Applying Assessment & Authorization
(A&A) in the National Industrial Security
Program (NISP) UPDATED ACTUAL
Exam Questions and CORRECT Answers
Select all of the correct responses. Which of the following tasks should the Information System
Security Manager (ISSM) perform before beginning the A&A process?
Select one or more:
a. Review the DSS Risk Management Framework (RMF) website
b. Purchase Information System hardware
c. Possess and understand sponsorship and security documentation
d. Contact the Authorizing Official (AO) with questions
e. Register for an ODAA Business Management System (OBMS) account - CORRECT
ANSWER - a. Review the DSS Risk Management Framework (RMF) website
c. Possess and understand sponsorship and security documentation
Select all of the correct responses. Which of the following must the Information System Security
Manager (ISSM) describe at the end of Step 2, Select Security Controls?
Select one or more:
a. Baseline security controls
b. Security control tailoring
c. Selection of overlays
d. Continuous monitoring strategy - CORRECT ANSWER - a. Baseline security controls
b. Security control tailoring
c. Selection of overlays
d. Continuous monitoring strategy
True or false? When security control implementation is documented, it must describe how the
security controls achieve the required security capability.
, Select one:
True
False - CORRECT ANSWER - True
When does continuous monitoring begin?
Select one:
a. After the Information System has been operational for 30 days
b. Once the security authorization package is submitted
c. As soon as Authorization to Operate (ATO) or ATO with conditions is issued
d. After the Information System has been operational for 1 year - CORRECT ANSWER - c.
As soon as Authorization to Operate (ATO) or ATO with conditions is issued
When does DSS schedule an on-site assessment of the security controls?
Select one:
a. 30 days after initiation of the A&A process
b. When the System Security Plan (SSP) and supporting artifacts are complete
c. When required by the Authorizing Official (AO)
d. As soon as the security controls are implemented - CORRECT ANSWER - Not c
How does an Information System Security Manager (ISSM) submit the System Security Plan
(SSP) to DSS?
Select one:
a. Email it to the Authorizing Official (AO)
b. Upload it to the ODAA Business Management System (OBMS)
c. Upload it via the submission interface on the DSS Risk Management Framework (RMF)
website
d. Email it to the Security Controls Assessor (SCA) - CORRECT ANSWER - Not C
Which of the following is an input to Step 5, Authorize System?
(A&A) in the National Industrial Security
Program (NISP) UPDATED ACTUAL
Exam Questions and CORRECT Answers
Select all of the correct responses. Which of the following tasks should the Information System
Security Manager (ISSM) perform before beginning the A&A process?
Select one or more:
a. Review the DSS Risk Management Framework (RMF) website
b. Purchase Information System hardware
c. Possess and understand sponsorship and security documentation
d. Contact the Authorizing Official (AO) with questions
e. Register for an ODAA Business Management System (OBMS) account - CORRECT
ANSWER - a. Review the DSS Risk Management Framework (RMF) website
c. Possess and understand sponsorship and security documentation
Select all of the correct responses. Which of the following must the Information System Security
Manager (ISSM) describe at the end of Step 2, Select Security Controls?
Select one or more:
a. Baseline security controls
b. Security control tailoring
c. Selection of overlays
d. Continuous monitoring strategy - CORRECT ANSWER - a. Baseline security controls
b. Security control tailoring
c. Selection of overlays
d. Continuous monitoring strategy
True or false? When security control implementation is documented, it must describe how the
security controls achieve the required security capability.
, Select one:
True
False - CORRECT ANSWER - True
When does continuous monitoring begin?
Select one:
a. After the Information System has been operational for 30 days
b. Once the security authorization package is submitted
c. As soon as Authorization to Operate (ATO) or ATO with conditions is issued
d. After the Information System has been operational for 1 year - CORRECT ANSWER - c.
As soon as Authorization to Operate (ATO) or ATO with conditions is issued
When does DSS schedule an on-site assessment of the security controls?
Select one:
a. 30 days after initiation of the A&A process
b. When the System Security Plan (SSP) and supporting artifacts are complete
c. When required by the Authorizing Official (AO)
d. As soon as the security controls are implemented - CORRECT ANSWER - Not c
How does an Information System Security Manager (ISSM) submit the System Security Plan
(SSP) to DSS?
Select one:
a. Email it to the Authorizing Official (AO)
b. Upload it to the ODAA Business Management System (OBMS)
c. Upload it via the submission interface on the DSS Risk Management Framework (RMF)
website
d. Email it to the Security Controls Assessor (SCA) - CORRECT ANSWER - Not C
Which of the following is an input to Step 5, Authorize System?
