ISC2 Governance, Risk and Compliance (CGRC) Practice Question
A cloud service provider has completed its initial security authorization package for a new federal offering and must now transmit the materials to an accredited third-party assessment organization (3PAO) for its FedRAMP readiness assessment. Which preparatory action best ensures the package can be transferred in compliance with FedRAMP requirements and agency policy while preserving confidentiality?
Upload the package to a commercial file-sharing site that supports multifactor authentication and share the link with the 3PAO.
Encrypt the complete authorization package with a FIPS 140-2-validated algorithm before transferring it to the 3PAO.
Wait for the authorizing official to sign the Authorization to Operate letter, then email the unsigned documents to the 3PAO.
Compress the documents into a single ZIP file without encryption to reduce the chance of file corruption during transfer.
Before any FedRAMP security or privacy documentation leaves the organization, it must be protected to a level commensurate with its sensitivity. FedRAMP requires that all electronic transmissions of authorization packages use cryptography validated under FIPS 140-2 (or the current revision) to safeguard data in transit. Encrypting the entire package with a FIPS-validated mechanism, such as a password-protected archive that relies on an approved AES implementation, satisfies this mandate and aligns with most federal agency policies. Relying solely on commercial file-sharing, sending unencrypted email, or merely compressing files without encryption fails to meet the mandatory confidentiality controls and risks unauthorized disclosure.