Question 1

In the prepare step of the NIST RMF, which of the following should be established to ensure an effective risk management process?

Options :

A : A communication process for risk-related information

B : A continuous monitoring strategy

C : A system security plan

D : An incident response plan

Answer: A

Question 2

What is the main purpose of system categorization?

Options :

A : Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

B : Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems

C : Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF

D : Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions

Answer: B

Question 3

Your organization is preparing to authorize a new information system. As part of the Prepare phase of the NIST SP 800-37 Risk Management Framework, your team is working to identify the system's stakeholders and their roles. Which of the following stakeholders would be responsible for ensuring that the system's security controls are properly implemented and maintained?

Options :

A : The system owner

B : The authorizing official

C : The system administrator

D : The security manager

Answer: C

Question 4

What are the types of authorization decisions that can be given by an authorizing official? Select all that apply.

Options :

A : Authorization to operate

B : Interim authorization to operate

C : Common control authorization

D : Authorization to use

E : Denial of authorization

Answer: A,C,D,E

Question 5

What NIST special publication provides guidance on continuous monitoring?

Options :

A : NIST SP 800-53

B : NIST SP 800-37

C : NIST SP 800-137

D : NIST SP 800-160

Answer: C