(RMF) STEP SIX - MONITOR SECURITY CONTROLS
Who ultimately determines whether the current risk to an information system is
acceptable? - ANSWER-Authorizing Official
In step 6 of the RMF, risk review by the Authorizing Official includes - ANSWER-
Using metrics and dashboards
Using automated support tools
Determining whether the current risk is acceptable
All of the above - correct
The DIACAP Knowledge Service is the? - ANSWER-None of the above
Who is primarily responsible for information system removal and disposal? - ANSWER-Information System Owner
In step 6 of the RMF, the following document is updated - ANSWER-
Security Assessment Report
Plan of Action and Milestones
Security Plan
All of the above - correct
Who has primary responsibility for assessing the security controls employed and
inherited by an information system? - ANSWER-Security Control Assessor
Who has a key role in reviewing security status reports on an ongoing basis in step 6 of
the RMF? - ANSWER-Authorizing Official
The report criteria and use in step 6 of the RMF include all but which one of the
following? - ANSWER-Used to help satisfy OMB Circular A-130 reporting requirements
The sixth step in the RMF process is to: - ANSWER-Continuously monitor the system
In step 6 of RMF, existing assessment results are reused when they are still valid -
ANSWER-True
Systems must be reassessed and reauthorized once every 3 years unless they operate
under a continuous reauthorization. - ANSWER-True