01. According to the Risk Management Framework (RMF), which role has a primary responsibility to report the security status of the information system to the authorizing official (AO) and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy?
a) Information system security officer (ISSO)
b) Common control provider
c) Independent assessor
d) Senior information assurance officer (SIAO)
02. Which authorization approach considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of the other organization?
d) Site specific
03. When should the information system owner document the information system and authorization boundary description in the security plan?
a) After security controls are implemented
b) While assembling the authorization package
c) After security categorization
d) When reviewing the security control assessment plan
04. Information developed from Federal Information Processing Standard (FIPS) 199 may be used as an input to which authorization package document?
a) Security assessment report (SAR)
b) System security plan (SSP)
c) Plan of actions and milestones (POA&M)
d) Authorization decision document
05. Why is security control volatility an important consideration in the development of a security control monitoring strategy?
a) It identifies needed security control monitoring exceptions.
b) It indicates a need for compensating controls.
c) It establishes priority for security control monitoring.
d) It provides justification for revisions to the configuration management and control plan.
06. System authorization is now used to refer to which of the following terms?
a) System security declaration
b) Certification and accreditation
c) Security test and evaluation
d) Continuous monitoring
07. Documenting the description of the system in the system security plan is the primary responsibility of which Risk Management Framework (RMF) role?
a) Authorizing official (AO)
b) Information owner
c) Information system security officer (ISSO)
d) Information system owner
08. When an authorizing official (AO) submits the security authorization decision, what responses should the information system owner (ISO) expect to receive?
a) Authorized to operate (ATO) or denial authorization to operate (DATO), the conditions for the authorization placed on the information system and owner, and the authorization termination date
b) Authorized to Operate (ATO) or Denial Authorization to Operate (DATO), the list of security controls accessed, and an system contingency plan
c) Authorized to operate (ATO) or denial authorization to operate (DATO), and the conditions for the authorization placed on the information system and owner
d) A plan of action and milestones (POA&M), the conditions for the authorization placed on the information system and owner, and the authorization termination date
09. Who determines the required level of independence for security control assessors?
a) Information system owner (ISO)
b) Information system security manager (ISSM)
c) Authorizing official (AO)
d) Information system security officer (ISSO)
10. What key information is used by the authorizing official (AO) to assist with the risk determination of an information system (IS)?
a) Security authorization package (SAP)
b) Plan of action and milestones (POA&M)
c) Security plan (SP)
d) Interconnection security agreement (ISA)