CGRC Exam Questions
724 real CGRC exam questions with expert-verified answers and explanations. Page 11 of 15.
- Question #502 (Compliance Maintenance): The primary responsibility to update authorization package documents lies with which of the following officials?
  Tags: Roles and Responsibilities; Authorization Package; System Owner; Common Control Provider
- Question #503 (Scope of the System): The RMF step and task where the information system (including the system boundary) is described and documented in the Security Plan.
  Tags: RMF Prepare Step; System Scope; Security Plan; NIST SP 800-37
- Question #504 (Security and Privacy Governance, Risk Management, and Compliance Program): What is the four-step security categorization process?
  Tags: Security Categorization; Information Types; Risk Management Process
- Question #505 (Security and Privacy Governance, Risk Management, and Compliance Program): NIST SP 800-37, Revision 1, provides guidance to individuals involved in the...................
  Tags: NIST SP 800-37; Risk Management Framework; Government Information Systems; System Lifecycle
- Question #506 (Selection and Approval of Framework, Security, and Privacy Controls): Which Software Development Life-Cycle phase maps to RMF Step 2 (select controls), Task 4, SP Approval?
  Tags: RMF Steps; SDLC Phases; Control Selection; System Acquisition
- Question #507 (Security and Privacy Governance, Risk Management, and Compliance Program): Which authorization approach considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and...
  Tags: Leveraged Authorization; Risk Management; Authorization Decision; NIST RMF
- Question #508 (Scope of the System): A system in which at least one security objective is assigned a FIPS Publication 199 potential impact value of high best defines...
  Tags: FIPS 199; System Categorization; Impact Levels; High-Impact System
- Question #509 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the three tiers of the risk management approach addresses risk from an enterprise-wide perspective?
  Tags: Risk Management Tiers; Enterprise Risk Management; NIST RMF; Organizational Risk
- Question #510 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following describes residual risk as the risk remaining after risk mitigation has occurred?
  Tags: Residual Risk; Risk Mitigation; DIACAP; Risk Management Frameworks
- Question #511 (Assessment/Audit of Security and Privacy Controls): During the assessment of security controls, some failed controls (quick fixes) may be remediated immediately or before the final security assessment report is completed and submitt...
  Tags: Security Control Assessment; Remediation; Risk Management Framework (RMF); Documentation
- Question #512 (Security and Privacy Governance, Risk Management, and Compliance Program): Who is responsible for reviewing the assessment reports and plans of action and milestones and determining whether the identified risks need to be mitigated prior to authorization?...
  Tags: Authorizing Official; RMF Roles; System Authorization; Risk Acceptance
- Question #513 (Compliance Maintenance): Which of the following is not part of the contents of a PO&M?
  Tags: PO&M; Plan of Action and Milestones; Remediation; Risk Management Framework
- Question #514 (Security and Privacy Governance, Risk Management, and Compliance Program): You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the proj...
  Tags: Risk Management; Risk Register; Project Management Documentation; Risk Response Planning
- Question #515 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following is NOT a phase of the security certification and accreditation process?
  Tags: Security Certification and Accreditation; C&A Process Phases; Risk Management Framework
- Question #516 (Assessment/Audit of Security and Privacy Controls): Which task in Assess Security Controls is where you conduct initial remediation actions on security controls based on findings and recommendations of the security assessment report and...
  Tags: Security Control Assessment; Remediation; NIST RMF; Control Reassessment
- Question #517 (Compliance Maintenance): What is the purpose of the Monitor step?
  Tags: RMF; Continuous Monitoring; Situational Awareness; Security Posture
- Question #518 (Security and Privacy Governance, Risk Management, and Compliance Program): Which NIST SP is a Guide for Conducting.
  Tags: NIST SP 800-30; Risk Assessment; NIST Publications
- Question #519 (Security and Privacy Governance, Risk Management, and Compliance Program): DIACAP applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information since December...
  Tags: DIACAP; Authorization Process; DoD Security; Compliance Phases
- Question #520 (Compliance Maintenance): Which of the following roles is used to ensure that the confidentiality, integrity, and availability of the services are maintained to the levels approved on the Service Level Agre...
  Tags: Change Management; Service Level Agreement (SLA); Confidentiality, Integrity, Availability (CIA); IT Service Management roles
- Question #521 (Selection and Approval of Framework, Security, and Privacy Controls): Subsequent to a security breach, which of the following techniques are used with the intention of limiting the extent of damage caused by the incident?
  Tags: Security controls; Corrective controls; Incident response; Damage limitation
- Question #522 (Security and Privacy Governance, Risk Management, and Compliance Program): What are the five keys to a successful Risk Management Program?
  Tags: Risk Management Program; Senior Management Commitment; Program Success Factors; Governance
- Question #523 (Security and Privacy Governance, Risk Management, and Compliance Program): A project team member has just identified a new project risk. The risk event is determined to have significant impact but a low probability in the project. Should the risk event ha...
  Tags: Risk Identification; Risk Management Process; Risk Register; Project Risk
- Question #524 (Compliance Maintenance): Which of the following activities is not an element of monitoring security controls?
  Tags: Security Control Monitoring; Continuous Monitoring; NIST RMF; Security Operations
- Question #525 (Security and Privacy Governance, Risk Management, and Compliance Program): Frank is the project manager of the NHH Project. He is working with the project team to create a plan to document the procedures to manage risks throughout the project. This docume...
  Tags: Risk management; Risk management plan; Project management; Contingency planning
- Question #526 (Assessment/Audit of Security and Privacy Controls): An initial remediation action was taken by the information system owner (ISO) based on findings from the security assessment report (SAR). What is the next appropriate step based o...
