CAP Review Questions


33. When an authorizing official (AO) submits the security authorization decision, what responses should the information system owner (ISO) expect to receive? A. Authorized to operate (ATO) or denial authorization to operate (DATO), the conditions for the authorization placed on the information system and owner, and the authorization termination date B. Authorized to Operate (ATO) or Denial Authorization to Operate (DATO), the list of security controls accessed, and a system contingency plan C. Authorized to operate (ATO) or denial authorization to operate (DATO), and the conditions for the authorization placed on the information system and owner D. A plan of action and milestones (POA&M), the conditions for the authorization placed on the information system and owner, and the authorization termination date

A. Authorized to operate (ATO) or denial authorization to operate (DATO), the conditions for the authorization placed on the information system and owner, and the authorization termination date. The original security authorization package that contains supporting documentation has been presented to the authorizing official (AO). The AO will make a decision based on the system security posture, operational need, and its functionality. See CAP® CBK® Chapter 6 Information System Authorization, NIST Guidance on Authorization of Information Systems, Task 5-4: Perform Risk Assessment; NIST SP 800-37, Revision 1, Step 5—Authorize Information System, Task 5-4: Risk Acceptance.

40. Which of the following are phases of the National Institute of Standards and Technology (NIST) Risk Management Framework? A. Categorize, select, implement, authorize B. Assess, certify, accredit, manage C. Prepare, execute, authorize, monitor D. Assess, mitigate, authorize, monitor

A. Categorize, select, implement, authorize The six steps of the RMF are categorize, select, implement, assess, authorize, and monitor. See CAP® CBK® Chapter 1 Authorization of Information Systems. NIST SP 800-37, Revision 1, NIST's Risk Management Framework (RMF); NIST SP-800-37, Revision 1, Chapter 2—The Fundamentals, 2.1 Integrated Organization-Wide Risk Assessment.

24. Which role has the supporting responsibility to coordinate changes to the system, assess the security impact and update the system security plan? A. Information system security officer (ISSO) B. Information system owner (ISO) C. Common control provider D. Senior agency information security officer

A. Information system security officer (ISSO) Per NIST SP 800-37, Revision 1, Appendix D Roles and Responsibilities, D.10, the Information System Security Officer is the only role listed that has a supporting responsibility in each of the activities in question, and NIST Chapter 3—The Process—elaborates on the RMF tasks, primary responsibility, and supporting roles. Coordination of changes to the system is an activity in RMF Task 6-1: Information System and Environment Changes. Assessment of security impact is an activity in RMF Task 6-2: Ongoing Security Control Changes. Updates to the security plan are an activity in RMF Task 6-4: Key Updates.

3. Which authorization approach considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of the other organization? A. Leveraged B. Single C. Joint D. Site specific

A. Leveraged With this approach, the leveraging organization considers risk factors such as the time elapsed since the authorization results were originally produced; the current environment of operation (if different from the environment of operation reflected in the authorization package); the criticality/sensitivity of the information to be processed, stored, or transmitted (if different from the state of the original authorization); as well as the overall risk tolerance of the leveraging organization (in the event that the risk tolerance posture has changed over time). See NIST SP 800-37, Revision 1, Appendix F.9 Authorization Approaches.

29. In the case of a complex information system, where a "leveraged authorization" that involves two agencies will be conducted, what is the minimum number of system boundaries/accreditation boundaries that can exist? A. Only one. B. Only two, because there are two agencies. C. At least two. D. A leveraged authorization cannot be conducted with more than one agency involved.

A. Only one. Security authorizations are issued for single information systems; however, an existing information system may be leveraged by another agency provided that a review of the system security plan of the owning agency by the leveraging agency determines that adequate security and an interagency agreement are in place. See CAP® CBK® Chapter 1 Security Authorization of Information Systems, NIST SP 800-37, Revision 1, Guidance on System Boundary Definition; NIST SP 800-37, Revision 1, paragraphs 2.3.2 Boundaries for Complex Information Systems, 2.3.3 Changing Technologies and the Effect of Information System Boundaries, External Subsystems, and Appendix I Security Controls in External Environments.

