ISC2 Governance, Risk and Compliance (CGRC) Practice Test
Use the form below to configure your ISC2 Governance, Risk and Compliance (CGRC) Practice Test. The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.
ISC2 Governance, Risk and Compliance (CGRC) Information
Overview of the CGRC Certification
The ISC2 Certified in Governance, Risk and Compliance (CGRC) credential replaced the Certified Authorization Professional (CAP) title on 15 February 2023 to better reflect the knowledge and skills demanded of modern GRC practitioners. CGRC holders are expected to integrate governance, risk management and regulatory compliance across multiple frameworks—capabilities now recognized by employers worldwide, including the U.S. Department of Defense, which lists the certification under DoDM 8140.03 workforce requirements. To earn the credential you must pass the exam and document at least two years of paid, cumulative work experience in one or more of the seven CGRC domains; candidates lacking the experience can become an Associate of ISC2 while they accrue it.
Exam Format and Content
The computer-based CGRC exam lasts three hours and presents 125 multiple-choice or advanced-item questions. A scaled score of 700 out of 1,000 is required to pass. Content is distributed across seven domains—such as Security and Privacy Governance, Risk Management and Compliance Program (16 %), Implementation of Security and Privacy Controls (17 %) and Compliance Maintenance (13 %)—reflecting the 2024 job-task-analysis update. In the Americas the registration fee is US $599, and testing is delivered exclusively through Pearson VUE centers. Understanding both the weighting and the time limit lets you allocate study hours and develop pacing strategies that mirror the real exam.
The Power of Practice Exams
Timed, high-quality practice exams are one of the quickest ways to convert reading into exam-day readiness. They reveal whether your conceptual understanding holds up under a three-hour clock, spotlight weak domains early, and acclimate you to ISC2’s scenario-driven questioning style. ISC2 recommends using practice assessments to verify comprehension and identify gaps—not to memorize answers—because the real CGRC exam rewards depth of understanding over rote recall. Many candidates track scores by domain until they consistently exceed the 700-point benchmark, using post-test reviews to drill into missed concepts and refine time management.
Putting It All Together: A Strategic Study Plan
Map the exam outline to a calendar that back-loads heavier-weighted domains and includes weekly practice-test checkpoints. Blend modalities: official ISC2 Online Self-Paced or Instructor-Led training, white-papers and control catalogs keep the material fresh and contextual. Adaptive platforms can personalize that journey by flagging knowledge gaps and shortening review cycles, letting you spend more time where it matters. In the final weeks, rotate full-length practice exams with focused drills, refine your test-taking routine (breaks, hydration, mindfulness) and book the real exam when your timed practice scores stabilize above target. This metrics-driven approach not only boosts the odds of a first-time pass but also builds the confidence to apply GRC principles on the job.
Free ISC2 Governance, Risk and Compliance (CGRC) Practice Test
- 20 Questions
- Unlimited time
- Security and Privacy Governance, Risk Management, and Compliance ProgramScope of the SystemSelection and Approval of Framework, Security, and Privacy ControlsImplementation of Security and Privacy ControlsAssessment/Audit of Security and Privacy ControlsSystem ComplianceCompliance Maintenance
Free Preview
This test is a free preview, no account required.
Subscribe to unlock all content, keep track of your scores, and access AI features!
Your federal agency plans to let a private contractor operate a system that will process agency-owned data. According to FISMA requirements, which action must the agency take before allowing the contractor to begin operations?
Obtain prior approval from the Government Accountability Office before any agency information is processed off-site.
Verify that the contractor's system implements security controls that provide protection equivalent to the level the agency applies to its own systems and data.
Transfer full responsibility for any future security incidents to the contractor through a service-level agreement.
Publish a detailed description of the system's security architecture in the Federal Register for public comment.
Answer Description
FISMA extends an agency's information-security responsibilities to any information system that is "used or operated by a contractor of an agency or other organization on behalf of an agency". The agency head must therefore ensure that the contractor's system receives security protections commensurate with the risk and comparable to those applied to government-operated systems. Merely publishing notices, shifting liability through contracts, or seeking external approval are not mandated by the statute. FISMA keeps accountability within the agency and requires equivalent protections, not procedural formalities that delegate or transfer responsibility.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is FISMA and why is it important?
