ISC2 Governance, Risk and Compliance (CGRC) Practice Question
While drafting the System Security Plan (SSP) for a newly categorized moderate-impact web application, you discover that the organization's enterprise boundary protection service already satisfies control SC-7 for every system in the enclave. According to RMF guidance, what is the MOST appropriate way to reflect this control in the application's SSP?
Mark SC-7 as Not Applicable because boundary protection is provided outside the system boundary.
Redefine SC-7 as a hybrid control and restate all implementation details in both the SSP and the common control documentation.
Indicate SC-7 as inherited, reference the common control provider's authorization package, and document any remaining monitoring responsibilities.
Copy the full enterprise firewall configuration into the SSP so assessors can evaluate it directly.
Because the enterprise boundary protection service is a fully implemented common control, the application inherits that protection. The SSP should therefore show SC-7 as inherited, cite the common control provider's authorization package or identifier, and note any residual responsibilities (for example, reporting or continuous-monitoring tasks) assigned to the system owner. Marking the control Not Applicable would be incorrect because the protection still applies; it is simply delivered by another provider. Duplicating the firewall configuration or redefining the control as hybrid adds unnecessary detail and contradicts RMF guidance, which stresses referencing, rather than rewriting, common control information.
ISC2 Governance, Risk and Compliance (CGRC)
Selection and Approval of Framework, Security, and Privacy Controls