32. What key information is used by the authorizing official (AO) to assist with the risk determination of an information system (IS)? A. Security authorization package (SAP) B. Plan of action and milestones (POA&M) C. Security plan (SP) D. Interconnection security agreement (ISA)

A. Security authorization package (SAP) A security authorization package (SAP) contains the security plan, security assessment report, and the plan of action and milestones. The information in these key documents is used by authorizing officials to make risk-based authorization decisions. See CAP® CBK® Chapter 5 Assessment of Security Controls, NIST Guidance on Assessment of Security Control Effectiveness, Task 4-3: Prepare Security Assessment Report; NIST SP 800-37, Revision 1, Step 5—Authorize Information System, Task 5-3: Risk Determination.

18. An information system is currently in the initiation phase of the system development life cycle (SDLC) and has been categorized high impact. The information system owner wants to inherit common controls provided by another organizational information system that is categorized moderate impact. How does the information system owner ensure that the common controls will provide adequate protection for the information system? A. Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system. B. Ask the common control provider for the system security plan for the common controls. C. Consult with the information system security engineer and the information security architect. D. Perform rigorous testing of the common controls to determine if they provide adequate protection.

A. Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system. NIST SP 800-37, Revision 1, RMF Step 2—Select Security Controls, Task 2-1 Common Control Identification, explicitly states each of the three activities associated with inheriting common controls, including "Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system." The other answers do not ensure that the common controls will provide appropriate protection for a high-impact information system. See also CAP® CBK® Chapter 3, Task 2-1: Identify Common Controls.

38. During an annual assessment, numerous high-risk findings are discovered on a critical organizational system. The system's Federal Information Processing Standard (FIPS) 199 rating is "high" integrity, "high" confidentiality, and "low" availability. The organization has a very low risk tolerance. What is the best decision that should be made in this situation? A. The authorizing official should deny operation of the system until risk is reduced to an acceptable level. B. The information system owner should resolve issues as quickly as possible while keeping the system up. C. The security control assessor should implement immediate compensating controls. D. The chief information security officer should scope and tailor the weak controls to ensure proper function.

A. The authorizing official should deny operation of the system until risk is reduced to an acceptable level. Given the FIPS 199 categorization, the best approach is to shut down the system and resolve the weaknesses. Informed risk-based decisions during continuous monitoring must be made by the authorizing official in coordination with the risk executive function. Given the high impact, the system should not be kept in operation by the information system owner (answer B), as this forces the organization to continue to accept risk. The security control assessor should not implement any changes to the system (answer C), as this would call their independence into question. The chief information security officer (CISO) is not responsible for resolving control issues (answer D), since that is the responsibility of the system owner. See NIST SP 800-37, Revision 1, Appendix D Roles and Responsibilities, D.6 Authorizing Official; CAP® CBK® Chapter 6 Information System Authorization, System Authorization Decision Making, the Authorization Letter. A special case of a denial of authorization to operate is an authorization rescission. Authorizing officials can rescind a previous authorization decision at any time if there is a specific violation of (1) federal/organizational security policies, directives, regulations, standards, guidance, or practices; or (2) the terms and conditions of the original authorization. For example, failure to maintain an effective continuous monitoring program may be grounds for rescinding an authorization decision. Authorizing officials consult with the risk executive (function) and the senior information security officer before rescinding security authorizations.

25. Who is primarily responsible for the development of system-specific procedures? A. The system owner B. The information systems security officer (ISSO) C. The system architect D. The system administrator

A. The system owner The system owner is normally the official responsible for developing and approving system-specific procedures. This is because system owners have the most knowledge of the system and know what procedures are needed and what they need to address. See CAP® CBK® Chapter 4, The Problem with Procedures.

31. System authorization is now used to refer to which of the following terms? A. System security declaration B. Certification and accreditation C. Security test and evaluation D. Continuous monitoring

B. Certification and accreditation NIST SP 800-37, Revision 1, substitutes use of the term certification and accreditation with security authorization. Answer A is a distracter. Answer C relates to another term changed by NIST SP 800-37, Revision 1 (this term was replaced by security controls assessment). Answer D is a distracter as it relates to Step 6 of the Risk Management Framework. See CAP® CBK® Chapter 1 Security Authorization of Information Systems, Introduction, Defining System Authorization, and Chapter 9 The Future of Information System Authorization.

37. According to the Risk Management Framework (RMF), which role has a primary responsibility to report the security status of the information system to the authorizing official (AO) and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy? A. Information system security officer (ISSO) B. Common control provider C. Independent assessor D. Senior information assurance officer (SIAO)

B. Common control provider NIST SP 800-37, Revision 1, Risk Management Framework (RMF) Task 6-5 states that the information system owner and the common control provider have the primary responsibility to report the security status of an information system to the authorizing official (AO). See also CAP® CBK® Chapter 7 Security Controls Monitoring, NIST Guidance on Ongoing Monitoring of Security Controls, Task 6-5: Report Security Status.

13. The registration of the system directly follows which Risk Management Framework (RMF) task? A. Categorize the system B. Describe the system C. Review and approve the system security plan D. Select security controls

B. Describe the system Refer to NIST SP 800-37, Revision 1, Step 1 (Categorize the Information System), Task 1-3 (Information System Registration), which describes the system registration process. See also CAP® CBK® Chapter 1, Task 3-1: Register the Information System.

8. Which of the following specifies security requirements for federal information and information systems in 17 security-related areas that represent a broad-based, balanced information security program? A. Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems B. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems C. Committee on National Security Systems (CNSS) Instruction No. 1253, Security Categorization and Control Selection for National Security Systems D. Section 3541 Title 44 U.S.C. Federal Information Security Management Act of 2002

B. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems FIPS 200 Minimum Security Requirements for Federal Information and Information Systems specifies minimum security requirements for federal information and information systems in 17 security-related areas that represent a broad-based, balanced information security program. The other selections do not reference those 17 security-related areas (now 18 in SP 800-53, Revision 4). See also CAP® CBK® Chapter 3, Minimum Security Baselines, and Selecting Baseline Controls.

20. A large organization has a documented information security policy that has been reviewed and approved by senior officials and is readily available to all organizational staff. This information security policy explicitly addresses each of the 17 control families in NIST SP 800-53, Revision 3 (4). Some system owners also established procedures for the technical class of security controls on certain of their systems. In their respective system security plans, control AC-1 Access Control Policy and Procedures (a technical class security control) must be identified as what type of control? A. Fully inheritable B. Hybrid C. System specific D. Inherited

B. Hybrid NIST SP 800-53, Revision 3, 2.3 Common Controls, states: "Organizations assign a hybrid status to a security control when one part of the control is deemed to be common and another part of the control is deemed to be system-specific. For example, an organization may implement the Incident Response Policy and Procedures security control (IR-1) as a hybrid control with the policy portion of the control deemed to be common and the procedures portion of the control deemed to be system-specific." Note that all NIST SP 800-53 XX-1 controls specify the requirements for a formal policy as well as formal procedures.

5. In what phases of the Risk Management Framework (RMF) and system development life cycle (SDLC), respectively, does documentation of control implementation start? A. Categorization and initiation B. Implement security controls and development/acquisition C. Authorization and operations/maintenance D. Monitor and sunset

B. Implement security controls and development/acquisition Security control documentation that describes how system-specific, hybrid, and common controls are implemented is part of RMF Step 3—implement security controls and of the SDLC development/acquisition and implementation phases. The documentation formalizes plans and expectations regarding the overall functionality of the information system. The functional description of the security control implementation includes planned inputs, expected behavior, and expected outputs where appropriate, typically for those technical controls that are employed in the hardware, software, or firmware components of the information system. See CAP® CBK® Chapter 4, Application of Security Controls, Task 3-1: Implement Security Controls; NIST SP 800-37, Revision 1, Step 3, Task 3-1: Security Control Implementation.

26. An initial remediation action was taken by the information system owner (ISO) based on findings from the security assessment report (SAR). What is the next appropriate step based on the Risk Management Framework (RMF)? A. ISO documents the remedial action in the security plan. B. Include the remediation action taken by information system owner as an addendum to the SAR. C. Information system security officer (ISSO) documents the remediation action and informs the ISO. D. Remedial action taken is sent for review to the ISSO.

B. Include the remediation action taken by information system owner as an addendum to the SAR. According to Supplemental Guidance to Risk Management Framework Step 4—Assess Security Controls, Task 4-4 Remedial Actions, "Organizations can prepare an optional addendum to the SAR that is transmitted to the authorizing official. The optional addendum provides ISO and common control providers an opportunity to respond to the initial findings of assessors. The addendum may include, for example, information regarding initial remediation actions taken by the ISO or common control providers in response to assessor findings, or provide an owner's perspective on the findings (e.g., including additional explanatory material, rebutting certain findings, and correcting the record). The addendum to the SAR does not change or influence, in any manner, the initial assessor findings provided in the original report. Information provided in the addendum is considered by authorizing officials in their risk-based authorization decisions." Also see CAP® CBK® Chapter 5, Task 4-4: Conduct Remediation Action.

