What is included in the Plan of Action and Milestones (POA&M) that is presented to the Authorizing
Official (AO) as part of the initial authorization package?
A. All items identified throughout the Risk Management Framework (RMF) process
B. Only volatile findings that require prioritization in remediation
C. Deficiencies that have not yet been remediated and verified throughout the Risk
Management Framework (RMF) process
D. Only findings that have been evaluated as moderate or high - ✔✔Deficiencies that have not yet been
remediated and verified throughout the Risk
Management Framework (RMF) process
What are the steps of a risk assessment?
A. Prepare, Conduct, Communicate, Maintain
B. Prepare, Conduct, Communicate
C. Prepare, Communicate, Conduct
D. Prepare, Communicate, Maintain, Conduct - ✔✔Prepare, Conduct, Communicate, Maintain
Which of the following cannot be delegated by the Authorizing Official (AO)?
A. Certificate resources
B. Authorization decision
C. Acceptance of Security Plan (SP)
D. Determination of risk to agency operations - ✔✔Authorization Decision
Configuring an Information System (IS) to prohibit the use of unused ports and protocols
A. Helps provide least privilege
B. Helps provide least functionality
C. Streamlines the functionality of the system
D. Violates configuration management best practice - ✔✔Helps provide least functionality
The Authorization boundary of a system undergoing assessment includes
A. The Information System (IS) components to be authorized for operation
B. The Information System (IS) components to be authorized for operation and any outside system
it connects to
C. Any components or systems the Information Owner (IO) states should be included in the
assessment
D. Any components found within the given Internet Protocol (IP) range - ✔✔The Information System (IS)
components to be authorized for operation
Which of the following BEST describes a government-wide standard for security Assessment and
Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for federal
agencies and Cloud Service Providers (CSP)?
A. Federal Risk and Authorization Management Program (FedRAMP)
B. National Institute of Standards and Technology (NIST)
C. Federal Information Technology Acquisition Reform Act (FITARA)
D. National Cyber Security Program (NCSP) - ✔✔Federal Risk and Authorization Management
Program (FedRAMP)
All Federal agencies are required by law to conduct which of the following activities?
A. Protect Information Systems (IS) used or operated by a contractor of an agency or other
organization on behalf of an agency
B. Coordinate with the National Institute of Standards and Technology (NIST) to develop
binding operational directives
C. Report the effectiveness of information security policies and practices to the Office of
Personnel Management (OPM)
D. Monitor the implementation of information security policies and practices of ot