CAP Security Authorization Documentation

Question 1

What is the primary purpose of a System Security Plan (SSP)?

Accepted Answer

To describe security requirements and document controls implemented for an information system

Answer

The SSP is the central document describing system characteristics, the security environment, and how controls are implemented.

Question 2

Which artifact in the authorization package summarizes the findings from security control testing?

Accepted Answer

Security Assessment Report (SAR)

Answer

The SAR documents the results of the security assessment, including findings, evidence, and recommendations.

Question 3

What are the three core documents that make up a standard RMF authorization package?

Accepted Answer

SSP, SAR, and POA&M

Answer

The authorization package submitted to the AO consists of the System Security Plan, Security Assessment Report, and Plan of Action and Milestones.

Question 4

What information must a System Security Plan include about the system boundary?

Accepted Answer

A description of the authorization boundary defining which components are within scope

Answer

The SSP must clearly define the authorization boundary to establish what hardware, software, and services are in scope for the assessment.

Question 5

Which section of the SSP typically describes how the system processes, stores, or transmits federal information?

Accepted Answer

System Description / Operational Environment

Answer

The system description section explains the system's purpose, data flows, and operational context including what information it handles.

CAP - Certified Accreditation Professional Practice Test