EXAM STUDY MATERIALS July 23, 2024 4:26 PM
CAP Review Questions: Exam Questions With Verified Answers

1. During which Risk Management Framework (RMF) step is the system security plan initially approved?
A. RMF Step 1 Categorize Information System
B. RMF Step 2 Select Security Controls
C. RMF Step 3 Implement Security Controls
D. RMF Step 5 Authorize Information System
- answer✔✔B. RMF Step 2 Select Security Controls
The system security plan is first approved by the authorizing official (AO) or the AO's designated representative during execution of RMF Step 2, Task 2-4, Security Plan Approval. See: CAP® CBK® Chapter 2, Task 2-4: Approval Security Plan; NIST SP 800-37, Revision 1, RMF Step 2, Task 2-4: Security Plan Approval.

2. Which organizational official is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system?
A. Information system security engineer (ISSE)
B. Chief information officer (CIO)
C. Information system owner (ISO)
D. Information security architect
- answer✔✔C. Information system owner (ISO)
According to National Institute of Standards and Technology Special Publication (NIST SP) 800-37, Revision 1, Appendix D.9 Information System Owner, the information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system. The information system owner serves as the focal point for the information system. In that capacity, the information system owner (ISO) serves both as an owner and as the central point of contact between the authorization process and the owners of components of the system. See also CAP® CBK® Chapter 1, System Authorization Roles and Responsibilities, Primary Roles and Responsibilities.

3. Which authorization approach considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of the other organization?
A. Leveraged
B. Single
C. Joint
D. Site specific
- answer✔✔A. Leveraged
With this approach, the leveraging organization considers risk factors such as the time elapsed since the authorization results were originally produced; the current environment of operation (if different from the environment of operation reflected in the authorization package); the criticality/sensitivity of the information to be processed, stored, or transmitted (if different from the state of the original authorization); as well as the overall risk tolerance of the leveraging organization (in the event that the risk tolerance posture has changed over time). See NIST SP 800-37, Revision 1, Appendix F.9 Authorization Approaches.

4. System authorization programs are marked by frequent failure due to, among other things, poor planning, poor systems inventory, failure to fix responsibility at the system level, and
A. inability to work with remote teams.
B. lack of a program management office.
C. insufficient system rights.
D. lack of management support.
- answer✔✔D. lack of management support.
Lack of management support results from failure to connect system authorization to budgeting for resources, as well as from excessive paperwork, lack of enforcement, and poor timing, among other causes. See CAP® CBK® Chapter 1, Why System Authorization Programs Fail.

5. In what phases of the Risk Management Framework (RMF) and system development life cycle (SDLC), respectively, does documentation of control implementation start?
A. Categorization and initiation
B. Implement security controls and development/acquisition
C. Authorization and operations/maintenance
D. Monitor and sunset
- answer✔✔B. Implement security controls and development/acquisition
Security control documentation that describes how system-specific, hybrid, and common controls are implemented is part of RMF Step 3, Implement Security Controls, and of the SDLC development/acquisition and implementation phases. The documentation formalizes plans and expectations regarding the overall functionality of the information system. The functional description of the security control implementation includes planned inputs, expected behavior, and expected outputs where appropriate, typically for those technical controls that are employed in the hardware, software, or firmware components of the information system. See CAP® CBK® Chapter 4, Application of Security Controls, Task 3-1: Implement Security Controls; NIST SP 800-37, Revision 1, Step 3, Task 3-1: Security Control Implementation.

6. The tiers of the National Institute of Standards and Technology (NIST) risk management framework are
A. operational, management, system.
B. confidentiality, integrity, availability.
C. organization, mission/business process, information system.
D. prevention, detection, recovery.
- answer✔✔C. organization, mission/business process, information system.
According to NIST SP 800-39, Section 2.2 Multitiered Risk Management, the three tiers of the RMF are organization, mission/business process, and information systems. Answer A ("operational, management, system") is a distracter. Answer B ("confidentiality, integrity, availability") refers to the security impacts of information and systems determined during categorization. Answer D relates to a common typology for security controls.