ISC2 Governance, Risk and Compliance (CGRC) Practice Question

Your federal information system is deployed on a FedRAMP-authorized IaaS platform. During SSP preparation, you must classify each control's responsibility. Which of the following best represents a hybrid control that should be marked as partially inherited and partially system-specific?

Physical access control of the data center enforced solely by the CSP.
Guest operating system patch management conducted entirely by the agency.
Security incident reporting performed exclusively by the CSP's SOC.
Network boundary protection where the CSP operates virtual firewalls while the agency configures security groups for its workloads.

Report Issue

Answer Description

Hybrid (or shared) controls are implemented in part by a common control provider, such as a cloud service provider, and in part by the system owner. Boundary protection (SC-7) in an IaaS environment is a typical example: the CSP supplies and maintains the underlying virtual firewalls and routing infrastructure, but the customer must define and maintain its own security groups, access control lists, and rule sets to protect the specific workload. Physical access safeguards enforced only by the CSP are fully inherited, while patching performed solely by the agency is system-specific. Incident reporting handled exclusively by the CSP is also inherited, not hybrid. Therefore, the scenario that involves both parties sharing implementation responsibility-network boundary protection with CSP-managed devices and customer-managed rules-is the correct choice.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.