Select all of the correct responses. Which of the following tasks should the Information System Security Manager (ISSM) perform before beginning the A&A process?
Select one or more:
a. Review the DSS Risk Management Framework (RMF) website
b. Purchase Information System hardware
c. Possess and understand sponsorship and security documentation
d. Contact the Authorizing Official (AO) with questions
e. Register for an ODAA Business Management System (OBMS) account CORRECT ANS a. Review the DSS Risk Management Framework (RMF) website
c. Possess and understand sponsorship and security documentation
Select all of the correct responses. Which of the following must the Information System Security Manager (ISSM) describe at the end of Step 2, Select Security Controls?
Select one or more:
a. Baseline security controls
b. Security control tailoring
c. Selection of overlays
d. Continuous monitoring strategy CORRECT ANS a. Baseline security controls
b. Security control tailoring
c. Selection of overlays
d. Continuous monitoring strategy
True or false? When security control implementation is documented, it must describe how the security controls achieve the required security capability.
Select one:
True
False CORRECT ANS True
When does continuous monitoring begin?
Select one:
a. After the Information System has been operational for 30 days
b. Once the security authorization package is submitted
c. As soon as Authorization to Operate (ATO) or ATO with conditions is issued
d. After the Information System has been operational for 1 year CORRECT ANS c. As soon as Authorization to Operate (ATO) or ATO with conditions is issued
When does DSS schedule an on-site assessment of the security controls?
Select one:
a. 30 days after initiation of the A&A process
b. When the System Security Plan (SSP) and supporting artifacts are complete
c. When required by the Authorizing Official (AO)
d. As soon as the security controls are implemented CORRECT ANS Not c
How does an Information System Security Manager (ISSM) submit the System Security Plan (SSP) to DSS?
Select one:
a. Email it to the Authorizing Official (AO)
b. Upload it to the ODAA Business Management System (OBMS)
c. Upload it via the submission interface on the DSS Risk Management Framework (RMF) website
d. Email it to the Security Controls Assessor (SCA) CORRECT ANS Not C
Which of the following is an input to Step 5, Authorize System?
Select one:
a. Security status report
b. Authorization recommendation from the Information Owner (IO)
c. Security authorization package
d. Information System acknowledgement letter CORRECT ANS c. Security authorization package
Where is the security control implementation documented?