CGRC PRACTICE TEST 2

The correct answer is:

Information System Owner (ISO)

This is the correct answer, see the discussion area for more details or look at the reference used for this question.

DISCUSSION:

The Information System Owner has primary responsibility along with the Information Security Architect when seclecting the security controls for the information system and document the controls in the security plan.

SECURITY CONTROL SELECTION

TASK 2-2:  Select the security controls for the information system and document the controls in the security plan.
Primary Responsibility:  Information Security Architect; Information System Owner.
Supporting Roles:  Authorizing Official or Designated Representative; Information Owner/Steward; Information System Security Officer; Information System Security Engineer.
System Development Life Cycle Phase:  Initiation (concept/requirements definition).

The following answers are incorrect:

• Information System Security Officer (ISSO). This is not the correct answer.
• Enterprise Architect. This is not the correct answer.
• Authorizing Official (AO). This is not the correct answer.

The correct answer is:

NIST SP 800-115

Technical Guide to Information Security Testing and Assessment – https://csrc.nist.gov/publications/detail/sp/800-115/final 

DISCUSSION:

An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing. Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors. An examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence. Assessment results are used to support the determination of security control effectiveness over time.

This document is a guide to the basic technical aspects of conducting information security assessments. It presents technical testing and examination methods and techniques that an organization might use as part of an assessment and offers insights to assessors on their execution and the potential impact they may have on systems and networks. For an assessment to be successful and have a positive impact on the security posture of a system (and ultimately the entire organization), elements beyond the execution of testing and examination must support the technical process. Suggestions for these activities—including a robust planning process, root cause analysis, and tailored reporting—are also presented in this guide.

The following answers are incorrect:

• NIST 800-53A – Assessing Security and Privacy Controls – guide for test procedures – https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53ar4.pdf
• NIST 800-137 – Information Security Continuous Monitoring for Federal Information Systems and Organizations (2011) – https://csrc.nist.gov/publications/detail/sp/800-137/final
• NIST 800-18 Rev 1 – Guide for Developing Security Plans for Federal Information Systems (2006) – https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final

The correct answer is:

Information System Owner (ISO)

TASK 3-2: Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs).

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information Owner/Steward; Information System Security Officer; Information System Security Engineer.

NIST 800-37 Rev 1, Page 29

 

Common Control Provider (CCP)

TASK 3-2: Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs).

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information Owner/Steward; Information System Security Officer; Information System Security Engineer.

NIST 800-37 Rev 1, Page 29

 

The following answers are incorrect:

Information System Security Officer (ISSO)

TASK 3-2: Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs).

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information Owner/Steward; Information System Security Officer; Information System Security Engineer.

 

Information Security Tech Writer (ISTW)

TASK 3-2: Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs).

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information Owner/Steward; Information System Security Officer; Information System Security Engineer.

NIST 800-37 Rev 1, Page 29

The correct answer is:

The Information System Owner (ISO)

TASK 1-3: Register the information system with appropriate organizational program/management offices.

Primary Responsibility: Information System Owner.

Supporting Roles: Information System Security Officer.

DISCUSSION:

INFORMATION SYSTEM REGISTRATION

TASK 1-3:  Register the information system with appropriate organizational program/management offices.
Primary Responsibility:  Information System Owner.
Supporting Roles:  Information System Security Officer.
System Development Life Cycle Phase:  Initiation (concept/requirements definition).
Supplemental Guidance: 

The registration process begins by identifying the information system (and subsystems, if appropriate) in the system inventory and establishes a relationship between the information system and the parent orgoverning organization that owns, manages, and/or controls the system. Information system registration, in accordance
with organizational policy, uses information in the system identification section of the security plan to inform the parent or governing organization of: (i) the existence of the information system; (ii) the key characteristics of the system; and (iii) any security implications for the organization due to the ongoing operation of the system. Information
system registration provides organizations with an effective management/tracking tool that is necessary for security status reporting in accordance with applicable laws, Executive Orders, directives, policies, standards, guidance, or regulations. Those subsystems that are more dynamic in nature (e.g., subsystems in net-centric architectures) may not be present throughout all phases of the system development life cycle. Such subsystems are registered either as a subset of a well-defined information system or a method of registration for dynamic subsystems is implemented that includes as much information as feasible. Some information about dynamic subsystems is known prior to the subsystem manifesting itself in the information system (e.g., assumptions and constraints specified in the security plan). However, more detailed information may not be known until the subsystem manifests itself.

