APPLYING ASSESSMENT AND AUTHORIZATION (A&A) IN
THE NATIONAL SECURITY PROGRAM NISP TEST
QUESTIONS AND ANSWERS
Select all the correct answers. Which of the following activities is the ISSM
responsible for before initiating the A&A process?
Choose one or more:
a. Check the DSS RMF website
b. Procure Information System hardware
c. Have and know the sponsorship and security documentation
d. Call the AO for clarification
e. Create an ODAA Business Management System (OBMS) account -
ANSWER a. Access the DSS Risk Management Framework RMF website
c. Have and understand sponsorship and security documentation
Choose all the correct answers. Which of the following does the Information
System Security Manager ISSM need to define by the conclusion of Step 2,
Select Security Controls?
Choose one or more:
a. Baseline security controls
b. Security control tailoring
c. Overlays selection
d. Continuous monitoring strategy - ANSWER a. Baseline security controls
b. Security control tailoring
c. Selection of overlays
, d. Continuous monitoring strategy
True or false? When security control implementation is documented, it must
describe how the security controls achieve the required security capability.
Select one:
True
False - ANSWER True
At what point does continuous monitoring begin?
Select one:
a. After the Information System has been operational for 30 days
b. Once the security authorization package is submitted
c. As soon as Authorization to Operate (ATO) or ATO with conditions is issued
d. After the Information System has been operational for 1 year - ANSWER c.
As soon as Authorization to Operate (ATO) or ATO with conditions is issued
What is the timeframe for DSS to schedule an on-site assessment of the security
controls?
Choose one:
a. 30 days after initiation of the A&A process
b. When the System Security Plan (SSP) and supporting artifacts are complete
c. When required by the Authorizing Official (AO)
d. As soon as the security controls are implemented - ANSWER Not c
How does an Information System Security Manager (ISSM) submit the System
Security Plan (SSP) to DSS?
THE NATIONAL SECURITY PROGRAM NISP TEST
QUESTIONS AND ANSWERS
Select all the correct answers. Which of the following activities is the ISSM
responsible for before initiating the A&A process?
Choose one or more:
a. Check the DSS RMF website
b. Procure Information System hardware
c. Have and know the sponsorship and security documentation
d. Call the AO for clarification
e. Create an ODAA Business Management System (OBMS) account -
ANSWER a. Access the DSS Risk Management Framework RMF website
c. Have and understand sponsorship and security documentation
Choose all the correct answers. Which of the following does the Information
System Security Manager ISSM need to define by the conclusion of Step 2,
Select Security Controls?
Choose one or more:
a. Baseline security controls
b. Security control tailoring
c. Overlays selection
d. Continuous monitoring strategy - ANSWER a. Baseline security controls
b. Security control tailoring
c. Selection of overlays
, d. Continuous monitoring strategy
True or false? When security control implementation is documented, it must
describe how the security controls achieve the required security capability.
Select one:
True
False - ANSWER True
At what point does continuous monitoring begin?
Select one:
a. After the Information System has been operational for 30 days
b. Once the security authorization package is submitted
c. As soon as Authorization to Operate (ATO) or ATO with conditions is issued
d. After the Information System has been operational for 1 year - ANSWER c.
As soon as Authorization to Operate (ATO) or ATO with conditions is issued
What is the timeframe for DSS to schedule an on-site assessment of the security
controls?
Choose one:
a. 30 days after initiation of the A&A process
b. When the System Security Plan (SSP) and supporting artifacts are complete
c. When required by the Authorizing Official (AO)
d. As soon as the security controls are implemented - ANSWER Not c
How does an Information System Security Manager (ISSM) submit the System
Security Plan (SSP) to DSS?
