RMF STEP 1
RMF STEP 2
RMF STEP 3
RMF STEP 4
RMF POLICY
100
At DCMA, who signs the System Categorization MFR?
Who is the Information System Owner and Authorizing Official.
100
What type of controls are inherited by one or more DCMA Information Systems?
What are Common Controls.
100
Name 2 roles that support the ISO in the RMF Step 3 (Implement Security Controls) phase.
Who is the Information Owner (IO), Information System Security Officer (ISSO), or Information System Security Engineer (ISSE).
100
What document provides the objectives for the security control assessment?
What is a Security Assessment Plan (SAP).
100
Per DoD Instruction 8510.01, who is responsible for ensuring all products, services, and PIT systems have completed the appropriate evaluation and configuration processes prior to incorporation into or connecting to an IS or PIT system?
Who is the Information System Security Manager (ISSM).
200
To assist the Information System Owner in the Systems Categorization, what publications should be referenced?
What are FIPS 199 and NIST SP 800-60 Volumes 1 and 2.
200
Within DCMA, who approves the Security Assessment Plan?
Who is the Security Control Assessor.
200
During the development life cycle phase, issues found with security controls should be referred to whom for early resolution, as appropriate?
Who is the Authorizing Official.
200
Per NIST 800-37, who prepares the Security Assessment Report documenting the issues, findings, and recommendations from the security control assessment?
Who is the Security Control Assessor (SCA).
200
Per DoD Instruction 8510.01, the DoD RMF governance structure implements a 3-tiered approach to cybersecurity risk management described in NIST SP 800-39, synchronizes and integrates RMF activities across all phases of the IT life cycle, and spans logical and organizational entities. What are the 3 tiers of this approach?
What are Tier 1 (Organization), Tier 2 (Mission/Business Processes), and Tier 3 (IS/PIT Systems).
300
What 3 security objectives does FISMA define for information and information systems?
What are Confidentiality, Integrity, and Availability.
300
After selecting the applicable security control baseline, what must be completed to align the controls more closely to the organization's mission/business functions?
What is Tailoring.
300
According to the Knowledge Service, this is defined as the mutual agreement among participating enterprises to accept each other's security assessments in order to reuse IS resources and/or to accept each other's assessed security posture in order to share information.
What is Cybersecurity Reciprocity.
300
Per NIST SP 800-37, in which Task are the security controls assessed in accordance with the assessment procedures defined in the SAP?
What is Task 4-2.
300

!!!!!!!!!!!!!!!!!! DAILY DOUBLE !!!!!!!!!!!!!!!!!!

What different types of overlays can be selected from the RMF Knowledge Service site?

Which overlay does DCMA use?

What are Classified Systems, Protected Health Information, PII Low Confidentiality, PII Mod Confidentiality, and PII High Confidentiality.

What is PII Low Confidentiality.

400
These are the potential impact types from CNSSI 1253, Section 3.1.
What is low, moderate, and high.
400

!!!!!!!!!!!!!!!!!! DAILY DOUBLE !!!!!!!!!!!!!!!!!!

Per NIST 800-37, who approves the frequency with which security controls are assessed post-deployment?

Who is the Authorizing Official or Designated Representative.
400
What NIST Publication and Instruction assist in security control implementation within DCMA and other DoD components?
What are NIST SP 800-53 and Committee on National Security Systems Instruction (CNSSI) 1253.
400
This document states that, during Step 4 of the RMF process, the Knowledge Service is the authoritative source for security control assessment procedures.
What is DODI 8510.01.
400
What type of authorization package is used to deploy identical copies of an IS or PIT system into specified environments (such as in the Navy, when installing identical systems on certain classes of ships)?
What is a Type Authorization.
500
As outlined in NIST SP 800-37, RMF Step 1, in which Task is the ISO required to register the IS with the appropriate organizational program/management offices?
What is Task 1-3.
500
What are the outputs of Step 2?
What is an updated Security Plan, Information System Continuous Monitoring Strategy, and Security Assessment Plan.
500
According to the Knowledge Service, these are used to map control statements to Security Technical Implementation Guides (STIGs). This mapping provides the ability to identify precisely the part of a control that is satisfied by implementing the configuration required by the STIG.
What is a Control Correlation Identifier (CCI).
500
Per DODI 8510.01, vulnerability severity values are assigned to what, as part of the security control analysis, to indicate the severity associated with the identified vulnerability?
What are Non-Compliant Controls.
500
As outlined in NIST SP 800-37, what are the three types of security controls for information systems that can be employed by an organization?
What are system-specific (specific to a system), common (used across multiple systems), and hybrid (has both specific and common characteristics).