18 Cards in this Set
Front: Who has the primary responsibility for step one of the Risk Management Framework (RMF)?
Back: The Information System Owner and the Information Owner/Steward.

Front: In which phase of the SDLC does the categorization step take place?
Back: Initiation (concept/requirements definition).

Front: What are two major factors to take into consideration when taking part in the security categorization process?
Back: The enterprise architecture and the information security architecture.

Front: What are three tasks associated with step one of the RMF (Categorize)?
Back: Categorize, describe, and register the information system, and document the results in the security plan.

Front: What are four tasks associated with step 2 of the RMF (Select)?
Back:
1. Identify the common controls for organizational information systems.
2. Select the security controls for the information system.
3. Develop a strategy for continuous monitoring, and document the selected controls in the security plan.
4. Review and approve the security plan (SSP).

Front: Security controls that are inherited by one or more organizational information systems are called ___________?
Back: Common controls.

Front: What three documents are used by authorizing officials within the organization to make risk-based decisions in the security authorization process for their information systems?
Back: Security plans, security assessment reports, and plans of action and milestones (POA&Ms).

Front: What capability should common control providers have with regard to communicating with information system owners who inherit controls?
Back: Common control providers are able to quickly inform information system owners when problems arise in the inherited common controls.

Front: In what SDLC phase(s) does step 1 of the RMF occur?
Back: Initiation (concept/requirements definition).

Front: In what SDLC phase(s) does step 2 of the RMF occur?
Back: Initiation and Development/Acquisition. Tasks 2.1-2.3 occur in the Initiation phase; task 2.4 (review and approve the security plan) occurs in the Development/Acquisition phase.

Front: What are three things the continuous monitoring strategy for the information system identifies?
Back: The security controls to be monitored, the frequency of monitoring, and the control assessment approach.

Front: Who approves the monitoring strategy, including the set of security controls that are to be monitored on an ongoing basis as well as the frequency of the monitoring activities?
Back: The authorizing official or designated representative.

Front: In what step of the RMF are minimum assurance requirements for the security controls employed within and inherited by the information system addressed?
Back: Step 2 (Select), as part of security control selection.

Front: List tasks for step 6 of the RMF (Monitor).
Back:
1. Determine the security impact of proposed changes to the information system and its environment.
2. Assess a subset of the security controls.
3. Conduct remediation actions.
4. Update the SSP.

Front: List tasks for step 5 of the RMF (Authorize).
Back:
1. Prepare the POA&M.
2. Assemble and submit the security authorization package.
3. Determine risk.
4. Determine whether the risk is acceptable.

Front: List tasks in step 3 of the RMF (Implement).
Back:
1. Implement the security controls.
2. Document the implementation of the security controls.

Front: List tasks in step 4 of the RMF (Assess).
Back:
1. Develop a plan to assess the security controls.
2. Assess the security controls.
3. Prepare the security assessment report.
4. Conduct initial remediation actions.

Front: Who is the independent entity responsible for much of step 4?
Back: The Security Control Assessor.