ISC2 Governance, Risk and Compliance (CGRC) Practice Question

While completing RMF Step 2 (Select), a security engineer finishes tailoring the moderate-impact baseline for a new SaaS solution. To meet the control selection documentation requirement, what information must be recorded in the System Security Plan before the package can move to the next step?

A list of system users granted access during the initial authorization boundary definition.
A mapping of chosen and withdrawn controls to organizational policies, with justification for every tailoring decision.
The continuous-monitoring schedule, including tool scan intervals and reporting thresholds.
The provisional Plan of Action and Milestones (POA&M) with target remediation dates for all known weaknesses.

Report Issue

Answer Description

During RMF Step 2, the organization must document its control selection results in the System Security Plan. This record must show which baseline controls and enhancements were chosen, how they were tailored, and-crucially-the rationale that links each tailoring decision to applicable business or policy requirements. Including the justification and authoritative references demonstrates that the selection is risk-based and traceable to organizational directives, satisfying NIST SP 800-37 and SP 800-18 guidance. Merely noting implementation schedules, continuous-monitoring frequencies, or user rosters may appear elsewhere in accreditation artifacts but does not fulfill the specific documentation task for control selection.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.