ISC2 Governance, Risk and Compliance (CGRC) Practice Question
During control selection for a new moderate-impact federal system that will store and transmit health-related PII, the ISSO finds that the standard moderate baseline does not fully address statutory privacy requirements. According to NIST guidance, what is the most appropriate way to introduce additional privacy-focused control enhancements?
Re-categorize the system as high impact and implement the full high baseline.
Replace access control family requirements with compensating controls documented only in the POA&M.
Rely exclusively on privacy controls inherited from the cloud service provider without changing the baseline.
Apply the NIST SP 800-53 privacy overlay to augment the moderate baseline with targeted privacy controls.
NIST SP 800-53 Rev. 5 allows organizations to apply overlays when the default security baseline must be augmented for specialized needs such as privacy, industrial control systems, or PKI. A privacy overlay maps additional or stronger privacy controls and enhancements onto the selected baseline without wholesale recategorization. Elevating the entire system to the high baseline would add many unrelated controls and is not required solely for privacy concerns. Listing compensating controls in a POA&M is a gap-tracking activity and does not proactively tailor the baseline. Relying on inherited CSP controls alone ignores the organization's responsibility to ensure system-specific privacy safeguards.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is NIST SP 800-53 Rev. 5?
Open an interactive chat with Bash
What is a privacy overlay in NIST SP 800-53?
Open an interactive chat with Bash
How do inherited controls from a cloud service provider fit into privacy requirements?
Open an interactive chat with Bash
What is the purpose of a NIST SP 800-53 overlay?
Open an interactive chat with Bash
What is the difference between a baseline and an overlay in NIST SP 800-53?
Open an interactive chat with Bash
Why is recategorizing a system as high impact inappropriate for addressing privacy needs?
Open an interactive chat with Bash
ISC2 Governance, Risk and Compliance (CGRC)
Selection and Approval of Framework, Security, and Privacy Controls
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .