SFPC - Security Fundamentals Professional Risk Management Framework Questions and Answers

Question 1

An information system has been through the 'Assess' step of the Risk Management Framework (RMF). The assessment found several non-compliant security controls. What is the primary purpose of the Plan of Action and Milestones (POA&M) document created at this stage?

Accepted Answer

To track the tasks, resources, and timelines required to correct identified weaknesses.

Answer

The Plan of Action and Milestones (POA&M) is a corrective action plan used to track and manage the remediation of security weaknesses and vulnerabilities identified during a security control assessment. It details the specific tasks, necessary resources, milestones, and completion dates for addressing non-compliant controls.

Question 2

A senior management official is presented with an authorization package that includes the System Security Plan (SSP), the Security Assessment Report (SAR), and a Plan of Action and Milestones (POA&M). By signing the Authorization to Operate (ATO), what is this official formally doing?

Accepted Answer

Accepting the remaining residual risk of operating the information system.

Answer

The 'Authorize' step of the RMF culminates in a senior official, the Authorizing Official (AO), making a formal decision. By granting an Authorization to Operate (ATO), the AO is formally accepting the security and privacy risk to the organization based on the implementation of controls and the plan to address remaining weaknesses, which is known as residual risk.

Question 3

Which RMF step involves determining the potential impact on confidentiality, integrity, and availability of an information system and its data if there were a security breach?

Accepted Answer

Categorize

Answer

The 'Categorize' step is the part of the RMF where the system and the information it processes are evaluated based on the potential impact of a loss of confidentiality, integrity, and availability. This categorization (e.g., as Low, Moderate, or High impact) informs the selection of appropriate security controls in the next step.

Question 4

A system owner is preparing the key documentation for a new information system undergoing the RMF process. Which document provides a detailed overview of the security requirements and describes the specific controls in place or planned to meet those requirements?

Accepted Answer

System Security Plan (SSP)

Answer

The System Security Plan (SSP) is the formal document that provides a comprehensive overview of a system's security requirements and details the security controls implemented or planned to meet them. It is a foundational document in the authorization package.

Question 5

During which step of the Risk Management Framework are security controls actually installed, configured, and integrated into the information system?

Accepted Answer

Implement

Answer

The 'Implement' step is the phase of the RMF where the security controls selected in the previous step are put into practice. This involves the practical application and configuration of technical safeguards and the establishment of non-technical processes.

SFPC - Security Fundamentals Professional Certification Practice Test

SFPC - Security Fundamentals Professional Certification Practice Test

SFPC - Security Fundamentals Professional Risk Management Framework Questions and Answers