RMF Step 2: Select

Question 1

RMF Task 2-1

Answer 1

Identify security controls that are common controls

Question 2

RMF Task 2-2

Answer 2

Select the security controls for the information system

Question 3

RMF Task 2-3

Answer 3

Develop a strategy for continuous monitoring of controls

Question 4

Security Controls

Answer 4

Management, Operational, and Technical controls designated to information system to protect CIA. Made up of safeguards and countermeasures

Question 5

Safeguards

Answer 5

Protective measures prescribed to meet the security requirements

Question 6

Countermeasures

Answer 6

Actions that reduce the vulnerability of a system

Question 7

Minimum Security Baseline

Answer 7

set of standards that applied enterprise wide to ensure consistent level of compliance

Question 8

Two documents that govern Step 2 selection of security controls are

Answer 8

FIPs 200 and NIST 800-53 (Security and Privacy Controls for information systems)

Question 9

How many control families are there?

Answer 9

17, with one additional family control (PM controls, program mgmt)

and privacy controls

but makes a total of 18

Question 10

High water mark

Answer 10

used to identify the system category and baseline security controls to implement

Question 11

NIST 800-53 no longer divides families into what?

Answer 11

Mgmt, operational, technical controls

Question 12

What are the 18 control families

AC
AT
AU 
CA
CM
CP
IA
IR
MA
MP
PE 
PL
PS
RA
SA
SC
SI 
PM

Answer 12

AC
AT
AU - audit and accountability
CA - Security Assessment and Authorization
CM
CP
IA - identification and authentication
IR
MA
MP
PE - physical and environment protection
PL
PS
RA
SA - System and Services Acquisition
SC - System and Communications Protection
SI - System and Information Integrity
PM - Program mgmt

Question 13

Information Security Programs - PM Controls

Answer 13

• Organization wide information security program management controls
• Not associated with security control baselines
• Independent of any system impact level, no control enhancements

Question 14

Privacy Controls - Define and how many control families

Answer 14

• Safeguards employed to protect and ensure proper handling of PII
• Split into 8 families

Question 15

Privacy Controls

AP
AR
DI
DM
IP
SE
TR
UL

Answer 15

AP - Authority and purpose
AR - Accountability, Audit, and Risk Mgmt
DI - Data Quality and Integrity
DM - Data Minimization and Retention
IP - Individual Participation and Redress
SE - Security
TR - Transparency 
UL - Use Limitation

Question 16

Privacy Controls - AP and AR Controls

Answer 16

AP - Authority and Purpose
*authority of PII, purpose of PII

AR - Accountability, Audit, and Risk Mgmt
*ensure compliance with privacy protection requirements and minimizing overall privacy risk

Question 17

Privacy Controls - DI and DM

Answer 17

DI - Data Quality and Integrity
*ensure PII is accurate

DM - Data Minimization and Retention
*ensures retaining PII that is necessary or relevant

Question 18

Privacy Controls - IP and SE

Answer 18

IP - Individual Participation and Redress
*Individuals made aware of the collection and use of their PII

SE - Security
*ensure safeguards are in place to protect PII collected against loss or unauthorized access and ensure compliance with OMB policies and guidance

Question 19

Privacy Controls - TR and UL

Answer 19

TR - Transparency
*ensures organizations provide public notice of their practices and privacy impact of their programs and activities

UL - Use Limitation
*Ensure use of PII only as specified in their public notices

Question 20

NIST 800-53 Control Section

Answer 20

concise statement of specific security capabilities needed to protect information system (definition of control)

Question 21

NIST 800-53 Supplemental Guidance Section

Answer 21

provides additional info related to a specific control, but contains no requirements

Question 22

NIST 800-53 Control Enhancements Section

Answer 22

provides statements of security capability to

1) build additional functionality to a control
2) increase the strength of the control

Question 23

NIST 800-53 References Section

Answer 23

a list of applicable federal laws, executive orders, directives, policies, standards, and guidelines that are relevant to a control or enhancement

Question 24

NIST 800-53 Priority and Baseline Allocation Section

Answer 24

1) The recommended priority codes used in sequencing decisions during security control implementation
2) initial allocation of controls and enhancements for low, mod, high impact systems

Priority Code 1 (P1) - FIRST - implement first
P2 - NEXT
P3 - LAST
P0 - NONE - control not selected for baseline

Question 25

Common Controls and their benefits

Answer 25

Controls that can be allocated to one or more information systems

Benefits - major savings in development and implementation costs, reliable application to multiple systems

Question 26

Input/Output for RMF Step 2: Select

Answer 26

Inputs

• System description
• Security cateogry
• Impact level
• NIST 800-53
• Common Controls

Output
*Final, agreed upon set of security controls