CAP Continuous Monitoring and System Lifecycle

Question 1

What is the primary goal of an Information Security Continuous Monitoring (ISCM) program?

Accepted Answer

To maintain ongoing awareness of information security, vulnerabilities, and threats

Answer

ISCM maintains situational awareness of the security posture so organizations can make risk-based decisions in a timely manner.

Question 2

NIST SP 800-137 provides guidance on which topic?

Accepted Answer

Information Security Continuous Monitoring (ISCM) for federal systems

Answer

NIST SP 800-137 provides guidance for developing an ISCM strategy and program for federal information systems and organizations.

Question 3

In the context of continuous monitoring, what is a 'security metric'?

Accepted Answer

A quantifiable measure used to assess the effectiveness of security controls over time

Answer

Security metrics provide measurable data on control effectiveness, enabling organizations to track trends and make informed risk decisions.

Question 4

How does continuous monitoring support the RMF Monitor step?

Accepted Answer

It provides ongoing data to ensure controls remain effective and risks are within acceptable levels

Answer

Continuous monitoring feeds ongoing assurance to the AO that the system's security posture remains acceptable between formal re-authorizations.

Question 5

Which tool is commonly used in US federal agencies to automate continuous monitoring data collection?

Accepted Answer

Continuous Diagnostics and Mitigation (CDM) Dashboard

Answer

CISA's CDM program provides federal agencies with tools, integration services, and a dashboard to automate continuous monitoring.

CAP - Certified Accreditation Professional Practice Test