- Which document establishes the organization-wide risk management strategy, including risk tolerance and risk appetite, that guides all RMF activities?
- The Security Assessment Report
- The System Security Plan
- The Plan of Action and Milestones
- The risk management strategy issued by senior leadership
Correct answer: The risk management strategy issued by senior leadership
The organization-wide risk management strategy, set by senior leadership, defines risk tolerance and appetite and drives all subsequent RMF tasks across the enterprise.
- Under NIST RMF, who holds the ultimate responsibility for accepting the security risk of operating an information system?
- System Owner
- Authorizing Official
- Chief Information Officer
- Information System Security Officer
Correct answer: Authorizing Official
The Authorizing Official (AO) is the senior official with authority to formally accept risk and grant authorization to operate the system.
- Which framework is primarily referenced by NIST SP 800-37 to organize the lifecycle of system authorization?
- ISO 9001
- COBIT
- ITIL
- Risk Management Framework (RMF)
Correct answer: Risk Management Framework (RMF)
NIST SP 800-37 defines the Risk Management Framework, a seven-step lifecycle for managing security and privacy risk and authorizing systems.
- What is the primary purpose of establishing a common control provider role within a risk management program?
- To approve authorization packages
- To audit all system controls annually
- To define the organizational risk appetite
- To develop, implement, and maintain controls inheritable by multiple systems
Correct answer: To develop, implement, and maintain controls inheritable by multiple systems
A common control provider is responsible for controls that can be inherited by many systems, reducing duplication and ensuring consistent implementation.
- Which international standard provides a framework for an organization's overall risk management process independent of any industry?
- ISO/IEC 27001
- ISO 31000
- NIST SP 800-53
- FIPS 200
Correct answer: ISO 31000
ISO 31000 provides generic principles and guidelines for risk management that apply across any organization or sector.
- In the RMF, the Prepare step at the organization level is intended primarily to do what?
- Authorize the system to operate
- Assess control effectiveness
- Establish context and priorities for managing security and privacy risk
- Select baseline controls for a single system
Correct answer: Establish context and priorities for managing security and privacy risk
The Prepare step establishes a context, priorities, and common foundation (roles, risk strategy, control baselines) for executing the RMF effectively.
- Which of the following best describes 'risk tolerance' in a risk management program?
- The frequency of control assessments
- The level of risk an organization is willing to accept in pursuit of its objectives
- The maximum dollar value of any single asset
- The total number of vulnerabilities allowed per system
Correct answer: The level of risk an organization is willing to accept in pursuit of its objectives
Risk tolerance is the degree of variance from risk appetite that an organization is willing to accept while pursuing its mission and objectives.
- A governance program defines accountability primarily through which mechanism?
- Technical control baselines
- Vulnerability scanning schedules
- Encryption key rotation policies
- Assigned roles, responsibilities, and authorities
Correct answer: Assigned roles, responsibilities, and authorities
Governance establishes accountability by clearly assigning roles, responsibilities, and authorities so decisions and oversight are traceable.
- Which NIST publication catalogs the security and privacy controls used across the RMF?
- NIST SP 800-37
- NIST SP 800-53
- NIST SP 800-30
- NIST SP 800-18
Correct answer: NIST SP 800-53
NIST SP 800-53 provides the catalog of security and privacy controls that organizations select, tailor, and implement.
- The concept of 'risk framing' in NIST SP 800-39 is intended to produce what outcome?
- A penetration test report
- A signed authorization decision
- A risk management strategy describing how the organization assesses, responds to, and monitors risk
- A list of system vulnerabilities
Correct answer: A risk management strategy describing how the organization assesses, responds to, and monitors risk
Risk framing establishes the context and assumptions and results in a risk management strategy guiding how risk is assessed, responded to, and monitored.
- Which of the following is a key benefit of integrating privacy into the risk management program rather than treating it separately?
- It eliminates the need for security controls
- It ensures privacy risks are identified and managed alongside security risks throughout the lifecycle
- It removes the need for an authorizing official
- It reduces the number of required controls to zero
Correct answer: It ensures privacy risks are identified and managed alongside security risks throughout the lifecycle
Integrating privacy ensures privacy risks are addressed consistently with security risks across all RMF steps rather than as an afterthought.
- Senior leadership commitment is most critical to a risk management program because it provides which of the following?
- Detailed scan configurations
- Source code for applications
- Resources, authority, and organizational direction for managing risk
- Hardware procurement contracts
Correct answer: Resources, authority, and organizational direction for managing risk
Leadership commitment supplies the resources, authority, and strategic direction needed for an effective enterprise risk management program.
- Which standard is most associated with establishing and maintaining an Information Security Management System (ISMS)?
- COSO ERM
- ISO/IEC 27001
- FIPS 199
- NIST SP 800-60
Correct answer: ISO/IEC 27001
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS.
- What is the main purpose of identifying legal, regulatory, and contractual requirements during program establishment?
- To ensure the program addresses applicable compliance obligations
- To define network topology
- To set the encryption algorithm
- To eliminate the need for controls
Correct answer: To ensure the program addresses applicable compliance obligations
Identifying applicable legal, regulatory, and contractual requirements ensures the program is designed to meet all mandatory compliance obligations.
- In a risk management program, 'inherent risk' refers to which of the following?
- Risk that has been formally accepted
- Risk transferred to a third party
- Risk remaining after controls are applied
- Risk present before any controls or mitigations are applied
Correct answer: Risk present before any controls or mitigations are applied
Inherent risk is the level of risk that exists before any controls or other mitigating actions are considered.
- Which step of the RMF is responsible for determining the categorization of an information system based on impact?
- Authorize
- Assess
- Categorize
- Monitor
Correct answer: Categorize
The Categorize step uses FIPS 199 and SP 800-60 to determine the impact level of the system and the information it processes.
- Under FIPS 199, the security category of an information type is expressed in terms of impact to which three objectives?
- Cost, schedule, scope
- People, process, technology
- Confidentiality, integrity, availability
- Detect, respond, recover
Correct answer: Confidentiality, integrity, availability
FIPS 199 categorizes information and systems by the potential impact (low, moderate, high) to confidentiality, integrity, and availability.
- When applying the high-water mark to a system categorization, the system impact level is determined by which of the following?
- The highest impact value among all information types and objectives
- The most frequently occurring impact value
- The average of all information type impact levels
- The lowest impact value among all security objectives
Correct answer: The highest impact value among all information types and objectives
The high-water mark sets the overall system impact level to the highest impact value found across all information types and security objectives.
- Which NIST publication assists in mapping information types to provisional impact levels?
- NIST SP 800-37
- FIPS 200
- NIST SP 800-137
- NIST SP 800-60
Correct answer: NIST SP 800-60
NIST SP 800-60 provides guidance for mapping types of information and systems to security categories and provisional impact levels.
- Defining the authorization boundary primarily serves which purpose?
- To determine the encryption standard
- To set the system's IP address range
- To assign user access privileges
- To establish the scope of protection and what is included in the authorization decision
Correct answer: To establish the scope of protection and what is included in the authorization decision
The authorization boundary defines what components are part of the system, scoping the controls, assessment, and the authorization decision.
- Which document captures the system description, boundary, environment, and the controls planned or in place?
- Plan of Action and Milestones
- Security Assessment Report
- Risk Assessment Report
- System Security Plan
Correct answer: System Security Plan
The System Security Plan (SSP) documents the system characteristics, authorization boundary, operating environment, and the selected and implemented controls.
- When determining the scope of a system, identifying data flows is important primarily because it helps to do what?
- Schedule employee training
- Choose the programming language
- Set the marketing budget
- Identify where information enters, traverses, and leaves the boundary so controls can be properly placed
Correct answer: Identify where information enters, traverses, and leaves the boundary so controls can be properly placed
Understanding data flows reveals entry, transit, and exit points so that protection requirements and controls can be properly assigned within and at the boundary.
- A moderate-impact rating for integrity means a loss of integrity could be expected to have what effect?
- A limited adverse effect
- A catastrophic adverse effect
- No adverse effect
- A serious adverse effect
Correct answer: A serious adverse effect
Under FIPS 199, moderate impact corresponds to a serious adverse effect on organizational operations, assets, or individuals.
- Which of the following is most important when documenting the operating environment of a system?
- The physical, logical, and threat environment in which the system operates
- The vendor's marketing claims
- The number of help desk tickets
- The CEO's preferences
Correct answer: The physical, logical, and threat environment in which the system operates
Documenting the physical, logical, and threat environment ensures controls are appropriate for actual operating conditions and risks.
- Why is identifying system interconnections critical when defining scope?
- Interconnections can extend risk and require agreements and controls at connection points
- It sets the procurement schedule
- It determines the office floor plan
- It chooses the database vendor
Correct answer: Interconnections can extend risk and require agreements and controls at connection points
Interconnections can propagate risk between systems and require interconnection agreements and appropriate controls at the connection points.
- Categorization of a system should be reviewed and approved by which role?
- The vendor support team
- Only the help desk
- A random employee
- The system owner in coordination with the authorizing official
Correct answer: The system owner in coordination with the authorizing official
The system owner determines categorization with input from stakeholders, and it is reviewed and approved consistent with organizational risk decisions, ultimately supporting the AO.
- Which factor would most likely raise the confidentiality impact level of a system?
- The system runs an old operating system
- The system processes large volumes of sensitive personally identifiable information
- The system has a slow network connection
- The system has many user accounts
Correct answer: The system processes large volumes of sensitive personally identifiable information
Processing sensitive PII raises the confidentiality impact because unauthorized disclosure could cause serious harm to individuals or the organization.
- What is the role of the information owner in scoping a system?
- To establish rules for appropriate use and protection of the information
- To configure the firewall
- To approve the system budget
- To write all source code
Correct answer: To establish rules for appropriate use and protection of the information
The information owner establishes the rules for appropriate use and protection of the information, informing categorization and control needs.
- When a system inherits controls from a common control provider, the authorization boundary documentation should do what?
- Exclude all common controls from the SSP
- List only system-specific controls
- Clearly indicate which controls are inherited, hybrid, or system-specific
- Ignore the inherited controls
Correct answer: Clearly indicate which controls are inherited, hybrid, or system-specific
Documentation should clearly identify control implementation as common (inherited), hybrid, or system-specific so responsibility is unambiguous.
- Which of the following best defines the 'security control baseline'?
- A predefined minimum set of controls associated with a system's impact level
- A custom set of controls invented per project
- A network diagram
- A list of vulnerabilities
Correct answer: A predefined minimum set of controls associated with a system's impact level
A baseline is the predefined minimum set of controls (low, moderate, or high) selected based on the system's categorization before tailoring.
- Tailoring a control baseline may include all of the following EXCEPT?
- Assigning organization-defined parameters
- Ignoring all baseline controls without justification
- Selecting compensating controls
- Applying scoping considerations
Correct answer: Ignoring all baseline controls without justification
Tailoring includes scoping, compensating controls, and setting parameters with documented rationale; arbitrarily ignoring controls without justification is not valid tailoring.
- A compensating control is selected when which condition exists?
- A baseline control cannot be implemented but equivalent protection is needed
- The system has no users
- The control is already implemented perfectly
- The baseline control is too easy to implement
Correct answer: A baseline control cannot be implemented but equivalent protection is needed
Compensating controls provide equivalent or comparable protection when a primary baseline control cannot be implemented as specified.
- Which document is reviewed and approved at the conclusion of the control selection step?
- The data center lease
- Penetration test results
- The incident response runbook
- The System Security Plan containing the selected controls
Correct answer: The System Security Plan containing the selected controls
The SSP, documenting the selected and tailored controls, is reviewed and approved to confirm the planned controls are acceptable before implementation.
- Overlays in control selection are best described as what?
- Specialized sets of controls and parameters tailored for a community of interest or technology
- Network diagrams
- User access lists
- Vulnerability scan templates
Correct answer: Specialized sets of controls and parameters tailored for a community of interest or technology
Overlays provide a fully specified set of controls, enhancements, and parameters tailored for specific communities, missions, or technologies.
- When developing a continuous monitoring strategy during control selection, which element is essential?
- The marketing plan
- Defining metrics, frequencies, and the controls to be monitored over time
- The vendor's stock price
- The number of office printers
Correct answer: Defining metrics, frequencies, and the controls to be monitored over time
A continuous monitoring strategy must define what controls are monitored, the metrics, and the frequency to maintain ongoing situational awareness.
- Scoping considerations during tailoring allow an organization to do what?
- Adjust applicability of controls based on factors like technology, environment, and mission
- Skip the assessment step
- Eliminate the SSP entirely
- Avoid documenting decisions
Correct answer: Adjust applicability of controls based on factors like technology, environment, and mission
Scoping lets organizations refine applicability of controls based on operational, technical, and environmental considerations with documented rationale.
- Which of the following is the primary input used to select the initial control baseline?
- The system's security categorization (impact level)
- The number of servers
- The application's color scheme
- The system's user count
Correct answer: The system's security categorization (impact level)
The security categorization (low, moderate, high) determines which baseline of controls is initially selected before tailoring.
- Privacy controls are selected primarily to address which type of risk?
- Hardware failure risk
- Network latency risk
- Risks to individuals arising from the processing of PII
- Software licensing risk
Correct answer: Risks to individuals arising from the processing of PII
Privacy controls address risks to individuals resulting from the creation, collection, use, processing, storage, and disposal of PII.
- An organization-defined parameter in a control allows what?
- Skipping the control
- Removing the control from the catalog
- Hiding the control from auditors
- Specifying values such as time periods or frequencies appropriate to the organization
Correct answer: Specifying values such as time periods or frequencies appropriate to the organization
Organization-defined parameters let the organization specify values (e.g., frequency, thresholds) to fit operational needs while keeping the control intact.
- Why must control selection decisions and their rationale be documented?
- To support traceability, accountability, and approval of the security posture
- To increase the page count of the SSP
- To delay the project
- To confuse assessors
Correct answer: To support traceability, accountability, and approval of the security posture
Documenting decisions and rationale provides traceability and supports informed review and approval of the planned security and privacy posture.
- Control enhancements in NIST SP 800-53 serve what function?
- They replace the entire baseline
- They weaken the base control
- They add functionality or increase the strength of a base control
- They eliminate documentation requirements
Correct answer: They add functionality or increase the strength of a base control
Control enhancements augment a base control by adding capability or increasing strength to address higher protection needs.
- When a moderate-impact system selects its baseline, enhancements not included in the moderate baseline may still be added through which action?
- Lowering the impact level
- Supplementing the baseline based on risk assessment results
- Removing the SSP
- Ignoring the categorization
Correct answer: Supplementing the baseline based on risk assessment results
Organizations may supplement the baseline with additional controls or enhancements when a risk assessment indicates the need for greater protection.
- Approval of the security plan before implementation primarily confirms what?
- The assessment is finished
- The system is decommissioned
- The selected controls are acceptable and the plan is complete and consistent
- The system is already authorized to operate
Correct answer: The selected controls are acceptable and the plan is complete and consistent
Reviewing and approving the SSP confirms the planned controls are complete, consistent, and acceptable before resources are committed to implementation.
- What is the primary objective of the Implement step in the RMF?
- To put the selected security and privacy controls into operation and document the implementation
- To categorize the system
- To accept the residual risk
- To decommission the system
Correct answer: To put the selected security and privacy controls into operation and document the implementation
The Implement step deploys the selected controls and documents how each control is implemented in the system and its environment.
- During implementation, the description of how each control is implemented should be recorded where?
- Only in email
- Nowhere, it is verbal
- In the System Security Plan
- In the vendor's brochure
Correct answer: In the System Security Plan
The SSP is updated to reflect the actual implementation details of each control so assessors and the AO can understand the as-built security posture.
- Which principle suggests that security should be built into a system rather than added afterward?
- Defense by default deny only
- Least functionality only
- Security by design
- Security by obscurity
Correct answer: Security by design
Security by design integrates protections throughout the development lifecycle rather than bolting them on after deployment, reducing cost and risk.
- When implementing inherited common controls, the system owner should do what?
- Mark them as not applicable
- Coordinate with the common control provider and document the inheritance
- Reimplement them entirely
- Ignore them
Correct answer: Coordinate with the common control provider and document the inheritance
Inherited controls are implemented by the common control provider; the system owner documents the inheritance and verifies it meets the system's needs.
- The principle of least privilege during implementation means what?
- Allowing anonymous access
- Granting users only the access necessary to perform their duties
- Granting all users admin rights
- Disabling all access
Correct answer: Granting users only the access necessary to perform their duties
Least privilege limits each user's access to only what is required for their role, reducing the attack surface and potential damage.
- Configuration management during control implementation primarily ensures what?
- More user accounts
- Lower hardware costs
- That system changes are controlled, documented, and do not undermine security
- Faster internet speeds
Correct answer: That system changes are controlled, documented, and do not undermine security
Configuration management ensures changes are authorized, tracked, and assessed so the security posture is maintained as the system evolves.
- Which document is often produced to provide detailed, repeatable procedures for operating a control?
- A marketing flyer
- A purchase order
- Standard operating procedures or implementation guidance
- A press release
Correct answer: Standard operating procedures or implementation guidance
Standard operating procedures provide repeatable, documented steps for consistently operating and maintaining implemented controls.
- Defense in depth as an implementation strategy is best described as what?
- Relying solely on user training
- A single strong firewall
- Encrypting only the homepage
- Layering multiple, complementary controls so failure of one does not expose the system
Correct answer: Layering multiple, complementary controls so failure of one does not expose the system
Defense in depth layers diverse, complementary controls so that the failure or bypass of one control does not compromise the entire system.
- When a control cannot be fully implemented as planned, what is the appropriate action?
- Mark the system as high impact
- Document the deficiency, plan remediation, and reflect it in the POA&M as appropriate
- Delete it from the SSP silently
- Tell no one
Correct answer: Document the deficiency, plan remediation, and reflect it in the POA&M as appropriate
Implementation gaps should be documented, tracked in the POA&M, and communicated so the risk is understood and remediation is planned.
- Secure baseline configurations for operating systems are typically derived from which type of source?
- Random user preferences
- Social media posts
- Vendor advertisements
- Hardening guides and benchmarks such as those from NIST, DISA STIGs, or CIS
Correct answer: Hardening guides and benchmarks such as those from NIST, DISA STIGs, or CIS
Secure baselines are commonly built from recognized hardening guides and benchmarks (e.g., CIS Benchmarks, DISA STIGs) to ensure consistent, defensible configurations.