The following answers are incorrect:

The Information System Registrar. This is not the task of the registrar.

The Information Custodian. This is not a task assigned to the Custodian

The Information System Security Officer (ISSO). This is not a role done by the ISSO

The correct answer is:

 

Information Owner / Steward

TASK 1-1: Categorize the information system and document the results of the security categorization in the security plan.

Primary Responsibility: Information System Owner; Information Owner/Steward.

Supporting Roles: Risk Executive (Function); Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information System Security Officer.

Information System Owner (ISO)

TASK 1-1: Categorize the information system and document the results of the security categorization in the security plan.

Primary Responsibility: Information System Owner; Information Owner/Steward.

Supporting Roles: Risk Executive (Function); Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information System Security Officer.

The following answers are incorrect:

 

Authorizing Official

TASK 1-1: Categorize the information system and document the results of the security categorization in the security plan.

Primary Responsibility: Information System Owner; Information Owner/Steward.

Supporting Roles: Risk Executive (Function); Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information System Security Officer.

 

Information System Security Engineer

TASK 1-1: Categorize the information system and document the results of the security categorization in the security plan.

Primary Responsibility: Information System Owner; Information Owner/Steward.

Supporting Roles: Risk Executive (Function); Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information System Security Officer.

The correct answer is:

 

Information System Owner

TASK 5-2: Assemble the security authorization package and submit the package to the authorizing official for adjudication.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information System Security Officer; Security Control Assessor.

NIST SP 800-37 Rev 1, page 34

 

Common Control Provider

TASK 5-2: Assemble the security authorization package and submit the package to the authorizing official for adjudication.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information System Security Officer; Security Control Assessor.

NIST SP 800-37 Rev 1, page 34

The following answers are incorrect:

 

Authorizing Official

TASK 5-2: Assemble the security authorization package and submit the package to the authorizing official for adjudication.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information System Security Officer; Security Control Assessor.

NIST SP 800-37 Rev 1, page 34

 

Information Security Architect

TASK 5-2: Assemble the security authorization package and submit the package to the authorizing official for adjudication.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information System Security Officer; Security Control Assessor.

 

The correct answer is:

The Security Control Assessor

The Security Control Assessor is responsible to: Assess the technical, management, and operational security controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy.

DISCUSSION:

Whenever we’re talking about actually assessing the controls, we’re going to select the Security Control Assessor ROLE – remember, in your organization, it may very well be the Information System Security Officer who holds that role as an additional duty – but the responsibility lies in their Security Control Assessor hat.

The security control assessor a comprehensive assessment of the management, operational, and technical security controls and control enhancements employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). Security control assessors also provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation and recommend corrective actions to address identified vulnerabilities.

The following answers are incorrect:

• The Authorizing Official’s Designated Representative. This is not the responsibility of The Authorizing Official’s Designated Representative
• Information System Security Officer. This is not the responsibility of the Information System Security Officer
• The Information System Owner (ISO) and the Common Control Provider (CCP). This is not the responsibility of The Information System Owner (ISO) and the Common Control Provider (CCP)

The correct answer is:

Common Control Provider (CCP)

This is the correct answer.  Please see the Discussion section for more details or consult the reference used for this question.

DISCUSSION:

SECURITY CONTROL IMPLEMENTATION
TASK 3-1:  Implement the security controls specified in the security plan.
Primary Responsibility:  Information System Owner or Common Control Provider.
Supporting Roles:  Information Owner/Steward; Information System Security Officer; Information System Security Engineer.
System Development Life Cycle Phase:  Development/Acquisition; Implementation.

The following answers are incorrect:

• Certifying Agent / Authority. This is not the correct answer.
• Information System Security Engineer. This is not the correct answer.
• Information System Security Officer (ISSO). This is not the correct answer.

The correct answer is:

The Information System Owner and/or the Common Control Provider

The Information System Owner and/or the Common Control Provider conduct the initial remediation actions on security controls based on the findings and recommendations of the security assessment report and reassess remediated control(s), as appropriate.

DISCUSSION:

REMEDIATION ACTIONS
TASK 4-4:  Conduct initial remediation actions on security controls based on the findings and recommendations of the security assessment report and reassess remediated control(s), as appropriate.
Primary Responsibility:  Information System Owner or Common Control Provider; Security Control Assessor.
Supporting Roles:  Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer; Information System Security Engineer; Security Control Assessor.
System Development Life Cycle Phase:  Development/Acquisition; Implementation.

Supplemental Guidance: The security assessment report provides visibility into specific weaknesses and deficiencies in the security controls employed within or inherited by the information system that could not reasonably be resolved during system development or that are discovered post-development. Such weaknesses and deficiencies are potential vulnerabilities if exploitable by a threat source. The findings generated during the security control assessment provide important information that facilitates a disciplined and structured approach to mitigating risks in accordance with organizational priorities.

The following answers are incorrect:

• The Common Control Provider and the Chief Information Officer. This is not the correct answer.
• The Information System Owner and the Chief Information Security Officer. This is not the correct answer.
• The Security Assessment Technical Expert and the Security Control Assessor. This is not the correct answer.

The correct answer is:

Security Control Assessor

The Security Control Assessor prepares the security assessment report documenting the issues, findings, and recommendations from the security control assessment.

DISCUSSION:

SECURITY ASSESSMENT REPORT
TASK 4-3:   Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment.
Primary Responsibility:  Security Control Assessor.
Supporting Roles:  Information System Owner or Common Control Provider; Information System Security Officer.
System Development Life Cycle Phase:  Development/Acquisition; Implementation.
Supplemental Guidance: 

The results of the security control assessment, including recommendations for correcting any weaknesses or deficiencies in the controls, are documented in the security assessment report.

The security assessment report is one of three key documents in the security authorization package developed for authorizing officials.

The assessment report includes information from the assessor necessary to determine the effectiveness of the security controls employed within or inherited by the information system based upon the assessor’s findings.

The security assessment report is an important factor in an authorizing official’s determination of risk to organizational operations and assets, individuals, other organizations, and the Nation.

Security control assessment results are documented at a level of detail appropriate for the assessment in accordance with the reporting format prescribed by organizational and/or federal policies. The reporting format is also appropriate for the type of security control assessment conducted (e.g., developmental testing and evaluation, self-assessments, independent verification and validation, independent assessments supporting the security authorization process or subsequent reauthorizations, assessments during continuous monitoring, assessments subsequent to remediation actions, independent audits/evaluations).

The following answers are incorrect:

• Information System Security Officer. This is not the correct answer.
• Information System Owner (ISO). This is not the correct answer.
• Independent Assessment Writer. This is not the correct answer.

The correct answer is:

The Information System Owner

The Information System Owner Prepares the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken.

DISCUSSION:

PLAN OF ACTION AND MILESTONES

TASK 5-1:   Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken.
Primary Responsibility:  Information System Owner or Common Control Provider.

Supporting Roles:  Information Owner/Steward; Information System Security Officer.

System Development Life Cycle Phase:  Implementation.

Supplemental Guidance:  The plan of action and milestones, prepared for the authorizing official by the information system owner or the common control provider, is one of three key documents in the security authorization package and describes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls noted  during the assessment; and (ii) to address the residual vulnerabilities in the information system. The plan of action and milestones identifies: (i) the tasks to be accomplished with a recommendation for completion either before or after information system implementation; (ii) the resources required to accomplish the tasks; (iii) any milestones in meeting  the tasks; and (iv) the scheduled completion dates for the milestones.

The plan of action and milestones is used by the authorizing official to monitor progress in correcting weaknesses or deficiencies noted during the security control assessment. All security weaknesses and deficiencies identified during the security control assessment are documented  in the security assessment report to maintain an effective audit trail.

The following answers are incorrect:

The Authorizing Official. This is not the correct answer.

The Information System Security Officer (ISSO). This is not the correct answer.

The Information Steward. This is not the correct answer.

The correct answer is:

The Information System Owner (ISO)

The Information System Owner (ISO)  is NOT a designated supporting role to assist him in making these organizational risk decisions.

DISCUSSION:

TASK 5-3: Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.