What does 'security protections commensurate with the risk' mean in FISMA?
How do agencies verify contractor systems meet FISMA requirements?
During the Select step of the NIST Risk Management Framework (RMF), a system owner determines that several controls in the chosen baseline exceed mission needs and could impede usability. According to RMF guidance and sound governance practice, which action should the owner take next?
Postpone the control decision until the Implement step to gather additional operational data.
Apply the entire baseline as written to ensure maximum protection despite usability concerns.
Deploy the system first and request a waiver for the excessive controls during the authorization phase.
Tailor the baseline by scoping, parameterizing, or substituting compensating controls and record the rationale in the security plan.
Answer Description
NIST RMF expects organizations to begin with an appropriate baseline and then tailor it to fit the system's specific mission, business, and operational context. Tailoring includes scoping out controls that are not applicable, adjusting control parameters, or substituting compensating controls that achieve the same objectives with less impact. These decisions and their justifications must be documented in the system security plan so that assessors and authorizing officials understand how risk is being managed. Simply applying all controls without evaluating relevance ignores the governance principle of aligning security with business objectives. Deferring the decision to a later RMF step or waiting for a waiver after deployment fails to follow the structured risk management process and can lead to unmanaged risk or project delays.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the NIST RMF and its purpose?
What does tailoring a security control baseline mean?
What is a compensating control in cybersecurity?
Your organization is establishing a compliance program for a new Software-as-a-Service (SaaS) offering that must meet FedRAMP Moderate requirements. After defining the authorization boundary, tailoring the baseline, and confirming that all selected controls have been fully implemented, what is the next major lifecycle activity your team should perform to remain aligned with the framework?
Return to the control selection step to confirm the appropriateness of the chosen baseline.
Submit the completed security package to the Authorizing Official to request an authorization to operate.
Begin the continuous monitoring phase and generate monthly plans of action and milestones (POA&Ms).
Arrange for an independent security assessment to validate the effectiveness of the implemented controls.
Answer Description
Both the NIST Risk Management Framework and the FedRAMP Security Assessment Framework require an independent evaluation of implemented safeguards before any authorization decision is made. Once controls are put in place, an assessor examines evidence and performs testing to confirm that the controls are correctly implemented, operating as intended, and meeting the desired security outcomes. Only after this assessment is complete can the package move to the Authorizing Official for an authorization decision, and continuous monitoring will follow authorization. Revisiting control selection is not normally required unless significant changes or analysis results dictate it.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is FedRAMP Moderate, and why is it important for SaaS offerings?
What does an independent security assessment entail for FedRAMP compliance?
What happens after an independent security assessment in the FedRAMP lifecycle?
During the design phase of a new payroll application, the project team wants to ensure security is properly integrated. Which of the following actions aligns best with the responsibilities of the design phase rather than activities reserved for later SDLC stages?
Conduct a penetration test against the pre-production environment.
Execute code-level static analysis on completed application modules.
Approve the information system for operational use after reviewing residual risk.
Develop a detailed security architecture that defines trust boundaries, data flows, and required controls.
Answer Description
The design phase focuses on translating security requirements into an overall architecture. Creating detailed security architecture diagrams that map trust boundaries, expected data flows, and the controls that must be built into each component is a design-phase task. Code-level static analysis, penetration testing, and formal authorization decisions occur in the development, test, and deployment/operations stages, respectively, after the design has been completed and implemented.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is meant by 'trust boundaries' in security architecture?
How do data flow diagrams help in the design phase?
What is the role of required controls in a security architecture?
During the assessment of an electronic procurement system, you need to demonstrate that a senior executive cannot later deny approving a purchase order transmitted over the network. Which control provides the STRONGEST technical assurance of non-repudiation for these transactions?
Record the source IP address of each submission in web-server access logs.
Encrypt the purchase order with TLS while it is transmitted between client and server.
Apply a digital signature to each purchase order using the executive's PKI private key.
Require the executive to authenticate with multi-factor credentials before accessing the approval portal.
Answer Description
Non-repudiation requires technical evidence that definitively binds a specific individual to a specific action and protects that evidence from undetected alteration. A digital signature created with the executive's private key meets this requirement because:
- The private key is uniquely associated with the signer, so the origin of the message can be proven.
- The cryptographic hash included in the signature detects any later modification of the signed content.
- Anyone with the signer's public certificate can verify both origin and integrity, making it difficult for the signer to credibly deny the action.
TLS encryption only protects data in transit; once the session ends it provides no enduring proof of origin. Web-server logs that record IP addresses can be forged, shared, or spoofed and therefore do not offer strong assurance. Multi-factor authentication confirms the user's identity when logging in but does not bind that identity to the specific purchase-order message in a verifiable way after the fact.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a digital signature?
What is PKI and how does it relate to private/public keys?
Why is TLS encryption inadequate for non-repudiation?
Your project has moved from design into coding, and developers are writing new application modules. To embed security controls during the Development phase of the SDLC, which activity should you prioritize before the code is compiled or executed?
Run static application security testing tools against the new source code to detect insecure constructs early.
Submit the system package to the Authorizing Official to obtain a formal Authorization to Operate (ATO).
Develop and approve the media sanitization and disposal plan for components reaching end-of-life.
Perform a post-implementation review of system audit logs to confirm security-relevant events were recorded.
Answer Description
During the Development (coding) phase, the emphasis is on writing secure code and detecting vulnerabilities as early as possible. Static Application Security Testing (SAST) examines source code or byte-code without running it, allowing security flaws such as injection, insecure API use, or buffer overflows to be found and corrected while the code is still being written. Activities such as post-implementation log reviews occur in the operations phase, retirement planning belongs to the disposal phase, and obtaining an Authorization to Operate is part of the authorization step that follows assessment. Therefore, running SAST (or comparable static code analysis) is the most appropriate security activity to integrate in the development phase.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Static Application Security Testing (SAST)?
Why is SAST prioritized during the development phase of the SDLC?
How is SAST different from Dynamic Application Security Testing (DAST)?
A security officer is starting the RMF Prepare phase for a new SaaS environment. Before identifying information types or selecting controls, which element must be documented first to establish the system's authorization boundary and lay the groundwork for all later scoping activities?
The planned schedule for penetration testing and continuous-monitoring activities
The system's name or unique ID and a brief statement of its mission, purpose, and scope
The information types the system will process, including data flows and external interfaces
The preliminary list of compensating controls for any anticipated baseline deviations
Answer Description
NIST RMF tasks require that the authorization boundary begin with basic system identification: the system's official name or unique identifier together with a concise statement of its mission, purpose, and scope. This high-level description comes before listing hardware, software, information types, data flows, assessments, or training needs, and anchors all subsequent scoping and categorization work.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an authorization boundary in the RMF context?
Why is a system's mission, purpose, and scope documented first in the RMF Prepare phase?
What role does NIST guidance play in defining authorization boundaries?
A U.S. federal agency is retiring a legacy payroll system that stores moderate-impact PII. Before the Authorizing Official can sign the termination memorandum, which activity should the security team complete during the disposal/decommissioning phase to meet RMF and SDLC requirements?
Delete the system's entry from the agency's FISMA inventory to avoid reporting it in the next cycle.
Reallocate the system's continuous-monitoring budget to the replacement application before shutting down operations.
Document and sign a residual-risk acceptance memo transferring any remaining risk to the system owner.
Verify that every digital and physical storage media associated with the system has been sanitized or destroyed in accordance with NIST SP 800-88.
Answer Description
During the disposal/decommissioning phase, the organization must ensure that any media containing federal information is properly sanitized, purged, or destroyed in accordance with NIST SP 800-88 guidelines. NIST SP 800-37 Rev. 2 identifies media sanitization as a mandatory disposal task that must be completed before the Authorizing Official can formally terminate the system's authorization to operate. Simply transferring risk, reallocating budgets, or removing the system from the FISMA inventory can occur only after the assurance has been obtained that no sensitive data remains accessible. Therefore, validating that all information system media have been sanitized or destroyed is the correct and most critical step.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is NIST SP 800-88 and why is it relevant to media sanitization?
