This is the collection of documents used by an Authorizing Official to decide if a system’s risk is acceptable.
What is an Authorization Package?
This risk level refers to minor impact and disruption.
What is low risk?
This RMF task focuses on deciding how to handle identified risks.
What is Risk Response (Task 3 / R-3)?
This role is responsible for cybersecurity and protecting systems from threats.
What is a CISO (Chief Information Security Officer)?
This is the process of reporting the final authorization decision for a system (Task R-5).
What is Authorization Reporting?
This role is responsible for assembling and submitting the completed authorization package to the Authorizing Official in Task R-1.
Who is the System Owner?
This is the senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk.
What is the authorizing official (AO)?
This is the main goal of Risk Response after risks have been identified.
What is taking action on risks?
This executive focuses on IT systems and ensures technology supports business goals.
What is a CIO (Chief Information Officer)?
This is the decision (Task R-4) that tells whether a system is approved to operate or not.
What is an authorization decision?
This document, found in the Authorization package, contains the results of security control testing performed during the assessment phase.
What is the Security Assessment Report (SAR)?
This concept refers to the level of risk an organization is willing to accept.
What is risk tolerance?
These are the four strategies used to handle risk.
What are accept, mitigate, transfer, and avoid?
This is the official decision that allows a system to operate after risk is accepted.
What is an Authorization to Operate (ATO)?
These are the three main outcomes of an authorization decision.
What is approved, denied, or conditionally approved?
This document, found in the Authorization package, tracks system weaknesses, assigns responsibility, and includes timelines for remediation.
What is the Plan of Action and Milestones (POA&M)?
This is the process in which the organization evaluates the likelihood and impact of threat events to determine the overall level of risk.
What is risk determination?
This strategy involves reducing risk by implementing controls or safeguards.
What is risk mitigation?
This type of authorization allows a system to operate for a limited time, while remaining weaknesses are remediated, before a full ATO is granted.
What is an Interim Authorization to Operate (IATO)?
This is the organizational record in which a system's authorization status is recorded for tracking.
What is the system registry?
This document, found in the Authorization package, describes the system’s purpose and how its security controls are implemented.
What is the System Security Plan (SSP)?
This concept refers to identifying, evaluating, and prioritizing potential threats to determine their likelihood and impact, enabling proactive risk mitigation.
What is risk analysis?
This strategy eliminates the activity that causes the risk.
What is risk avoidance?
This task in the RMF Authorize step involves deciding whether the remaining risk to operations, assets, or individuals is acceptable.
What is Accept Risk (Task R-4, the Authorization Decision)?
This is the type of control deficiency that must be reported during Task R-5.
What is a deficiency that represents a significant security or privacy risk?