1. During which Risk Management Framework (RMF) step is the system security plan initially approved? A. RMF Step 1 Categorize Information System B. RMF Step 2 Select Security Controls C. RMF Step 3 Implement Security Controls D. RMF Step 5 Authorize Information System

B. RMF Step 2 Select Security Controls The system security plan is first approved by the authorizing official or AO designated representative during execution of RMF Step 2, Task 2-4, Security Plan Approval. See: CAP® CBK® Chapter 2, Task 2-4: Approval Security Plan; NIST SP 800-37, Revision 1, RMF Step 2, Task 2-4: Security Plan Approval.

34. What should the system owner use to prioritize mitigation actions when developing the plan of action and milestones (POA&M)? A. Budget constraints B. Risk assessment results C. Continuous monitoring strategy D. Recommendations of the information owners

B. Risk assessment results The prioritization of POA&M items is guided by the risk assessment results. While budget constraints (answer A) may factor into overall decisions, they should not be the primary prioritization as no consideration of impact is given. A continuous monitoring strategy (answer C) is important but is not the correct method to prioritize POA&M items as it focuses only on operations and maintenance. Information owners may be biased in which areas of a system or weaknesses may relate to their information (answer D) and therefore should not be involved in POA&M prioritization.

15. Information developed from Federal Information Processing Standard (FIPS) 199 may be used as an input to which authorization package document? A. Security assessment report (SAR) B. System security plan (SSP) C. Plan of actions and milestones (POA&M) D. Authorization decision document

B. System security plan (SSP) NIST SP 800-37, Revision 1, RMF Step 1, Task 1-1 (Categorize Information System) uses the results of a FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) analysis as input to the system security plan. The POA&M (answer C) includes the corrective actions planned for remediation of a weakness discovered during assessment, and the SAR (answer A) includes the assessment results and recommendations for correcting weaknesses discovered during assessment, while the authorization decision document (answer D) is the decision made by the authorizing official to the information system owner to allow or disallow the information system to operate. See also CAP® CBK® Chapter 2, Task 1-1: Categorize and Document the Information System.

19. An effective security control monitoring strategy for an information system includes A. monitoring the security controls of interconnecting information systems outside the authorization boundary. B. active involvement by authorizing officials in the ongoing management of information system-related security risks. C. the annual assessment of all security controls in the information system. D. all controls listed in NIST SP 800-53, Revision 3.

B. active involvement by authorizing officials in the ongoing management of information system-related security risks. NIST SP 800-37, Revision 1, explicitly states (Appendix G, Monitoring Strategy): "An effective organization-wide continuous monitoring program includes: (1) configuration management and control processes for organizational information systems; (2) security impact analyses on proposed or actual changes to organizational information systems and environments of operation; (3) assessment of selected security controls (including system-specific, hybrid, and common controls) based on the organization-defined continuous monitoring strategy; (4) security status reporting to appropriate organizational officials; and (5) active involvement by authorizing officials in the ongoing management of information system-related security risks."

35. According to NIST SP 800-39, when an organization responds to risk by eliminating the activities or technologies that are the basis for the risk, that organization is A. accepting the risk. B. avoiding the risk. C. transferring the risk. D. mitigating the risk.

B. avoiding the risk. See NIST SP 800-39, Managing Information Security Risk, Chapter 3—The Process, Step 3 Risk Response, Task 3-1: Risk Response Identification, Responding to Risk; CAP® CBK® Chapter 4 Application of Security Controls, Remediation Planning, Managing Risk.

14. When should the information system owner document the information system and authorization boundary description in the security plan? A. After security controls are implemented B. While assembling the authorization package C. After security categorization D. When reviewing the security control assessment plan

C. After security categorization During RMF Step 1, Task 1-2 (Information System Description) and CAP® CBK® Chapter 2, Task 1-2, the information system owner should describe the information system (including system boundary) and document the description in the security plan, including attachments to the plan, or references to other standard sources for information generated as part of the system development life cycle. The information system description and authorization boundary are prerequisites to security control implementation (answer A), to review of the security control assessment plan (answer D), and to the start of system authorization tasks (answer B).

30. Who determines the required level of independence for security control assessors? A. Information system owner (ISO) B. Information system security manager (ISSM) C. Authorizing official (AO) D. Information system security officer (ISSO)

C. Authorizing official (AO) The authorizing official, or designated representative, determines the required level of independence for security control assessors based on the results of the security categorization process for the information system and the ultimate risk to organizational operations and assets, individuals, other organizations, and the nation. The authorizing official determines if the level of assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a risk-based decision on whether to place the information system into operation or continue its operation. See CAP® CBK® Chapter 5 Assessment of Security Controls, NIST Guidance on Assessment of Security Control Effectiveness, Task 4-1: Prepare for Controls Assessment, and Task 4-2: Assess Security Controls; NIST SP 800-37, Revision 1, Supplemental Guidance to Step 4 Assess Security Controls, Task 4-1 Assessment Preparation.

10. When an authorization to operate (ATO) is issued, which of the following roles authoritatively accepts residual risk on behalf of the organization? A. Information owner B. Chief information security officer (CISO) C. Authorizing official (AO) D. AO or the AO's designated representative (DR)

C. Authorizing official (AO) The explicit acceptance of risk is the responsibility of the authorizing official and cannot be delegated to other officials within the organization. The authorizing official considers many factors when deciding if the risk to organizational operations (including mission, function, image, or reputation), organizational assets, individuals, other organizations, and the nation, is acceptable. Balancing security considerations with mission and operational needs is paramount to achieving an acceptable authorization decision. The authorizing official issues an authorization decision for the information system and the common controls inherited by the system after reviewing all of the relevant information and, if appropriate, consulting with other organizational officials, including the organization's risk executive (function). Also see the CAP® CBK® Chapter 6, Authorizing Decisions.

23. The initial security plan for a new application has been approved. What is the next activity in the Risk Management Framework (RMF)? A. Develop a strategy for the continuous monitoring of security control effectiveness. B. Assemble the security authorization package. C. Implement the security controls specified in the security plan. D. Assess a selected subset of the security controls inherited by the information system.

C. Implement the security controls specified in the security plan. Reviewing and approving the security plan is Task 2-4 in Step 2 of the Risk Management Framework. The next task is RMF Step 3, Task 3-1: Implement the security controls specified in the security plan.

28. Prior to completion of the security assessment report (SAR), what type of analysis is performed when agile, iterative development is used? A. Regression analysis B. Interim assessment C. Incremental assessment D. Executive assessment

C. Incremental assessment An incremental assessment is appropriate when iterative development processes such as agile development are employed. This typically results in an iterative assessment as each cycle is conducted. Even when iterative development is not employed, organizations may choose to begin assessing security controls prior to the complete implementation of all security controls listed in the security plan. This type of incremental assessment is appropriate if it is more efficient or cost effective to do so. See CAP® CBK® Task 4-2: Assess Security Controls; see also Supplemental Guidance to NIST SP 800-37, Revision 1, Step 4 Assess Security Controls, Task 4-2: Security Control Assessment. (CAP® CBK®, ISC2): Iterative development (e.g., agile development) typically includes iterative assessment with each cycle. Assessment of security controls in commercial off-the-shelf (COTS) information technology products used with a system may also be conducted iteratively.

2. Which organizational official is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system? A. Information system security engineer (ISSE) B. Chief information officer (CIO) C. Information system owner (ISO) D. Information security architect

C. Information system owner (ISO) According to National Institute of Standards and Technology Special Publication (NIST SP) 800-37, Revision 1, Appendix D.9 Information System Owner, the information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system. The information system owner serves as the focal point for the information system. In that capacity, the information system owner (ISO) serves both as an owner and as the central point of contact between the authorization process and the owners of components of the system. See also CAP® CBK® Chapter 1, System Authorization Roles and Responsibilities, Primary Roles and Responsibilities.

17. Why is security control volatility an important consideration in the development of a security control monitoring strategy? A. It identifies needed security control monitoring exceptions. B. It indicates a need for compensating controls. C. It establishes priority for security control monitoring. D. It provides justification for revisions to the configuration management and control plan.

C. It establishes priority for security control monitoring. According to NIST SP 800-37, Revision 1, Appendix G.2 Selection of Security Controls for Monitoring: "Priority for security control monitoring is given to the controls that have the greatest volatility and the controls that have been identified in the organization's plan of action and milestones." Also see the CAP® CBK® Chapter 3 Establishment of the Security Control Baseline/NIST Guidance on Security Controls Selection, Task 2-3: Develop Monitoring Strategy.

39. Which National Institute of Standards and Technology Special Publication (NIST SP) 800 series document is concerned with continuous monitoring for federal information systems and organizations? A. SP 800-26 B. SP 800-64 C. SP 800-137 D. SP 800-144

C. SP 800-137 NIST SP 800-137, published September 2011, is titled "Continuous Monitoring for Federal Information Systems and Organizations." See also CAP® CBK® Chapter 7 Security Controls Monitoring, NIST Guidance on Ongoing Monitoring of Security Controls, Task 6-7 Information System Removal and Decommissioning.

21. When determining the applicability of a specific security control, the security professional should utilize which type of guidance? A. Categorization guidance B. Selection guidance C. Scoping guidance D. Remediation guidance

C. Scoping guidance References: NIST SP 800-18, Section 2.5.1 "Scoping guidance provides an agency with specific terms and conditions on the applicability and implementation of individual security controls in the security control baselines defined in NIST SP 800-53"; NIST SP 800-37, Revision 1, RMF Step 2—Select Security Controls, Task 2-2 Security Control Selection, Supplemental Guidance; NIST SP 800-53, Revision 3, 3.3 Selecting Security Controls, "Tailoring the Baseline Security Controls"; CAP® CBK® Chapter 3 Establishment of the Security Control Baseline/NIST Guidance on Security Controls Selection, Task 2-2: Select Security Controls.

9. After a monthly change control board meeting at which the team determined the security impact of proposed changes to an application, what would be the team's next action? A. Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken. B. Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment. C. Update the security plan, security assessment report, and plan of action and milestones based on the results of the change control board's security impact analysis. D. Assess a selected subset of the security controls employed within and inherited by the application in accordance with the organization-defined monitoring strategy.

C. Update the security plan, security assessment report, and plan of action and milestones based on the results of the change control board's security impact analysis. This question refers to NIST SP 800-37, Revision 1, RMF Task 6-1: Information System and Environment Changes, so the correct answer is C. Answer D refers to RMF Task 6-2. Answer A refers to RMF Task 5-1. Answer B refers to RMF Task 4-3. See CAP® CBK® Chapter 7, Task 6-1: Analyze Impact of Information System and Environment Changes.

6. The tiers of the National Institute of Standards and Technology (NIST) risk management framework are A. operational, management, system. B. confidentiality, integrity, availability. C. organization, mission/business process, information system. D. prevention, detection, recovery.

C. organization, mission/business process, information system. According to NIST SP 800-39, 2.2 Multitiered Risk Management, the three tiers of the RMF are organization, mission/business process, and information systems. Answer A ("operational, management, system") is a distracter. Answer B ("confidentiality, integrity, availability") refers to security impacts of information and systems determined during categorization. Answer D relates to a common typology for security controls. See also CAP® CBK® Chapter 1, Fundamentals of Information Systems Risk Management, Guidance on Organization-Wide Risk Management.

7. National Institute of Standards and Technology (NIST) guidance classifies security controls as A. production, development, and test. B. people, process, and technology. C. system-specific, common and hybrid. D. technical, administrative, and program.

C. system-specific, common and hybrid. According to NIST SP 800-37, Revision 1, Chapter Two—The Fundamentals, 2.4 Security Control Allocation, security control allocation classifies controls as system-specific controls, common controls, or hybrid controls with qualities of each. Answer A relates to operating environments. Answer B is a common taxonomy for security components. Answer D is a common taxonomy for types of security controls but is not used in NIST guidance. See also CAP® CBK® Chapter 1, Fundamentals of Information Systems Risk Management.

