DODI 8510.01, RMF FOR DOD (IT)

Question 1

Who oversees the implementation of DoDI 8510.01 and directs and oversees the cybersecurity risk management of DoD IT?

Answer 1

DoD Chief Information Officer (DoD CIO)

Question 2

Who develops and provides RMF training and awareness products and a distributive training capability
to support the DoD Components?

Answer 2

Director, Defense Information Systems Agency (DISA)

Question 3

Who is responsible for coordinating with the DoD CIO to ensure RMFs processes are appropriately
integrated with Defense Acquisition System processes for DoD IT acquisitions?

Answer 3

Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L))

Question 4

Who reviews plans, execution, and results of operational testing to ensure adequate evaluation of
cybersecurity for all DoD IT acquisitions subject to oversight?

Answer 4

Director, Operational Test and Evaluation (DOT&E)

Question 5

Who ensures that IS security engineering services, when provided to the DoD components, support the
RMF?

Answer 5

Director, National Security Agency/Chief, Central Security Service (DIRNSA/CHCSS)

Question 6

6. DOD Component heads must ensure that a trained and qualified AO is appointed in writing for all DoD IS and PIT systems operating within or on behalf of the DoD Component in accordance with which
   reference?

Answer 6

DoD Instruction 8500.01

Question 7

Who is responsible for ensuring the Joint Capabilities Integration and Development System (JCIDS)
process supports and documents IS and PIT system categorization consistent with DoDI 8510.01?

Answer 7

Chairman of the Joint Chiefs of Staff (CJCS)

Question 8

Who is responsible for ensuring all products, services, and PIT have completed the appropriate
evaluation and configuration processes prior to incorporation into or connection to an IS or PIT system?

Answer 8

Information Systems Security Manager (ISSM)

Question 9

What are product-specific and document the applicable DoD policies and security requirements, as well
as best practices and configuration guidelines?

Answer 9

Security Technical Implementation Guides (STIGs)

Question 10

What are developed by DISA to provide general security compliance guidelines as well as serving as
source guidance documents for STIGs?

Answer 10

Security Requirements Guides (SRGs)

Question 11

Which approach to cybersecurity risk management as described in NIST SP 800-39 is implemented by
the DoD RMF governance structure?

Answer 11

Three-tiered

Question 12

Which Tier level in RMF addresses risk management at the DoD enterprise level?

Answer 12

Tier 1

Question 13

Who directs and oversees the cybersecurity risk management of DoD IT?

Answer 13

Department of Defense Chief Information Officer (DoD CIO)

Question 14

What performs the DoD Risk Executive Function?

Answer 14

DoD Information Security Risk Management Committee (ISRMC)

Question 15

What is the community forum for reviewing and resolving authorization issues related to the sharing of
community risk?

Answer 15

Defense IA Security Accreditation Working Group (DSAWG)

Question 16

Who oversees the RMF TAG and the online KS?

Answer 16

Department of Defense Senior Information Security Officer (DoD SISO)

Question 17

What provides implementation guidance for the RMF by interfacing with the DoD component
cybersecurity programs, cybersecurity communities of interest (COIs), and other entities to address issues
that are common across all entities?

Answer 17

Risk Management Framework Technical Advisory Group (RMF TAG)

Question 18

What supports RMF implementation, planning, and execution by functioning as the authoritative source
for RMF procedures and guidance?

Answer 18

Knowledge Service

Question 19

Who must monitor and track overall execution of system-level POA&Ms?

Answer 19

Authorizing Officials (AOs)

Question 20

Who develops, maintains, and tracks security plans for assigned IS and PIT systems?

Answer 20

Information Systems Owners (ISOs)

Question 21

PMs must ensure periodic reviews, testing and assessment of assigned IS and PIT systems are
conducted at least how often?

Answer 21

Annually

Question 22

PMs must ensure T&E of assigned IS and IT systems is planned, resourced, and documented in the
program T&E master plan in accordance with which reference?

Answer 22

DoDI 5000.02

Question 23

What reduces redundant testing, assessing and documentation, and the associated cost in time and
resources?

Answer 23

Reciprocity

Question 24

What must PMs and ISOs who are deploying systems across DoD Components post security
authorization documentation to in order to provide visibility of authorization status and documentation to
planned receiving sites?

Answer 24

Enterprise Mission Assurance Support Service (eMASS)

Question 25

Which reference contains DoD policy for Unified Capabilities(UC)?

Answer 25

DoDI 8100.04

Question 26

What is used to deploy identical copies of an IS or PIT system in specified environments?

Answer 26

Type authorization

Question 27

Which type of systems do not transmit, receive, route, or exchange information outside of the system’s
authorization?

Answer 27

Platform Information Technology (PIT)

Question 28

How many different approaches are described by NIST SP 800-37 when planning for and conducting
security authorizations?

Answer 28

3

Question 29

What must all DoD IS and PIT systems have that provides an overview of the security requirements for
the system and describes the security controls in place or planned for meeting those requirements?

Answer 29

Security Plan

Question 30

How many steps are in the RMF process?

Answer 30

6

Question 31

What is step one of the RMF process?

Answer 31

Categorize system

Question 32

What is step two of the RMF process?

Answer 32

Select Security Controls

Question 33

What is step three of the RMF process?

Answer 33

Implement Security Controls

Question 34

What is step four of the RMF process?

Answer 34

Assess Security Controls

Question 35

What is step five of the RMF process?

Answer 35

Authorize System

Question 36

What is the final step of the RMF process?

Answer 36

Monitor Security Controls

Question 37

RMF Team members are required to meet the suitability and fitness requirements established in which
reference?

Answer 37

DoD 5200.2-R

Question 38

14. What is the authoritative source for detailed security control descriptions, implementation guidance and
    assessment procedures?

Answer 38

Knowledge Service

Question 39

Which reference identifies vulnerability severity values?

Answer 39

NIST SP 800-30

Question 40

Who determines and documents in the SAR a risk level for every NC security control in the system
baseline?

Answer 40

Security Control Assessor (SCA)

Question 41

What is used to document the SCA’s findings of compliance with assigned security controls based on
actual assessment results?

Answer 41

Security Assessment Report

Question 42

What is used to identify tasks that need to be accomplished to remediate or mitigate vulnerabilities?

Answer 42

POA&M

Question 43

19. IATTs should be granted only when an operational environment or live data is required to complete
    specific test objectives and should expire at the completion of testing (normally for a period of less than how many days)?

Answer 43

90

Question 44

Who continuously monitors the system or information environment for security-relevant events and
configuration changes that negatively affect security posture?

Answer 44

Information Systems Security Manager (ISSM)

Question 45

What is the authoritative source for RMF guidance and the repository for DoD RMF policy?

Answer 45

Knowledge Service (KS)

Question 46

Who is responsible for the functional configuration and content management of the KS as well as

providing detailed analysis and authoring support for the enterprise portion of the KS content?

Answer 46

Risk Management Framework Technical Advisory Group (RMF TAG)