NIST SP 800-53 questions and
answers
security controls - correct answer ✔✔ important tasks that can have major implications on the
operations and assets of organizations as well as the welfare of individuals and the Nation
security controls - correct answer ✔✔ safeguards/countermeasures prescribed for information
systems or organizations that are designed to: (i) protect the confidentiality, integrity, and
availability of information that is processed, stored, and transmitted by those
systems/organizations; and (ii) satisfy a set of defined security requirements.
NIST Special Publication 800-39 - correct answer ✔✔ provides guidance on managing
information security risk at three distinct tiers—the organization level, mission/business process
level, and information system level.
OMB Circular A-130 - correct answer ✔✔ defines as adequate security, or security
commensurate with risk resulting from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information.
three-tiered approach to risk managment - correct answer ✔✔ addresses risk at the: (i)
organization level; (ii) mission/business process level; and (iii) information system level.
Tier 1 Organization Level - correct answer ✔✔ provides a prioritization of organizational
missions/business functions which in turn drives investment strategies and funding decisions—
promoting cost-effective, efficient information technology solutions consistent with the strategic
goals and objectives of the organization and measures of performance.
Tier 2, Mission /Business Process - correct answer ✔✔ (i) defining the mission/business
processes needed to support the organizational missions/business functions; (ii) determining
, the security categories of the information systems needed to execute the mission/business
processes; (iii) incorporating information security requirements into the mission/business
processes; and (iv) establishing an enterprise architecture (including an embedded information
security architecture) to facilitate the allocation of security controls to organizational
information systems and the environments in which those systems operate.
Tier 3, Information Systems - correct answer ✔✔ This publication focuses on Step 2 of the RMF,
the security control selection process, in the context of the three tiers in the organizational risk
management hierarchy.
Three-Tiered Risk Management Approach - correct answer ✔✔
Risk Management Framework - correct answer ✔✔
RMF Step 1: Categorize - correct answer ✔✔ RMF step in which information systems are
classified based on a FIPS Publication 199 impact assessment
RMF Step 2: Select - correct answer ✔✔ RMF step in which security control baselines are based
on the results of the security categorization and apply tailoring guidance (including the potential
use of overlays)
RMF Step 3: Implement - correct answer ✔✔ RMF step that directs the documentation the
design, development, and implementation details for the controls.
RMF Step 4: Assess - correct answer ✔✔ RMF step that is used to determine the extent to
which the controls are implemented correctly, operating as intended, and producing the desired
outcome with respect to meeting the security requirements for the system
RMF Step 5: Authorize - correct answer ✔✔ RMF step in which system operation is based on a
determination of risk to organizational operations and assets, individuals, other organizations,
answers
security controls - correct answer ✔✔ important tasks that can have major implications on the
operations and assets of organizations as well as the welfare of individuals and the Nation
security controls - correct answer ✔✔ safeguards/countermeasures prescribed for information
systems or organizations that are designed to: (i) protect the confidentiality, integrity, and
availability of information that is processed, stored, and transmitted by those
systems/organizations; and (ii) satisfy a set of defined security requirements.
NIST Special Publication 800-39 - correct answer ✔✔ provides guidance on managing
information security risk at three distinct tiers—the organization level, mission/business process
level, and information system level.
OMB Circular A-130 - correct answer ✔✔ defines as adequate security, or security
commensurate with risk resulting from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information.
three-tiered approach to risk managment - correct answer ✔✔ addresses risk at the: (i)
organization level; (ii) mission/business process level; and (iii) information system level.
Tier 1 Organization Level - correct answer ✔✔ provides a prioritization of organizational
missions/business functions which in turn drives investment strategies and funding decisions—
promoting cost-effective, efficient information technology solutions consistent with the strategic
goals and objectives of the organization and measures of performance.
Tier 2, Mission /Business Process - correct answer ✔✔ (i) defining the mission/business
processes needed to support the organizational missions/business functions; (ii) determining
, the security categories of the information systems needed to execute the mission/business
processes; (iii) incorporating information security requirements into the mission/business
processes; and (iv) establishing an enterprise architecture (including an embedded information
security architecture) to facilitate the allocation of security controls to organizational
information systems and the environments in which those systems operate.
Tier 3, Information Systems - correct answer ✔✔ This publication focuses on Step 2 of the RMF,
the security control selection process, in the context of the three tiers in the organizational risk
management hierarchy.
Three-Tiered Risk Management Approach - correct answer ✔✔
Risk Management Framework - correct answer ✔✔
RMF Step 1: Categorize - correct answer ✔✔ RMF step in which information systems are
classified based on a FIPS Publication 199 impact assessment
RMF Step 2: Select - correct answer ✔✔ RMF step in which security control baselines are based
on the results of the security categorization and apply tailoring guidance (including the potential
use of overlays)
RMF Step 3: Implement - correct answer ✔✔ RMF step that directs the documentation the
design, development, and implementation details for the controls.
RMF Step 4: Assess - correct answer ✔✔ RMF step that is used to determine the extent to
which the controls are implemented correctly, operating as intended, and producing the desired
outcome with respect to meeting the security requirements for the system
RMF Step 5: Authorize - correct answer ✔✔ RMF step in which system operation is based on a
determination of risk to organizational operations and assets, individuals, other organizations,
