(ISC)2

CGRC Question #581: Real Exam Question with Answer & Explanation

The correct answer is A: Architectural descriptions and organizational inputs.

Scope of the System

Question

When attempting to categorize a system, which two RMF starting point inputs should be accounted for and are critical inputs to Categorization?

Options

  • A. Architectural descriptions and organizational inputs
  • B. Federal laws and organizational policies
  • C. Federal laws and Office of Management and Budget (OMB) policies
  • D. Federal Information Security Management Act (FISMA) and the Privacy Act

Explanation

When categorizing a system in RMF, critical inputs include architectural descriptions, which detail the system's structure and components, and organizational inputs, which provide context on the system's mission and business functions. These inputs are vital for accurately determining the system's security impact level.

Common mistakes.

  • B. While federal laws and organizational policies are important for RMF implementation, they typically guide the categorization process and determine requirements, rather than being direct inputs to categorize a specific system's function and data.
  • C. Federal laws and OMB policies provide high-level directives and requirements, but are not the specific, detailed inputs directly used to describe a system's characteristics for categorization.
  • D. FISMA and the Privacy Act are foundational laws that establish requirements, but they are not direct inputs describing a particular system's architecture or organizational context for categorization.

Concept tested. RMF Step 1 Categorization inputs

Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

Topics

#RMF #System Categorization #Inputs #NIST RMF