ISC2 Governance, Risk and Compliance (CGRC) Practice Question
During the Authorize step (Step 6) of the NIST Risk Management Framework, a federal agency receives the Security Assessment Report and the associated Plan of Action and Milestones for a new online service. Which single action is specifically assigned to the Authorizing Official before the system can move into production?
Sign the Authorization to Operate letter, formally accepting any documented residual risk on behalf of the organization.
Conduct independent penetration testing to verify that technical controls are functioning as intended.
Resolve every high and moderate finding listed in the POA&M before submitting artifacts for review.
Update the System Security Plan to include the completed implementation details and residual vulnerabilities.
The Authorizing Official (AO) is the senior management official who accepts responsibility for operating a system at an acceptable level of risk. After reviewing the Security Assessment Report and the Plan of Action and Milestones, the AO documents this risk acceptance by signing an Authorization to Operate (ATO) letter. Conducting penetration testing is the responsibility of the Security Control Assessor; maintaining the System Security Plan is handled by the system owner or ISSO; and remediating vulnerabilities in the POA&M is also the system owner's responsibility, not the AO's.
Security and Privacy Governance, Risk Management, and Compliance Program