(ISC)2
CGRC · Question #669
CGRC Question #669: Real Exam Question with Answer & Explanation
The correct answer is D: It takes place after the initial system security accreditation.
Compliance Maintenance
Question
Which of the following statements is true about the continuous monitoring process?
Options
- A. It takes place in the middle of system security accreditation.
- B. It takes place before and after system security accreditation.
- C. It takes place before the initial system security accreditation.
- D. It takes place after the initial system security accreditation.
Explanation
The question asks about the timing of the continuous monitoring process in relation to system security accreditation.
Common mistakes:
- A. Continuous monitoring is an ongoing process throughout the system's operational life, not limited to "the middle" of an accreditation phase.
- B. While monitoring activities might exist before accreditation (e.g., during development), the formal "continuous monitoring process" as defined in frameworks like NIST RMF primarily focuses on maintaining authorization after the initial accreditation decision.
- C. Initial accreditation is largely based on the security assessment before operation, whereas continuous monitoring is about maintaining that security during operation.
Concept tested. Continuous Monitoring in RMF
Reference. https://csrc.nist.gov/projects/risk-management-framework/rmf-steps/step-6-monitor
Topics
#Continuous Monitoring #Risk Management Framework (RMF) #System Accreditation #Authorization to Operate (ATO)