CSC - Cybersecurity Compliance NIST Risk Management Framework Questions and Answers

Question 1

A federal agency is deploying a new information system that will process, store, and transmit personally identifiable information (PII). According to the NIST Risk Management Framework (RMF), which of the following steps must be completed FIRST to determine the necessary level of security controls?

Accepted Answer

Categorize the information system based on impact.

Answer

The NIST RMF is a sequential process. The 'Categorize' step (Step 2) is critical and must be performed early in the lifecycle. This step involves assessing the potential adverse impact on the organization's assets and operations, individuals, other organizations, and the Nation if the information and the information system were to be compromised (i.e., a loss of confidentiality, integrity, or availability). The result of the categorization determines the selection of baseline security controls in the next step.

Question 2

Which step of the NIST Risk Management Framework (RMF) involves a formal, risk-based decision by a senior official to permit the operation of an information system?

Accepted Answer

Authorize

Answer

The 'Authorize' step (Step 6) is the point at which a senior official, the Authorizing Official (AO), makes a formal, risk-based decision on whether to permit the operation of an information system. This decision is based on the review of an authorization package, which includes the system security plan, security assessment report, and plan of action and milestones (POA&M).

Question 3

A financial institution is implementing the NIST RMF. During the 'Select' step, the security team identifies a set of controls that are applicable to multiple information systems across the enterprise. What is the correct term for these types of controls?

Accepted Answer

Common controls

Answer

In the 'Select' step of the RMF, controls that can be inherited by one or more organizational systems are designated as 'common controls'. These are controls that are managed and implemented by a central entity and can be leveraged by multiple systems, reducing redundant effort and ensuring consistency.

Question 4

As part of the ongoing maintenance of a system's security posture under the NIST RMF, an organization continuously tracks changes, conducts ongoing security assessments, and reports on the security state of the system. Which RMF step are these activities most characteristic of?

Accepted Answer

Monitor

Answer

The 'Monitor' step (Step 7) involves continuously monitoring the security controls in the information system and its environment of operation to determine if the controls are effective in their application. These activities, such as ongoing assessments and reporting, provide the organization with an up-to-date understanding of its security and privacy posture to manage risk in near real-time.

Question 5

Which of the following best describes the primary purpose of the 'Prepare' step in the NIST Risk Management Framework (RMF)?

Accepted Answer

To establish the context and foundation for managing security and privacy risk at both the organization and system levels.

Answer

The 'Prepare' step (Step 1) is foundational and focuses on activities at both the organization and system levels to ensure that the organization is ready to manage its security and privacy risks. This includes establishing a risk management strategy, identifying key roles, determining risk tolerance, and identifying common controls.

(CSC) Cybersecurity Compliance Certification Practice Test

(CSC) Cybersecurity Compliance Certification Practice Test

CSC - Cybersecurity Compliance NIST Risk Management Framework Questions and Answers