DODI 8510.01, RISK MANAGEMENT FRAMEWORK (RMF) FOR DOD INFORMATION TECHNOLOGY (IT)

Question 1

Which approach to cybersecurity risk management as described in NIST SP 800-39 is implemented by the DoD RMF governance structure?

Answer 1

Three-tiered

Question 2

Which Tier level in RMF addresses risk management at the DoD enterprise level?

Answer 2

Tier 1

Question 3

Who directs and oversees the cybersecurity risk management of DoD IT?

Answer 3

Department of Defense Chief Information Officer (DoD CIO)

Question 4

What performs the DoD Risk Executive Function?

Answer 4

DoD Information Security Risk Management Committee (ISRMC)

Question 5

What is the community forum for reviewing and resolving authorization issues related to the sharing of community risk?

Answer 5

Defense IA Security Accreditation Working Group (DSAWG)

Question 6

Who oversees the RMF TAG and the online KS?

Answer 6

Department of Defense Senior Information Security Officer (DoD SISO)

Question 7

What provides implementation guidance for the RMF by interfacing with the DoD component cybersecurity programs, cybersecurity communities of interest (COIs), and other entities to address issues that are common across all entities?

Answer 7

Risk Management Framework Technical Advisory Group (RMF TAG)

Question 8

What supports RMF implementation, planning, and execution by functioning as the authoritative source for RMF procedures and guidance?

Answer 8

Knowledge Service

Question 9

Who must monitor and track overall execution of system-level POA&Ms?

Answer 9

Authorizing Officials

Question 10

Who develops, maintains, and tracks security plans for assigned IS and PIT systems?

Answer 10

Information System Owners (ISOs)

Question 11

PMs must ensure periodic reviews, testing and assessment of assigned IS and PIT systems are conducted at least how often?

Answer 11

Annually

Question 12

PMs must ensure T&E of assigned IS and IT systems is planned, resourced, and documented in the program T&E master plan in accordance with which reference?

Answer 12

DoDI 5000.02

Question 13

What reduces redundant testing, assessing and documentation, and the associated cost in time and resources?

Answer 13

Reciprocity

Question 14

What must PMs and ISOs who are deploying systems across DoD Components post security authorization documentation to in order to provide visibility of authorization status and documentation to planned receiving sites?

Answer 14

Enterprise Mission Assurance Support Service (eMASS)

Question 15

Which reference contains DoD policy for Unified Capabilities (UC)?

Answer 15

DoDI 8100.04

Question 16

What is used to deploy identical copies of an IS or PIT system in specified environments?

Answer 16

Type authorization

Question 17

Which type of systems do not transmit, receive, route, or exchange information outside of the system’s authorizations?

Answer 17

3

Question 18

What must all DoD IS and PIT systems have that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements?

Answer 18

Security plan

Question 19

How many steps are in the RMF process?

Answer 19

6

Question 20

What is step one of the RMF process?

Answer 20

Categorize system

Question 21

What is step two of the RMF process?

Answer 21

Select Security Controls

Question 22

What is step three of the RMF process?

Answer 22

Implement Security Controls

Question 23

What is step four of the RMF process?

Answer 23

Assess Security Controls

Question 24

What is step five of the RMF process?

Answer 24

Authorize System

Question 25

What is the final step of the RMF process?

Answer 25

Monitor Security Controls

Question 26

RMF Team members are required to meet the suitability and fitness requirements established in which reference?

Answer 26

DoD 5200.2-R

Question 27

What is the authoritative source for detailed security control descriptions, implementation guidance and assessment procedures?

Answer 27

Knowledge Service

Question 28

Which reference identifies vulnerability severity values?

Answer 28

NIST SP 800-30

Question 29

Who determines and documents in the SAR a risk level for every NC security control in the system baseline?

Answer 29

Security Control Assessor (SCA)

Question 30

What is used to document the SCA’s findings of compliance with assigned security controls based on actual assessment results?

Answer 30

Security Assessment Report (SAR)

Question 31

What is used to identify tasks that need to be accomplished to remediate or mitigate vulnerabilities?

Answer 31

POA&M

Question 32

IATTs should be granted only when an operational environment or live data is required to complete specific test objectives and should expire at the completion of testing (normally for a period of less than how many days)?

Answer 32

90

Question 33

Who continuously monitors the system or information environment for security-relevant events and configuration changes that negatively affect security posture?

Answer 33

Information Systems Security Manager (ISSM)