This document lists the security controls in place or planned for a system to meet its security requirements. It serves as a comprehensive guide for managing system security throughout its lifecycle, ensuring compliance with applicable standards and regulations, and providing a clear understanding of the system's security posture.
What is the System Security Plan?
This is the purpose of a Business Impact Analysis (BIA).
What is: To correlate the system with critical mission/business processes and characterize consequences of disruption or identify and evaluate the potential effects of disruptions to critical business operations due to emergencies, disasters, or other unexpected events?
_____ is the primary purpose of a Contingency Plan.
What is To establish procedures to recover the system following a disruption?
____ is the purpose of a Configuration Management Plan (CMP)
What is:
To provide guidelines and establish processes for controlling changes to a system without impacting security?
_____ is the first phase in the SCA Process
What is Phase I: Preparation?
This is what CCI stands for ________.
What is Continuous Compliance Insight?
This is what FedRAMP stands for______.
What is the Federal Risk and Authorization Management Program?
______ is the purpose of the USCIS FISMA Disposition Process training session.
What is
To provide ISSOs with a high-level overview of the USCIS FISMA Inventory Disposition process?
This is the default timeframe for remediating System-Level POA&Ms.
What is: To remediate within 12-months?
______ is a process within the Risk Management Framework (RMF) used to ensure that information systems maintain an acceptable security posture throughout their lifecycle
What is Ongoing Authorization?
Which tool is primarily used for vulnerability identification and prioritization?
What is Tenable.io?
This is the primary purpose of the Splunk dashboards walkthrough.
What is to:
assist ISSOs in leveraging dashboards for continuous monitoring and providing actionable insights?
These items are included in Section 1 of the SP. (Name at least 4 items.)
What are the: Boundary/Purpose, Authorization Boundary Diagrams, Inventory, Interconnections, Points of Contact/System Stakeholders?
These are the three categories used to assess impacts in a BIA.
What are Confidentiality, Integrity, and Availability?
A _____ is a structured communication tool used to quickly disseminate information and to verify the effectiveness and reliability of an organization's emergency communication plan.
What is a Call Tree Exercise?
This system is used for enterprise change management at USCIS.
What is ServiceNow?
This element was added to the SCA implementation to elevate the depth of assessments
What is Penetration Testing?
These are the layers CCI analyzes.
What are the OS, DB, INF, and potentially APP layers?
This is the year FedRAMP was established.
When is 2011?
These are the final steps of the SDLC process.
What are Decommission and Disposal?
These are the two main types of POA&Ms
What are: Program-Level POA&Ms and System-Level POA&Ms?
These are the two types of assessments used in Ongoing Authorization.
What are:
Time-driven assessments and Event-driven assessments?
This is the remediation timeline for critical vulnerabilities on internet-facing systems
What is 15 days?
______ tracks, monitors, scans, and adjusts assets assigned to all FISMA boundaries in USCIS
What is Asset Manager?
This individual is responsible for authoring changes in the SP Document Change History Table.
Who is the ISSO/AISSO?
"The loss of confidentiality, integrity, or availability could have a limited adverse effect on operations, assets, or individuals" is the definition of which impact level?
What is Low Impact?
This federal guidance document requires every information system to include a Contingency Plan and Contingency Plan Test in its security package
What is the Contingency Planning Guide for Federal Information Systems NIST SP 800-34?
Name 2 of 4 tools mentioned in the CMP template that support configuration management functions.
What are:
Jira, Confluence, Git, or Chef?
_____ is the primary purpose of Security Control Assessments (SCA). (Name at least 2 of 4)
What is to:
CCI has integrations with the _________ system to sync controls, POA&Ms, and other security information.
What is the DHS IACS or CSAM?
______ is the FedRAMP's philosophy.
What is 'Do once, use many'?
This must be done with active Minor Applications or Subsystems during Major/GSS System Dispositions.
What is:
They must either be disposed with the parent system or transitioned to another parent system?
______ of a POA&M is required for the POA&M to be closed, with respect to remediation.
What is:
All weaknesses described in the POA&M must be 100% remediated?
_______ is the minimum percentage required for Vulnerability Management metrics for OA entry
What is 85%?
This ISVM category requires immediate action due to critical vulnerabilities.
What is an ISVM-A and KEV?
_______ is a SaaS that provides actionable and accurate data to identify, investigate, and prioritize vulnerabilities and misconfigurations in USCIS systems
What is Tenable.io?
________ is a declaration that describes the who, what, when, where, and how of a requirement being 'carried out'.
What is an implementation statement?
_______ is the largest amount of time that a system, process, or business function can be unavailable or disrupted without causing significant harm to the organization.
What is Maximum Tolerable Downtime?
To simulate a real-world disruption and assess the CP's effectiveness comprehensively is better known as _________.
What is a Full-Scale Simulation?
_____ is the minimum frequency for reviewing or updating the CMP at USCIS
What is:
Every three years or with any significant change?
During Phase II of the SCA process, this meeting is conducted to initiate the assessment
What is the SCA Kick-Off Meeting?
This is the purpose of the USCIS Continuous Compliance Insight (CCI)
What is:
To provide enhanced insight into system compliance posture and expedite security control assessments?
This entity serves as the primary decision-making body for FedRAMP and grants Provisional Authorizations to cloud service providers.
What is the Joint Authorization Board (JAB)?
This must be closed prior to submission to SNOW for Major/GSS System Dispositions
What is Close All POA&Ms?
These are the key items included in POA&M Quality Checks. (Name at least 5.)
What are:
Title, Weakness Description/Root Cause, Criticality Level, Cost, Responsible POC, Scheduled Completion Date, Planned Start and Finish Date, Actual Start Dates, Associated Security and Privacy Controls, Milestones?
These are the Key components of ongoing authorization. (Name at least 3 of 5.)
What are:
Continuous Monitoring: Regularly assessing the effectiveness of security controls, identifying vulnerabilities, and ensuring compliance with applicable policies and standards.
Risk Management: Continuously evaluating risks and making informed decisions about whether the system remains authorized to operate based on its current security posture.
Automation: Using tools and technologies to automate the collection, analysis, and reporting of security-related information to improve efficiency and accuracy.
Documentation Updates: Keeping security documentation, such as the System Security Plan (SSP), up to date to reflect changes in the system or its environment.
Stakeholder Involvement: Ensuring that system owners, security personnel, and authorizing officials are actively engaged in the process to make timely decisions about the system's authorization status.
This directive focuses on reducing the risk of Known Exploited Vulnerabilities (KEVs)
What is CISA Binding Operational Directive (BOD) 22-01?
A-123 assessments test for these 2 types of methods.
What are:
Test of Design and
Test of Effectiveness?
These are the steps to write an effective implementation statement. (Name at least 4 steps.)
What are: Understand the control requirement, use clear language, describe 4W1H, align with system context, include supporting details, ensure compliance, review and revise, and use a structured format?
_____ is the overall length of time an information system’s components can be in the restoration phase before negatively impacting the organization’s mission or mission/business processes.
What is Recovery Time Objective?
______ phase is the stage in continuity planning where an organization transitions back to normal operations after a disruption or emergency.
What is the Reconstitution Phase?
These are the four types of changes described in the CMP template.
What are Emergency, Major, Minor, and Optional?
This document is provided to stakeholders during Phase III of the SCA process
What is the Security Assessment Report (SAR) and security deliverables?
_____, _____, ______, ______, and ______ are what the CCI Dashboard provides for compliance analysis.
What are: Drill-down insight, multi-view, trends, scoring, and stack analysis?
These are the minimum set of artifacts to be reviewed annually for FedRAMP systems at USCIS. (Name 3 of 4)
What are the: Penetration Test Report, Vulnerability Scan Results, System Security Plan, Significant Change Requests?
These are the key aspects of the Decommission and Disposal process. (Name at least 3)
What are to:
Complete shutdown of environments, tracking keys/licenses, documenting hardware/media disposal, and data archival/removal/transfer?
A POA&M must be submitted ____ days prior to the scheduled completion date and include a timeline of events, remediation actions, and escalations.
What is 90 days?
Name the main reason a system may be placed into OA probation.
What are:
Repeated failure to meet ISPP goals for ISCM metrics or failure to address significant POA&Ms?
These are the three groups of enterprise-level exceptions.
What are:
Group A: Settings that cannot be implemented enterprise-wide,
Group B: Settings that can be implemented but require remediation,
Group C: Settings that cannot be implemented at the enterprise level but must be evaluated by system teams?
The _____ model is used to centrally manage permissions for users across 100+ AWS accounts.
What is the Role-Based Access Control (RBAC) model?