NIST SP 800-53A Flashcards
1
Q
“The selection of appropriate assessment procedures and the rigor, intensity, and scope of the assessment depend on three factors:…”
A
- The security categorization of the information system;
- The assurance requirements that the organization intends to meet in determining the overall effectiveness of the security controls; and
- The selection of security controls from SP 800-53 as identified in the approved security plan.
2
Q
Security categorization (national security systems)
A
Is accomplished with CNSS Instruction 1253.
3
Q
Security categorization (other than national security systems)
A
Is accomplished in accordance with FIPS 199 and SP 800-60.
4
Q
Information produced during security control assessments can be used by an organization to:
A
- Identify potential problems or shortfalls in the organization’s implementation of the Risk Management Framework;
- Identify information system weaknesses and deficiencies;
- Prioritize risk mitigation decisions and associated risk mitigation activities;
- Confirm that identified weaknesses and deficiencies in the information systems have been addressed;
- Support continuous monitoring activities and information security situational awareness;
- Facilitate security authorization decisions; and
- Inform budgetary decisions and the capital investment process.