- Why is it important to integrate privacy controls into the implementation step rather than after authorization?
- To make the system slower
- To avoid documenting controls
- To reduce the control count
- To ensure PII protections are operational and verifiable before the system handles real data
Correct answer: To ensure PII protections are operational and verifiable before the system handles real data
Implementing privacy controls early ensures PII protections are functional and assessable before the system processes actual personal data.
- Which activity is part of implementing access control on a system?
- Configuring authentication, authorization, and account management mechanisms
- Buying new monitors
- Updating the company logo
- Painting the server room
Correct answer: Configuring authentication, authorization, and account management mechanisms
Implementing access control involves configuring authentication, authorization, and account management to enforce who can access what resources.
- The implementation of audit logging controls primarily supports which later RMF activity?
- Boundary definition
- Control selection
- Continuous monitoring and detection of unauthorized activity
- Categorization
Correct answer: Continuous monitoring and detection of unauthorized activity
Audit logging produces records that support continuous monitoring, incident detection, and accountability after the system is operational.
- What is the main goal of the Assess step in the RMF?
- To categorize the system
- To grant authorization
- To determine whether controls are implemented correctly, operating as intended, and producing the desired outcome
- To select controls
Correct answer: To determine whether controls are implemented correctly, operating as intended, and producing the desired outcome
The Assess step evaluates whether controls are implemented correctly, operating as intended, and meeting the security and privacy requirements.
- Which document is developed to guide how each control will be evaluated during assessment?
- System disposal plan
- Authorization decision document
- Security Assessment Plan
- Plan of Action and Milestones
Correct answer: Security Assessment Plan
The Security Assessment Plan defines the scope, methods, objects, and procedures the assessor will use to evaluate each control.
- The results of the control assessment are documented in which deliverable?
- Risk Management Strategy
- Configuration Management Plan
- System Security Plan
- Security Assessment Report
Correct answer: Security Assessment Report
The Security Assessment Report (SAR) documents the findings, including any deficiencies, from the assessment of the controls.
- NIST SP 800-53A provides what for the assessment process?
- The risk framing strategy
- The control catalog
- Assessment procedures and methods for evaluating controls
- The categorization guidance
Correct answer: Assessment procedures and methods for evaluating controls
NIST SP 800-53A provides assessment procedures, methods (examine, interview, test), and objects for evaluating the controls in SP 800-53.
- Which three assessment methods are defined in NIST SP 800-53A?
- Examine, interview, test
- Plan, do, check
- Scan, patch, reboot
- Detect, respond, recover
Correct answer: Examine, interview, test
The three assessment methods are examine (review artifacts), interview (talk to personnel), and test (exercise the control to observe behavior).
- To preserve objectivity, who should ideally conduct the security control assessment?
- The marketing team
- Any random user
- The developer who built the control
- An independent assessor not responsible for developing or operating the controls
Correct answer: An independent assessor not responsible for developing or operating the controls
Independence of the assessor reduces conflicts of interest and increases credibility of the assessment results, supporting a sound authorization decision.
- A finding of 'other than satisfied' on a control means what?
- The control fully meets the objective
- The control is not applicable
- The control has a deficiency requiring documentation and potential remediation
- The system is decommissioned
Correct answer: The control has a deficiency requiring documentation and potential remediation
An 'other than satisfied' determination indicates a deficiency or weakness that must be documented and considered for remediation or risk acceptance.
- What is the purpose of an assessment of inherited controls?
- To ignore them
- To confirm the common controls meet the inheriting system's requirements and rely on the provider's assessment where appropriate
- To re-implement them
- To delete the SSP
Correct answer: To confirm the common controls meet the inheriting system's requirements and rely on the provider's assessment where appropriate
Assessment of inherited controls confirms the common control provider's controls satisfy the inheriting system's needs, often leveraging the provider's assessment results.
- Why might an organization perform a partial reassessment of controls?
- Because all controls always pass
- Because reassessment is never needed
- Because changes to the system or environment can affect specific controls' effectiveness
- Because the SSP is too short
Correct answer: Because changes to the system or environment can affect specific controls' effectiveness
System or environmental changes can affect the effectiveness of specific controls, warranting targeted reassessment rather than a full reassessment.
- Before the formal assessment, conducting an initial review of artifacts helps to do what?
- Authorize the system
- Skip the SAR
- Identify obvious deficiencies early and improve assessment efficiency
- Eliminate the need for testing
Correct answer: Identify obvious deficiencies early and improve assessment efficiency
An initial review of documentation can reveal obvious gaps early, allowing remediation and a more efficient, focused formal assessment.
- The assessment objective for a control describes what?
- The vendor of the control
- The set of determination statements that, if met, indicate the control is effective
- The color of the dashboard
- The cost of the control
Correct answer: The set of determination statements that, if met, indicate the control is effective
An assessment objective consists of determination statements; satisfying them indicates the control is implemented correctly and operating as intended.
- What should an assessor do when a tested control behaves differently than documented in the SSP?
- Document the discrepancy as a finding and capture the actual behavior
- Ignore the discrepancy
- Rewrite the SSP secretly
- Authorize the system immediately
Correct answer: Document the discrepancy as a finding and capture the actual behavior
Discrepancies between documented and actual behavior are recorded as findings so the true security posture is reflected in the SAR.
- Why is assessor competence important to the integrity of the assessment?
- Competent assessors produce accurate, defensible findings that support risk decisions
- It increases marketing reach
- It shortens the SSP
- It reduces the price of hardware
Correct answer: Competent assessors produce accurate, defensible findings that support risk decisions
Competent assessors apply appropriate methods correctly, producing accurate and defensible findings that the AO relies on for risk decisions.
- Following the assessment, remediation of selected findings before authorization is intended to do what?
- Change the categorization
- Delete the SAR
- Reduce risk to an acceptable level prior to the authorization decision
- Increase residual risk
Correct answer: Reduce risk to an acceptable level prior to the authorization decision
Remediating findings before authorization reduces residual risk, improving the likelihood of an authorization decision and lowering exposure.
- What is the main deliverable that an Authorizing Official reviews to make the authorization decision?
- The authorization package (SSP, SAR, and POA&M)
- The marketing plan
- The network cable inventory
- The vendor invoice
Correct answer: The authorization package (SSP, SAR, and POA&M)
The authorization package typically includes the SSP, the SAR, and the POA&M, providing the AO the information needed to make a risk-based decision.
- A POA&M (Plan of Action and Milestones) documents what?
- Planned remediation actions, resources, and milestones for known weaknesses
- The marketing budget
- User passwords
- The system's color scheme
Correct answer: Planned remediation actions, resources, and milestones for known weaknesses
The POA&M tracks identified weaknesses, planned corrective actions, responsible parties, resources, and milestones for remediation.
- Which authorization outcome allows a system to operate while accepting the documented residual risk?
- Categorization
- Authorization to Operate (ATO)
- Denial of authorization
- System decommission
Correct answer: Authorization to Operate (ATO)
An Authorization to Operate (ATO) permits the system to operate based on the AO's acceptance of the documented residual risk.
- Residual risk is best defined as which of the following?
- Risk transferred to insurance only
- Risk that does not exist
- Risk remaining after controls and mitigations have been applied
- Risk before any controls
Correct answer: Risk remaining after controls and mitigations have been applied
Residual risk is the level of risk that remains after security and privacy controls and other mitigations have been implemented.
- What does the AO produce to formally communicate the authorization decision?
- A penetration test
- An authorization decision document
- A budget spreadsheet
- A categorization worksheet
Correct answer: An authorization decision document
The authorization decision document records the decision (e.g., ATO), the terms and conditions, and the authorization termination date.
- Which factor would most likely lead an AO to issue a denial of authorization?
- All controls satisfied with no findings
- A complete POA&M with minor items
- Unacceptable residual risk that cannot be mitigated to within risk tolerance
- A well-documented SSP
Correct answer: Unacceptable residual risk that cannot be mitigated to within risk tolerance
A denial of authorization occurs when residual risk exceeds the organization's risk tolerance and cannot be adequately mitigated.
- The authorization termination date primarily serves what purpose?
- It defines the encryption key length
- It sets the warranty period of hardware
- It establishes when the authorization expires absent ongoing authorization or reauthorization
- It schedules employee vacations
Correct answer: It establishes when the authorization expires absent ongoing authorization or reauthorization
The authorization termination date defines when the ATO expires, prompting reauthorization unless an ongoing authorization process is in place.
- Ongoing authorization (as opposed to periodic reauthorization) relies most heavily on what?
- Annual hardware refresh
- Marketing analytics
- A one-time assessment
- A robust continuous monitoring program providing near real-time risk information
Correct answer: A robust continuous monitoring program providing near real-time risk information
Ongoing authorization depends on continuous monitoring that supplies current risk information so the AO can make time-relevant risk decisions.
- The risk executive (function) supports the authorization process primarily by doing what?
- Writing application code
- Configuring routers
- Managing payroll
- Providing an organization-wide view to ensure risk decisions are consistent across the enterprise
Correct answer: Providing an organization-wide view to ensure risk decisions are consistent across the enterprise
The risk executive function ensures risk-based decisions are consistent across the organization and aligned with the enterprise risk strategy.
- When the AO accepts a system with open POA&M items, this indicates what?
- The system has no weaknesses
- The assessment was skipped
- The AO has accepted the residual risk of the open items based on planned remediation
- The system must be shut down
Correct answer: The AO has accepted the residual risk of the open items based on planned remediation
Accepting a system with open POA&M items means the AO judges the residual risk acceptable given the planned, scheduled remediation actions.
- Which of the following is a valid reason to require reauthorization of a system?
- A new company logo
- A change in office coffee supplier
- A significant change to the system or its environment that affects security posture
- A minor typo in the SSP
Correct answer: A significant change to the system or its environment that affects security posture
Significant changes that affect the system's security posture or risk can trigger reauthorization to re-evaluate and re-accept risk.
- A common control authorization differs from a system authorization in that it does what?
- Authorizes a single application only
- Eliminates the need for an AO
- Replaces the SSP
- Authorizes controls intended to be inherited by multiple systems
Correct answer: Authorizes controls intended to be inherited by multiple systems
Common controls are authorized once so that multiple systems can inherit them, supporting efficiency and consistency across the organization.
- Why is it important that the authorization decision be made by a senior official with budgetary and operational authority?
- So they can run the help desk
- So they can write code
- Because accepting risk requires authority over mission, resources, and consequences
- Because juniors cannot read reports
Correct answer: Because accepting risk requires authority over mission, resources, and consequences
Risk acceptance must be made by someone with sufficient authority and accountability over the mission, resources, and the consequences of operating the system.
- An interim or conditional authorization might be granted under what circumstance?
- When there is no AO
- When operation is needed but certain conditions or remediations must be met within a set timeframe
- When all controls are fully satisfied
- When the system is decommissioned
Correct answer: When operation is needed but certain conditions or remediations must be met within a set timeframe
A conditional or time-limited authorization allows operation while specified conditions are met or critical remediations are completed within a defined period.
- The primary objective of the Monitor step in the RMF is to do what?
- Decommission the system
- Categorize the system
- Select the initial baseline
- Maintain ongoing awareness of the security posture and support risk-based decisions over time
Correct answer: Maintain ongoing awareness of the security posture and support risk-based decisions over time
Continuous monitoring maintains ongoing awareness of vulnerabilities, threats, and control effectiveness to support timely risk decisions throughout the system lifecycle.
- Which NIST publication provides guidance specifically on information security continuous monitoring (ISCM)?
- NIST SP 800-18
- NIST SP 800-60
- FIPS 199
- NIST SP 800-137
Correct answer: NIST SP 800-137
NIST SP 800-137 provides guidance for developing an Information Security Continuous Monitoring strategy and program.
- Configuration management within continuous monitoring helps detect what?
- Stock prices
- Marketing trends
- Employee birthdays
- Unauthorized or unintended changes that could affect the security posture
Correct answer: Unauthorized or unintended changes that could affect the security posture
Configuration management monitoring detects unauthorized or unexpected changes so their security impact can be assessed and addressed.
- Which of the following best describes the purpose of security metrics in continuous monitoring?
- To replace the SSP
- To provide measurable indicators of control effectiveness and security posture trends
- To decorate dashboards
- To eliminate assessments
Correct answer: To provide measurable indicators of control effectiveness and security posture trends
Metrics provide measurable, repeatable indicators that reveal trends in control effectiveness and overall security posture to inform decisions.
- When continuous monitoring reveals a new significant vulnerability, the appropriate response includes what?
- Lowering the system categorization
- Assessing its risk impact and updating the POA&M and reporting to the AO as needed
- Deleting the monitoring tool
- Ignoring it until the next audit
Correct answer: Assessing its risk impact and updating the POA&M and reporting to the AO as needed
New significant findings should be risk-assessed, tracked in the POA&M, and reported to the AO so risk decisions remain current.
- The frequency of monitoring a given control should be primarily driven by what?
- The number of office locations
- The vendor's preference
- The size of the IT budget
- The control's volatility and its contribution to risk
Correct answer: The control's volatility and its contribution to risk
Monitoring frequency is risk-based, driven by how often a control changes (volatility) and how critical it is to managing risk.
- Ongoing assessment of a subset of controls each period rather than all at once is an example of what?
- A continuous monitoring strategy that distributes assessments over time
- Control selection
- Decommissioning
- Categorization
Correct answer: A continuous monitoring strategy that distributes assessments over time
Distributing control assessments over time is a core element of a continuous monitoring strategy, maintaining coverage without a single large reassessment.
- Continuous monitoring information is reported to the AO primarily so that the AO can do what?
- Choose office furniture
- Make ongoing, time-relevant risk acceptance decisions
- Write source code
- Schedule lunches
Correct answer: Make ongoing, time-relevant risk acceptance decisions
Reporting current monitoring information enables the AO to make ongoing, informed risk decisions, supporting ongoing authorization.
- Which activity is part of the system disposal or decommissioning sub-task of the Monitor step?
- Selecting the baseline
- Securely sanitizing media and removing the system from operation when retired
- Categorizing the system
- Drafting the SAR
Correct answer: Securely sanitizing media and removing the system from operation when retired
When a system is retired, the Monitor step includes secure disposal activities such as media sanitization and updating documentation to reflect removal from operation.
- Automation in continuous monitoring is valuable primarily because it does what?
- Removes the need for an SSP
- Increases the system categorization
- Eliminates the need for any human judgment
- Enables more frequent, consistent, and timely collection of security-relevant data
Correct answer: Enables more frequent, consistent, and timely collection of security-relevant data
Automation supports more frequent, consistent, and timely data collection, improving situational awareness while still requiring human analysis and decisions.
- A change to the system that is determined to be significant during continuous monitoring may trigger which action?
- Deletion of the POA&M
- Automatic denial of all access
- Lowering of the impact level without analysis
- Reassessment of affected controls and possible reauthorization
Correct answer: Reassessment of affected controls and possible reauthorization
Significant changes can affect security posture, prompting reassessment of affected controls and, if warranted, reauthorization of the system.
- Why should continuous monitoring results feed back into the risk management strategy?
- To inflate documentation
- To avoid assessments
- Because real-world data helps refine risk assumptions, priorities, and the monitoring program itself
- To bypass the AO
Correct answer: Because real-world data helps refine risk assumptions, priorities, and the monitoring program itself
Monitoring results provide real-world evidence that informs and refines the organization's risk assumptions, priorities, and monitoring strategy over time.
- Status reporting in a continuous monitoring program should be tailored to what?
- The weather
- The vendor's logo
- The office layout
- The information needs of different stakeholders, from technical staff to executives
Correct answer: The information needs of different stakeholders, from technical staff to executives
Effective status reporting is tailored to the audience, giving technical detail to operators and summarized risk posture to executives and the AO.
- An updated System Security Plan during continuous monitoring should reflect what?
- The current state of controls, including changes made since authorization
- Only the original design
- The cafeteria menu
- Marketing updates
Correct answer: The current state of controls, including changes made since authorization
The SSP is a living document that should be kept current to reflect changes to controls and the system since authorization.
- Which of the following is the best example of an organizational governance output that informs continuous monitoring frequency?
- The office seating chart
- A vendor's sales brochure
- Organizational risk tolerance and monitoring policy
- An employee's calendar
Correct answer: Organizational risk tolerance and monitoring policy
Organizational risk tolerance and monitoring policy, products of governance, guide how frequently and intensively controls are monitored.
- When continuous monitoring shows residual risk has increased beyond tolerance, the AO may do what?
- Ignore the change
- Lower the categorization without analysis
- Delete the monitoring program
- Reconsider the authorization, potentially issuing a denial or requiring remediation
Correct answer: Reconsider the authorization, potentially issuing a denial or requiring remediation
If residual risk rises beyond tolerance, the AO can revisit the authorization, requiring remediation or, in extreme cases, withdrawing authorization.
- NIST Special Publication 800-37, Revision 2 is the primary publication that does which of the following?
- Defines the lifecycle process for managing security and privacy risk and authorizing information systems and common controls
- Specifies the minimum security requirements for federal information systems by impact level
- Establishes the methodology for conducting an information security risk assessment
- Provides the catalog of security and privacy controls used to protect systems
Correct answer: Defines the lifecycle process for managing security and privacy risk and authorizing information systems and common controls
NIST SP 800-37, Revision 2 establishes the Risk Management Framework (RMF), the disciplined, structured, and flexible lifecycle process for managing security and privacy risk and for authorizing information systems and common controls to operate. The control catalog is found in SP 800-53, the risk assessment methodology is in SP 800-30, and minimum security categorization requirements derive from FIPS 199/200, not from SP 800-37 itself.
- How many steps make up the NIST Risk Management Framework as defined in SP 800-37, Revision 2?
Correct answer: Seven
Seven steps make up the RMF in SP 800-37, Revision 2. Revision 1 contained six steps (Categorize, Select, Implement, Assess, Authorize, Monitor); Revision 2 added the Prepare step at the front of the lifecycle, bringing the total to seven. Answers citing five, six, or eight reflect either the older revision or a miscount.
- What is the correct order of the seven RMF steps in NIST SP 800-37, Revision 2?
- Categorize, Prepare, Select, Assess, Implement, Authorize, Monitor
- Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
- Prepare, Select, Categorize, Implement, Authorize, Assess, Monitor
- Categorize, Select, Implement, Assess, Authorize, Prepare, Monitor
Correct answer: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
The correct sequence is Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Prepare establishes organizational and system-level readiness before categorization begins, and Monitor sustains the authorization over time. The other sequences misplace Prepare, which always comes first, or invert Categorize and Select.
- The Risk Management Framework is best described as which of the following?
- A checklist of mandatory technical safeguards that all systems must implement
- A scoring model that calculates a single numeric risk rating for each system
- A contractual standard that cloud service providers must meet to sell to the government
- A structured, repeatable lifecycle process for integrating security and privacy risk management into the system development life cycle
Correct answer: A structured, repeatable lifecycle process for integrating security and privacy risk management into the system development life cycle
The Risk Management Framework is a structured, repeatable, and flexible lifecycle process that integrates security and privacy risk management activities into the system development life cycle. It is not a fixed safeguard checklist, a numeric scoring model, or a procurement contract standard; FedRAMP, by contrast, is the program that governs cloud provider authorizations.
- Which RMF step is intended to carry out essential activities at the organization, mission/business process, and information system levels to ready the enterprise to manage its security and privacy risks?
- Categorize
- Prepare
- Authorize
- Select
Correct answer: Prepare
The Prepare step carries out essential activities at the organization, mission/business process, and information system levels to make the enterprise ready to execute the RMF. It was added in SP 800-37 Revision 2 to promote communication, prioritization, and reuse before categorization. Categorize, Select, and Authorize each occur later in the lifecycle and address narrower, system-specific outcomes.
- Which of the following is an organization-level outcome expected from the RMF Prepare step?
- Categorization of the information system based on impact analysis
- Selection of the baseline security controls for a specific information system
- Establishment of the organization-wide risk management strategy and determination of risk tolerance
- Continuous monitoring of control effectiveness after authorization
Correct answer: Establishment of the organization-wide risk management strategy and determination of risk tolerance
Establishing the organization-wide risk management strategy, including the determination of organizational risk tolerance, is an organization-level outcome of the Prepare step. Baseline control selection happens in the Select step, impact-based categorization happens in Categorize, and ongoing effectiveness monitoring happens in Monitor.
- In NIST risk management terminology, the distinction between risk appetite and risk tolerance is best captured by which statement?
- Risk appetite is the broad amount of risk an organization is willing to pursue toward its objectives, while risk tolerance is the acceptable level or variation of risk in specific situations
- Risk appetite is set by the system owner, while risk tolerance is set by the assessor
- Risk appetite applies only to financial risk, while risk tolerance applies only to cybersecurity risk
- Risk appetite is the residual risk after controls, while risk tolerance is the risk before controls are applied
Correct answer: Risk appetite is the broad amount of risk an organization is willing to pursue toward its objectives, while risk tolerance is the acceptable level or variation of risk in specific situations
Risk appetite expresses the broad amount and type of risk an organization is willing to pursue or accept in pursuit of its mission and objectives, while risk tolerance expresses the acceptable level or permissible variation of risk in specific situations. Residual versus inherent risk is a different distinction, and neither concept is limited to a single risk category or set by the assessor.
- An agency's risk management strategy states that no single system outage may exceed four hours and that data loss must stay within a one-hour recovery window. These quantified boundaries are an expression of which concept?
- Threat modeling
- Risk tolerance
- Inherent risk
- Risk appetite
Correct answer: Risk tolerance
Quantified, situation-specific boundaries such as a maximum outage duration or recovery window express risk tolerance, the acceptable level or variation of risk in specific circumstances. Risk appetite is the broader, more strategic statement of how much risk the organization will pursue overall, while inherent risk and threat modeling describe risk conditions rather than acceptance thresholds.
- FISMA, the law that drives federal adoption of the RMF, primarily requires federal agencies to do which of the following?
- Obtain cyber insurance covering the full replacement cost of every system
- Encrypt all federal data at rest using a single government-approved algorithm
- Develop, document, and implement an agency-wide information security program to protect their information and information systems
- Outsource information security operations to an accredited third-party provider
Correct answer: Develop, document, and implement an agency-wide information security program to protect their information and information systems
FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and systems that support its operations and assets, including those provided by other agencies or contractors. It does not mandate a single encryption algorithm, compulsory outsourcing, or cyber insurance.
- Which entity is responsible for developing the standards and guidelines, including FIPS 199 and the SP 800 series, that agencies use to meet FISMA compliance?
- The Office of Management and Budget (OMB)
- The National Institute of Standards and Technology (NIST)
- The Government Accountability Office (GAO)
- The Department of Homeland Security (DHS)
Correct answer: The National Institute of Standards and Technology (NIST)
NIST develops the standards and guidelines, such as the FIPS publications and the SP 800 series, that agencies follow to meet FISMA requirements. OMB oversees agency implementation and reporting, GAO audits federal programs, and DHS provides operational cybersecurity support, but the technical standards themselves are NIST's responsibility.
- Under FISMA and related guidance, how often are federal agencies generally required to report on the effectiveness of their information security programs?
- Annually
- Every five years
- Only when a major incident occurs
- Every three years
Correct answer: Annually
FISMA establishes annual reporting on the effectiveness of agency information security programs, with results provided to OMB and Congress. Triennial and five-year cycles do not match the FISMA reporting cadence, and reporting is continuous and scheduled rather than triggered solely by incidents, though major incidents carry their own additional reporting obligations.
- NIST SP 800-39 organizes information security risk management into three tiers. Which set correctly names those tiers from highest to lowest?
- Organization, mission/business process, and information system
- Federal, state, and local
- Strategic, tactical, and operational
- Executive, managerial, and technical
Correct answer: Organization, mission/business process, and information system
SP 800-39 defines three tiers: Tier 1 the organization level, Tier 2 the mission/business process level, and Tier 3 the information system level. This layered structure ensures risk decisions made at the top inform and constrain decisions made below. The other groupings are not the tier model defined in SP 800-39.
- NIST SP 800-39 defines four components of the overall risk management process. Which of the following is one of those four components?
- Documenting risk
- Categorizing risk
- Authorizing risk
- Framing risk
Correct answer: Framing risk
Framing risk is one of the four components of the SP 800-39 risk management process, alongside assessing, responding to, and monitoring risk. Categorizing and authorizing are RMF steps from SP 800-37, and documenting is an activity that supports each component rather than a component in its own right.
- In the risk framing component of SP 800-39, an organization makes explicit its assumptions, constraints, risk tolerances, and priorities and trade-offs. These elements collectively produce which output?
- The authorization decision
- The risk management strategy
- The plan of action and milestones
- The system security plan
Correct answer: The risk management strategy
Framing risk, by making assumptions, constraints, risk tolerances, and priorities and trade-offs explicit, produces the organizational risk management strategy that governs how risk is assessed, responded to, and monitored. The system security plan, plan of action and milestones, and authorization decision are system-level RMF artifacts that the strategy guides, not the output of framing.
- Which document, primarily referenced for conducting risk assessments, supplies the methodology for identifying threat sources, vulnerabilities, likelihood, and impact in support of RMF risk decisions?
- NIST SP 800-53
- NIST SP 800-18
- NIST SP 800-30
- NIST SP 800-37
Correct answer: NIST SP 800-30
NIST SP 800-30 provides the guide for conducting risk assessments, including the steps for identifying threat sources and events, vulnerabilities, likelihood, and impact. SP 800-53 is the control catalog, SP 800-37 is the RMF lifecycle, and SP 800-18 covers system security plan development.
- A program manager wants to assign accountability for a set of controls that multiple systems will inherit rather than implement individually. Within the risk management program, this responsibility is best assigned to which role?
- An information system owner
- An authorizing official designated representative
- A common control provider
- A security control assessor
Correct answer: A common control provider
A common control provider is responsible for developing, implementing, assessing, and maintaining controls that are inherited by multiple systems. An information system owner is accountable for a specific system, the security control assessor independently evaluates controls, and the authorizing official designated representative acts on behalf of the AO; none of those roles owns inheritable common controls.
- Within RMF roles and responsibilities, who is responsible for the development and maintenance of the system security plan and ensures the system is deployed and operated in accordance with the agreed-upon controls?
- Risk executive (function)
- Security control assessor
- Information system owner
- Authorizing official
Correct answer: Information system owner
The information system owner is responsible for developing and maintaining the system security plan and for ensuring the system is operated according to the selected and agreed-upon controls. The authorizing official accepts risk, the security control assessor independently evaluates control effectiveness, and the risk executive function provides organization-wide risk oversight.
- The risk executive (function) described in NIST guidance primarily serves which purpose within the risk management program?
- Granting the final authorization to operate for every individual information system
- Providing an organization-wide, holistic view of risk so that risk decisions across systems remain consistent with the enterprise risk strategy
- Writing the system-level contingency and incident response plans
- Performing the independent technical assessment of each system's security controls
Correct answer: Providing an organization-wide, holistic view of risk so that risk decisions across systems remain consistent with the enterprise risk strategy
The risk executive (function) ensures an organization-wide, holistic perspective on risk so that risk-based decisions across individual systems remain consistent with the enterprise's strategic goals and risk tolerance. Independent assessment belongs to the assessor, authorization to the authorizing official, and system-level plans to the system owner and supporting staff.
- FedRAMP applies the RMF and NIST controls specifically to which type of system, providing a government-wide approach to authorization?
- Personal mobile devices issued to federal employees
- Classified national security systems
- Cloud products and services used by federal agencies
- Industrial control systems in critical infrastructure
Correct answer: Cloud products and services used by federal agencies
FedRAMP, the Federal Risk and Authorization Management Program, provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. It is not the program for classified national security systems, industrial control systems, or personal mobile device management.
- An organization is establishing its risk management program and must decide how much it relies on automated tooling versus manual review for control assessment, given limited staff. Documenting this decision as part of risk framing reflects which framing element?
- Risk tolerance
- Priorities and trade-offs
- Constraints
- Risk assumptions
Correct answer: Priorities and trade-offs
Deciding how to balance competing approaches, such as automated tooling versus manual review given limited resources, is a priorities and trade-offs framing element in SP 800-39. Constraints describe boundaries on available alternatives, risk assumptions describe beliefs about threats and likelihood, and risk tolerance describes acceptable levels of risk, none of which captures the act of weighing competing options against each other.
- During Prepare at the system level, the organization conducts a system-level risk assessment that informs later categorization and control selection. Which publication's methodology supports this assessment?
- FIPS 200
- NIST SP 800-60
- NIST SP 800-137
- NIST SP 800-30
Correct answer: NIST SP 800-30
The system-level risk assessment performed during Prepare uses the methodology in NIST SP 800-30. SP 800-60 maps information types to impact levels for categorization, FIPS 200 specifies minimum security requirements, and SP 800-137 governs continuous monitoring, so none of those provides the risk assessment methodology itself.
- Which statement best describes residual risk in the context of a risk management program?
- The risk that remains after security and privacy controls have been implemented
- The risk that an organization deliberately chooses to avoid entirely
- The risk transferred to a third party through a contract
- The total risk present before any controls are applied
Correct answer: The risk that remains after security and privacy controls have been implemented
Residual risk is the risk remaining after controls have been implemented to reduce the initial exposure. Risk before any controls is inherent risk, risk shifted to another party is transferred risk, and risk eliminated by not engaging in the activity is avoided risk. The authorizing official accepts residual risk when granting an authorization.
- Risk response in NIST SP 800-39 includes selecting from a defined set of courses of action. Which of the following is one of those recognized risk response options?
- Risk framing
- Risk authorization
- Risk categorization
- Risk mitigation
Correct answer: Risk mitigation
Risk mitigation is one of the recognized risk response courses of action in SP 800-39, along with accepting, avoiding, transferring, and sharing risk. Categorization and authorization are RMF steps, and framing is a separate component of the risk management process that precedes and informs the response, not a response option itself.
- An authorizing official decides that the cost of additional controls outweighs the value of further risk reduction and formally agrees to operate the system at its current risk level. This is an example of which risk response?
- Risk avoidance
- Risk acceptance
- Risk mitigation
- Risk transfer
Correct answer: Risk acceptance
Formally agreeing to operate at the current residual risk level rather than spending more to reduce it is risk acceptance. Risk avoidance would mean not operating the system at all, risk transfer would shift the consequence to another party such as an insurer, and risk mitigation would apply additional controls to lower the risk.
- How does integrating privacy into the RMF, as reflected in SP 800-37 Revision 2, change the scope of the risk management program?
- It limits the program to systems that store classified national security information
- It removes the need for an authorizing official to make a risk decision
- It requires consideration of risks to individuals arising from the processing of personally identifiable information, not just risks to organizational operations
- It replaces security controls with a separate privacy-only control catalog
Correct answer: It requires consideration of risks to individuals arising from the processing of personally identifiable information, not just risks to organizational operations
Revision 2 integrates privacy by requiring the program to address risks to individuals that arise from the authorized processing of personally identifiable information, broadening the scope beyond organizational mission and asset risk. Security and privacy controls coexist within the single SP 800-53 catalog, the program is not limited to classified systems, and the authorizing official's risk decision remains central.
- A common control that is inherited by many systems is later found to be ineffective. Within the risk management program, what is the most significant consequence of this finding?
- The control automatically converts to a system-specific control
- Only the common control provider's own system is affected
- The finding is recorded but cannot affect any system's authorization
- The weakness propagates to every system that inherited the control, amplifying organizational risk
Correct answer: The weakness propagates to every system that inherited the control, amplifying organizational risk
Because a common control is inherited by many systems, a deficiency in it propagates to all of those systems, amplifying risk across the organization and potentially affecting multiple authorizations. The impact is not confined to the provider, it can absolutely affect inheriting systems' authorizations, and the control does not automatically reclassify itself.
- Which FIPS publication establishes the standards for categorizing information and information systems by potential impact, providing the foundation that the RMF Categorize step relies on?
- FIPS 200
- FIPS 201
- FIPS 140-3
- FIPS 199
Correct answer: FIPS 199
FIPS 199 establishes standards for security categorization of information and information systems based on the potential impact (low, moderate, high) to confidentiality, integrity, and availability. FIPS 200 specifies minimum security requirements, FIPS 140-3 addresses cryptographic module validation, and FIPS 201 covers personal identity verification.
- An organization wants its information security risk management program to align with a globally recognized, sector-agnostic standard for establishing an information security management system. Which standard best fits this goal?
- ISO/IEC 27001
- COBIT 2019
- PCI DSS
- NIST SP 800-37
Correct answer: ISO/IEC 27001
ISO/IEC 27001 is the international standard for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) and is sector-agnostic. SP 800-37 is the U.S. federal RMF, COBIT focuses on IT governance and management, and PCI DSS is specific to the payment card industry.
- Within a governance structure, which mechanism most directly ensures that information security risk decisions remain aligned with the organization's mission and strategic objectives over time?
- A signed acceptable use policy acknowledged by all employees
- Periodic vulnerability scans performed by the operations team
- Oversight by senior leadership and a risk executive function that link risk decisions to mission priorities
- A documented incident response runbook maintained by the SOC
Correct answer: Oversight by senior leadership and a risk executive function that link risk decisions to mission priorities
Governance ensures alignment between risk decisions and mission through senior leadership oversight and a risk executive function that translate strategic objectives and risk tolerance into consistent, organization-wide risk decisions. Vulnerability scans, incident runbooks, and acceptable use policies are operational or control-level activities that support, but do not themselves provide, this strategic alignment.
- FIPS 199 is the federal standard that primarily governs which activity within the RMF?
- Establishing the security category of information and information systems based on potential impact
- Conducting the assessment of control effectiveness before authorization
- Selecting the minimum set of security and privacy controls for a system
- Granting the authorization decision and accepting residual risk
Correct answer: Establishing the security category of information and information systems based on potential impact
Establishing the security category of information and information systems based on potential impact is the purpose of FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. FIPS 199 defines how to assign low, moderate, or high impact values; it does not select controls (that is FIPS 200 and SP 800-53), assess them, or render the authorization decision.
- Under FIPS 199, the potential impact value assigned to each security objective must be one of which set of values?
- Acceptable, tolerable, intolerable
- Critical, major, minor, negligible
- Low, moderate, high (or not applicable for confidentiality)
- Tier 1, Tier 2, Tier 3
Correct answer: Low, moderate, high (or not applicable for confidentiality)
Low, moderate, high (or not applicable for confidentiality) are the only acceptable potential-impact values under FIPS 199. A loss producing a limited adverse effect is low, a serious adverse effect is moderate, and a severe or catastrophic adverse effect is high. The 'not applicable' value can apply only to confidentiality for information types (e.g., publicly available information); it cannot be used for integrity or availability, and it cannot be applied at the system level.
- When determining a FIPS 199 impact level, what distinguishes a moderate-impact rating from a high-impact rating for a given security objective?
- Moderate applies only to availability, while high applies only to confidentiality
- Moderate means a serious adverse effect, while high means a severe or catastrophic adverse effect
- Moderate means a limited adverse effect, while high means a serious adverse effect
- Moderate requires encryption, while high requires multifactor authentication
Correct answer: Moderate means a serious adverse effect, while high means a severe or catastrophic adverse effect
Moderate means a serious adverse effect, while high means a severe or catastrophic adverse effect, per the FIPS 199 definitions of potential impact. Low corresponds to a limited adverse effect. These levels describe the expected consequence to organizational operations, assets, or individuals from a loss of confidentiality, integrity, or availability, and they are not tied to specific controls or to a single objective.
- An analyst writes the security category of an information type as SC = {(confidentiality, MODERATE), (integrity, LOW), (availability, LOW)}. What does this expression communicate?
- The system must implement exactly three controls
- The number of interconnections the system maintains
- The potential impact level assigned to each of the three security objectives for that information type
- The order in which controls will be assessed during the Assess step
Correct answer: The potential impact level assigned to each of the three security objectives for that information type
The potential impact level assigned to each of the three security objectives for that information type is exactly what the FIPS 199 SC expression communicates. The generalized form is SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where each impact value is low, moderate, or high (or not applicable for confidentiality of an information type). It conveys impact, not control counts, interconnections, or assessment sequencing.
- A system processes one information type categorized as {C: LOW, I: MODERATE, A: LOW} and a second categorized as {C: MODERATE, I: LOW, A: HIGH}. Applying the high-water mark, what is the overall system security category?
- {C: LOW, I: LOW, A: LOW}
- {C: MODERATE, I: MODERATE, A: HIGH}
- {C: MODERATE, I: MODERATE, A: MODERATE}
- {C: HIGH, I: HIGH, A: HIGH}
Correct answer: {C: MODERATE, I: MODERATE, A: HIGH}
{C: MODERATE, I: MODERATE, A: HIGH} is correct because the high-water mark sets each objective to the highest value found among all information types for that same objective. Confidentiality takes the higher of LOW and MODERATE (MODERATE), integrity takes the higher of MODERATE and LOW (MODERATE), and availability takes the higher of LOW and HIGH (HIGH). The high-water mark is applied per objective, not by forcing every objective to the single highest value seen anywhere.
- After applying the high-water mark to derive the three objective impact values, how is the single overall impact level of the system commonly determined for control-baseline selection?
- By averaging the three objective impact values
- By taking the highest of the three objective impact values
- By taking the lowest of the three objective impact values
- By taking the confidentiality value only
Correct answer: By taking the highest of the three objective impact values
Taking the highest of the three objective impact values yields the overall system impact level used to choose a control baseline. For example, a system with confidentiality moderate, integrity moderate, and availability high is an overall high-impact system. Averaging or taking the lowest value would understate the protection the system actually requires.
- Which RMF step is responsible for security categorization, and which document provides the methodology used to carry it out?
- The Categorize step, using FIPS 199 supported by SP 800-60
- The Select step, using SP 800-53
- The Authorize step, using SP 800-37
- The Monitor step, using SP 800-137
Correct answer: The Categorize step, using FIPS 199 supported by SP 800-60
The Categorize step, using FIPS 199 supported by SP 800-60, is correct. FIPS 199 sets the categorization standard, and SP 800-60 provides the methodology and catalog for mapping information types to provisional impact levels. SP 800-53 supports control selection in the Select step, while SP 800-37 governs the overall RMF and authorization.
- What is the primary purpose of NIST SP 800-60 within the security categorization process?
- To define the steps of the Risk Management Framework
- To provide a catalog of information types with recommended provisional impact levels for confidentiality, integrity, and availability
- To specify continuous monitoring metrics and frequencies
- To list the minimum security requirements for each impact level
Correct answer: To provide a catalog of information types with recommended provisional impact levels for confidentiality, integrity, and availability
Providing a catalog of information types with recommended provisional impact levels for confidentiality, integrity, and availability is the core purpose of SP 800-60. It helps practitioners identify the information types a system handles and start from a recommended impact value, which they then adjust based on context. Minimum requirements come from FIPS 200, the RMF steps from SP 800-37, and monitoring guidance from SP 800-137.
- When using SP 800-60, why are the impact levels it assigns to information types described as 'provisional' rather than final?
- They expire automatically after one year
- They apply only to availability and never to confidentiality or integrity
- They must be approved by the assessor before the Categorize step begins
- They are starting recommendations that organizations adjust based on situational and operational context
Correct answer: They are starting recommendations that organizations adjust based on situational and operational context
Provisional impact levels are starting recommendations that organizations adjust based on situational and operational context. SP 800-60 provides a recommended value for each information type, but the system owner reviews factors such as aggregation, special handling, and mission sensitivity, then raises or confirms the value to reach a final categorization. The provisional label reflects this adjustment step, not an expiration or an approval gate.
- An organization has completed FIPS 199 categorization for a new system. According to the sequencing of federal standards, what is the next standard applied, and what does it govern?
- FIPS 186, which governs digital signature algorithms
- FIPS 200, which establishes the minimum security requirements for the categorized impact level
- FIPS 201, which governs personal identity verification credentials
- FIPS 140, which governs cryptographic module validation
Correct answer: FIPS 200, which establishes the minimum security requirements for the categorized impact level
FIPS 200, which establishes the minimum security requirements for the categorized impact level, follows FIPS 199 in sequence. FIPS 199 determines the impact level, and FIPS 200 then requires organizations to meet minimum security requirements across the control families, implemented through the SP 800-53 baselines. The other FIPS publications address cryptography and identity credentials, not categorization-driven minimum requirements.
- A practitioner is asked to summarize the difference between FIPS 199 and FIPS 200. Which statement is accurate?
- FIPS 199 applies to private companies, while FIPS 200 applies only to contractors
- FIPS 199 categorizes information and systems by impact, while FIPS 200 sets minimum security requirements based on that categorization
- FIPS 199 and FIPS 200 are interchangeable names for the same categorization standard
- FIPS 199 selects the actual controls, while FIPS 200 categorizes the system
Correct answer: FIPS 199 categorizes information and systems by impact, while FIPS 200 sets minimum security requirements based on that categorization
FIPS 199 categorizes information and systems by impact, while FIPS 200 sets minimum security requirements based on that categorization. Categorization with FIPS 199 must come first because FIPS 200 uses the resulting impact level to drive the minimum requirements across control families. The two are distinct, sequential standards, not interchangeable, and both apply to federal information systems.
- In SP 800-37 Rev. 2, the set of system elements included within the authorization boundary primarily serves what function?
- It fixes the dollar value of the system for budgeting
- It determines which assessor is assigned to the engagement
- It sets the frequency of continuous monitoring activities
- It defines the system, establishing the scope of what will be authorized
Correct answer: It defines the system, establishing the scope of what will be authorized
Defining the system and establishing the scope of what will be authorized is the function of the authorization boundary in SP 800-37 Rev. 2. The set of system elements included within the boundary is what the boundary delineates, and that delineation is the scope the authorizing official will accept risk for. Assessor assignment, monitoring frequency, and budgeting are separate activities.
- An architect is deciding which system elements belong inside a single authorization boundary. According to SP 800-37 Rev. 2 guidance, which grouping rationale is most appropriate?
- Group elements that were deployed in the same calendar quarter
- Group elements that are generally under the same direct management and support related mission functions or reside in the same operating environment
- Group elements purchased from the same vendor regardless of function
- Group elements solely by their network IP address range
Correct answer: Group elements that are generally under the same direct management and support related mission functions or reside in the same operating environment
Grouping elements that are generally under the same direct management and support related mission functions or reside in the same operating environment is the rationale SP 800-37 Rev. 2 offers for defining an authorization boundary. Considerations include elements that process, store, and transmit similar types of information categorized at the same impact level and operate under common management. Vendor, deployment date, or IP range alone are not the basis for boundary inclusion.
- A cloud-hosted application relies on a FedRAMP-authorized platform for its underlying infrastructure controls. When the application team defines its own authorization boundary, how should those inherited platform services be treated?
- They automatically raise the application's impact level to high
- They are excluded from all documentation because the provider owns them
- They must be fully re-implemented and re-tested inside the application boundary
- They are identified as leveraged or inherited from the provider's authorization, with the application boundary documenting the inheritance and any customer responsibilities
Correct answer: They are identified as leveraged or inherited from the provider's authorization, with the application boundary documenting the inheritance and any customer responsibilities
Identifying inherited platform services as leveraged from the provider's authorization, with the application boundary documenting the inheritance and any customer responsibilities, is the correct treatment. In FedRAMP and RMF, a system can inherit common or provider-managed controls; the boundary documentation must show what is inherited and clarify the customer-responsible portions, often via a responsibility matrix. Re-implementing inherited controls or omitting them from documentation both misrepresent the true scope.
- What is NIST Special Publication 800-53?
- A guide for conducting quantitative risk assessments of federal systems
- A standard that assigns systems a low, moderate, or high impact level
- A catalog of security and privacy controls that organizations select, tailor, and implement to protect information systems
- A regulation requiring annual penetration testing of government networks
Correct answer: A catalog of security and privacy controls that organizations select, tailor, and implement to protect information systems
NIST SP 800-53 is a catalog of security and privacy controls for information systems and organizations. In the RMF Select step practitioners draw from this catalog to choose, tailor, and document the controls that will protect the system. Categorization into impact levels is the work of FIPS 199, not SP 800-53 itself.
- How many control families are defined in NIST SP 800-53 Revision 5?
Correct answer: 20
NIST SP 800-53 Revision 5 organizes its controls into 20 families. Revision 4 had 18; Revision 5 added two: PT (PII Processing and Transparency) and SR (Supply Chain Risk Management). Knowing the count and structure helps a practitioner navigate the catalog during the Select step.
- Which two control families were newly introduced in NIST SP 800-53 Revision 5 compared to Revision 4?
- PM (Program Management) and PL (Planning)
- RA (Risk Assessment) and CA (Assessment, Authorization, and Monitoring)
- PT (PII Processing and Transparency) and SR (Supply Chain Risk Management)
- AC (Access Control) and AU (Audit and Accountability)
Correct answer: PT (PII Processing and Transparency) and SR (Supply Chain Risk Management)
The PT (Personally Identifiable Information Processing and Transparency) and SR (Supply Chain Risk Management) families are the two added in Revision 5. The others listed existed in prior revisions. Their addition reflects the integration of privacy and supply chain considerations into control selection.
- A CGRC practitioner is documenting which of the 20 NIST SP 800-53 control families a selected control belongs to. A control requiring multifactor authentication for system access would fall under which family identifier?
- IA (Identification and Authentication)
- SC (System and Communications Protection)
- AU (Audit and Accountability)
- AC (Access Control)
Correct answer: IA (Identification and Authentication)
Multifactor authentication is addressed in the IA (Identification and Authentication) family, which covers verifying the identity of users and devices. Access Control (AC) governs what an authenticated subject may do, System and Communications Protection (SC) addresses boundary and transmission protection, and Audit and Accountability (AU) covers logging.
- What is a System Security Plan (SSP) in the context of the RMF?
- A report listing the findings of an independent control assessment
- The primary document that describes the system, its boundary and environment, and the security and privacy controls selected to protect it
- A tracking document of unresolved weaknesses and their remediation milestones
- The signed decision granting a system authorization to operate
Correct answer: The primary document that describes the system, its boundary and environment, and the security and privacy controls selected to protect it
The System Security Plan describes the system, its authorization boundary and operating environment, and the controls selected and planned to protect it. The assessment findings live in the Security Assessment Report, weaknesses in the POA&M, and the decision in the authorization decision document. The SSP is the central artifact produced during the Select step.
- During the RMF Select step, an organization finalizes which document as the primary output capturing the selected and tailored controls and how they will be implemented?
- The Plan of Action and Milestones
- The Security Assessment Report
- The Risk Assessment Report
- The System Security Plan
Correct answer: The System Security Plan
The System Security Plan (SSP) is the primary output of the Select step, capturing the selected and tailored controls and the planned implementation approach. The SAR comes from the Assess step, the POA&M tracks weaknesses after assessment, and the Risk Assessment Report informs but is not the SSP. An SSP in RMF is the blueprint the assessor and authorizing official rely on.
- What is the primary purpose of FIPS 200 within the RMF?
- It defines the continuous monitoring strategy for authorized systems
- It specifies minimum security requirements across 17 areas and mandates a risk-based process for selecting controls from SP 800-53
- It categorizes systems as low, moderate, or high based on potential impact
- It provides the procedures assessors use to evaluate control effectiveness
Correct answer: It specifies minimum security requirements across 17 areas and mandates a risk-based process for selecting controls from SP 800-53
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, establishes minimum security requirements across security-related areas and requires organizations to select controls from SP 800-53 through a risk-based process. Categorization is the role of FIPS 199, assessment procedures come from SP 800-53A, and monitoring guidance from SP 800-137. FIPS 200 is the mandatory trigger for control selection.
- In what sequence do FIPS 199 and FIPS 200 operate when an organization begins control selection?
- FIPS 200 categorizes the system, then FIPS 199 selects controls
- FIPS 199 categorizes the system by impact, then FIPS 200 requires selecting a corresponding control baseline from SP 800-53
- FIPS 199 and FIPS 200 are applied only after controls are assessed
- FIPS 200 sets impact levels and FIPS 199 sets minimum requirements
Correct answer: FIPS 199 categorizes the system by impact, then FIPS 200 requires selecting a corresponding control baseline from SP 800-53
FIPS 199 is applied first to categorize the system by potential impact (low, moderate, high), and FIPS 200 then mandates that the organization select a baseline of controls commensurate with that categorization. The categorization output of FIPS 199 directly drives which SP 800-53B baseline FIPS 200 requires.
- Which publication contains the actual low, moderate, and high control baselines that an organization selects based on its system categorization?
- NIST SP 800-53A
- NIST SP 800-53B
- NIST SP 800-37
- FIPS 199
Correct answer: NIST SP 800-53B
NIST SP 800-53B is the companion publication that provides the low, moderate, and high security control baselines plus a privacy baseline. SP 800-53 is the control catalog itself, SP 800-53A provides assessment procedures, and SP 800-37 defines the RMF process. The Select step pulls the starting baseline from SP 800-53B.
- A system has been categorized as moderate impact under FIPS 199. Which control baseline must the organization use as its starting point for control selection?
- The high baseline, to be conservative
- The low baseline, then add controls only if breaches occur
- The moderate baseline in NIST SP 800-53B
- A custom baseline created from scratch for the system
Correct answer: The moderate baseline in NIST SP 800-53B
A moderate-impact categorization maps to the moderate baseline in SP 800-53B, which is the required starting point before tailoring. Selecting the high baseline would over-control without justification, the low baseline would under-protect, and there is no need to build from scratch when standardized baselines exist. The categorization determines the baseline.
- What primarily distinguishes the low, moderate, and high control baselines from one another?
- They contain progressively more controls and control enhancements to match increasing potential impact
- They differ only in the documentation format required
- They correspond to short, medium, and long authorization periods
- They apply to small, medium, and large organizations respectively
Correct answer: They contain progressively more controls and control enhancements to match increasing potential impact
The low, moderate, and high baselines contain increasing numbers of controls and enhancements, reflecting the greater protection needed as the potential impact of a compromise rises. The baselines are tied to the FIPS 199 impact level of the system, not to organization size, documentation format, or authorization duration.
- What is the defining characteristic of a common control as opposed to a system-specific control?
- It is implemented once at the organizational level and can be inherited by multiple systems
- It is unique to a single system and cannot be reused
- It is always automated rather than procedural
- It applies only to low-impact systems
Correct answer: It is implemented once at the organizational level and can be inherited by multiple systems
A common control is developed, implemented, and maintained at the organizational level and inherited by multiple systems, such as facility physical security or an enterprise security awareness program. A system-specific control is implemented for and unique to one system. The distinction drives who is responsible for the control and how inheritance is documented.
- A facility's physical access control and the enterprise incident response capability protect every system housed there. How should these controls most appropriately be designated during control selection?
- As compensating controls for a failed baseline
- As common controls inherited by the systems in the facility
- As system-specific controls for each individual system
- As controls that may be excluded from each system's SSP
Correct answer: As common controls inherited by the systems in the facility
Facility physical access control and an enterprise incident response capability are classic common controls, implemented once and inherited by all systems they protect. Designating them system-specific would force redundant implementation, they are not compensating controls, and they must still appear in each system's SSP as inherited. Identifying common controls reduces duplication and cost.
- What is control inheritance in the RMF?
- The automatic application of the high baseline to all interconnected systems
- The transfer of authorization authority from one official to another
- A system receiving protection from a control implemented and managed by another entity, such as a common control provider
- The reuse of assessment results from a prior fiscal year without review
Correct answer: A system receiving protection from a control implemented and managed by another entity, such as a common control provider
Control inheritance occurs when a system relies on a control that is provided and managed by another entity, typically a common control provider, rather than implementing it itself. It is not about baselines, authority transfer, or stale assessment reuse. Inherited controls must be documented in the inheriting system's SSP so responsibility is clear.
- A control that is partially provided as a common control by the organization and partially implemented by the individual system is best described as which type?
- An organization-defined parameter
- A compensating control
- A hybrid control
- A purely common control
Correct answer: A hybrid control
A hybrid control is one for which part of the implementation is inherited as a common control and part is system-specific. For example, an organization may provide a baseline incident response policy (common) while each system implements its own response procedures (system-specific). Documenting controls as common, hybrid, or system-specific clarifies who is accountable for each part.
- What does control tailoring in NIST SP 800-53 allow an organization to do?
- Skip controls the organization finds inconvenient without justification
- Replace the entire control catalog with vendor-supplied defaults
- Modify a baseline by applying scoping, assigning parameters, adding or removing controls, and selecting compensating controls with documented rationale
- Lower the system's FIPS 199 categorization to reduce the workload
Correct answer: Modify a baseline by applying scoping, assigning parameters, adding or removing controls, and selecting compensating controls with documented rationale
Tailoring adjusts a starting baseline through scoping decisions, assigning organization-defined parameters, supplementing or removing controls, and applying compensating controls, all with documented rationale. It does not permit discarding controls arbitrarily or manipulating the categorization. Tailoring produces a control set fitted to the system while preserving traceability.
- During tailoring, an organization determines that a mobile device control in the baseline does not apply because the system has no mobile devices and none can connect. Which tailoring action is being applied?
- Raising the system to the high baseline
- Adding a compensating control
- Assigning an organization-defined parameter
- A scoping consideration that removes a non-applicable control with documented justification
Correct answer: A scoping consideration that removes a non-applicable control with documented justification
Determining that a control does not apply because the underlying technology or condition is absent is a scoping consideration, a recognized tailoring action that removes the control with documented justification. It is not a compensating control, a parameter assignment, or a baseline change. Scoping keeps the control set relevant to the actual system.
- What is a control overlay in the NIST control selection process?
- A summary of assessment findings overlaid on the SSP
- A fully specified set of controls, enhancements, and parameter values tailored for a specific community of interest, mission, or technology
- A temporary waiver allowing a system to operate without certain controls
- A network diagram showing how controls connect
Correct answer: A fully specified set of controls, enhancements, and parameter values tailored for a specific community of interest, mission, or technology
An overlay is a fully specified, reusable set of controls, enhancements, and parameter assignments tailored for a particular community, mission, technology, or environment, such as a cloud or industrial control system overlay. It is not a diagram, a waiver, or a findings summary. Overlays promote consistent, repeatable tailoring across similar systems.
