CAP CAP Security Documentation & Authorization Artifacts

Question 1

Which document serves as the primary artifact in the NIST RMF that describes the security controls implemented in an information system?

Accepted Answer

System Security Plan (SSP)

Answer

The System Security Plan (SSP) is the primary security documentation artifact that describes how an information system implements required security controls.

Question 2

What is the primary purpose of a Plan of Action and Milestones (POA&M) in the RMF process?

Accepted Answer

To track and remediate identified security weaknesses and deficiencies

Answer

A POA&M documents identified security weaknesses, the resources required to fix them, scheduled completion dates, and responsible parties for remediation.

Question 3

Who is responsible for signing and issuing an Authorization to Operate (ATO) for a federal information system?

Accepted Answer

Authorizing Official (AO)

Answer

The Authorizing Official (AO) is the senior federal official with the authority to accept residual risk and issue an ATO for an information system.

Question 4

Which RMF artifact documents the results of security control assessments performed by an independent assessor?

Accepted Answer

Security Assessment Report (SAR)

Answer

The Security Assessment Report (SAR) documents the findings and recommendations of the security control assessor after evaluating implemented controls.

Question 5

What type of authorization boundary defines the scope of an information system for RMF documentation purposes?

Accepted Answer

Authorization boundary

Answer

The authorization boundary defines all components (hardware, software, data, and users) that are included within the scope of the security authorization package.

(CAP) Certified Authorization Professional Practice Test

(CAP) Certified Authorization Professional Practice Test

CAP CAP Security Documentation & Authorization Artifacts