Primary Responsibility: Authorizing Official or Designated Representative.

Supporting Roles: Risk Executive (Function); Senior Information Security Officer.

TASK 5-4: Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.

Primary Responsibility: Authorizing Official.

Supporting Roles: Risk Executive (Function); Authorizing Official Designated Representative; Senior Information Security Officer.

The following answers are incorrect:

• Authorizing Official Designated Representative – The Authorizing Official Designated Representative is a designated supporting role to assist him in making these organizational risk decisions.
• Senior Information Security Officer -The Senior Information Security Officer is a designated supporting role to assist him in making these organizational risk decisions.
• Risk Executive – The Risk Executive)  is a designated supporting role to assist him in making these organizational risk decisions.

 

The correct answer is:

Categorize, Select, Implement, Assess, Authorize, Monitor

This is the correct answer, please see the discussion section for more details.

DISCUSSION:

RISK MANAGEMENT FRAMEWORK

1 – CATEGORIZE INFORMATION SYSTEM

2 – SELECT SECURITY CONTROLS

3 – IMPLEMENT SECURITY CONTROLS

4 – ASSESS SECURITY CONTROLS

5 – AUTHORIZE INFORMATION SYSTEMS

6 – MONITOR SECURITY CONTROLS

The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.

The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive [function], dissemination of updated threat and risk information to authorizing officials and information system owners).

The RMF steps include:

• Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

• Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.

• Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

• Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

• Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

• Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

 

The following answers are incorrect:

 

• Categorize, Implement, Assess, Authorize, Monitor, Reauthorize. There is no Reauthorize step in the formal RMF methodology
• Categorize, Register, Select, Test, Authorize, Monitor. There is no “Register” step in the formal RMF methodology
• Categorize, Register, Implement, Test, Authorize, Monitor. This is not the correct answer as the order is not proper.

The correct answer is:

 

Information System Owner (ISO)

TASK 6-3: Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Authorizing Official or Designated Representative; Information Owner/Steward; Information System Security Officer; Information System Security Engineer; Security Control Assessor

TASK 6-4: Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information Owner/Steward; Information System Security Officer

 

Common Control Provider

TASK 6-3: Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Authorizing Official or Designated Representative; Information Owner/Steward; Information System Security Officer; Information System Security Engineer; Security Control Assessor

TASK 6-4: Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information Owner/Steward; Information System Security Officer

 

The following answers are incorrect:

 

Information System Security Officer

TASK 6-3: Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Authorizing Official or Designated Representative; Information Owner/Steward; Information System Security Officer; Information System Security Engineer; Security Control Assessor

TASK 6-4: Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information Owner/Steward; Information System Security Officer

 

Information Security Architect

TASK 6-3: Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Authorizing Official or Designated Representative; Information Owner/Steward; Information System Security Officer; Information System Security Engineer; Security Control Assessor

TASK 6-4: Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information Owner/Steward; Information System Security Officer

 

Information System Security Engineer

TASK 6-3: Conduct remediation actions based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the plan of action and milestones.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Authorizing Official or Designated Representative; Information Owner/Steward; Information System Security Officer; Information System Security Engineer; Security Control Assessor

TASK 6-4: Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles: Information Owner/Steward; Information System Security Officer

Tier 3 is the correct Answer:

Tier 3 addresses risk from an information system perspective and is guided by the risk decisions at Tiers 1 and 2. Risk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of needed safeguards and countermeasures (i.e., security controls) at the information system level. Information security requirements are satisfied by the selection of appropriate management, operational, and technical security controls from NIST Special Publication 800-53. The security controls are subsequently allocated to the various components of the information system as system-specific, hybrid, or common controls in accordance with the information security architecture developed by the organization. Security controls are typically traceable to the security requirements established by the organization to ensure that the requirements are fully addressed during design, development, and implementation of the information system. Security controls can be provided by the organization or by an external provider. Relationships with external providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain arrangements

 

The following answers are incorrect:

Tier 2

Tier 2 addresses risk from a mission and business process perspective and is guided by the risk decisions at Tier 1. Tier 2 activities are closely associated with  enterprise architecture and include: (i) defining the core missions and business processes for the organization (including any derivative or related missions and business processes carried out by subordinate organizations); (ii) prioritizing missions and business processes with respect to the goals and objectives of the organization; (iii) defining the types of information that the organization needs to successfully execute the stated missions and business processes and the nformation flows both internal and external to the organization; (iv) developing an organization-wide information protection strategy and incorporating high-level information security requirements into the core missions and business processes; and (v) specifying the degree of autonomy for subordinate organizations (i.e., organizations within the parent organization) that the parent organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk

Tier 4

There is no such thing as Tier 4.  It is only a bogus answer.

