DODI 8510.01, RISK MANAGEMENT FRAMEWORK (RMF) FOR DOD INFORMATION TECHNOLOGY (IT)

Question 1

Who oversees the implementation of DoDI 8510.01 and directs and oversees the cyber security risk management of DoD IT?

Answer 1

DoD Chief Information Officer (DoD CIO)

Question 2

Who develops and provides RMF training and awareness products and a distributive training capability to support the DoD Components?

Answer 2

Director, Defense Information Systems Agency (DISA)

Question 3

Who is responsible for coordinating with the DoD CIO to ensure RMFs processes are appropriately integrated with Defense Acquisition System processes for DoD IT acquisitions?

Answer 3

Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L))

Question 4

Who reviews plans, execution, and results of operational testing to ensure adequate evaluation of cybersecurity for all DoD IT acquisitions subject to oversight?

Answer 4

Director, Operational Test and Evaluation (DOT&E)

Question 5

Who ensures that IS security engineering services, when provided to the DoD components, support the RMF?

Answer 5

Director, National Security Agency/Chief, Central Security Service (DIRNSA/CHCSS)

Question 6

DOD Component heads must ensure that a trained and qualified AO is appointed in writing for all DoD IS and PIT systems operating within or on behalf of the DoD Component in accordance with which reference?

Answer 6

DoD Instruction 8500.01

Question 7

Who is responsible for ensuring the Joint Capabilities Integration and Development System (JCID) process supports and documents IS and PIT system categorization consistent with DoDI 8510.01?

Answer 7

Chairman of the Join Chiefs of Staff (CJCS)

Question 8

Who is responsible for ensuring all products, services, and PIT have completed the appropriate evaluation and configuration processes prior to incorporation into or connection to an IS or PIT system?

Answer 8

Information Systems Security Manager (ISSM)

Question 9

What are product-specific and document the applicable DoD policies and security requirements, as well as best practices and configuration guidelines?

Answer 9

Security Technical Implementation Guides (STIGs)

Question 10

What are developed by DISA to provide general security compliance guidelines as well as serving as source guidance documents for STIGs?

Answer 10

Security Requirements Guides (SRGs)

Question 11

Which approach to cyber security risk management as described in NIST SP 800-39 is implemented by the DoD RMF governance structure?

Answer 11

Three-tiered

Question 12

Which Tier level in RMF addresses risk management at the DoD enterprise level?

Answer 12

Tier I

Question 13

Who directs and oversees the cyber security risk management of DoD IT?

Answer 13

Department of Defense Chief of Information Officer (DoD CIO)

Question 14

What performs the DoD Risk Executive Function?

Answer 14

DoD Information Security Risk Management Committee (ISRMC)

Question 15

What is the community forum for reviewing and resolving authorization issues related to the sharing of community risk?

Answer 15

Defense IA Security Accreditation Working Group (DSAWG)

Question 16

Who oversees the RMF TAG and the online KS?

Answer 16

Department of Defense Senior Information Security Officer (DoD SISO)

Question 17

What provides implementation guidance for the RMF by interfacing with the DoD component cyber security programs, cyber security communities of interest (COIs), and other entities to address issues that are common across all entities?

Answer 17

Risk Management Framework Technical advisory Group (RMF TAG)

Question 18

What supports RMF implementation, planning, and execution by functioning as the authoritative source for RMF procedures and guidance?

Answer 18

Knowledge Service

Question 19

Who must monitor and track overall execution of system-level POA&Ms?

Answer 19

Authorizing Officials (AOs)

Question 20

Who develops, maintains, and racks security plans for assigned IS and PIT systems?

Answer 20

Information System Owners (ISOs)

Question 21

PMs must ensure periodic reviews, testing and assessment of assigned IS and PIT systems are conducted at least how often?

Answer 21

Annually

Question 22

PMs must ensure T&E of assigned IS and IT systems is planned, resourced, and documented in the program T&E master plan in accordance with which reference?

Answer 22

DoDI 5000.02

Question 23

What reduces redundant testing, assessing and documentation, and the associated cost in time and resources?

Answer 23

Reciprocity

Question 24

What must PMs and ISOs who are deploying systems across DoD Components post security authorization documentation to in order to provide visibility of authorization status and documentation to planned receiving sites?

Answer 24

Enterprise Mission Assurance Support Service (eMASS)

Question 25

Which reference contains DoD policy for Unified Capabilities (UC)?

Answer 25

DoDI 8100.04

Question 26

What is used to deploy identical copies of an IS or PIT system in specified environments?

Answer 26

Type authorization

Question 27

Which type of systems do not transmit, receive, route, or exchange information outside of the system’s authorization?

Answer 27

Platform Information Technology (PIT)

Question 28

How many different approaches are described by NIST SP 800-37 when planning for and conducting security authorizations?

Answer 28

3

Question 29

What must all DoD IS and PIT systems have that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements?

Answer 29

Security Plan

Question 30

How many steps are in the RMF process?

Answer 30

6

Question 31

What is step one of the RMF process?

Answer 31

Categorize system

Question 32

What is step two of the RMF process?

Answer 32

Select Security Controls

Question 33

What is step three of the RMF process?

Answer 33

Implement Security Controls

Question 34

What is step four of the RMF process?

Answer 34

Assess Security Controls

Question 35

What is step five of the RMF process?

Answer 35

Authorize System

Question 36

What is the final step of the RMF process?

Answer 36

Monitor Security Controls

Question 37

RMF Team members are required to meet the suitability and fitness requirements established in which reference?

Answer 37

DoD 5200.2-R

Question 38

What is the authoritative source for detailed security control descriptions, implementation guidance and assessment procedures?

Answer 38

Knowledge Service

Question 39

Which reference identifies vulnerability severity values?

Answer 39

NIST SP 800-30

Question 40

Who determines and documents in the SAR a risk level for every NC security control in the system baseline?

Answer 40

Security Control Assessor (SCA)

Question 41

What is used to document the SCA’s findings of compliance with assigned security controls based on actual assessment results?

Answer 41

Security Assessment Report (SAR)

Question 42

What is used to identify tasks that need to be accomplished o remediate or mitigate vulnerabilities?

Answer 42

POA&M

Question 43

IATTs should be granted only when an operational environment or live data is required to complete specific test objectives and should expire at the completion of testing (normally for a period of less than how many days)?

Answer 43

90

Question 44

Who continuously monitors the system or information environment for security-relevant events and configuration changes that negatively affect security posture?

Answer 44

Information Systems Security Manager (ISSM)

Question 45

What is the authoritative source for RMF guidance and the repository for DoD RMF policy?

Answer 45

Knowledge Service (KS)

Question 46

Who is responsible for the functional configuration and content management of the KS as well as providing detailed analysis and authoring support for the enterprise portion of the KS content?

Answer 46

Risk Management Framework Technical Advisory Group (RMF TAG)