- An agency operating many similar cloud-based systems wants a consistent, reusable tailored control set so each project does not tailor from scratch. Which mechanism best meets this need?
- Lowering each system to the low baseline
- Removing the continuous monitoring strategy requirement
- Issuing a separate compensating control for each system
- Developing or adopting a control overlay for that technology
Correct answer: Developing or adopting a control overlay for that technology
A control overlay provides a reusable, fully specified tailored control set for a defined community or technology, ideal for many similar cloud systems. Lowering baselines, scattering compensating controls, or dropping monitoring would not achieve consistency and would weaken protection. Overlays standardize and accelerate the Select step across like systems.
- What is the main activity of the Select step in the NIST Risk Management Framework?
- Determining the potential impact level of the system and its information
- Choosing, tailoring, and documenting the security and privacy controls needed to protect the system based on its categorization
- Evaluating whether implemented controls are operating as intended
- Formally accepting the residual risk of operating the system
Correct answer: Choosing, tailoring, and documenting the security and privacy controls needed to protect the system based on its categorization
The Select step chooses a control baseline, tailors it, and documents the resulting controls and the continuous monitoring strategy in the SSP. Determining impact level is Categorize, evaluating implemented controls is Assess, and accepting residual risk is Authorize. Select translates the categorization into a concrete, documented control set.
- Which RMF step immediately precedes the Select step and provides its key input?
- Monitor, which provides ongoing status reports
- Assess, which provides control findings
- Authorize, which provides the risk acceptance decision
- Categorize, which determines the impact level that drives baseline selection
Correct answer: Categorize, which determines the impact level that drives baseline selection
Categorize immediately precedes Select and supplies the FIPS 199 impact level that determines which SP 800-53B baseline is chosen. Assess, Authorize, and Monitor all come later in the lifecycle. Without the categorization output, the organization cannot determine the correct starting baseline for selection.
- NIST SP 800-37 Revision 2 added an alternative to starting from a predefined baseline. What is this alternative control selection approach?
- An approach that authorizes the system without an assessment
- An approach that eliminates the need for a System Security Plan
- An approach that automatically inherits all controls from a parent system
- An organization-generated control selection that builds the control set from the catalog using a risk-based analysis rather than a predefined baseline
Correct answer: An organization-generated control selection that builds the control set from the catalog using a risk-based analysis rather than a predefined baseline
Revision 2 of SP 800-37 introduced an organization-generated control selection approach, allowing organizations to build a control set directly from the catalog using risk analysis instead of starting from a predefined SP 800-53B baseline. It does not remove the SSP, skip assessment, or force blanket inheritance. This flexibility supports systems where standard baselines fit poorly.
- Beyond selecting controls, the Select step requires the organization to develop which forward-looking element documented in the SSP?
- A continuous monitoring strategy defining which controls are monitored, the metrics, and the frequency
- The system disposal and media sanitization plan
- The independent assessor's signed Security Assessment Report
- The final authorization decision document
Correct answer: A continuous monitoring strategy defining which controls are monitored, the metrics, and the frequency
The Select step requires developing a continuous monitoring strategy that defines which controls will be monitored, the associated metrics, and the monitoring frequency, so ongoing oversight is planned from the outset. The authorization decision, the assessor's SAR, and disposal activities belong to later steps. Planning monitoring early enables ongoing authorization later.
- When privacy controls are selected, NIST SP 800-53B provides which dedicated construct to identify the controls supporting an organization's privacy program?
- An automatic exemption from the security baseline
- A requirement to omit all PT-family controls
- A privacy control baseline distinct from the security baselines
- A separate FIPS 199 privacy impact level
Correct answer: A privacy control baseline distinct from the security baselines
SP 800-53B includes a privacy control baseline, distinct from the low, moderate, and high security baselines, identifying controls that support the privacy program where PII is processed. There is no separate FIPS 199 privacy impact level, no automatic exemption, and the PT family is specifically relevant to privacy, not omitted. The privacy baseline guides privacy control selection.
- An assessor reviewing an SSP finds a baseline control marked as not selected, but the rationale field is blank. Why is this a control selection deficiency?
- The SSP is not required to list controls that were not selected
- Baseline controls can never be removed under any circumstance
- Only the authorizing official may write tailoring rationale
- Removing or not selecting a baseline control requires documented justification to preserve traceability of tailoring decisions
Correct answer: Removing or not selecting a baseline control requires documented justification to preserve traceability of tailoring decisions
Any tailoring action that removes or declines a baseline control must include documented justification so the decision is traceable and defensible. Baseline controls can be tailored out when properly justified, the system owner and supporting roles document rationale (not solely the AO), and the SSP must reflect tailoring decisions. Missing rationale breaks the audit trail of the Select step.
- Why must the System Security Plan and the selected controls be reviewed and approved before the system moves into the Implement step?
- To grant the system its authorization to operate
- To confirm the planned controls are complete, consistent, and acceptable before resources are committed to building them
- To set the system's FIPS 199 impact level
- To finalize the assessment findings for the AO
Correct answer: To confirm the planned controls are complete, consistent, and acceptable before resources are committed to building them
Reviewing and approving the SSP at the end of Select confirms the planned controls are complete, consistent, and acceptable before implementation resources are spent. It does not grant the ATO (that is Authorize), produce assessment findings (Assess), or set the impact level (Categorize). This gate prevents costly rework from building an inadequate control set.
- In NIST SP 800-37 Rev 2, the Implement step (RMF step 4) consists of which two primary tasks?
- Control Implementation and Update Control Implementation Information
- Categorize System and Document Security Categorization
- Select Controls and Document Planned Control Implementations
- Assessment Preparation and Control Assessment
Correct answer: Control Implementation and Update Control Implementation Information
The Implement step contains Task I-1 (Control Implementation) and Task I-2 (Update Control Implementation Information). Task I-1 puts the selected controls into operation; Task I-2 updates the security and privacy plans with the as-implemented details so they reflect what was actually deployed. Control selection and assessment belong to the Select and Assess steps, not Implement.
- During the Implement step, residual risk is most accurately defined as which of the following?
- The risk present before any controls are applied
- The portion of risk transferred to a third party or insurer
- The maximum amount of risk the organization is willing to accept
- The risk that remains after security and privacy controls and other mitigations have been applied
Correct answer: The risk that remains after security and privacy controls and other mitigations have been applied
Residual risk is the risk that remains after the selected controls have been implemented and any other mitigations applied. It is what the authorizing official ultimately weighs when deciding whether to authorize the system. Risk before controls is inherent risk, and the amount of risk an organization will accept is its risk tolerance or appetite.
- NIST SP 800-37 Rev 2 directs that controls be implemented in a manner consistent with which engineering guidance?
- The service management practices of ITIL
- The financial accounting controls of SOX
- Systems security engineering principles, such as those in NIST SP 800-160 Volume 1
- The project scheduling methods of PMBOK
Correct answer: Systems security engineering principles, such as those in NIST SP 800-160 Volume 1
The Implement step references systems security engineering methodologies and concepts found in NIST SP 800-160 Volume 1 so that controls are integrated soundly into the system rather than bolted on. Applying engineering principles during implementation increases the assurance that controls will operate correctly. SOX, PMBOK, and ITIL are not the engineering references RMF points to for control implementation.
- An organization is implementing controls for a system but cannot obtain direct visibility into how a commercial off-the-shelf (COTS) product enforces them. SP 800-37 suggests the organization should preferentially do what?
- Mark the affected controls as not applicable
- Refuse to use any COTS products in federal systems
- Select products that have been tested, evaluated, or validated by approved independent third-party assessment facilities
- Lower the system's impact categorization to avoid the controls
Correct answer: Select products that have been tested, evaluated, or validated by approved independent third-party assessment facilities
When organizations lack direct control over how a COTS product implements security functions, SP 800-37 recommends choosing products that have been tested, evaluated, or validated by approved, independent third-party assessment facilities. This provides assurance the product's controls work as claimed. Marking controls not applicable or lowering categorization to dodge requirements is not legitimate tailoring.
- A system owner discovers that an inherited common control does not fully satisfy the inheriting system's requirements. The correct implementation response is to do what?
- Remove the control objective from the system's security plan
- Transfer authorization responsibility to the common control provider
- Identify and implement compensating or supplementary controls to close the gap
- Re-implement the entire common control independently for this system
Correct answer: Identify and implement compensating or supplementary controls to close the gap
When an inherited common control is inadequate for a specific system, the system owner identifies and implements compensating or supplementary system-specific controls to address the residual gap. The inheritance still applies for what the common control covers; only the shortfall is supplemented. Deleting the objective or wholesale re-implementation would be inefficient and is not what RMF prescribes.
- What is the primary purpose of Task I-2, Update Control Implementation Information, in the Implement step?
- To select a new baseline of controls based on categorization
- To revise the security and privacy plans so they reflect how each control was actually implemented
- To define the system's authorization boundary
- To grant the system an authorization to operate
Correct answer: To revise the security and privacy plans so they reflect how each control was actually implemented
Task I-2 updates the security and privacy plans so the documented implementation matches the as-built system, including any deviations made during implementation. Accurate plans give assessors and the authorizing official a true picture of the security posture. Selecting a baseline, authorizing, and defining the boundary occur in other RMF steps.
- During implementation, mandatory configuration settings for system components should be established in accordance with what?
- Each administrator's personal preferences
- Federal and organizational policies, often using standardized secure configuration checklists
- The lowest-effort default settings shipped by the vendor
- Whatever settings the help desk finds most convenient
Correct answer: Federal and organizational policies, often using standardized secure configuration checklists
SP 800-37 requires that mandatory configuration settings be established and implemented in accordance with federal and organizational policies, frequently drawing on standardized secure configuration checklists such as the United States Government Configuration Baseline. Vendor defaults and individual preferences are not authoritative sources for secure configuration during implementation.
- An information system security engineer is implementing a control and must decide between two technologies that meet the requirement at different costs and risk levels. SP 800-37 indicates this decision should be informed primarily by what?
- Risk assessment results that support cost, benefit, and risk trade-off analysis
- The personal familiarity of the implementation team with each tool
- The marketing reputation of the vendors
- The alphabetical order of the product names
Correct answer: Risk assessment results that support cost, benefit, and risk trade-off analysis
Risk assessment results inform the cost, benefit, and risk trade-off decisions made when choosing among technologies or policies to implement a control. Grounding the choice in risk keeps implementation aligned with the organization's risk strategy. Vendor reputation and team familiarity may be practical factors but are not the decision driver RMF specifies.
- Why does NIST encourage conducting an initial assessment of controls during the development or implementation phase rather than waiting for the formal Assess step?
- To eliminate the need for the formal Security Assessment Report
- To allow the system owner to skip authorization
- To identify and correct deficiencies earlier, when remediation is typically less costly
- To increase the system's impact categorization
Correct answer: To identify and correct deficiencies earlier, when remediation is typically less costly
Performing initial assessments during development or implementation lets organizations find weaknesses early, when fixing them is usually far less expensive and disruptive than after deployment. It does not replace the formal Assess step or its Security Assessment Report; it complements them by reducing the number of late-stage findings.
- Which artifact is the primary place to record how each implemented control actually functions within the system and its environment?
- The Plan of Action and Milestones
- The authorization decision document
- The risk management strategy
- The System Security Plan (and associated privacy plan)
Correct answer: The System Security Plan (and associated privacy plan)
The System Security Plan, together with the privacy plan, is where the implementation details of each control are documented so that assessors and the authorizing official understand the as-built posture. The POA&M tracks weaknesses, the authorization decision document records the AO's decision, and the risk management strategy is an organization-level governance product.
- A control implementation is most defensible when it aligns with which two architectures referenced by the Implement step?
- The marketing architecture and the sales architecture
- The enterprise architecture and the security/privacy architecture
- The vendor architecture and the competitor architecture
- The seating architecture and the parking architecture
Correct answer: The enterprise architecture and the security/privacy architecture
SP 800-37 calls for implementing controls consistent with the organization's enterprise architecture and the system's security and privacy architecture. This alignment ensures controls fit the broader technical environment and the intended protection design rather than being deployed in isolation. The other pairings are not RMF concepts.
- When implementing controls for personally identifiable information, the privacy program should ensure that privacy controls are which of the following?
- Implemented and operational so PII protections can be verified before the system processes real data
- Replaced entirely by security controls
- Deferred until after the authorization decision
- Documented only verbally to save time
Correct answer: Implemented and operational so PII protections can be verified before the system processes real data
Privacy controls should be implemented and made operational during the Implement step so that protections for PII are functional and assessable before the system handles actual personal data. Deferring them past authorization or substituting security controls would leave individuals' privacy risks unaddressed during the very period the system goes live.
- In a FedRAMP authorization, the Control Implementation Summary primarily communicates what about each control?
- The exact dollar cost of implementing the control
- The number of users assigned to the system
- The marketing benefits of the cloud platform
- Whether the control is implemented by the cloud provider, the customer, shared, or inherited
Correct answer: Whether the control is implemented by the cloud provider, the customer, shared, or inherited
A FedRAMP Control Implementation Summary indicates the responsibility for each control: provider-implemented, customer-responsible, shared, or inherited from another authorization. This clarifies who must implement and maintain each control across the shared-responsibility boundary. Cost, marketing, and user counts are not what the summary conveys.
- A team implements a technical control but cannot complete it fully before the assessment due to a vendor dependency. The most appropriate action during implementation is to do what?
- Conceal the gap so the assessor does not find it
- Delete the control from the security plan
- Mark the control as fully satisfied to avoid delay
- Document the deficiency, plan remediation, and ensure it is captured for the POA&M
Correct answer: Document the deficiency, plan remediation, and ensure it is captured for the POA&M
When a control cannot be fully implemented, the deficiency should be documented along with a remediation plan and tracked so it can be reflected in the POA&M. This keeps the security posture transparent and allows the authorizing official to make an informed risk decision. Concealing, falsely marking satisfied, or deleting the control are all improper.
- The principle of least functionality, applied during control implementation, directs an organization to do what?
- Configure systems to provide only essential capabilities and disable unnecessary functions, ports, and services
- Grant every user administrative rights for convenience
- Install as many software packages as possible
- Allow all network protocols by default
Correct answer: Configure systems to provide only essential capabilities and disable unnecessary functions, ports, and services
Least functionality means configuring the system to provide only the capabilities essential to its mission and disabling unnecessary functions, ports, protocols, and services. This shrinks the attack surface. Granting broad admin rights, installing extra software, and allowing all protocols increase risk and contradict the principle.
- When implementing controls, separation of duties is enforced primarily to achieve what?
- Prevention of any single individual from controlling all phases of a critical process, reducing fraud and error
- Lower hardware procurement costs
- Faster system performance
- Elimination of the need for audit logging
Correct answer: Prevention of any single individual from controlling all phases of a critical process, reducing fraud and error
Separation of duties divides critical tasks among multiple people so that no single individual can carry out and conceal a damaging action, reducing the risk of fraud and error. It is a structural control implemented through role and access design. It does not affect performance or hardware cost and complements, rather than replaces, audit logging.
- A common pitfall during implementation is configuration drift. Configuration drift refers to what?
- The gradual divergence of a system's actual configuration from its approved secure baseline over time
- The deliberate hardening of a server before deployment
- The planned migration of a system to a new data center
- The scheduled rotation of encryption keys
Correct answer: The gradual divergence of a system's actual configuration from its approved secure baseline over time
Configuration drift is the gradual, often undocumented divergence of a system's running configuration from its approved secure baseline as undocumented changes accumulate. It undermines the assurance gained at implementation, which is why configuration management and monitoring are essential. Key rotation, data-center migration, and hardening are distinct, intentional activities.
- After implementing controls, an organization documents detailed, repeatable operating steps for a control. This documentation is best described as what?
- An authorization decision document
- A security categorization worksheet
- A risk management strategy
- A standard operating procedure
Correct answer: A standard operating procedure
A standard operating procedure provides the repeatable, step-by-step guidance needed to operate and maintain an implemented control consistently. Procedural documentation is part of how many controls (such as those with operational elements) are actually satisfied. The other artifacts serve authorization, categorization, and governance, not day-to-day control operation.
- When implementing controls for a system that inherits common controls, the SSP should clearly designate each control's implementation as which of the following?
- Low, moderate, or high cost
- Public, internal, or confidential
- Mandatory, optional, or deprecated
- Common (inherited), hybrid, or system-specific
Correct answer: Common (inherited), hybrid, or system-specific
The SSP should label each control as common (inherited from a provider), hybrid (partly inherited and partly system-specific), or system-specific so responsibility for implementation and maintenance is unambiguous. This designation prevents gaps where each party assumes the other implemented a control. The other groupings are not how RMF classifies control implementation responsibility.
- During implementation, applying secure baseline configurations from sources such as DISA STIGs or CIS Benchmarks primarily helps achieve what?
- An increase in the system's authorization period
- A lower security categorization
- A reduction in the number of required control families
- A consistent, defensible hardened starting state across like systems
Correct answer: A consistent, defensible hardened starting state across like systems
Hardening guides such as DISA STIGs and CIS Benchmarks give organizations a consistent, recognized, and defensible secure configuration to apply across similar systems during implementation. They standardize how configuration-related controls are met. They do not change the control families required, the authorization period, or the categorization.
- Implementing the audit and accountability control family during the Implement step most directly enables which downstream capability?
- Categorizing the system under FIPS 199
- Selecting the initial control baseline
- Defining the authorization boundary
- Generating and protecting records that support later detection of and accountability for system activity
Correct answer: Generating and protecting records that support later detection of and accountability for system activity
Implementing audit and accountability controls produces and protects the log records needed to detect unauthorized activity and establish accountability once the system operates. These records feed continuous monitoring and incident response. Boundary definition, baseline selection, and categorization occur in earlier RMF steps, not as a result of audit logging.
- An implementer must set an organization-defined parameter such as a password lifetime within a control. This parameter should be set based on what?
- The vendor's default with no review
- The organization's policy and risk-based requirements for that control
- The shortest value the software allows
- A random value chosen at deployment time
Correct answer: The organization's policy and risk-based requirements for that control
Organization-defined parameters, such as time periods, frequencies, or thresholds, should be populated based on the organization's policy and risk-based requirements rather than arbitrary or default values. Setting them deliberately ensures the implemented control matches the intended protection level. Random or unreviewed default values undermine the control's effectiveness.