Tier 1

Tier 1 addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy that includes: (i) the techniques and methodologies the organization plans to employ to assess information system-related security risks and other types of risk of concern to the organization; (ii) the methods and procedures the organization plans to use to evaluate the significance of the risks identified during the risk assessment; (iii) the types and extent of risk mitigation measures the organization plans to employ to address identified risks; (iv) the level of risk the organization plans to accept (i.e., risk tolerance); (v) how the organization plans to monitor risk on an ongoing basis given the inevitable changes to organizational information systems and their environments of operation; and (vi) the degree and type of oversight the organization plans to use to ensure that the risk management strategy is being effectively carried out.

As part of the overall governance structure established by the organization, the risk management strategy is propagated to organizational officials and contractors with programmatic, planning, developmental, acquisition, operational, and oversight responsibilities, including for example: (i) authorizing officials; (ii) chief information officers; (iii) senior information security officers; (iv) enterprise/information security architects; (v) information system owners/program managers; (vi) information owners/stewards; (vii) information system security officers; (viii) information system security engineers; (ix) information system developers and integrators; (x) system administrators; (xi) contracting officers; and (xii) users

The correct answer is:

The Information System Security Officer (ISSO)

The ISSO is the supporting role.  See discussion for more details.

DISCUSSION:

INFORMATION SYSTEM REGISTRATION

TASK 1-3:  Register the information system with appropriate organizational program/management offices.
Primary Responsibility:  Information System Owner.
Supporting Roles:  Information System Security Officer.
System Development Life Cycle Phase:  Initiation (concept/requirements definition).
Supplemental Guidance: 

The registration process begins by identifying the information system (and subsystems, if appropriate) in the system inventory and establishes a relationship between the information system and the parent orgoverning organization that owns, manages, and/or controls the system. Information system registration, in accordance
with organizational policy, uses information in the system identification section of the security plan to inform the parent or governing organization of: (i) the existence of the information system; (ii) the key characteristics of the system; and (iii) any security implications for the organization due to the ongoing operation of the system. Information
system registration provides organizations with an effective management/tracking tool that is necessary for security status reporting in accordance with applicable laws, Executive Orders, directives, policies, standards, guidance, or regulations. Those subsystems that are more dynamic in nature (e.g., subsystems in net-centric architectures) may not be present throughout all phases of the system development life cycle. Such subsystems are registered either as a subset of a well-defined information system or a method of registration for dynamic subsystems is implemented that includes as much information as feasible. Some information about dynamic subsystems is known prior to the subsystem manifesting itself in the information system (e.g., assumptions and constraints specified in the security plan). However, more detailed information may not be known until the subsystem manifests itself.

The following answers are incorrect:

• The Information System Security Engineer (ISSE).The ISSE is not the supporting role.
• The Authorizing Official (AO). The AO is not the supporting role.
• Information System Owner (ISO). The ISO is not the supporting  role.

The correct answer is:

Information System Owner (ISO)

This is the correct answer, see the discussion section for full details.

DISCUSSION:

TASK 2-1: Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan (or equivalent document).

Primary Responsibility: Chief Information Officer or Senior Information Security Officer; Information Security Architect; Common Control Provider.

Supporting Roles: Risk Executive (Function); Authorizing Official or Designated Representative; Information System Owner; Information System Security Engineer.

INFORMATION SYSTEM OWNER
The information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system.

The information system owner is responsible for addressing the operational interests of the user community (i.e., users who require access to the information system to satisfy mission, business, or operational requirements) and for ensuring compliance with information security requirements. In coordination with the information system security officer, the information system owner is responsible for the development and maintenance of the security plan and ensures that the system is deployed and operated in accordance with the agreed-upon security controls. In coordination with the information owner/steward, the information system owner is also responsible for deciding who has access to the system (and with what types of privileges or access rights) training (e.g., instruction in rules of behavior).