11. When attempting to categorize a system, which two Risk Management Framework (RMF) starting point inputs should be accounted for? A. Federal laws and organizational policies B. Federal laws and Office of Management and Budget (OMB) policies C. Federal Information Security Management Act (FISMA) and the Privacy Act D. Architectural descriptions and organizational inputs

D. Architectural descriptions and organizational inputs Architectural descriptions and organizational inputs are critical inputs to the system categorization process, as depicted in NIST SP 800-37, Revision 1, RMF Figure 2-2, and in NIST SP 800-53, Revision 3, Section 3.1, Figure 3.1. See also CAP® CBK® Chapter 1, Task 1-2: Describe the Information System.

22. When making a determination regarding the adequacy of the implementation of inherited controls for their respective systems, an information system owner (ISO) can refer to the authorization package prepared by which of the following? A. Information owner/steward (IO) B. Information system security engineer (ISSE) C. Information systems security officer (ISSO) D. Common control provider (CCP)

D. Common control provider (CCP) The common control provider is responsible for the planning, development, implementation, assessment, authorization, and maintenance of common security controls inherited by other information systems. The common control provider is responsible for documenting those common controls in a system security plan. Information owners, ISSEs, ISSOs, and other security roles are not responsible for preparing authorization packages. Refer to CAP® CBK® Chapter 4, Task 3-1: Implement Security Controls; NIST SP 800-37, Revision 1, Step 3, Task 3-1: Security Control Implementation.

12. Documenting the description of the system in the system security plan is the primary responsibility of which Risk Management Framework (RMF) role? A. Authorizing official (AO) B. Information owner C. Information system security officer (ISSO) D. Information system owner

D. Information system owner NIST SP 800-37, Revision 1, Appendix D.9 Information System Owner, and CAP® CBK® Chapter 1, Primary Roles and Responsibilities, both describe the information system owner as the role with the primary responsibility of documenting the description of the system in the system security plan.

16. An organization's information systems are a mix of Windows and UNIX systems located in a single computer room. Access to the computer room is restricted by the use of door locks that require proximity cards and personal identification numbers (PINs). Only a small percentage of the organization's employees have access to the computer room. The computer room access restriction is an example of what type of security control relative to the hardware in the computer room? A. Managerial B. System specific C. Technical D. Inherited

D. Inherited The computer room access restriction is a physical security control by itself, but it is a control inherited by all information systems located in the computer room that are protected by it. See: NIST SP 800-53, Revision 3, 2.3 Common Controls, Appendix G, PM-1 Supplemental Guidance; CAP® CBK® Chapter 1, Guidance on Security Control Allocation.

27. Which of the following control families belongs to the management class of security controls? A. Media protection B. Configuration management C. Access control D. Risk assessment

D. Risk assessment The RA Risk Assessment family of controls belongs to the management class. Media protection and configuration management are operational controls. Access control is a technical control. Refer to NIST SP 800-53, Revision 3, Appendix F Security Control Catalog for listings of security controls with family and class categories.

4. System authorization programs are marked by frequent failure due to, among other things, poor planning, poor systems inventory, failure to fix responsibility at the system level, and A. inability to work with remote teams. B. lack of a program management office. C. insufficient system rights. D. lack of management support.

D. lack of management support. Lack of management support results from failure to connect system authorization to budgeting for resources, as well as from excessive paperwork, lack of enforcement, and poor timing, among other causes. See CAP® CBK® Chapter 1, Why System Authorization Programs Fail.

36. An effective continuous monitoring program can be used to A. meet the Federal Information Processing Standard (FIPS) Publication 200 requirement for monthly risk assessments. B. meet an organization's requirement for periodic information assurance training of all computer users. C. replace information system security audit logs. D. support the Federal Information Security Management Act (FISMA) requirement for annual assessment of the security controls in information systems.

D. support the Federal Information Security Management Act (FISMA) requirement for annual assessment of the security controls in information systems. FISMA has a requirement for annual assessment of information systems. FIPS Publication 200 Minimum Security Requirements for Federal Information and Information Systems (answer A) does not have a requirement for monthly risk assessments. Continuous monitoring of systems is not a task performed by all of an organization's computer users and is not an information assurance training activity (answer B). Continuous monitoring does not collect the same data as audit logs and therefore does not replace the requirement for audit logs (answer C). See CAP® CBK® Chapter 7 Security Controls Monitoring, NIST Guidance on Ongoing Monitoring of Security Controls, Task 6-2: Conduct Ongoing Security Control Assessments; NIST SP 800-37, Revision 1, Step 6 Monitor Security Controls, Task 6-2: Ongoing Security Control Assessments.
