RMF

Question 1

What is RMF?

Answer 1

RMF (Risk Management Framework) is a process used by the DoD to manage risk by applying security controls, assessing them, and continuously monitoring systems to maintain an ATO.

Question 2

What are the 6 RMF steps?

Answer 2

Categorize → Select → Implement → Assess → Authorize → Monitor

Question 3

What happens in the Categorize step?

Answer 3

The system is assigned an impact level (Low, Moderate, High) based on data sensitivity and mission importance.

Question 4

What happens in the Select step?

Answer 4

Security controls are chosen from NIST 800-53 based on system impact level.

Question 5

What happens in the Implement step?

Answer 5

Security controls are applied (STIGs, configurations, access controls, patching).

Question 6

What happens in the Assess step?

Answer 6

Controls are tested and validated using scans, audits, and reviews.

Question 7

What happens in the Authorize step?

Answer 7

Leadership grants an ATO (Authorization to Operate) after reviewing risk.

Question 8

What happens in the Monitor step?

Answer 8

Continuous monitoring through patching, scanning, logging, and remediation.

Question 9

What is an ATO?

Answer 9

Authorization to Operate—formal approval for a system to run after risk is accepted.

Question 10

What is a STIG?

Answer 10

Security Technical Implementation Guide—DoD baseline security configurations for systems.

Question 11

What is ACAS?

Answer 11

Assured Compliance Assessment Solution—DoD vulnerability scanning tool (uses Nessus).

Question 12

What is Nessus?

Answer 12

A vulnerability scanner used to identify security weaknesses in systems.

Question 13

What is a vulnerability?

Answer 13

A weakness in a system that could be exploited.

Question 14

What are CAT I Vulnerability

Answer 14

Critical

Question 15

What are CAT II Vulnerability

Answer 15

Medium

Question 16

What are CAT III Vulnerability

Answer 16

Low

Question 17

What is least privilege?

Answer 17

Users only get the minimum access needed to perform their job.

Question 18

What does an ISSO do daily?

Answer 18

Reviews scans, tracks vulnerabilities, ensures compliance, supports ATO, works with admins to fix issues.

Question 19

How does system hardening relate to RMF?

Answer 19

It is part of the Implement step.

Question 20

How do vulnerability scans relate to RMF?

Answer 20

They are part of Assess and Monitor steps.

Question 21

What role does patching play in the Risk Management Framework (RMF)?

Answer 21

It supports continuous monitoring and remediation of system vulnerabilities.

Question 22

How are access controls categorized within the RMF process?

Answer 22

They are part of the control implementation phase, specifically identified as AC controls.

Question 23

What is NIST?

Answer 23

The National Institute of Standards and Technology—an organization that creates cybersecurity standards used to secure federal systems.

Question 24

What does “SP” mean in NIST SP 800-53?

Answer 24

Special Publication

This designation indicates that it is a formal publication by NIST.

Question 25

What is **NIST SP 800-53**?

Answer 25

A catalog of security controls used to secure information systems. ## Footnote It provides guidelines for selecting and specifying security controls.

Question 26

What do **NIST 800-53 controls** define?

Answer 26

What needs to be secured in a system: * access * logging * configuration ## Footnote These controls help organizations manage risk effectively.

Question 27

What is **NIST SP 800-37**?

Answer 27

The RMF guide that defines the process for managing risk. ## Footnote RMF stands for Risk Management Framework.

Question 28

What is **NIST SP 800-30**?

Answer 28

A guide for conducting risk assessments. ## Footnote It outlines a systematic approach to identifying and evaluating risks.

Question 29

What is **NIST SP 800-53A**?

Answer 29

A guide for assessing/testing security controls. ## Footnote It provides methods for evaluating the effectiveness of security controls.

Question 30

What is **NIST SP 800-171**?

Answer 30

Guidelines for protecting Controlled Unclassified Information (CUI). ## Footnote It is aimed at federal contractors and other organizations handling CUI.

Question 31

What is a **security control**?

Answer 31

A safeguard or measure used to protect systems and reduce risk. ## Footnote Security controls can be technical, administrative, or physical.

Question 32

Do you need to memorize all **NIST controls**?

Answer 32

No—you need to understand categories and how they apply. ## Footnote Focus on the principles behind the controls rather than rote memorization.

Question 33

How do **STIGs** relate to NIST 800-53?

Answer 33

STIGs are technical implementations of NIST security controls. ## Footnote STIGs provide specific configuration settings for security compliance.

Question 34

How does your experience relate to **NIST controls**?

Answer 34

Through system hardening, patching, access control, and vulnerability remediation. ## Footnote Practical experience helps in understanding the application of controls.

Question 35

Which NIST publication defines **RMF**?

Answer 35

NIST SP 800-37 ## Footnote This publication outlines the Risk Management Framework process.

Question 36

Which NIST publication defines **security controls**?

Answer 36

NIST SP 800-53 ## Footnote It serves as a comprehensive catalog of security controls.

Question 37

Which NIST publication focuses on **risk assessment**?

Answer 37

NIST SP 800-30 ## Footnote This guide provides a structured approach to assessing risks.

Question 38

Difference between Vulnerability, Threat, and Risk. Individual

Answer 38

Vulnerability - A weakness (The door is unlocked) Threat - The attacker (Someone trying the door) Risk - The chance of occurrence and potential loss or danger (What happens if they get in?)

Question 39

Interview - Difference between Vulnerability, Threat, and Risk. Individual

Answer 39

A vulnerability is a weakness in a system, a threat is anything that can exploit that weakness, and risk is the likelihood and impact of that exploitation occurring.