Based on guidance from the authorizing official, the information system owner informs appropriate organizational officials of the need to conduct the security authorization, ensures that the necessary resources are available for the effort, and provides the required information system access, information, and documentation to the security control assessor.

The information system owner receives the security assessment results from the security control assessor. After taking appropriate steps to reduce or eliminate vulnerabilities, the information system owner assembles the authorization package and submits the package to the authorizing official or the authorizing official designated representative for adjudication.

The following answers are incorrect:

• Common Control Provider. This is not the correct answer.
• Chief Information Officer (CIO) or Senior Information Security Officer. This is NOT the correct answer
• Information Security Architect. This is not the correct answer.

The correct answer is:

Information System Owner (ISO)

Task 1-2: is to describe the information system (including system boundary) and document the description in the security plan

Primary Responsibility: Information System Owner.

Supporting Roles:Authorizing Official or Designated Representative; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer.

DISCUSSION:

INFORMATION SYSTEM DESCRIPTION
TASK 1-2:  Describe the information system (including system boundary) and document the description in the security plan.
Primary Responsibility:  Information System Owner.
Supporting Roles:  Authorizing Official or Designated Representative; Senior Information Security Officer;
Information Owner/Steward; Information System Security Officer.
System Development Life Cycle Phase:  Initiation (concept/requirements definition).
Supplemental Guidance:

Descriptive information about the information system is documented in the system identification section of the security plan, included in attachments to the plan, or referenced in other standard sources for information generated as part of the system development life cycle. Duplication of information is avoided, whenever possible. The level of detail provided in the security plan is determined by the organization and is typically commensurate with the security categorization of the information system. Information may be added to the system description as it becomes available during the system development life cycle and execution of the RMF tasks.

The following answers are incorrect:

Information System Security Engineer (ISSE). This is not a task of the ISSE

Information System Security Officer (ISSO). This is not a task of the ISSO

Authorizing Official (AO). This is not a task of the AO

The correct answer is:

The information system owner (ISO)

The information system owner initiates system authorization activities, ensures that resources are available, prepares the system security plans, and monitors preparation of the accreditation package.

The following answers are incorrect:

 

Chief Information Security Officer

• The CISO is normally the organization’s senior security officer and would be responsible for oversight of the program, but would not initiate a package for a system.
• The information system owner initiates system authorization activities, ensures that resources are available, prepares the system security plans, and monitors preparation of the accreditation package.
• The Information System Security Officer (ISSO)
• The ISSO serves as the principal advisor to the system owner.
• The information system owner initiates system authorization activities, ensures that resources are available, prepares the system security plans, and monitors preparation of the accreditation package.
• Authorizing Official (AO)
• The Authorizing Official is responsible for making a determination when the authorization package is submitted as to whether or not the risk is acceptable.
• The information system owner initiates system authorization activities, ensures that resources are available, prepares the system security plans, and monitors preparation of the accreditation package.

The correct answer is:

Issue-specific control

There are three types of security controls for information systems that can be employed by an organization: (i) system-specific controls (i.e., controls that provide a security capability for a particular information system only); (ii) common controls (i.e., controls that provide a security capability for multiple information systems); or (iii) hybrid controls(i.e., controls that have both system-specific and common characteristics)

DISCUSSION:

There are three types of security controls for information systems that can be employed by an organization: (i) system-specific controls (i.e., controls that provide a security capability for a particular information system only); (ii) common controls (i.e., controls that provide a security capability for multiple information systems); or (iii) hybrid controls (i.e., controls that have both system-specific and common characteristics).

The organization allocates security controls to an information system consistent with the organization’s enterprise architecture and information security architecture.

This activity is carried out as an organization-wide activity involving authorizing officials, information system owners, chief information security officer, senior information security officer, enterprise architect, information security architect, information system security officers, common control providers, and risk executive (function).

As part of the information security architecture, organizations are encouraged to identify and implement security controls that can support multiple information systems efficiently and effectively as a common capability (i.e., common controls). When these controls are used to support a specific information system, they are referenced by that specific system as inherited controls. Common controls promote more cost-effective and consistent information security across the organization and can also simplify risk management activities.

By allocating security controls to an information system as system-specific controls, hybrid controls, or common controls, the organization assigns responsibility and accountability to specific organizational entities for the overall development, implementation, assessment, authorization, and monitoring of those controls.

The organization has significant flexibility in deciding which families of security controls or specific controls from selected families in NIST Special Publication 800-53 are appropriate for the different types of allocations.

Since the security control allocation process involves the assignment and provision of security capabilities derived from security controls, the organization ensures that there is effective communication among all entities either receiving or providing such capabilities. This communication includes, for example, ensuring that common control authorization results and continuous monitoring information are readily available to those organizational entities inheriting common controls and that any changes to common controls are effectively communicated to those affected by such changes.

The following answers are incorrect:

System-specific control

There are three types of security controls for information systems that can be employed by an organization: (i) system-specific controls (i.e., controls that provide a security capability for a particular information system only); (ii) common controls (i.e., controls that provide a security capability for multiple information systems); or (iii) hybrid controls(i.e., controls that have both system-specific and common characteristics)

Common control

There are three types of security controls for information systems that can be employed by an organization: (i) system-specific controls (i.e., controls that provide a security capability for a particular information system only); (ii) common controls (i.e., controls that provide a security capability for multiple information systems); or (iii) hybrid controls(i.e., controls that have both system-specific and common characteristics)

Hybrid control

There are three types of security controls for information systems that can be employed by an organization: (i) system-specific controls (i.e., controls that provide a security capability for a particular information system only); (ii) common controls (i.e., controls that provide a security capability for multiple information systems); or (iii) hybrid controls(i.e., controls that have both system-specific and common characteristics)

 

The correct answer is:

Select Security Controls

DISCUSSION:

RISK MANAGEMENT FRAMEWORK (RMF)

     1 – CATEGORIZE INFORMATION SYSTEM

    2 – SELECT SECURITY CONTROLS

                3 – IMPLEMENT SECURITY CONTROLS

                4 – ASSESS SECURITY CONTROLS

                5 – AUTHORIZE INFORMATION SYSTEMS

                6 – MONITOR SECURITY CONTROLS

The Risk Management Framework (RMF), provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.

The RMF operates primarily at Tier 3 in the risk management hierarchy but can also have interactions at Tiers 1 and 2 (e.g., providing feedback from ongoing authorization decisions to the risk executive [function], dissemination of updated threat and risk information to authorizing officials and information system owners).

The RMF steps include:

• Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

• Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.

• Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

• Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

• Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

• Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

 

The following answers are incorrect:

• Categorize the Security Controls. This is not the second step.
• Assess the Security Controls.This is not the second step.
• Implement the Security Controls.This is not the second step.

The correct answer is:

Information System Owner (ISO)

TASK 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles:Risk Executive (Function); Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information Owner/Steward

; Information System Security Officer.

Common Control Provider (CCP)

TASK 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles:Risk Executive (Function); Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer.

The following answers are incorrect:

Authorizing Official Designated Representative (AODR)

TASK 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles:Risk Executive (Function); Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer.

Chief Executive Officer (CEO)

TASK 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles:Risk Executive (Function); Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer.

Information Custodian

TASK 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.

Primary Responsibility: Information System Owner or Common Control Provider.

Supporting Roles:Risk Executive (Function); Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer.

The correct answer is:

The Information System Owner or the Common Control Provider

The Information System Owner or the Common Control Provider is responsible to determine the security impact of proposed or actual changes to the information system and its environment of operation.

DISCUSSION:

INFORMATION SYSTEM AND ENVIRONMENT CHANGES

TASK 6-1:  Determine the security impact of proposed or actual changes to the information system and its environment of operation.

Primary Responsibility:  Information System Owner or Common Control Provider.

Supporting Roles:  Risk Executive (Function); Authorizing Official or Designated Representative; Senior Information Security Officer; Information Owner/Steward; Information System Security Officer.

System Development Life Cycle Phase:  Operation/Maintenance.

