CAP Continuous Monitoring and System Lifecycle

Question 1

What is the primary goal of an Information Security Continuous Monitoring (ISCM) program?

Accepted Answer

To maintain ongoing awareness of information security, vulnerabilities, and threats

Answer

To replace the need for ATOs entirely

Answer

To automate all security control implementation

Answer

To reduce the number of security staff required

Question 2

NIST SP 800-137 provides guidance on which topic?

Accepted Answer

Information Security Continuous Monitoring (ISCM) for federal systems

Answer

Security categorization

Answer

Incident response

Answer

Penetration testing methodology

Question 3

In the context of continuous monitoring, what is a 'security metric'?

Accepted Answer

A quantifiable measure used to assess the effectiveness of security controls over time

Answer

A financial cost associated with a security breach

Answer

A vulnerability severity score

Answer

A user access log entry

Question 4

How does continuous monitoring support the RMF Monitor step?

Accepted Answer

It provides ongoing data to ensure controls remain effective and risks are within acceptable levels

Answer

It replaces the need for security assessments

Answer

It automatically grants ATOs without human review

Answer

It eliminates the need for a POA&M

Question 5

Which tool is commonly used in US federal agencies to automate continuous monitoring data collection?

Accepted Answer

Continuous Diagnostics and Mitigation (CDM) Dashboard

Answer

FedRAMP Portal

Answer

NIST Cybersecurity Framework Tool

Answer

OMB MAX Portal

Question 6

Under an ongoing authorization approach, how often must a full re-authorization be conducted?

Accepted Answer

When risk exceeds defined thresholds rather than on a fixed schedule

Answer

Every six months

Answer

Every year

Answer

Every five years regardless of risk