CGRC Question #271: Real Exam Question with Answer & Explanation
The correct answer is B: Phase 1.
Question
Which of the following RMF phases identifies key threats and vulnerabilities that could compromise the confidentiality, integrity, and availability of the institutional critical assets?
Options
- A. Phase 2
- B. Phase 1
- C. Phase 3
- D. Phase 0
Explanation
Phase 1 of the Risk Management Framework (RMF), known as Prepare, involves identifying organizational assets, threats, and vulnerabilities that could impact confidentiality, integrity, and availability.
Common mistakes.
- A. Phase 2 (Categorize) is about categorizing the information system based on impact, not directly identifying threats and vulnerabilities of assets.
- C. Phase 3 (Select) involves selecting security controls, which happens after threats and vulnerabilities have been identified.
- D. Phase 0 is not a recognized formal phase in the NIST RMF.
Concept tested. RMF Prepare phase activities
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf