ISC2 Governance, Risk and Compliance (CGRC) Practice Question
You are finalizing the security authorization package to support the Authorizing Official's decision to grant an ATO for a new cloud-based HR system. According to NIST SP 800-37 Rev. 2, which collection of documentation must you include to adequately inform the AO's risk determination?
Privacy Impact Assessment, security awareness training records, and incident response plan
System Security Plan, Security Assessment Report, and Plan of Action and Milestones
Risk register, contingency plan test results, and configuration baseline reports
Interconnection Security Agreement, Authority to Connect letter, and security categorization report
NIST SP 800-37 Rev. 2 states that the authorization package presented to the Authorizing Official must, at a minimum, contain the System Security Plan (SSP), the Security Assessment Report (SAR), and the Plan of Action and Milestones (POA&M). Together, these artifacts describe the security requirements, how each control is implemented, the assessment results, and the plan for correcting any weaknesses, enabling the AO to decide whether residual risk is acceptable. The other answer options list useful but non-mandatory or incomplete document sets: awareness training records and incident plans do not replace the core package; risk registers and baseline reports lack formal assessment results; interconnection agreements and categorization reports are produced earlier in the RMF process and do not satisfy authorization package requirements on their own.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an SSP, and why is it important in the authorization package?
Open an interactive chat with Bash
What is a Security Assessment Report (SAR), and how does it contribute to the ATO process?
Open an interactive chat with Bash
What does a Plan of Action and Milestones (POA&M) include, and why is it part of the package?
Open an interactive chat with Bash
ISC2 Governance, Risk and Compliance (CGRC)
Security and Privacy Governance, Risk Management, and Compliance Program
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .