ISC2 Governance, Risk and Compliance (CGRC) Practice Question

While tailoring the NIST SP 800-53 Rev.5 moderate baseline for a new SaaS application, you confirm that AC-6(9) (audit of privileged actions) is fully implemented by the FedRAMP-authorized cloud service provider through its management plane. The system owner wants to mark the enhancement "not applicable." What is the BEST way to address this control during selection and tailoring?

  • Document AC-6(9) as an inherited control in the SSP and reference the provider's authorization package for evidence.

  • Remove AC-6(9) from the baseline because the enhancement is above the minimum requirements for moderate systems.

  • Formally accept the residual risk and leave AC-6(9) marked "not applicable" in the SSP.

  • List AC-6(9) as a compensating control and create a POA&M item for on-premises implementation at a later date.

Selection and Approval of Framework, Security, and Privacy Controls