SPeD SFPC EXAM: Risk Management Framework (RMF) Questions and Answers!

DoD systems are subject to what types of threats? - ANSWER-Confidentiality, integrity, or availability of information processed, stored, or transmitted by DoD systems. Define system categorization - ANSWER-System Categorization is the process by which the Information Owner identifies the potential impact (low, moderate, or high) that would result from the loss of confidentiality, integrity, and availability should a security breach occur. What is non-repudiation and the negative impacts of not having non--repudiation? - ANSWER-Definition: Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message. Negative impacts : 1.) Sender could deny message was sent. 2.) Recipient of email could change message and contest that altered message was sent by sender. What is confidentiality and the negative impacts of not having confidentiality? - ANSWER-Definition: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Negative impacts of no confidentiality: 1.) Persons could be granted access to information beyond their need-to-know. 2.) Sensitive or classified information could be disclosed to an unauthorized system What is CIA in relation to RMF? - ANSWER-Confidentiality: preserving authorized restrictions on information access and disclosure Integrity: guarding against unauthorized information modification or destruction Availability: timely and reliable access to and use of information What program does RMF replace? - ANSWER-DIACAP What DoD guidance provides direction for the implementation of RMF? - ANSWER-DoD 8510.01 What does the Risk Management Framework (RMF) provide? - ANSWER-A structured, yet flexible approach for managing risk resulting from incorporation of information systems into mission/business processes of organization What policy partnerships ensure DoD RMF guidance is aligned with pre-existing standards? - ANSWER-National Institute of Standards and Technology (NIST) and Committee on National Security Systems (CNSS) Security controls and safeguards selected by the organization must take what into account? - ANSWER-Potential mission or business impacts, risk to organizational operations and assets, individuals, other organizations, the nation. DoD RMF Guidance Tier 1 - ANSWER--Office of Secretary of Defense -Addresses risk management at DoD enterprise level -Key governance = DoD CIO, Sr IO or SISO DoD RMF Guidance Tier 2 - ANSWER--Mission and business processes -Addresses risk management at mission area and component levels -Key governance = Principal Authorizing Official (PAO) Who has authority and responsibility for security control assessment? - ANSWER-Component Senior Information Security Officers (SISOs) DoD