
CAS-002 · Question #773


The correct answer is A: Establish the security control baseline. The baseline chosen in the RMF Select step is the set of controls that the later Assess step is measured against; planning only the assessment skips that prerequisite.

Question

A security engineer is a new member of a configuration board at the request of management. The company has two new major IT projects starting this year and wants to plan security into the application deployment. The board is primarily concerned with the applications' compliance with federal assessment and authorization standards. The security engineer asks for a timeline to determine when a security assessment of both applications should occur and does not attend subsequent configuration board meetings. If the security engineer is only going to perform a security assessment, which of the following steps in system authorization has the security engineer omitted?

Options

  • A. Establish the security control baseline
  • B. Build the application according to software development security standards
  • C. Review the results of user acceptance testing
  • D. Consult with the stakeholders to determine which standards can be omitted

Explanation

In the NIST Risk Management Framework (SP 800-37), the Select step establishes the security control baseline: the system is categorized by impact level (FIPS 199), a matching SP 800-53 baseline is chosen, and the baseline is tailored and documented in the system security plan. The Assess step that follows is only meaningful against that documented set, because the assessor tests whether the implemented controls are in place and operating as intended. An engineer who plans only the assessment has skipped the baseline and has no defined controls to evaluate against.

Common mistakes.

  • B. While building the application securely is important, it is the responsibility of developers, not the security assessor; the engineer's defined role is assessment only, so omitting development oversight is not the gap.
  • C. Reviewing user acceptance testing results is a quality assurance activity outside the scope of a federal security assessment and authorization process, so this is not a step the security engineer would be expected to perform.
  • D. Consulting stakeholders to omit standards is not a step in federal assessment and authorization. FIPS 199, FIPS 200 and SP 800-53 are mandatory for federal systems; the control baseline may be tailored, but only with documented justification accepted through the authorization process, never waived by stakeholder agreement.

Concept tested. NIST RMF steps - security control baseline selection

Reference. https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
