.
However, when people see choices such as Something you do or Something you are they
immediately get confused and they do not think of them as a subset of Biometrics where you
have Biometric implementation based on behavior and physiological attributes. So
something you do falls under the Something you are category as a subset.
Something you do would be signing your name or typing text on your keyboard for
example.
Strong authentication is simply when you make use of two factors that are within two
different categories.
Reference(s) used for this question:
Shon Harris, CISSP All In One, Fifth Edition, pages 158-159