  Tags: Risk Management Framework (RMF); Remediation; Security Assessment Report (SAR); Documentation
- Question #527 (Assessment/Audit of Security and Privacy Controls): What assessment procedure is designed to work with and complement the assessment procedures to contribute to the grounds for confidence in the effectiveness of the security control...
  Tags: Assessment procedures; Extended assessment; Security control effectiveness; Confidence
- Question #528 (Compliance Maintenance): What is the purpose of security impact analysis?
  Tags: Security Impact Analysis; Change Management; Compliance Maintenance
- Question #529 (Assessment/Audit of Security and Privacy Controls): The assessment test plan, once developed, is submitted to __________ for approval.
  Tags: Assessment Plan; Control Assessment; Approval Process; NIST RMF
- Question #530 (Compliance Maintenance): Which of the following processes has the goal of ensuring that any change does not lead to reduced or compromised security?
  Tags: Change Management; Security Controls; Configuration Management
- Question #531 (Security and Privacy Governance, Risk Management, and Compliance Program): FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or a...
  Tags: FIPS 199; Impact Levels; Risk Assessment; CIA Triad
- Question #532 (Scope of the System): In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199. What levels of potential impact are defined by FIPS 199? Each correct answer represen...
  Tags: NIST FIPS 199; Impact Levels; Information System Categorization; Risk Management
- Question #533 (Scope of the System): One of the following sentences can appropriately help Authorizing Officials and CISOs define an accreditation boundary.
  Tags: Accreditation Boundary; Authorization Boundary; System Scope; Risk Management Framework (RMF)
- Question #534 (Implementation of Security and Privacy Controls): In which of the following phases does the change management process start?
  Tags: NIST RMF; Change Management; Control Implementation; RMF Phases
- Question #535 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following documents were developed by NIST for conducting Certification & Accreditation (C&A)? Each correct answer represents a complete solution. Choose all that appl...
  Tags: NIST Special Publications; Risk Management Framework; Certification and Accreditation; NIST RMF Documents
- Question #536 (Security and Privacy Governance, Risk Management, and Compliance Program): One of the following is not an activity conducted when preparing to implement the risk management framework.
  Tags: Risk Management Framework (RMF); RMF Prepare Step; Security Test and Evaluation (ST&E); Risk Management Program
- Question #537 (Selection and Approval of Framework, Security, and Privacy Controls): During which RMF step is the system security plan (SP) approved?
  Tags: RMF; System Security Plan (SSP); Control Selection; NIST SP 800-37
- Question #538 (Security and Privacy Governance, Risk Management, and Compliance Program): According to NIST SP 800-37 Rev 2, step 6 of the risk management framework can be described as:
  Tags: NIST RMF; Risk Management Framework; Authorization; NIST SP 800-37 Rev 2
- Question #539 (Security and Privacy Governance, Risk Management, and Compliance Program): System authorization is now used to refer to which of the following terms?
  Tags: System Authorization; Certification and Accreditation (C&A); NIST RMF; Authorization to Operate (ATO)
- Question #540 (Assessment/Audit of Security and Privacy Controls): Which of the following NIST documents includes components for penetration testing?
  Tags: NIST Special Publications; Penetration Testing; Risk Assessment; Vulnerability Identification
- Question #541 (Scope of the System): The direct connection of two or more IT systems for the purpose of sharing data and other information resources.
  Tags: System Interconnection; Data Sharing; Information Exchange
- Question #542 (Compliance Maintenance): Which NIST SP 800 series document is concerned with continuous monitoring of Federal Information Systems & organizations?
  Tags: NIST SP 800-137; Continuous Monitoring; Information Security; Federal Information Systems
- Question #543 (Security and Privacy Governance, Risk Management, and Compliance Program): Which of the following C&A professionals plays the role of an advisor?
  Tags: RMF Roles; ISSE; Security Personnel; Advisory Role
- Question #544 (Selection and Approval of Framework, Security, and Privacy Controls): Colvine-Tech hardware (10 computers) is located in a single computer room and access to the room is permitted only to the few system users who have the required privileges. To acc...
  Tags: Security Controls Classification; Common Controls; Physical Security; NIST RMF
- Question #545 (Security and Privacy Governance, Risk Management, and Compliance Program): A condition that exists within an organization, a mission/business process, enterprise architecture, or information system including its environment of operation, which contributes...
  Tags: risk management terminology; predisposing conditions; security concepts; threat events
- Question #546 (Security and Privacy Governance, Risk Management, and Compliance Program): What are the nine steps of the Risk Assessment Methodology?
  Tags: Risk Assessment Methodology; NIST SP 800-30; System Characterization; Risk Management
- Question #547 (Assessment/Audit of Security and Privacy Controls): Another term used to refer to a Security Controls Assessment or security review is?
  Tags: Security Controls Assessment; Security Review; ST&E; Terminology
- Question #548 (Security and Privacy Governance, Risk Management, and Compliance Program): Organizations implement safeguards and countermeasures to protect information resources from risks. One of the following is an administrative safeguard family implemented by the ma...
  Tags: Administrative safeguards; Certification and Accreditation; Security controls; NIST RMF
- Question #549 (Security and Privacy Governance, Risk Management, and Compliance Program): Which term (Sensitivity or Criticality) normally places emphasis on availability and most often relates to the amount of time an organization can tolerate the non-availability of t...
  Tags: Criticality; Availability; Risk Management; Business Continuity
- Question #550 (Assessment/Audit of Security and Privacy Controls): What does the finding "other than satisfied" reflect in an assessment report?
  Tags: Assessment findings; Control effectiveness; Security control deficiencies; Assessment reporting
- Question #551 (Selection and Approval of Framework, Security, and Privacy Controls): The RMF step and task where the security controls are selected and documented in the Security Plan.
  Tags: RMF Steps; Security Control Selection; Security Plan; NIST SP 800-37