- A privacy control such as data minimization is implemented to accomplish what during the Implement step?
- Disabling all logging of access to PII
- Encrypting only the system's public-facing pages
- Ensuring the system collects, uses, and retains only the PII necessary for the authorized purpose
- Maximizing the amount of PII collected for future use
Correct answer: Ensuring the system collects, uses, and retains only the PII necessary for the authorized purpose
Data minimization is implemented so the system collects, processes, and retains only the PII that is directly relevant and necessary for the authorized purpose, reducing privacy risk to individuals. Collecting more PII than needed increases exposure. Selective encryption and disabling access logs are unrelated to, and would conflict with, sound minimization and accountability.
- During implementation, why is it important to verify that implemented controls satisfy not only security but also assurance requirements?
- Assurance requirements increase the marketing value of the system
- Assurance requirements lower the system's impact level
- Assurance provides grounds for confidence that controls are implemented correctly and operating as intended
- Assurance requirements eliminate the need for an authorizing official
Correct answer: Assurance provides grounds for confidence that controls are implemented correctly and operating as intended
Assurance requirements provide the basis for confidence that controls are implemented correctly, operating as intended, and producing the desired outcome. Addressing them during implementation, for example through evidence and engineering rigor, makes the eventual assessment and authorization more credible. Assurance does not change categorization or remove the authorizing official's role.
- A system owner is coordinating implementation of inherited controls with a common control provider. The owner's key responsibility in this coordination is to do what?
- Remove the inherited controls from continuous monitoring
- Take over operation of the provider's controls
- Confirm the inherited controls meet the system's needs and document the inheritance in the system's plan
- Assess the provider's controls without any provider input
Correct answer: Confirm the inherited controls meet the system's needs and document the inheritance in the system's plan
The system owner must confirm that the inherited common controls actually meet the inheriting system's requirements and document the inheritance relationship in the system security plan. The common control provider operates and maintains those controls; the owner relies on and records that inheritance while supplementing any gaps. The owner does not take over or unilaterally assess the provider's controls.
- Implementing the principle of fail-secure in a control means the system should do what when a component fails?
- Immediately delete all audit logs
- Default to granting maximum access to keep operations running
- Default to a protected state that denies access or preserves security rather than exposing the system
- Automatically lower the system categorization
Correct answer: Default to a protected state that denies access or preserves security rather than exposing the system
Fail-secure design ensures that when a control component fails, the system defaults to a protected state, for example denying access, rather than failing open and exposing resources. Implementing this behavior preserves security even during malfunction. Failing open, deleting logs, or changing categorization would all increase risk.
- When implementing controls, the use of trusted, verified software supply chain practices most directly mitigates which risk?
- The risk of high electricity costs
- The risk of slow user interfaces
- The risk that compromised or tampered components are introduced into the system during implementation
- The risk of insufficient office space
Correct answer: The risk that compromised or tampered components are introduced into the system during implementation
Verifying the integrity and provenance of software and components during implementation mitigates supply chain risk, the chance that malicious or tampered components are introduced into the system. This is increasingly addressed by supply chain risk management controls in SP 800-53. The other options are operational or facilities concerns, not supply chain security.
- Encrypting data at rest and data in transit are examples of implementing controls that primarily protect which security objective?
- Availability only
- Authorization timeliness
- Categorization accuracy
- Confidentiality (and integrity, in the case of authenticated encryption)
Correct answer: Confidentiality (and integrity, in the case of authenticated encryption)
Implementing encryption for data at rest and in transit protects confidentiality by preventing unauthorized disclosure, and with authenticated encryption it also supports integrity by detecting tampering. It does not by itself ensure availability, and it is unrelated to categorization accuracy or authorization timing.
- A hybrid control is implemented in a way that means which of the following?
- The control is implemented twice for redundancy
- The control is implemented by an external auditor
- The control is implemented entirely by a common control provider
- Part of the control is inherited from a common control provider and part is implemented by the system
Correct answer: Part of the control is inherited from a common control provider and part is implemented by the system
A hybrid control is one for which part of the implementation is provided as a common (inherited) control and part is implemented and maintained by the specific system. Documenting which portion is inherited and which is system-specific prevents responsibility gaps. It is not fully inherited, not duplicated for redundancy, and not implemented by an auditor.
- While implementing controls, an organization realizes the as-built implementation differs from what the approved security plan described. The correct response is to do what?
- Cancel the authorization process entirely
- Leave the plan unchanged and proceed silently
- Re-categorize the system to a lower level
- Update the security and privacy plans to reflect the actual implementation and the rationale
Correct answer: Update the security and privacy plans to reflect the actual implementation and the rationale
When implementation differs from the approved plan, Task I-2 requires updating the security and privacy plans so they accurately reflect the as-built implementation, including the rationale for the deviation. Accurate plans are essential for a valid assessment and authorization. Proceeding silently or arbitrarily re-categorizing would misrepresent the security posture.
- During implementation, a Plan of Action and Milestones entry for a deficiency should at minimum include which of the following?
- The vendor's stock ticker symbol
- The marketing budget for the next quarter
- The weakness, the planned corrective action, responsible party, required resources, and a milestone completion date
- The personal phone numbers of all employees
Correct answer: The weakness, the planned corrective action, responsible party, required resources, and a milestone completion date
A POA&M entry should identify the weakness, the planned corrective action to remediate it, the party responsible, the resources required, and a scheduled milestone or completion date. These elements let management and the authorizing official track remediation of residual deficiencies. Budgets, phone numbers, and stock symbols are not POA&M content.
- Implementing controls in accordance with defense in depth means an organization does what?
- Disables logging to reduce overhead
- Relies on a single perimeter firewall as the only safeguard
- Layers multiple complementary controls so the failure or bypass of one does not compromise the system
- Encrypts only the login page
Correct answer: Layers multiple complementary controls so the failure or bypass of one does not compromise the system
Defense in depth layers diverse, complementary controls across the system so that if one control fails or is bypassed, others still provide protection. Implementing controls this way avoids single points of failure. Relying on one firewall, encrypting only one page, or disabling logging would leave significant gaps.
- After controls are implemented and the security plan is updated, which RMF step immediately follows to evaluate whether the controls work as intended?
- Categorize
- Select
- Prepare
- Assess
Correct answer: Assess
The Assess step immediately follows Implement; it evaluates whether the implemented controls are in place correctly, operating as intended, and producing the desired outcome. Categorize, Select, and Prepare all precede Implement in the RMF sequence, so they would not come after implementation is complete.
- In the RMF Assess step, what is the primary purpose of NIST SP 800-53A?
- To define the risk tolerance and impact levels used to categorize an information system
- To provide assessment procedures, including assessment objectives, methods, and objects, for evaluating controls
- To grant the system an authorization to operate after risk acceptance
- To establish the minimum baseline of controls that every federal system must implement
Correct answer: To provide assessment procedures, including assessment objectives, methods, and objects, for evaluating controls
NIST SP 800-53A provides standardized assessment procedures used to evaluate the controls drawn from SP 800-53. Each procedure pairs an assessment objective with potential methods (examine, interview, test) and objects, giving assessors a repeatable way to determine whether a control is implemented correctly and operating as intended. Defining baselines and impact levels belongs to SP 800-53/FIPS 199, and authorization decisions occur in the Authorize step, not in 800-53A.
- A security control assessor must determine whether a control is producing the desired outcome. According to NIST SP 800-53A, what does the determination statement within an assessment procedure express?
- A discrete, evidence-based judgment that an assessment objective has or has not been met
- The recommended remediation timeline for any deficiency found
- The dollar value of the residual risk if the control fails
- The frequency at which the control must be reassessed during monitoring
Correct answer: A discrete, evidence-based judgment that an assessment objective has or has not been met
A determination statement expresses a discrete, evidence-based judgment about whether a specific assessment objective has been satisfied. SP 800-53A decomposes each control into determination statements so the assessor can render an objective finding supported by the evidence collected through examine, interview, and test methods. Remediation timelines and reassessment frequency are downstream activities, not part of the determination statement itself.
- Which sequence correctly reflects the order of tasks in the RMF Assess step under NIST SP 800-37 Rev 2?
- Categorize system, select controls, assess controls, authorize system
- Develop assessment plan, select assessor, conduct assessments, report findings
- Select assessor, develop assessment plan, conduct assessments, prepare assessment reports, take remediation actions, develop plan of action and milestones
- Conduct assessments, select assessor, develop POA&M, authorize
Correct answer: Select assessor, develop assessment plan, conduct assessments, prepare assessment reports, take remediation actions, develop plan of action and milestones
The Assess step proceeds as assessor selection (A-1), assessment plan development and approval (A-2), control assessments (A-3), assessment reports (A-4), remediation actions (A-5), and plan of action and milestones (A-6). The assessor is chosen and the plan approved before any testing begins so that scope and independence are settled up front. Categorize and Select are earlier RMF steps, and authorization is a separate step.
- What is the primary objective of the Assess step of the Risk Management Framework?
- To document the system boundary and information types
- To determine whether implemented controls are correct, operating as intended, and producing the desired outcome
- To continuously monitor the security posture after the system goes live
- To select an appropriate set of controls based on the system's impact level
Correct answer: To determine whether implemented controls are correct, operating as intended, and producing the desired outcome
The Assess step determines whether the controls are implemented correctly, operating as intended, and producing the desired outcome relative to the system's security and privacy requirements. This determination produces the evidence the authorizing official needs to make a risk-based decision. Control selection happens in the Select step, and ongoing oversight belongs to the Monitor step.
- During the assessor-selection task of the Assess step, an authorizing official needs an independent assessment of a high-impact system. What level of assessor independence best supports this?
- The system owner, who is most familiar with the control implementations
- An assessor from the same team that implemented the controls, to leverage system knowledge
- Any qualified contractor, regardless of relationship to the development team
- An assessor free from any conflict of interest and without responsibility for developing or operating the controls being assessed
Correct answer: An assessor free from any conflict of interest and without responsibility for developing or operating the controls being assessed
An assessor free from conflicts of interest and not responsible for developing, implementing, or operating the controls provides the independence needed for a high-impact system. Independence increases the credibility of the assessment results and the authorizing official's confidence in the risk decision. Using the implementation team or system owner introduces bias that undermines the integrity of the findings.
- What is a security assessment report (SAR) in the RMF?
- A document conveying the findings of the control assessment, including the status of each assessment objective and any weaknesses identified
- A plan describing how each control will be tested before the assessment begins
- A schedule of remediation milestones for correcting deficiencies
- A formal acceptance of residual risk signed by the authorizing official
Correct answer: A document conveying the findings of the control assessment, including the status of each assessment objective and any weaknesses identified
A security assessment report (SAR) conveys the results of the control assessment, documenting whether each assessment objective was satisfied or other than satisfied and describing weaknesses or deficiencies found. It is a key input to the authorization decision and to the plan of action and milestones. The pre-assessment testing approach is the assessment plan, and formal risk acceptance is the authorization decision, not the SAR.
- The plan of action and milestones (POA&M) developed in the Assess step is primarily used to do what?
- Define the assessment methods the assessor will apply to each control
- Replace the security assessment report as the authorization artifact
- List every control selected during the Select step
- Describe the planned remediation actions, resources, and timelines for correcting control deficiencies
Correct answer: Describe the planned remediation actions, resources, and timelines for correcting control deficiencies
The POA&M describes the planned actions, responsible parties, resources, and milestone dates for correcting weaknesses identified during the assessment. It allows the authorizing official to accept a system with known deficiencies while tracking their remediation over time. The POA&M complements the SAR rather than replacing it, and it does not define assessment methods or list the full control set.
- NIST SP 800-53A defines three assessment methods. Which set correctly names them?
- Review, approve, and authorize
- Examine, interview, and test
- Scan, audit, and certify
- Identify, protect, and detect
Correct answer: Examine, interview, and test
The three assessment methods in SP 800-53A are examine, interview, and test. Examine inspects artifacts such as documents and configurations, interview questions personnel, and test exercises objects to compare actual versus expected behavior. The other lists describe RMF steps or CSF functions, not assessment methods.
- An assessor reviews a system's contingency plan document and configuration settings without exercising the system. Which SP 800-53A assessment method is being used?
- Examine
- Interview
- Authorize
- Test
Correct answer: Examine
Examine is the method of reviewing, inspecting, or analyzing assessment objects such as documents, policies, mechanisms, or settings to verify a control. Because the assessor is inspecting artifacts rather than exercising functionality or questioning people, this is examination. Interview involves discussion with individuals, and test involves actively exercising an object to observe behavior.
- An assessor runs a series of inputs against an access-control mechanism and compares the actual behavior to the expected behavior defined in the assessment objective. Which assessment method is this?
- Interview
- Examine
- Test
- Categorize
Correct answer: Test
Test is the method of exercising an assessment object under specified conditions to compare actual behavior with expected behavior. Running inputs against a mechanism to observe how it responds is testing. Examine reviews artifacts and interview questions people, neither of which involves actively exercising the mechanism.
- In SP 800-53A terminology, the documents, mechanisms, activities, and individuals that an assessor evaluates are collectively called what?
- Control baselines
- Assessment objects
- Determination statements
- Assessment objectives
Correct answer: Assessment objects
Assessment objects are the specific items an assessor acts upon: specifications (documents), mechanisms (hardware/software/firmware), activities (processes), and individuals (people). Methods are applied to these objects to gather evidence. The assessment objective states what must be achieved, and the determination statement records the judgment, but neither is the object itself.
- What is the primary role of the Security Control Assessor in the RMF?
- To author the system security plan and select the control baseline
- To define the organization's risk tolerance and impact thresholds
- To conduct a comprehensive evaluation of the controls and document the results in the assessment report
- To accept residual risk and issue the authorization to operate
Correct answer: To conduct a comprehensive evaluation of the controls and document the results in the assessment report
The Security Control Assessor conducts a comprehensive, independent evaluation of the implemented controls and documents the results in the security assessment report. Their job is to provide objective evidence about control effectiveness, not to author the system security plan, accept risk, or set organizational risk tolerance, which are responsibilities of the system owner, authorizing official, and senior leadership respectively.
- An assessment objective in SP 800-53A is best described as which of the following?
- The continuous monitoring frequency for the control
- The list of artifacts the system owner must submit before assessment
- The acceptable level of residual risk for the system
- A statement of what a control assessment is intended to determine about a specific control
Correct answer: A statement of what a control assessment is intended to determine about a specific control
An assessment objective states what the assessment is intended to determine regarding a specific control, decomposing the control into one or more determination statements. It guides which methods and objects the assessor uses to gather evidence. Submission of artifacts, residual-risk thresholds, and monitoring frequency are separate concerns outside the objective's definition.
- A finding of 'other than satisfied' on an assessment objective indicates what?
- The control is no longer applicable and was removed from the baseline
- The control was assessed and the evidence fully supports the objective being met
- The control was inherited and therefore not assessed
- The assessor identified that the objective was not met, or could not be fully evaluated, and a potential weakness exists
Correct answer: The assessor identified that the objective was not met, or could not be fully evaluated, and a potential weakness exists
An 'other than satisfied' determination means the assessor found that the objective was not met, or had insufficient information to fully evaluate it, signaling a potential weakness or deficiency that must be documented in the SAR. A fully supported objective would be marked 'satisfied.' Inheritance and inapplicability are handled differently and are not what this finding represents.
- Before fieldwork begins, the assessment plan must be reviewed and approved. Who typically approves the security assessment plan?
- The authorizing official or designated representative
- The continuous monitoring team
- The assessor who wrote it
- The control implementers
Correct answer: The authorizing official or designated representative
The authorizing official or their designated representative reviews and approves the assessment plan to confirm the scope, methods, and level of effort are appropriate before testing begins. This approval establishes agreement on what will be assessed and to what depth. The assessor proposes the plan, but self-approval would undermine the oversight that approval is meant to provide.
- An organization is assessing a cloud service it consumes and wants to avoid re-testing controls already evaluated by another authorizing official. Which concept supports accepting those existing assessment results?
- Categorization
- Remediation
- Reciprocity
- Tailoring
Correct answer: Reciprocity
Reciprocity allows an organization to accept the assessment and authorization results produced by another organization rather than duplicating the work, provided the context and risk posture are acceptable. It conserves resources and underpins programs like FedRAMP, where one assessment can serve many agencies. Categorization, tailoring, and remediation are distinct RMF activities unrelated to accepting another party's results.
- In the FedRAMP context, which party performs the independent security assessment of a cloud service offering?
- A Third Party Assessment Organization (3PAO)
- The cloud service provider's own development team
- The system's end users
- The General Services Administration directly for every system
Correct answer: A Third Party Assessment Organization (3PAO)
A Third Party Assessment Organization (3PAO) performs the independent assessment of a cloud service offering under FedRAMP, producing the security assessment report that supports authorization. Independence from the provider is required so results are credible. The provider's own team lacks the needed independence, and end users do not conduct formal assessments.
- The depth and coverage attributes that SP 800-53A applies to assessment methods primarily determine what?
- The authorization boundary of the system
- Which controls are selected for the system baseline
- The dollar cost of the assessment contract
- The rigor and scope with which each method is applied (basic, focused, or comprehensive)
Correct answer: The rigor and scope with which each method is applied (basic, focused, or comprehensive)
Depth and coverage are attributes that describe the rigor and scope of an assessment method, expressed at basic, focused, or comprehensive levels. Higher-impact systems generally warrant greater depth and coverage to provide more assurance. These attributes shape how thoroughly a method is applied, not control selection, contract cost, or boundary definition.
- An assessor evaluates controls that the system inherits from a common control provider. What is the appropriate approach?
- Mark all inherited controls as not applicable
- Re-test every inherited control from scratch as if it were system-specific
- Skip the assessment because inherited controls are always compliant
- Rely on the common control provider's assessment evidence and assess only the system-specific portions or interfaces
Correct answer: Rely on the common control provider's assessment evidence and assess only the system-specific portions or interfaces
For inherited controls, the assessor relies on the common control provider's existing assessment evidence and focuses effort on any system-specific implementation details or hybrid portions. This avoids duplicating work already completed at the provider level while still confirming the inheritance is valid for this system. Re-testing everything wastes resources, and inherited controls are neither automatically non-applicable nor automatically compliant.
