Sample Questions and Answers
Which document includes implementation details and responsible parties for each control?
A. ATO
B. SAR
C. SSP
D. SIA
Answer: C. SSP
Explanation: The SSP provides detailed implementation info for each control.
Which assessment method includes verifying control functionality through execution?
A. Testing
B. Interview
C. Analysis
D. Examination
Answer: A. Testing
Explanation: Testing confirms control effectiveness through active execution or simulation.
What is the role of a control assessor?
A. Authorize the system
B. Monitor user access
C. Evaluate control implementation and effectiveness
D. Define encryption protocols
Answer: C. Evaluate control implementation and effectiveness
Explanation: The assessor conducts independent reviews to determine control adequacy.
Which publication defines security categorizations based on potential impact?
A. SP 800-53
B. FIPS 199
C. SP 800-60
D. SP 800-30
Answer: B. FIPS 199
Explanation: FIPS 199 sets the foundation for categorizing systems based on confidentiality, integrity, and availability impact levels.
A Security Authorization Package includes which of the following?
A. Privacy impact assessments
B. SSP, SAR, and POA&M
C. Continuous Monitoring Plan
D. Encryption algorithm details
Answer: B. SSP, SAR, and POA&M
Explanation: These core documents provide the AO with necessary information for authorization.
During the Select step, controls are:
A. Tested
B. Authorized
C. Identified and tailored
D. Monitored
Answer: C. Identified and tailored
Explanation: Controls are chosen and adjusted based on system categorization and environment.
An ATO signifies that:
A. Controls are perfect
B. The system is risk-free
C. The AO accepts the system’s residual risk
D. All controls are common controls
Answer: C. The AO accepts the system’s residual risk
Explanation: ATOs indicate the AO has reviewed the risk and approves operation.
What is the key input into developing a continuous monitoring strategy?
A. SSP
B. Risk tolerance and organizational priorities
C. Employee access lists
D. POA&M
Answer: B. Risk tolerance and organizational priorities
Explanation: These factors drive decisions about monitoring scope and frequency.
What is the purpose of system categorization?
A. Determine training needs
B. Define technical architecture
C. Establish impact levels that guide control selection
D. Plan for future upgrades
Answer: C. Establish impact levels that guide control selection
Explanation: Categorization ensures controls align with potential impact to the organization.
Which of the following best defines a control assessment finding?
A. A policy document
B. A fully implemented control
C. A discovered weakness or deficiency
D. An encryption algorithm
Answer: C. A discovered weakness or deficiency
Explanation: Findings identify areas where controls are ineffective or absent.
The Plan of Action and Milestones (POA&M) is used to:
A. Track funding approvals
B. Document system architecture
C. Outline plans to correct deficiencies
D. Record completed authorizations
Answer: C. Outline plans to correct deficiencies
Explanation: The POA&M records known issues and planned mitigation steps.
Continuous monitoring should be tailored to:
A. System platform
B. Budget size
C. Risk posture and control volatility
D. Employee preferences
Answer: C. Risk posture and control volatility
Explanation: Monitoring frequency and depth should reflect system risk and control stability.
Who is responsible for maintaining the SSP?
A. System Owner
B. AO
C. Risk Executive
D. User
Answer: A. System Owner
Explanation: The system owner ensures the SSP stays up to date.
What type of control is antivirus software?
A. Preventive
B. Corrective
C. Detective
D. Physical
Answer: C. Detective
Explanation: Antivirus tools detect and alert on malicious activity.
What best describes the purpose of NIST SP 800-37?
A. Guide control assessment
B. Define encryption standards
C. Provide RMF implementation guidance
D. Establish categorization
Answer: C. Provide RMF implementation guidance
Explanation: SP 800-37 outlines each step in the Risk Management Framework.
What RMF step evaluates the effectiveness of the security controls?
A. Select
B. Assess
C. Monitor
D. Categorize
Answer: B. Assess
Explanation: In this step, controls are evaluated to ensure they’re implemented correctly and operating as intended.