ISC2 Governance, Risk and Compliance (CGRC) Practice Question
During the operations and maintenance phase of a FIPS 199 moderate-impact federal information system, a vendor releases a security patch that addresses a newly discovered vulnerability. According to NIST guidance, what should the security practitioner do before authorizing deployment of the patch to production?
Apply the patch to the production environment immediately, deferring testing to the next scheduled maintenance window.
Conduct a security impact analysis to evaluate how the patch affects existing controls and authorizations.
Decommission the affected software component and begin media sanitization procedures.
Update the Plan of Actions and Milestones to document the vulnerability and its planned remediation date.
In the operations and maintenance phase, every proposed change to a federal information system must undergo configuration management and change control. NIST SP 800-37 Rev. 2 and NIST SP 800-128 state that organizations are required to perform a security impact analysis to determine how the change could affect existing security and privacy controls and overall risk posture. Only after this analysis is completed and any necessary updates to documentation or controls are identified can the organization proceed to seek authorization and schedule installation. Simply updating a POA&M, rushing the patch into production, or decommissioning the component ignores the fundamental requirement to first understand and document the change's effects on the system's authorized security baseline.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is FIPS 199 and how does it relate to federal information systems?
Open an interactive chat with Bash
What is a security impact analysis and why is it necessary?
Open an interactive chat with Bash
What are configuration management and change control in the context of federal systems?
Open an interactive chat with Bash
ISC2 Governance, Risk and Compliance (CGRC)
Security and Privacy Governance, Risk Management, and Compliance Program
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .