SFPC - Security Fundamentals Professional Risk Management Framework Questions and Answers

Question 1

An information system has been through the 'Assess' step of the Risk Management Framework (RMF).
The assessment found several non-compliant security controls.
What is the primary purpose of the Plan of Action and Milestones (POA&M) document created at this stage?

Accepted Answer

To track the tasks, resources, and timelines required to correct identified weaknesses.

Answer

To serve as the formal authorization decision for the system to operate.

Answer

To provide a detailed technical description of the system's architecture and boundaries.

Answer

To document the system's information categorization and impact levels.

Question 2

A senior management official is presented with an authorization package that includes the System Security Plan (SSP), the Security Assessment Report (SAR), and a Plan of Action and Milestones (POA&M). By signing the Authorization to Operate (ATO), what is this official formally doing?

Accepted Answer

Accepting the remaining residual risk of operating the information system.

Answer

Certifying that all security controls have been implemented perfectly.

Answer

Approving the budget for the next three years of security operations.

Answer

Confirming that all items in the POA&M have been fully remediated.

Question 3

Which RMF step involves determining the potential impact on confidentiality, integrity, and availability of an information system and its data if there were a security breach?

Accepted Answer

Categorize

Answer

Select

Answer

Assess

Answer

Monitor

Question 4

A system owner is preparing the key documentation for a new information system undergoing the RMF process. Which document provides a detailed overview of the security requirements and describes the specific controls in place or planned to meet those requirements?

Accepted Answer

System Security Plan (SSP)

Answer

Plan of Action and Milestones (POA&M)

Answer

Security Assessment Report (SAR)

Answer

Authorization to Operate (ATO)

Question 5

During which step of the Risk Management Framework are security controls actually installed, configured, and integrated into the information system?

Accepted Answer

Implement

Answer

Select

Answer

Assess

Answer

Authorize

Question 6

Which of the following activities is the primary focus of the 'Monitor' step in the Risk Management Framework?

Accepted Answer

Continuously tracking changes to the system and assessing control effectiveness over time.

Answer

Performing the initial authorization of the system.

Answer

Selecting the initial baseline of security controls.

Answer

Developing the initial System Security Plan (SSP).