- During an assessment, the assessor finds that a control's actual behavior differs from what the system security plan describes. What should the assessor do?
- Ignore it because the plan is only a draft reference
- Document the discrepancy as a finding in the security assessment report
- Immediately revoke the system's authorization
- Update the system security plan to match the observed behavior on the spot
Correct answer: Document the discrepancy as a finding in the security assessment report
The assessor documents the discrepancy between documented and observed behavior as a finding in the SAR, providing the evidence needed for risk-based decisions and remediation. The assessor's role is to report objectively, not to rewrite the system security plan, which is the system owner's responsibility, and the assessor does not revoke authorizations.
- Why is reusing prior assessment evidence beneficial when controls have not changed since the last assessment?
- It eliminates the need for any authorization decision
- It removes the controls from continuous monitoring
- It conserves resources and supports a more efficient, risk-based assessment without re-testing unchanged controls
- It guarantees the controls are now effective
Correct answer: It conserves resources and supports a more efficient, risk-based assessment without re-testing unchanged controls
Reusing valid prior evidence for unchanged controls conserves assessor time and organizational resources while still supporting a sound risk-based decision. The assessor focuses effort on changed, new, or higher-risk controls. Reuse does not eliminate the authorization decision, guarantee effectiveness, or exempt controls from ongoing monitoring.
- The interview method in SP 800-53A is most appropriate for assessing which kind of evidence?
- The cryptographic strength of a stored key
- Whether personnel understand and can describe how a procedural control is carried out
- The exact configuration value set on a firewall
- The binary output of an automated vulnerability scanner
Correct answer: Whether personnel understand and can describe how a procedural control is carried out
Interview is best suited to learning whether personnel understand and consistently perform procedural or awareness-based activities, since those depend on people rather than artifacts or mechanisms. Configuration values and cryptographic strength are better verified through examine or test, and scanner output is a test artifact, not an interview subject.
- In the remediation-actions task (A-5) of the Assess step, controls that are remediated during the assessment window are typically handled how?
- They are deferred to the next full reauthorization
- They are automatically added to the POA&M with no further testing
- They are excluded from the SAR entirely
- They may be reassessed to confirm the deficiency was corrected, and the updated result is reflected in the SAR
Correct answer: They may be reassessed to confirm the deficiency was corrected, and the updated result is reflected in the SAR
When deficiencies are remediated during the assessment, the assessor may reassess the affected controls and update the SAR to reflect the corrected status. This reduces the residual risk presented to the authorizing official and may keep items off the POA&M. Remediated controls are not excluded from the report, and confirmed corrections do not need to wait for reauthorization.
- An authorizing official receives a SAR listing several 'other than satisfied' findings with associated risk ratings. What is the SAR's main contribution to the authorization decision?
- It provides the evidence-based picture of control effectiveness and weaknesses that informs the risk-acceptance decision
- It grants the authorization automatically once findings are below a threshold
- It selects which controls should be added to the baseline
- It replaces the need for a plan of action and milestones
Correct answer: It provides the evidence-based picture of control effectiveness and weaknesses that informs the risk-acceptance decision
The SAR gives the authorizing official an evidence-based picture of how effectively controls are implemented and what weaknesses remain, which directly informs whether residual risk is acceptable. The authorizing official, not the report, makes the risk-acceptance decision, and the SAR works alongside the POA&M rather than replacing it. Control selection occurs earlier in the Select step.
- Which document specifies the scope, controls to be assessed, methods, objects, and level of effort for an upcoming assessment?
- The security assessment report
- The security/privacy assessment plan
- The plan of action and milestones
- The system categorization document
Correct answer: The security/privacy assessment plan
The assessment plan specifies the scope, the controls to be assessed, the methods and objects to be used, and the expected level of effort, and it is approved before fieldwork begins. The assessment report captures results after the work, the POA&M tracks remediation, and the categorization document addresses impact level, none of which define the upcoming assessment's scope.
- An assessor must choose assessment methods for a moderate-impact control. SP 800-53A guidance indicates the choice of methods and their depth should be driven primarily by what?
- The vendor's recommendation
- The assessor's personal preference
- Whichever method is fastest to complete
- The assurance required, which is informed by the system's impact level and risk
Correct answer: The assurance required, which is informed by the system's impact level and risk
Method selection and the applied depth and coverage are driven by the level of assurance required, which is informed by the system's impact level and associated risk. Higher impact generally calls for more rigorous and comprehensive methods. Personal preference, speed, or vendor recommendation are not the basis for determining assessment rigor.
- When documenting a weakness in the SAR, including the assessor's recommendation and a description of the deficiency primarily helps whom?
- The vendor's marketing team
- The end users of the system
- Only the assessor's own records
- The system owner and authorizing official, by enabling informed remediation and risk decisions
Correct answer: The system owner and authorizing official, by enabling informed remediation and risk decisions
Describing each deficiency and providing recommendations helps the system owner plan remediation and helps the authorizing official weigh residual risk during the authorization decision. The SAR is an actionable decision-support artifact, not merely the assessor's private notes, and its audience is the risk decision-makers, not vendors or end users.
- An organization conducts an assessment of only a subset of controls following a significant configuration change rather than a full reassessment. This partial assessment is most consistent with which RMF principle?
- Removing the changed controls from the baseline
- A risk-based, ongoing approach that targets the controls affected by change
- Deferring all assessment until the next three-year reauthorization
- Mandatory full reassessment of all controls after any change
Correct answer: A risk-based, ongoing approach that targets the controls affected by change
Assessing only the controls affected by a change reflects the risk-based, ongoing nature of the RMF, concentrating effort where risk has shifted. Full reassessment of every control after any change is inefficient and unnecessary, changed controls are not dropped from the baseline, and waiting years to assess change-affected controls would leave risk unmanaged.
- A control marked 'satisfied' in the SAR conveys what to the authorizing official?
- The control is exempt from continuous monitoring
- The evidence collected supports a determination that the assessment objective was met
- The residual risk for the entire system is now zero
- The control will never need to be reassessed again
Correct answer: The evidence collected supports a determination that the assessment objective was met
A 'satisfied' determination means the collected evidence supports the judgment that the assessment objective was met for that control. It is a per-objective finding, not a statement that the control is permanently effective, exempt from monitoring, or that overall system risk is eliminated. Continuous monitoring still applies after authorization.
- Which combination of methods would give an assessor the strongest assurance that an audit-logging control is both configured and actually working?
- Examine the logging configuration and test the system to confirm events are captured as expected
- Examine the policy document only
- Interview the system administrator only
- Test alone with no review of documented requirements
Correct answer: Examine the logging configuration and test the system to confirm events are captured as expected
Combining examine (reviewing the logging configuration against requirements) with test (confirming actual events are captured) provides the strongest assurance that the control is both correctly set and operating as intended. Any single method leaves a gap: interview or examining a policy verifies intent but not behavior, and testing without reviewing requirements lacks a documented expected result to compare against.
- In the RMF Authorize step under NIST SP 800-37 Rev 2, the first task assembles a set of artifacts and submits them to the decision-maker. What is the deliverable of this assembly task?
- The continuous monitoring strategy submitted to the risk executive
- The tailored control baseline submitted to the assessor
- The system categorization worksheet submitted to the system owner
- The authorization package submitted to the authorizing official
Correct answer: The authorization package submitted to the authorizing official
Assembling and submitting the authorization package to the authorizing official is the deliverable of the first Authorize-step task (R-1). The package gives the AO the documented basis for the risk-based decision; baseline tailoring belongs to the Select step and categorization to the Categorize step.
- Beyond the SSP, SAR, and POA&M, which additional element is commonly included in an authorization package to give the authorizing official a concise, decision-oriented overview of the system's risk posture?
- The vendor's source code repository
- An executive summary
- The procurement statement of work
- The data center floor plan
Correct answer: An executive summary
An executive summary is commonly added to the authorization package so the authorizing official can quickly grasp the system's overall risk posture and key issues before reviewing the detailed SSP, SAR, and POA&M. It supports a faster, focused risk decision; procurement, facility, and code artifacts are not part of the core package.
- Which task of the Authorize step analyzes and determines the risk arising from the operation or use of the system, producing a risk determination as its output?
- The risk analysis and determination task
- The authorization package assembly task
- The control implementation task
- The authorization reporting task
Correct answer: The risk analysis and determination task
The risk analysis and determination task (R-2) evaluates the security and privacy risk of operating or using the system and yields a documented risk determination. That determination, alongside the package, feeds the risk-response and authorization-decision tasks; control implementation occurs earlier, in the Implement step.
- After the risk is determined, the Authorize step calls for identifying and implementing a preferred course of action toward that risk. Which task performs this, and what are its typical outcomes?
- The risk response task, which may result in accepting, mitigating, transferring, or avoiding the risk
- The monitoring task, which results in updated dashboards
- The categorization task, which results in a low, moderate, or high impact level
- The assessment task, which results in pass or fail findings
Correct answer: The risk response task, which may result in accepting, mitigating, transferring, or avoiding the risk
The risk response task (R-3) identifies and implements the preferred course of action for the determined risk, with outcomes that can include accepting, mitigating, sharing or transferring, or avoiding the risk. It sits between risk determination and the authorization decision; impact levels and assessment findings are products of earlier RMF steps.
- The final substantive task of the Authorize step supports OMB reporting and organization-wide risk management requirements after a decision is rendered. What is this task?
- Control selection
- System categorization
- Authorization reporting
- Boundary definition
Correct answer: Authorization reporting
Authorization reporting (R-5) communicates the authorization decision and supporting information to satisfy OMB reporting and organization-wide risk management needs. It follows the decision and feeds enterprise risk oversight; selection, categorization, and boundary definition all occur in earlier RMF steps.
- A security professional argues that the authorization boundary should be settled during the Authorize step. Why is this reasoning incorrect under NIST SP 800-37 Rev 2?
- Boundaries apply only to common control providers
- The authorization boundary is established earlier (during Prepare and Categorize) and is a precondition the authorization package relies on, not a product of the Authorize step
- Authorization boundaries are never documented in the RMF
- Boundaries are defined only by the independent assessor during assessment
Correct answer: The authorization boundary is established earlier (during Prepare and Categorize) and is a precondition the authorization package relies on, not a product of the Authorize step
The authorization boundary is established earlier in the RMF (in the Prepare and Categorize activities) and is documented in the SSP that the Authorize step relies upon; the Authorize step uses the boundary, it does not define it. Defining the boundary at authorization time would mean the assessment and package did not match what is being authorized.
- An organization adopts ongoing authorization for a system. Rather than fixing a single expiration date, the authorizing official reviews risk at defined intervals and whenever certain events occur. These two review drivers are best described as which pairing?
- Vendor-driven and budget-driven
- Audit-driven and award-driven
- Patch-driven and personnel-driven
- Time-driven and event-driven
Correct answer: Time-driven and event-driven
Ongoing authorization relies on time-driven reviews (at predefined intervals) and event-driven reviews (triggered by significant changes or incidents). This pairing lets the authorizing official keep the authorization current using continuous monitoring data rather than a one-time termination date.
- Under NIST SP 800-37 Rev 2, who has the authority to recommend an authorization decision to the authorizing official but cannot themselves accept the risk or sign the authorization?
- The end users of the system
- The authorizing official designated representative
- The hardware vendor
- The independent assessor
Correct answer: The authorizing official designated representative
The authorizing official designated representative (AODR) can carry out many AO activities, including preparing and coordinating the package and developing a recommended decision, but cannot accept risk or sign the authorization decision document; that authority is reserved to the authorizing official alone. The assessor remains independent and never accepts risk.
- Two or more authorizing officials from different organizations review a single authorization package and agree to share responsibility for the risk decision on a system that crosses organizational lines. What is this arrangement called?
- A denial of authorization
- A common control authorization
- A joint authorization
- A type authorization
Correct answer: A joint authorization
A joint authorization is when multiple authorizing officials from different organizations share the authorization decision and the associated risk responsibility for a single system, often because the system supports more than one organization's mission. It differs from type authorization (one system deployed at many sites) and common control authorization (inheritable controls).
- A consuming agency leverages another organization's existing authorization package to authorize a shared service for its own use, accepting the inherited risk and documenting any additional agency-specific controls. This is best described as which kind of authorization?
- An impact-level reclassification
- A provisional categorization
- A leveraged authorization
- A control assessment
Correct answer: A leveraged authorization
A leveraged authorization reuses an existing authorization (such as a cloud provider's package) so the consuming organization accepts the inherited risk and adds any controls specific to its own use. It avoids duplicating the full RMF on the shared service while keeping the consuming organization accountable for its portion of the risk.
- As of 2024, the FedRAMP Joint Authorization Board (JAB) was dissolved and its provisional authorization role was replaced. Which body now governs FedRAMP, and what authorization path is emphasized going forward?
- The system owner, with emphasis on vendor self-attestation
- The FedRAMP Board, with emphasis on strengthening agency authorizations
- The JAB continues unchanged, with emphasis on provisional authorizations
- The independent assessor, with emphasis on self-authorization
Correct answer: The FedRAMP Board, with emphasis on strengthening agency authorizations
In 2024 the JAB was replaced by the FedRAMP Board (established under OMB M-24-15 and the FY23 NDAA). The JAB Provisional ATO path was retired, and the program moved to agency authorizations and a new program authorization path (signed by the FedRAMP Director). Agency authorizations are the primary path for new cloud services, with program authorizations available for widely reusable services. The other three options are factually incorrect.
- In the FedRAMP context, why was a Joint Authorization Board P-ATO historically labeled 'provisional' rather than a full authorization to operate?
- Because it expired after only 30 days
- Because it covered only privacy controls
- Because the board could review and recommend a package but could not accept risk on behalf of any individual agency, which each agency must still do via its own ATO
- Because it was issued by the cloud provider itself
Correct answer: Because the board could review and recommend a package but could not accept risk on behalf of any individual agency, which each agency must still do via its own ATO
A P-ATO was provisional because the board reviewed the package and deemed it acceptable for the federal community but could not accept risk for any particular agency; each agency still had to issue its own ATO leveraging that package. Risk acceptance is inherently an agency authorizing official responsibility.
- Within FedRAMP, which independent entity performs the security assessment that produces the SAR used in the cloud service's authorization package?
- The cloud service provider's marketing team
- The consuming agency's help desk
- The Office of Management and Budget
- An accredited third-party assessment organization (3PAO)
Correct answer: An accredited third-party assessment organization (3PAO)
An accredited third-party assessment organization (3PAO) independently assesses the cloud service and produces the assessment results that go into the authorization package. Independence of the assessor is essential so the authorizing official can rely on the findings when accepting risk.
- An authorizing official wants to grant an ATO but notes that one external system the candidate system connects to has not been assessed. Which package element documents the terms of that connection and the shared responsibilities for managing its risk?
- The data center lease
- The hardware warranty
- The user acceptance survey
- The interconnection agreement (such as an ISA/MOU)
Correct answer: The interconnection agreement (such as an ISA/MOU)
An interconnection agreement, such as an Interconnection Security Agreement paired with a Memorandum of Understanding/Agreement, documents the terms, responsibilities, and risk-sharing for a connection between systems. The authorizing official considers it when judging the risk introduced by external connections before authorizing.
- A senior privacy official must concur on the authorization decision for a system that processes personally identifiable information. Under federal RMF guidance, which role provides this privacy-specific risk perspective in the Authorize step?
- The network operations technician
- The senior agency official for privacy (SAOP)
- The configuration manager
- The procurement officer
Correct answer: The senior agency official for privacy (SAOP)
The senior agency official for privacy (SAOP) provides the privacy risk perspective and is involved in authorization decisions for systems processing PII, ensuring privacy risk is appropriately considered alongside security risk. Operational and procurement roles do not hold this privacy-authority function.
- An authorizing official signs an ATO but explicitly directs that no additional high-risk data be added to the system and that a specific compensating control be sustained for the authorization to remain valid. What part of the authorization decision document captures these restrictions?
- The terms and conditions of the authorization
- The system categorization level
- The assessment method matrix
- The control inheritance table
Correct answer: The terms and conditions of the authorization
The terms and conditions section of the authorization decision document captures restrictions and required actions the system owner must honor for the authorization to stay valid. These conditions bound how the system may operate; categorization and assessment methods are products of earlier steps and are not where operating restrictions are recorded.
- What primarily distinguishes an authorization to use (ATU) from a leveraged authorization decision when a federal agency relies on an externally provided service?
- An ATU is the consuming organization's decision to accept and use a system already authorized by another organization, whereas a leveraged authorization reuses an existing package as the basis for issuing a new authorization for the consuming environment
- An ATU applies only to hardware and a leveraged authorization only to software
- An ATU is issued by the assessor and a leveraged authorization by the vendor
- An ATU never requires risk acceptance while a leveraged authorization always denies operation
Correct answer: An ATU is the consuming organization's decision to accept and use a system already authorized by another organization, whereas a leveraged authorization reuses an existing package as the basis for issuing a new authorization for the consuming environment
An ATU is the consuming organization's decision to accept the risk of and approve the use of a system another organization already assessed and authorized, while a leveraged authorization reuses that prior package as the foundation for the consuming organization's own authorization of its use. Both rely on an existing authorization rather than re-running the full RMF, but they frame the consuming organization's decision differently.
- During the Authorize step the authorizing official concludes that a specific course of action is needed before risk can be accepted: deploy session encryption and disable a legacy protocol. Recording the chosen course of action for the determined risk corresponds to which Authorize-step activity?
- Control selection
- Risk response
- Authorization reporting
- Security categorization
Correct answer: Risk response
Choosing and recording the course of action for the determined risk, such as mitigating it by deploying encryption and removing a legacy protocol, is the risk response activity (R-3) of the Authorize step. Reporting communicates the eventual decision, while selection and categorization happen earlier in the framework.
- An organization operating under DevSecOps wants authorizations to keep pace with frequent releases instead of re-running a full point-in-time reauthorization for each change. Which authorization approach best aligns with this goal?
