SECURITY CONTROLS WITH
COMPLETE SOLUTIONS
Agencies are required to use FIPS _____/NIST SP 800-__ for the specification of
security controls and NIST SP 800-___ for the assessment of security control
effectiveness. - ANSWER-200/53/53A
___________________ the security controls is using the appropriate assessment
procedures to determine the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with respect to meeting the
security requirements for the system. - ANSWER-Assessing
*An assessment can be Satisfactory (met control) or __________ (did not meet control);
nothing else. DoD calls these Compliant or Non-compliant. - ANSWER-*Other
Security weaknesses and deficiencies identified in the system development lifecycle can
be resolved more quickly and in a much more cost-effective manner before proceeding
to subsequent phases in the lifecycle. (True or False) - ANSWER-True
*#When iterative development processes such as ________ development are
employed, this typically results in an iterative assessment as each cycle is conducted.
(Agile = sprint/short bursts - test every cycle, iterative - agile development). - ANSWER-*#agile
*Security Assessment Results -
Security Control Assessment Objectives:
- Implemented correctly
- Operating as intended
- Producing desired result with reference to security objectives (C, I, A). (True or False) - ANSWER-*True
_________________ - Sprint/short burst of ..... Test every cycle - ANSWER-Agile
#Security control assessments in support of initial and subsequent security
authorization are conducted by independent assessors. Assessor independence during
continuous monitoring, although not mandated, facilitates reuse of assessment results
when ______________________ is required. - ANSWER-#reauthorization
Original Assessment Methods
*Assessment procedure steps will include the appropriate evaluation method(s) from the
following list:
- Test (T)
- Observation (O)
- Document Review (D) = TODI
- ____________________ - ANSWER-Interview (I)
Scope, method, depth, and breadth are all critical factors in _________________. - ANSWER-assessments
6 Key Areas for _____________________
- Prepare for security control assessment
- Establish security control assessment plan
- Determine security control effectiveness
- Develop initial security assessment report
- Perform initial remediation actions
- Develop final security assessment report and addendum. - ANSWER-Assessment
Why Assess? - ANSWER-Gap Analysis (pg 345)
Security Assessment Plan -
Developing a security assessment policy
Organizations should develop an information security assessment policy to provide
direction and guidance for their security ______________________. - ANSWER-assessments
The Assessment Plan -
The policy should be reviewed at least _________________ and whenever there are
new assessment-related requirements. - ANSWER-annually
SP 800-53A
Information is more:
- Complete
- Reliable
- Trustworthy
(True or False) - ANSWER-True
The guidance in SP 800-___ has been developed to help achieve more secure
information systems within the federal government by doing the following:
- Enabling more consistent, comparable, and repeatable assessments of security
controls with reproducible results
- Facilitating more cost-effective assessment of security controls contributing to the
determination of overall control effectiveness.
- Promoting a better understanding of the risks to organizational operations,
organizational assets, individuals, other organizations, and the Nation resulting from the
operation and use of federal ISs.