Random Questions

Question 1

What does RMF stand for?

Answer 1

Risk Management Framework

Question 2

How many steps are in the RMF?

Answer 2

Seven

Question 3

What are the abbreviated RMF steps?

Answer 3

Prepare, Categorize, Select, Implement,
Assess, Authorize, Monitor

Question 4

Who is invited to the kickoff meeting?

Answer 4

The Subject Matter Experts (SME’s)
Project Manager
Software Engineer, Network Engineer, System Engineer
Hardware Team
Common Control Provider
Authorizing Official (AO)
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Information System Security Officer (ISSO)

Question 5

What is discussed during the kickoff meeting?

Answer 5

C.I.A. of the system
Location of the system
Cost of the system
A Unique Identification number is assigned to the system
Overlays
Assessment scheduled start and end date and what is expected during assessment.

Question 6

What are the types of overlays?

Answer 6

Privacy, ISO, IEC, CDS, IC

Question 7

What publications are used in the Prepare step?

Answer 7

NIST-800-30 | Conducting Risk Assessments
NIST-800-37 | RMF 1-7
NIST-800-39 | Managing Risk
NIST-800-18 | How to develop an SSP (Creation of the SSP)

Question 8

What is categorization?

Answer 8

The security categorization of Federal systems and step 2 of RMF.

Question 9

What are the two types of systems?

Answer 9

GSS and Major Application System

Question 10

Which system requires an assessement of the whole system?

Answer 10

GSS - General Support System

Question 11

Which system requires an assessment of one application?

Answer 11

Major Application System

Question 12

How many security impacts are there?

Answer 12

Five

Question 13

What are the five security impacts?

Answer 13

Critical, High, Moderate, Low, N/A

Question 14

How soon must you remediate a critical security impact?

Answer 14

Immediately or 30 days

Question 15

How soon must you remediate a high security impact?

Answer 15

Immediately or 30 days

Question 16

How soon must you remediate a moderate security impact?

Answer 16

60 days

Question 17

How soon must you remediate a low security impact?

Answer 17

90 to 180 days

Question 18

What publication is used in the Categorize step?

Answer 18

FIPS-199

Question 19

How do you get the high water mark of a system?

Answer 19

Know what type of system
Use CIA
Determine the highest or most reoccurring security impact
Which will give you the sensitivity of the system (high water mark), which will give you FIPS-199

Question 20

What is an example of assessment of a whole system?

Answer 20

Cell phone

Question 21

What is an example of assessment of one application?

Answer 21

Screen timeout

Question 22

How many security control families are there?

Answer 22

19 + 1

Question 23

How many types of security control families are there?

Answer 23

Three

Question 24

What are the three types of security controls?

Answer 24

Technical, Operational, Managerial

Question 25

How are technical controls tested?

Answer 25

They are demonstrated.

Question 26

What are Operational Controls and how are they managed?

Answer 26

They tell you how something works and are uploaded into a Government Risk Management tool.

Question 27

What is an example of a government risk management tool?

Answer 27

Xactor 360, E-mass, C-SAM, SharePoint

Question 28

What are managerial controls?

Answer 28

Controls that managers or supervisors must do or provide.

Question 29

What references do you need to select the controls?

Answer 29

NIST-800-53 | Information Types
NIST-800-53A | Data
NIST-800-53B | Baseline controls for REV5
NIST-800-60 | Mapping
NIST Special Publication 200 | Basic Controls
DHS Sensitive System Policy Directive 4300A
ISO/IEC 27001 & 27002 | Communication
CNSS-1253 |Committee on National Security Systems
Privacy Overlay (PII or PKI)
Intelligence Community (IC)

Question 30

What is the first thing the ISSO will do after the controls are selected?

Answer 30

TAILOR OUT THE CONTROLS that are NOT APPLICABLE or NOT NEEDED for the system.

Question 31

What is the second thing the ISSO will do after the controls are selected?

Answer 31

Scrub the client’s CAT.

Question 32

What will the SCA do after the controls are selected?

Answer 32

Look for deficiencies between the CAT and the RTM. Ensure both have the same information.

Question 33

If deficiencies are found between the CAT and RTM, what document also needs updated, when, and why?

Answer 33

The SSP needs updated immediately because it is a living document.

Question 34

What information is on the CAT and RTM?

Answer 34

Tester’s name
Contact number
Contact email
Controls being tested
Date and time of test

Question 35

What artifacts satisfy Operational and Managerial controls?

Answer 35

PDF’s and URL’s

Question 36

What artifacts satisfy Technical controls?

Answer 36

Screen Shots

Question 37

How does the ISSO ensure the controls are doing what is designed or intended?

Answer 37

The ISSO will TIE:
Test the control
Interview
Examine

Question 38

What tools are used to conduct vulnerability scans?

Answer 38

Nessus Tenable
Burp
Intruder
Insight

Question 39

How often does the ISSO run patches and perform updates?

Answer 39

Weekly

Question 40

How often must vulnerability scans be conducted?

Answer 40

Every 30 days

Question 41

Implementation satisfies which controls?

Answer 41

RA-5 | Vulnerability Scans
SA-5 | Information System Documentation
SI-5 | Automated Security Alerts and Advisories

Question 42

STIG

Answer 42

Security Technical Implementation Guide