CAP Security Authorization Documentation

Question 1

What is the primary purpose of a System Security Plan (SSP)?

Accepted Answer

To describe security requirements and document controls implemented for an information system

Answer

To list all software vulnerabilities found during testing

Answer

To track remediation milestones for security weaknesses

Answer

To define the organization's overall security policy

Question 2

Which artifact in the authorization package summarizes the findings from security control testing?

Accepted Answer

Security Assessment Report (SAR)

Answer

System Security Plan (SSP)

Answer

POA&M

Answer

Authorization Decision Document

Question 3

What are the three core documents that make up a standard RMF authorization package?

Accepted Answer

SSP, SAR, and POA&M

Answer

SSP, ATO, and FIPS 199

Answer

SAR, POA&M, and ATO

Answer

FIPS 199, SSP, and SAR

Question 4

What information must a System Security Plan include about the system boundary?

Accepted Answer

A description of the authorization boundary defining which components are within scope

Answer

Only the IP addresses of networked devices

Answer

The physical location of all servers

Answer

A list of all user account names

Question 5

Which section of the SSP typically describes how the system processes, stores, or transmits federal information?

Accepted Answer

System Description / Operational Environment

Answer

Control Implementation Summary

Answer

POA&M Appendix

Answer

Authorization Decision

Question 6

What does the term 'authorization boundary' mean in the context of an SSP?

Accepted Answer

The logical or physical perimeter defining all system components under a single ATO

Answer

The network perimeter defended by a firewall

Answer

The organizational boundary between agencies

Answer

The scope of a penetration test