- Ongoing authorization driven by continuous monitoring of the pipeline and controls
- Permanent authorization that never re-evaluates risk
- Denial of authorization for any system that changes
- Reverting to a one-time assessment with no monitoring
Correct answer: Ongoing authorization driven by continuous monitoring of the pipeline and controls
Ongoing authorization, fed by continuous monitoring of the pipeline and control effectiveness, lets the authorizing official make time-relevant risk decisions as the system changes, which suits rapid DevSecOps release cadences. A permanent or one-time approach would ignore evolving risk, and denial is not a way to accommodate change.
- A system has been operating under an ATO when a major architecture change significantly alters its risk. The authorizing official reviews the change-specific risk and re-confirms acceptance without restarting the entire RMF. This decision is best characterized as what?
- A denial of authorization to operate
- A new categorization at a higher impact level
- A common control authorization
- A reauthorization based on the significant change
Correct answer: A reauthorization based on the significant change
Re-confirming risk acceptance after a significant change that materially affects the security posture is a reauthorization, which can be focused on the change rather than restarting the whole framework. It is distinct from categorization (which sets impact level) and from a denial, and it is event-driven by the significant change.
- Why is it inaccurate to say that an authorization to operate certifies a system as 'secure' or 'compliant with zero risk'?
- Because the assessor, not the AO, guarantees zero risk
- Because authorizations are only issued for systems that have never been assessed
- Because an ATO is an explicit acceptance of residual risk judged tolerable, not a guarantee that no weaknesses or risk remain
- Because compliance is irrelevant to authorization
Correct answer: Because an ATO is an explicit acceptance of residual risk judged tolerable, not a guarantee that no weaknesses or risk remain
An ATO is a risk-acceptance decision in which the authorizing official judges the residual risk tolerable, often with open POA&M items, so it never certifies the absence of weaknesses or risk. Treating an ATO as a guarantee of perfect security misrepresents the risk-based nature of the decision.
- The risk executive (function) reviews an authorization recommendation and notes the proposed risk acceptance conflicts with the enterprise risk tolerance set by senior leadership. What is the most appropriate result of this input?
- The independent assessor overrides the authorizing official
- The authorizing official reconsiders the decision so it aligns with organization-wide risk tolerance before authorizing
- The POA&M is deleted to remove the conflict
- The system is automatically reclassified to low impact
Correct answer: The authorizing official reconsiders the decision so it aligns with organization-wide risk tolerance before authorizing
The risk executive (function) provides an enterprise view, so a conflict with organizational risk tolerance should prompt the authorizing official to reconsider and align the decision before signing. The risk executive informs and harmonizes decisions but does not override the AO, and the assessor never holds decision authority.
- An authorizing official receives a package and must decide among the recognized RMF authorization outcomes. Which of the following is NOT one of the authorization decisions defined in NIST SP 800-37 Rev 2?
- Provisional control selection
- Denial of authorization
- Common control authorization
- Authorization to operate
Correct answer: Provisional control selection
Provisional control selection is not an RMF authorization decision; control selection occurs in the Select step, not the Authorize step. The four recognized authorization decisions in NIST SP 800-37 Rev 2 are: authorization to operate, authorization to use, common control authorization, and denial of authorization.
- OMB Circular A-130 and FISMA establish the policy basis requiring federal systems to be authorized before operating. In RMF terms, what core obligation do these authorities impose on agencies in the Authorize step?
- That a senior agency official formally accept risk and authorize the system before it operates, and periodically re-evaluate that authorization
- That only the assessor sign off on the system
- That every control achieve a perfect assessment score before operation
- That systems never connect to any external service
Correct answer: That a senior agency official formally accept risk and authorize the system before it operates, and periodically re-evaluate that authorization
Under FISMA and OMB Circular A-130, a senior agency official must formally accept the security and privacy risk and authorize a system before it operates, then keep that authorization current over time. The policies require risk-based authorization, not perfect control scores, and the decision is the official's, not the assessor's.
- After signing an ATO, an authorizing official wants assurance that the risk posture they accepted will not silently degrade between formal reviews. Which downstream RMF activity is the authorization decision designed to feed in order to sustain it?
- The independent control assessment that produced the SAR
- The continuous monitoring (Monitor) activities that track control effectiveness and changes over time
- The initial categorization of information types
- The first selection of the control baseline
Correct answer: The continuous monitoring (Monitor) activities that track control effectiveness and changes over time
The authorization decision feeds the Monitor step, where continuous monitoring tracks control effectiveness, system changes, and risk so the accepted posture stays valid and supports ongoing authorization. Categorization, baseline selection, and the initial assessment all precede authorization and do not sustain it after the decision.
- A common control provider's controls are authorized so other systems can inherit them. When a system owner builds their authorization package, how should they treat these inherited common controls?
- Ignore the common controls entirely because they are someone else's responsibility
- Reference the common control authorization and inherit the documented risk, focusing their own assessment on system-specific and hybrid controls
- Deny their own authorization because common controls exist
- Re-implement and re-assess each common control independently as if it were system-specific
Correct answer: Reference the common control authorization and inherit the documented risk, focusing their own assessment on system-specific and hybrid controls
A system owner references the existing common control authorization and inherits the documented risk for those controls, concentrating their own assessment effort on system-specific and hybrid controls. This avoids duplicated work while still making the authorizing official aware of the inherited risk; the common controls are not re-assessed in full or ignored.
- During continuous monitoring, an agency proposes to add a new collection of personal data to an already authorized system. What is the purpose of the privacy impact assessment (PIA) the agency conducts before proceeding?
- To request that the authorizing official immediately revoke the system's authorization to operate
- To certify that the system contains no personally identifiable information of any kind
- To replace the system security plan as the primary authorization artifact
- To analyze how the personally identifiable information will be collected, used, stored, and shared, and to evaluate the privacy risks and the controls that mitigate them
Correct answer: To analyze how the personally identifiable information will be collected, used, stored, and shared, and to evaluate the privacy risks and the controls that mitigate them
A privacy impact assessment analyzes how personally identifiable information is collected, maintained, used, stored, and disseminated, and it examines the resulting privacy risks and the protections that mitigate them. It is an ongoing compliance activity triggered when a system's handling of PII changes, not a tool to revoke authorization or replace the system security plan, and it presumes PII is present rather than certifying its absence.
- An organization wants to maintain near real-time awareness of its systems' security and privacy posture rather than relying only on a point-in-time assessment every three years. Which process is designed to provide this ongoing awareness?
- The initial categorization of the information system under FIPS 199
- The selection of a control baseline from NIST SP 800-53
- Continuous monitoring, which provides ongoing observation of security and privacy control effectiveness and the threat environment to support risk-based decisions
- A one-time penetration test conducted at the end of the system life cycle
Correct answer: Continuous monitoring, which provides ongoing observation of security and privacy control effectiveness and the threat environment to support risk-based decisions
Continuous monitoring is the ongoing process of maintaining awareness of security and privacy control effectiveness, vulnerabilities, and the threat environment so that leaders can make timely, risk-based decisions. A one-time penetration test, the initial FIPS 199 categorization, and baseline selection are discrete earlier-step activities, not the continuous awareness mechanism that sustains an authorization over time.
- Before deciding whether a new federal information system requires a full privacy impact assessment, a privacy office completes a short questionnaire that determines whether the system collects personally identifiable information. What is this preliminary questionnaire called?
- A plan of action and milestones
- A security assessment report
- A privacy threshold analysis
- A risk executive review
Correct answer: A privacy threshold analysis
A privacy threshold analysis is the preliminary questionnaire used to determine whether a system contains personally identifiable information and, therefore, whether a full privacy impact assessment or a system of records notice is required. A plan of action and milestones tracks remediation, a security assessment report documents control assessment results, and a risk executive review is an organizational governance activity, none of which serve as the initial privacy screening filter.
- A compliance analyst is asked to explain the difference between a privacy threshold analysis (PTA) and a privacy impact assessment (PIA). Which statement correctly distinguishes them?
- The PTA is a brief screening that determines whether a PIA is needed, while the PIA is the in-depth analysis of privacy risks and mitigations
- The PTA is a detailed risk analysis, while the PIA is only a one-line screening checkbox
- The PTA authorizes the system to operate, while the PIA decommissions it
- The PTA and PIA are identical documents with different names used by different agencies
Correct answer: The PTA is a brief screening that determines whether a PIA is needed, while the PIA is the in-depth analysis of privacy risks and mitigations
The privacy threshold analysis is a short screening that determines whether a system handles personally identifiable information and thus whether a fuller analysis is required, while the privacy impact assessment is the comprehensive examination of how PII is handled and how privacy risks are mitigated. The PTA serves as the filter that triggers the PIA; they are distinct documents with different depth, and neither one grants nor revokes an authorization to operate.
- A privacy threshold analysis concludes that a federal system retrieves records by individuals' names and Social Security numbers. Which additional compliance artifact does the Privacy Act of 1974 most likely require the agency to publish?
- A system of records notice in the Federal Register
- A new control baseline tailoring report
- A waiver from the FIPS 199 categorization requirement
- A memorandum of understanding with the cloud service provider
Correct answer: A system of records notice in the Federal Register
A system of records notice published in the Federal Register is required by the Privacy Act of 1974 whenever an agency maintains a system from which records are retrieved by an individual's name or identifier such as a Social Security number. It informs the public of the system's existence, purpose, categories of individuals and records, and routine uses. A FIPS 199 waiver, a tailoring report, and a vendor memorandum address other concerns and do not satisfy the Privacy Act publication mandate.
- Which statement best describes ongoing authorization as introduced in the RMF Monitor step?
- The system is permanently authorized once and never reassessed
- The authorizing official continually reviews continuous monitoring output and makes rolling, risk-based authorization decisions instead of waiting for a fixed reauthorization date
- The assessor, not the authorizing official, decides whether the system remains authorized
- Authorization is automatically transferred to the system owner after deployment
Correct answer: The authorizing official continually reviews continuous monitoring output and makes rolling, risk-based authorization decisions instead of waiting for a fixed reauthorization date
Ongoing authorization means the authorizing official uses continuous monitoring results to make recurring, risk-based authorization decisions on a rolling basis rather than relying solely on a periodic, time-driven reauthorization. It does not make authorization permanent, does not transfer the decision to the system owner, and keeps the authorization decision with the authorizing official rather than the assessor.
- Continuous monitoring in the RMF (the Monitor step) is best characterized by which of the following?
- An ongoing program that observes control effectiveness, system and environment changes, and risk so authorization decisions stay current
- A process limited to scanning for malware on endpoints
- A single annual audit performed only by an external third party
- An activity that ends once the system receives its initial authorization to operate
Correct answer: An ongoing program that observes control effectiveness, system and environment changes, and risk so authorization decisions stay current
Continuous monitoring in the RMF is an ongoing program that watches control effectiveness, changes to the system and its environment, and evolving risk so the authorization remains current. It is broader than a single annual external audit or endpoint malware scanning, and rather than ending at initial authorization, it is precisely what sustains the authorization throughout the operations and maintenance phase.
- An organization's information security continuous monitoring (ISCM) strategy must define monitoring frequencies for its controls. According to NIST guidance, which factor should most influence how often a particular control is monitored?
- The alphabetical order of the control identifier within its family
- The calendar quarter in which the system was first deployed
- The personal preference of the system administrator on duty
- The volatility of the control and the criticality of the system, balanced against the organization's risk tolerance
Correct answer: The volatility of the control and the criticality of the system, balanced against the organization's risk tolerance
Monitoring frequency should be driven by how volatile a control is, how critical the system and the information are, and the organization's risk tolerance, so that higher-risk or fast-changing controls are checked more often. Control identifiers, administrator preference, and the deployment quarter are arbitrary and do not reflect risk, so they are not the basis for setting ISCM frequencies.
- During continuous monitoring, an assessment identifies a control deficiency that cannot be remediated immediately. Where is this weakness, along with the planned corrective actions, resources, and milestone dates, documented?
- In the FIPS 199 categorization worksheet
- In the system of records notice
- In the plan of action and milestones (POA&M)
- In the privacy threshold analysis
Correct answer: In the plan of action and milestones (POA&M)
The plan of action and milestones records identified weaknesses together with the corrective actions, required resources, and scheduled completion dates, and it is continually updated during the Monitor step. A privacy threshold analysis screens for PII, a FIPS 199 worksheet documents impact categorization, and a system of records notice serves Privacy Act transparency, so none of those track remediation of control deficiencies.
- A federal agency uses a cloud service authorized through FedRAMP. To maintain that authorization, the cloud service provider must submit which artifacts to the agency and the FedRAMP program on a recurring basis?
- A marketing brochure describing the cloud service's features
- A one-time security assessment report that is never updated again
- Monthly continuous monitoring deliverables, including updated vulnerability scans and an updated plan of action and milestones
- Only the original system security plan from the initial authorization
Correct answer: Monthly continuous monitoring deliverables, including updated vulnerability scans and an updated plan of action and milestones
FedRAMP continuous monitoring requires the cloud service provider to submit recurring deliverables, typically monthly, that include updated vulnerability scan results and a current plan of action and milestones so the agency can confirm risk remains acceptable. A static one-time assessment report, only the original system security plan, or marketing materials would not give the authorizing official the ongoing evidence needed to sustain the authorization.
- In an information security continuous monitoring program, security metrics and dashboards are most valuable for what compliance-maintenance purpose?
- Permanently replacing the need for any control assessments
- Guaranteeing that no vulnerabilities will ever be discovered
- Setting the official impact level of the system under FIPS 199
- Communicating the current security and privacy status to decision-makers so they can prioritize responses and resources
Correct answer: Communicating the current security and privacy status to decision-makers so they can prioritize responses and resources
Metrics and dashboards translate monitoring data into a current picture of security and privacy status so authorizing officials and leadership can prioritize responses and allocate resources. They support, rather than replace, control assessments; they cannot guarantee an absence of vulnerabilities; and the FIPS 199 impact level is set during categorization, not derived from monitoring dashboards.
- During the Monitor step, an agency detects an unauthorized configuration change on a production server. Which response is most consistent with continuous monitoring expectations?
- Immediately decommission the system without analysis
- Investigate the change through root-cause analysis, assess its security and privacy impact, and respond to the resulting risk
- Wait until the next scheduled three-year reauthorization to address it
- Ignore the change because the system already has an authorization to operate
Correct answer: Investigate the change through root-cause analysis, assess its security and privacy impact, and respond to the resulting risk
Detecting an unauthorized change should trigger investigation and root-cause analysis, an assessment of the security and privacy impact, and a risk response such as remediation or documented acceptance. An existing authorization does not excuse inaction, immediate decommissioning is disproportionate without analysis, and deferring to a distant reauthorization defeats the near-real-time purpose of continuous monitoring.
- A privacy threshold analysis is updated when a system changes. What is the primary reason a PTA should be revisited during continuous monitoring rather than completed only once?
- Because changes to the system's data, scope, or use of personally identifiable information may newly trigger a PIA or a SORN
- Because the PTA must be re-signed alphabetically by every system user each year
- Because the PTA sets the control monitoring frequency for every control family
- Because the PTA replaces the security assessment report at each reauthorization
Correct answer: Because changes to the system's data, scope, or use of personally identifiable information may newly trigger a PIA or a SORN
A privacy threshold analysis should be revisited when a system changes because new data collection, expanded scope, or new uses of personally identifiable information can newly require a privacy impact assessment or a system of records notice. The PTA is a privacy screening tool; it does not require annual user signatures, does not set technical control monitoring frequencies, and does not substitute for the security assessment report.
- An authorizing official reviews continuous monitoring results showing that residual risk has risen but remains within the organization's risk tolerance. Which decision is most appropriate?
- Delegate the authorization decision to the security control assessor
- Maintain the ongoing authorization while directing continued monitoring and any needed remediation through the POA&M
- Immediately issue a denial of authorization regardless of the risk level
- Stop all monitoring activity because the system is still authorized
Correct answer: Maintain the ongoing authorization while directing continued monitoring and any needed remediation through the POA&M
When residual risk increases but stays within tolerance, the authorizing official can maintain the ongoing authorization while directing continued monitoring and tracking any remediation in the plan of action and milestones. Denying authorization is unwarranted when risk is acceptable, the authorization decision cannot be delegated to the assessor, and halting monitoring would remove the very basis for the ongoing authorization.
- Which Monitor step activity ensures that the system security plan, security assessment report, and plan of action and milestones reflect the system's actual current state during operations?
- Publishing the system of records notice for the first time
- Keeping the authorization package updated based on continuous monitoring results
- Conducting the one-time pre-authorization assessment only
- Performing the initial selection of the control baseline
Correct answer: Keeping the authorization package updated based on continuous monitoring results
Keeping the authorization package current means updating the system security plan, security assessment report, and plan of action and milestones as continuous monitoring reveals changes, so the documentation matches the system's real security and privacy posture. Baseline selection and the initial pre-authorization assessment occur earlier in the life cycle, and first publication of a system of records notice is a Privacy Act transparency action, not the package-maintenance task.
- An organization is deciding whether to automate portions of its continuous monitoring program. What is the strongest justification for using automated tools such as vulnerability scanners and configuration baselines?
- They increase the frequency and consistency of monitoring and reduce the cost and delay of manual checks, enabling more timely risk decisions
- They remove the need to document any results or findings
- They convert a high-impact system into a low-impact system
- They eliminate the authorizing official's responsibility for risk decisions
Correct answer: They increase the frequency and consistency of monitoring and reduce the cost and delay of manual checks, enabling more timely risk decisions
Automation strengthens continuous monitoring by enabling more frequent, consistent checks at lower cost and with less delay than manual review, which supports more timely, risk-based decisions. It does not transfer the authorizing official's accountability for risk, does not remove the requirement to document findings, and has no effect on the system's FIPS 199 impact level.
- A system reaches the end of its life cycle and is being retired. Which continuous monitoring (Monitor step) sub-task governs the secure handling of this transition?
- Selecting the authorizing official for the system
- Initial control selection from the NIST SP 800-53 catalog
- The first execution of the privacy threshold analysis
- System disposal, which includes media sanitization, data destruction, and updating or archiving documentation
Correct answer: System disposal, which includes media sanitization, data destruction, and updating or archiving documentation
The system disposal sub-task of the Monitor step governs secure retirement, ensuring media are sanitized, data are destroyed appropriately, and documentation is updated or archived so residual risk is managed even as the system is removed. Control selection and the initial privacy threshold analysis occur far earlier, and naming an authorizing official is a preparatory governance action, not a disposal activity.