ISC2 Governance, Risk and Compliance (CGRC) Practice Question
After consolidating objectives, scope, methods, schedule, resources, and logistics into a draft assessment plan for an upcoming RMF security control assessment, the lead assessor wants to proceed with onsite testing next week. According to NIST RMF best practice for finalizing the plan, what must occur before any assessment activity begins?
A. Obtain formal approval of the assessment plan from the authorizing official or designated representative.
B. Draft the final assessment report and distribute it for stakeholder comment.
C. Issue a plan of action and milestones to document expected remediation tasks.
D. Perform a preliminary vulnerability scan to validate the defined scope.

Correct answer: A

Explanation: NIST SP 800-37 Rev.2 Task 4-1 and SP 800-53A Rev.5 Section 3.1 state that the security assessment plan must be formally reviewed and approved by the authorizing official (or that official's designated representative) before any testing starts. This approval confirms agreement on scope, methods, resources, and schedule and grants the assessor authority to proceed. Activities such as running preliminary scans, issuing a POA&M, or drafting the final report occur only after the plan has received this formal authorization.
Assessment/Audit of Security and Privacy Controls