CAP Documentation and Authorization Artifacts

Question 1

Which document in the authorization package describes known vulnerabilities and the schedule to fix them?

Accepted Answer

Plan of Action and Milestones

Answer

System Security Plan

Answer

Security Assessment Report

Answer

Authorization Decision Letter

Question 2

What is the minimum set of documents typically included in an authorization package?

Accepted Answer

SSP, SAR, and POA&M

Answer

SSP only

Answer

SAR and POA&M only

Answer

SSP and ATO letter only

Question 3

What information is typically included in the authorization boundary diagram?

Accepted Answer

All hardware, software, and data flows within the system boundary

Answer

Employee organizational chart

Answer

Only external connections

Answer

Vendor contracts and SLAs

Question 4

A Privacy Impact Assessment (PIA) is required under which federal law before collecting or using personally identifiable information?

Accepted Answer

E-Government Act of 2002

Answer

FISMA

Answer

Privacy Act of 1974

Answer

HIPAA

Question 5

What is the purpose of a System of Records Notice (SORN)?

Accepted Answer

To publicly notify citizens about federal systems that collect and use their personal data

Answer

To document system vulnerabilities

Answer

To list authorized system users

Answer

To grant database access permissions

Question 6

Which section of the System Security Plan describes the system's purpose, architecture, and operating environment?

Accepted Answer

System Identification

Answer

Security Control Implementation

Answer

Rules of Behavior

Answer

Interconnections