Supplemental Guidance:  Information systems are in a constant state of change with upgrades to hardware, software, or firmware and modifications to the surrounding environments where the systems reside and operate. A disciplined and structured approach to managing, controlling, and documenting changes to an information system or its environment of operation is an essential element of an effective security control monitoring program. Strict configuration management and control processes are established by the organization to support such monitoring activities. It is important to record any relevant information about specific changes to hardware, software, or firmware such as version or release numbers, descriptions of new or modified features/capabilities, and security implementation guidance. It is also important to record any changes to the environment of operation for the information system (e.g., modifications to hosting networks and facilities, mission/business use of the system, threats), or changes to the organizational risk management strategy.

The information system owner and common control provider use this information in assessing the potential security impact of the changes. Documenting proposed or actual changes to an information system or its environment of operation and subsequently assessing the potential impact those changes may have on the security state of the system or the organization is an important aspect of security control monitoring and maintaining the security authorization over time. Information system changes are generally not undertaken prior to assessing the security impact of such changes.

Organizations are encouraged to maximize the use of automation when managing changes to the information system or its environment of operation.

The following answers are incorrect:

• The ISSO is primarily responsible for ensuring the Information System Owner follows through. This is not the correct answer.
• The Common Control Provider at the behest of the Authorizing Official. This is not the correct answer.
• The Information System Owner with the input from the Information System Security Engineer. This is not the correct answer.

The correct answer is:

Validating the security controls for an information system when reaccreditation needs to be completed on a fast track basis

This is not part of the CIO role.  Assessment of the controls is always the responsibilities of the Security Control Assessor

DISCUSSION:

The chief information officer is an organizational official responsible for: (i) designating a senior information security officer; (ii) developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements; (iii) overseeing personnel with significant responsibilities for information security and ensuring that the personnel are adequately trained; (iv) assisting senior organizational officials concerning their security responsibilities; and (v) in coordination with other senior officials, reporting annually to the head of the federal agency on the overall effectiveness of the organization’s information security  program, including progress of remedial actions. The chief information officer, with the support  of the risk executive (function) and the senior information security officer, works closely with authorizing officials and their designated representatives to help ensure that:

• An organization-wide information security program is effectively implemented resulting in adequate security for all organizational information systems and environments of operation for those systems;
•Information security considerations are integrated into programming/planning/budgeting cycles, enterprise architectures, and acquisition/system development life cycles;
•Information systems are covered by approved security plans and are authorized to operate;
•Information security-related activities required across the organization are accomplished in an efficient, cost-effective, and timely manner; and
•There is centralized reporting of appropriate information security-related activities.

The chief information officer and authorizing officials also determine, based on organizational priorities, the appropriate allocation of resources dedicated to the protection of the information systems supporting the organization’s missions and business functions. For selected information systems, the chief information officer may be designated as an authorizing official or a co-authorizing official with other senior organizational officials. The role of chief information officer has inherent U.S. Government authority and is assigned to government personnel only.

The following answers are incorrect:

• An organization-wide information security program is effectively implemented resulting in adequate security for all organizational information systems and environments of operation for those systems. This is part of the CIO role
• Information security considerations are integrated into programming/planning/budgeting cycles, enterprise architectures, and acquisition/system development life cycles. This is part of the CIO role
• Information systems are covered by approved security plans and are authorized to operate. This is part of the CIO role

The correct answer is:

Security Control Assessor

Primary Responsibility: Security Control Assessor.

See the discussion section for more details or consult the reference used for this question.

DISCUSSION:

ASSESSMENT PREPARATION
TASK 4-1:  Develop, review, and approve a plan to assess the security controls.
Primary Responsibility:  Security Control Assessor.
Supporting Roles:  Authorizing Official or Designated Representative; Chief Information Officer; Senior Information Security Officer; Information System Owner or Common Control Provider; Information Owner/Steward; Information System Security Officer.
System Development Life Cycle Phase:  Development/Acquisition; Implementation.

Supplemental Guidance:  The security assessment plan provides the objectives for the security control assessment, a detailed roadmap of how to conduct such an assessment, and assessment procedures. The assessment plan reflects the type of assessment the organization is conducting (e.g., developmental testing and evaluation, independent verification and validation, assessments supporting security authorizations or reauthorizations, audits, continuous monitoring, assessments subsequent to remediation actions).

The following answers are incorrect:

• Project Manager. This is not the correct answer.
• Common Control Provider (CCP). This is not the correct answer.
• Assessment Technical Subject Matter Experts. This is not the correct answer.