
CGRC Question #98: Real Exam Question with Answer & Explanation

The correct answer is A: Common Controls Provider. NIST SP 800-37 defines the 'Common Controls Provider' as the organizational official responsible for the comprehensive management of security controls that are inherited by multiple information systems.

Security and Privacy Governance, Risk Management, and Compliance Program

Question

NIST SP 800-37 defines this role as an organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems).

Options

  • A. Common Controls Provider
  • B. Implement Controls
  • C. Security Controls
  • D. Common Controls

Explanation

NIST SP 800-37 defines the 'Common Controls Provider' as the organizational official responsible for the comprehensive management of security controls that are inherited by multiple information systems.

Common mistakes.

  • B. The phrase 'Implement Controls' describes an activity or process within the RMF, not an organizational role.
  • C. 'Security Controls' refers to the safeguards themselves, not a person or role responsible for them.
  • D. 'Common Controls' refers to the specific type of security controls that are inherited, not the official responsible for their management.

Concept tested. NIST RMF roles - Common Controls Provider

Reference. https://csrc.nist.gov/projects/risk-management-framework/key-rmf-roles

Topics

#NIST SP 800-37 · #Common Controls · #Roles and Responsibilities
