Security - RMF Flashcards

Risk Management Framework (37 cards)

1
Q

What publication defines the impact levels used by the US DoD RMF?

A

Federal Information Processing Standards (FIPS) Publication 199

This publication outlines the impact levels for security categorization.

2
Q

List the three impact levels defined by FIPS Publication 199.

A
  • Low
  • Moderate
  • High

These levels describe potential adverse effects on operations, assets, or individuals.

3
Q

What does the Low impact level indicate?

A

A limited adverse effect: the organization can still perform its primary functions, but their effectiveness is noticeably reduced

May involve minor financial loss or harm to individuals.

4
Q

What does the Moderate impact level indicate?

A

A serious adverse effect: the organization can still perform its primary functions, but their effectiveness is significantly reduced

This may include significant damage to assets, significant financial loss, or significant harm to individuals that does not involve loss of life or serious life-threatening injury.

5
Q

What does the High impact level indicate?

A

A severe or catastrophic adverse effect: the organization is unable to perform one or more of its primary functions

This can involve major damage to assets, major financial loss, severe harm to the mission or (in the DoD context) to national security, or loss of life or serious life-threatening injuries.

6
Q

How is the overall system impact level determined?

A

Assessed separately for each security objective (Confidentiality, Integrity, Availability); the overall level is the highest of the three

This is known as the high-water mark (FIPS 200). Note that DoD and other national security systems categorized under CNSSI 1253 keep the three objective levels separately (for example M-M-L) when selecting controls and do not collapse them with the high-water mark.

7
Q

Fill in the blank: A system with low confidentiality, moderate integrity, and low availability would be categorized as a _______ impact system.

A

Moderate

This categorization dictates the baseline security controls required for the system.
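Added example, not part of the deck and not NIST or DoD material: the FIPS 199 categorization carried through in Python, going one step beyond the card by starting from the information types a system handles rather than from three given levels. Each objective takes the highest level of any information type on the system; a confidentiality value of N/A is allowed for an information type (public information) but never for a system, which is floored at LOW; the overall level is the high-water mark across the three objectives. The function also returns the per-objective levels, which is what a CNSSI 1253 categorization would carry forward instead of the single overall level. The information types and their levels are constructed placeholders, not SP 800-60 entries.

```python
"""FIPS 199 security categorization with the high-water mark.

Added example for this deck, not NIST or DoD material. SAMPLE_INFO_TYPES is a
constructed placeholder, not taken from NIST SP 800-60.
"""
OBJECTIVES = ("confidentiality", "integrity", "availability")
# "N/A" is permitted by FIPS 199 only for the confidentiality of an
# information type (e.g. public information); a system is never below LOW.
TYPE_LEVELS = ("N/A", "LOW", "MODERATE", "HIGH")

SAMPLE_INFO_TYPES = {
    "public web content": {"confidentiality": "N/A", "integrity": "MODERATE", "availability": "LOW"},
    "personnel records":  {"confidentiality": "LOW", "integrity": "MODERATE", "availability": "LOW"},
}


def highest(levels):
    """High-water mark: the highest impact level among those given."""
    levels = list(levels)
    if not levels:
        raise ValueError("no impact levels to compare")
    for lvl in levels:
        if lvl not in TYPE_LEVELS:
            raise ValueError(f"unknown impact level {lvl!r}")
    return max(levels, key=TYPE_LEVELS.index)


def categorize_system(info_types):
    """Aggregate per-information-type levels into the system's category.

    Returns (per_objective, overall). Each objective takes the highest level
    of any information type on the system; the overall level is the highest
    objective, which is what drives baseline selection under FIPS 200.
    """
    per_objective = {}
    for obj in OBJECTIVES:
        levels = []
        for name, category in info_types.items():
            lvl = category[obj]
            if lvl == "N/A" and obj != "confidentiality":
                raise ValueError(f"{name}: N/A is only allowed for confidentiality")
            levels.append(lvl)
        hw = highest(levels)
        per_objective[obj] = "LOW" if hw == "N/A" else hw   # system floor is LOW
    overall = highest(per_objective.values())
    return per_objective, overall


def sc_expression(per_objective):
    """FIPS 199 notation, e.g. SC = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}."""
    return "SC = {" + ", ".join(f"({obj}, {per_objective[obj]})" for obj in OBJECTIVES) + "}"


if __name__ == "__main__":
    per_objective, overall = categorize_system(SAMPLE_INFO_TYPES)
    print(sc_expression(per_objective), "->", overall, "impact system")
```

With the sample input the system comes out as SC = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}, a Moderate impact system, which is the case in the card above.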

8
Q

What is the US DoD Risk Management Framework (RMF)?

A

A structured, seven-step process for managing cybersecurity risks to information systems and assets

It culminates in an Authority to Operate (ATO) decision and is guided by NIST SP 800-37.

9
Q

What is the first step in the RMF Seven-Step Process?

A

Prepare

This step involves identifying roles, responsibilities, system boundaries, and an inventory of assets.

10
Q

What does the Categorize step involve in the RMF?

A

Categorizing the system and information based on potential impact (Low, Moderate, High)

This step uses FIPS 199 standards.

11
Q

What is the purpose of the Select step in the RMF?

A

Selecting an initial set of security controls from NIST SP 800-53

Tailored using DoD-specific guidance based on the system’s categorization.

12
Q

What is documented during the Implement step of the RMF?

A

How the selected security controls are deployed within the system’s environment of operation

This includes the implementation details of the controls.

13
Q

What does the Assess step evaluate?

A

Determines if controls are implemented correctly, operating as intended, and achieving desired security outcomes

Typically performed by an independent assessment team or validator.

14
Q

Who makes the risk-based decision to authorize the system to operate in the Authorize step?

A

The Authorizing Official (AO)

They review the authorization package to decide on ATO or denial.

15
Q

What is continuously monitored in the Monitor step?

A

The system’s security posture and the effectiveness of its controls

This includes documenting changes and conducting ongoing assessments.

16
Q

What is the System Security Plan (SSP)?

A

The core document providing a comprehensive overview of the system and its security controls

It describes the system’s boundaries and operational context.

17
Q

What does the Security Assessment Plan (SAP) outline?

A

How the security controls will be assessed

It includes procedures, methods, and responsibilities for conducting the assessment.

18
Q

What is documented in the Security Assessment Report (SAR)?

A

Results of the control assessments, including findings and vulnerabilities

It details the residual risk posture of the system.

19
Q

What is the purpose of the Plan of Action and Milestones (POA&M)?

A

Tracks the status of vulnerabilities and deficiencies identified during assessment

It outlines a plan for mitigating or accepting these risks.

20
Q

What does the Authority to Operate (ATO) Letter/Decision Briefing signify?

A

The AO accepts the residual risk of the system’s operation and grants an ATO

The decision is based on the entire authorization package.

21
Q

What is included in the System Inventory / Configuration Management Plan?

A

A detailed, up-to-date inventory of all hardware and software components

Often includes STIG results and automated scan results to demonstrate compliance.

22
Q

What is the Information System Continuous Monitoring (ISCM) Plan?

A

Details the strategy and procedures for ongoing monitoring of security controls

Established in the Monitor step after authorization.

23
Q

Mnemonic for the seven RMF steps, in order: People Cut Slices into Apples, Almonds and Mushrooms

A

Prepare
Categorize
Select
Implement
Assess
Authorize
Monitor

Assess comes before Authorize: the AO's decision is based on the Security Assessment Report.

24
Q

What are SCAP scans?

A

SCAP scans are automated checks that use the Security Content Automation Protocol (SCAP), a suite of open standards maintained by the U.S. National Institute of Standards and Technology (NIST), to measure system security, identify vulnerabilities, and verify compliance with security policies.

Purpose and function

The primary goal of SCAP is to standardize and automate how organizations monitor the security posture of their systems. SCAP scans achieve this by:
  • Comparing systems to baselines: a scan compares the configuration of a target system to an established security baseline or benchmark, most notably the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) in the DoD context.
  • Automating compliance checks: they replace the labor-intensive manual checking of system settings against specific security requirements, which is a crucial part of the RMF's Assess and Monitor steps.
  • Vulnerability management: SCAP uses standardized identifiers such as Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS) to identify and score known software flaws on a system.
  • Standardized reporting: results are produced in standardized, machine-readable formats (XCCDF results or an Asset Reporting Format (ARF) file, both XML), so different tools can interoperate and reporting is consistent across systems and organizations.

Note: where one is available, build from a hardened baseline such as a DoD Gold Master image or an Iron Bank hardened container image rather than a vendor default, so the scan starts from a STIG-aligned configuration.
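Added example, not part of the deck and not DISA or NIST tooling: a small Python parser that reads an XCCDF 1.2 TestResult of the kind SCAP scanners write, tallies pass/fail results, and turns the failed rules into POA&M rows ordered by STIG category (high severity = CAT I, medium = CAT II, low = CAT III). Checks that errored are counted separately so a broken check is never mistaken for a pass. The embedded document, rule IDs, titles, severities and hostname are constructed placeholders, not real STIG content; a real result file would be read from disk instead of the string.

```python
"""Summarise an XCCDF TestResult, the format SCAP scanners write, into
pass/fail counts and POA&M-style findings.

Added example for this deck; not DISA or NIST tooling. SAMPLE_RESULT is a
hand-built document: its rule ids, titles, severities and hostname are
placeholders, not real STIG rules.
"""
import xml.etree.ElementTree as ET

XCCDF_URI = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2, used by current STIG benchmarks
NS = {"xccdf": XCCDF_URI}

SAMPLE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <Group id="xccdf_example_group_sample">
    <Rule id="xccdf_example_rule_SV-000001r1_rule" severity="high">
      <title>SSH daemon must not permit root login</title>
    </Rule>
    <Rule id="xccdf_example_rule_SV-000002r1_rule" severity="medium">
      <title>Audit daemon must be enabled</title>
    </Rule>
    <Rule id="xccdf_example_rule_SV-000003r1_rule" severity="low">
      <title>Login banner must be configured</title>
    </Rule>
  </Group>
  <TestResult id="xccdf_example_testresult_sample">
    <target>host01.example.test</target>
    <rule-result idref="xccdf_example_rule_SV-000001r1_rule"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_SV-000002r1_rule"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_SV-000003r1_rule"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_missing"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Result values defined by XCCDF. Only "fail" is a finding; "error" and
# "unknown" mean the check itself did not run, and are reported separately so
# a broken check is never mistaken for a pass.
NON_FINDING = {"pass", "notapplicable", "notselected", "informational", "fixed", "notchecked"}
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}


def parse_test_result(xml_text):
    """Return (target, summary, findings) for the first TestResult in the document."""
    root = ET.fromstring(xml_text)
    # Index rule metadata so a failed rule-result can be reported with its title and severity.
    rules = {}
    for rule in root.iter(f"{{{XCCDF_URI}}}Rule"):
        rules[rule.get("id")] = {
            "title": rule.findtext("xccdf:title", default="", namespaces=NS),
            "severity": rule.get("severity", "unknown"),
        }
    tr = root.find("xccdf:TestResult", NS)
    if tr is None:
        raise ValueError("document contains no TestResult")
    target = tr.findtext("xccdf:target", default="", namespaces=NS)
    summary = {"pass": 0, "fail": 0, "other": 0, "error": 0}
    findings = []
    for rr in tr.findall("xccdf:rule-result", NS):
        idref = rr.get("idref")
        result = rr.findtext("xccdf:result", default="unknown", namespaces=NS)
        if result == "fail":
            summary["fail"] += 1
            meta = rules.get(idref, {"title": "(rule not in benchmark)", "severity": "unknown"})
            findings.append({"rule": idref, "target": target, **meta})
        elif result == "pass":
            summary["pass"] += 1
        elif result in NON_FINDING:
            summary["other"] += 1
        else:
            summary["error"] += 1
    return target, summary, findings


def poam_rows(findings):
    """Order findings for a POA&M, CAT I first; milestones and dates are left to the system owner."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return [
        {
            "weakness": f"{f['rule']}: {f['title']}",
            "category": SEVERITY_TO_CAT.get(f["severity"], "unknown"),
            "asset": f["target"],
            "status": "open",
        }
        for f in sorted(findings, key=lambda f: rank.get(f["severity"], 3))
    ]


if __name__ == "__main__":
    target, summary, findings = parse_test_result(SAMPLE_RESULT)
    print(target, summary)
    for row in poam_rows(findings):
        print(row)
```

On the sample the summary is one pass, one fail, one not-applicable and one errored check, and the single finding becomes a CAT I POA&M row. The "error" count is the one to watch in a real run: a scanner that could not evaluate a rule has not proven it compliant.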

25
Q

Who is the Authorizing Official (AO) in the U.S. DoD RMF?

A

A senior federal official or executive responsible for assuming the risk associated with operating an information system

The AO is typically a General Officer, Flag Officer, or a civilian Senior Executive Service (SES) member.

26
Q

What is the primary responsibility of the Authorizing Official (AO)?

A

To formally assume the risk associated with operating an information system

This role is pivotal in the Risk Management Framework (RMF) process.

27
Q

What is the central decision in the RMF process made by the AO?

A

Risk acceptance

The AO is the only official who can explicitly accept security and privacy risk on behalf of the organization.

28
Q

What are the three possible authorization decisions the AO can make?

A
  • Grant an Authority to Operate (ATO)
  • Grant an Interim ATO (IATO)
  • Deny Authorization to Operate (DATO)

Each decision has implications for the system's operation and risk management. Under DoDI 8510.01 the IATO has been replaced by the ATO with conditions, and an Interim Authorization to Test (IATT) is available for testing in an operational environment.

29
Q

What does granting an Authority to Operate (ATO) allow?

A

Allows the system to operate, potentially with conditions for mitigating certain risks

This is a formal decision made by the AO.

30
Q

What is the purpose of the Interim ATO (IATO)?

A

Allows operation for a limited time under specific conditions

IATO is a legacy DIACAP term; the RMF equivalent under DoDI 8510.01 is the ATO with conditions, which is time-limited and tied to specified conditions such as POA&M milestones.

31
Q

What does Deny Authorization to Operate (DATO) signify?

A

Prohibits the system from operating due to unacceptable risk

This decision is made by the AO after reviewing the authorization package.

32
Q

What is included in the authorization package that the AO reviews?

A
  • System Security Plan (SSP)
  • Security Assessment Report (SAR)
  • Plan of Action and Milestones (POA&M)
  • Risk Assessment Report (RAR)

This review helps the AO understand the system's security posture and residual risk.

33
Q

What does the AO establish regarding acceptable risk levels?

A

The level of risk the organization is willing to tolerate (risk tolerance)

This involves balancing the system's risk against its mission requirements.

34
Q

What is the role of the AO in continuous monitoring?

A

Reviews monitoring data and reports to make ongoing authorization decisions

Ensures the system maintains an acceptable risk level throughout its lifecycle.

35
Q

What is the function of an Authorizing Official Designated Representative (AODR)?

A

Helps manage day-to-day RMF activities and coordinates with system owners on the AO's behalf

The authority to sign the final authorization decision letter rests solely with the AO.

36
Q

What does the AO ensure regarding compliance?

A

That the system's operation complies with relevant federal laws, DoD policies, and regulations

For example, compliance with DoDI 8510.01.

37
Q

The AO provides a crucial link between technical security assessments and what?

A

The overall mission and business needs of the organization

This role is essential for making the final, accountable decision on whether the system is safe to operate.