What is the role of the Authorizing Official in the RMF disposal phase?
How does media sanitization align with the System Development Life Cycle (SDLC)?
You are retiring a cloud-hosted solid-state drive (SSD) array that stored controlled unclassified information (CUI). According to NIST SP 800-88 Rev.1, which disposal action provides purge-level sanitization while still allowing the provider to reuse the hardware?
Submit the SSDs for mechanical shredding into 2 mm particles.
Expose the SSDs to a Type I degausser with a 7,000-gauss magnetic field.
Execute a single overwrite pass of all logical blocks with pseudorandom data.
Invoke the drive's built-in cryptographic erase function to delete and re-generate its encryption key.
Answer Description
NIST SP 800-88 identifies three sanitization levels: Clear, Purge, and Destroy. For SSD-based media, cryptographic erase-destroying the media's encryption key so that remaining ciphertext is indecipherable-is specifically listed as a Purge method. It removes data to the same assurance level as physical block erasure but preserves the drive for future use. A single overwrite pass is only a Clear operation and is unreliable on SSDs because wear-leveling may leave residual data. Mechanical shredding renders the drive unrecoverable, meeting the Destroy level, but does not permit reuse. Degaussing is ineffective on flash technology because SSDs do not store data magnetically and therefore cannot be sanitized by a magnetic field. Consequently, invoking the drive's built-in cryptographic erase function is the best choice.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is cryptographic erase preferred for Purge-level sanitization in SSDs?
How does wear-leveling in SSDs affect overwrite sanitization methods?
Why is degaussing ineffective for SSD sanitization?
A security steering committee meets quarterly to compare the organization's security performance metrics to strategic business goals and assign accountability for improvements. Which aspect of GRC is this activity chiefly demonstrating?
Governance
Incident response coordination
Risk management
Compliance
Answer Description
The described committee is carrying out governance. Governance establishes direction and oversight, aligns information-security efforts with business objectives, and holds leaders accountable for outcomes. By reviewing metrics against strategic goals and directing corrective actions, the committee exercises that oversight function. Risk management would focus on identifying and treating specific risks, compliance would emphasize adherence to external requirements, and incident response coordination concerns reacting to security events-none of which are the primary purpose of this meeting.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does governance entail in the context of GRC?
How is governance different from risk management in GRC?
Why is accountability important in governance activities?
During a risk assessment for a public-facing e-commerce application, management mandates at least 99.95 percent uptime. Which control would most directly help satisfy the availability principle for this requirement?
Deploy a geographically distributed, load-balanced failover cluster
Add enhanced server-side input sanitization routines
Require client-side certificate authentication for all users
Implement HMAC-based digital signatures on transaction logs
Answer Description
A geographically distributed, load-balanced failover cluster directly addresses availability because it provides redundant capacity and automatic traffic distribution; if one site or node fails, service continues with minimal interruption, supporting the 99.95 percent uptime objective. The other options primarily protect different security objectives: input sanitization safeguards data integrity, client-side certificate authentication strengthens confidentiality (and to some extent integrity), and HMAC-based digital signatures provide non-repudiation and integrity assurance for logs, but none of these measures keeps the service accessible when hardware or site outages occur.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a geographically distributed, load-balanced failover cluster?
How does load balancing improve availability?
What is the principle of availability in information security?
Your organization is finalizing an enterprise retention schedule for transactional logs that contain customer PII after acquiring a subsidiary in another legal jurisdiction. One regulation requires keeping the data for three years, while another mandates seven. To remain compliant company-wide, which retention period should be documented for this data set?
Five years, balancing legal mandates with operational efficiency.
Three years, because keeping data longer than necessary increases privacy risk.
Seven years, because the policy must satisfy the most stringent applicable legal requirement across jurisdictions.
Retain indefinitely until harmonized regulations are issued by both jurisdictions.
Answer Description
When different jurisdictions impose conflicting retention requirements, the organization must satisfy the most stringent (longest) mandate so that it does not violate any applicable law or regulation. Selecting the shorter three-year period would breach the seven-year mandate, while averaging or retaining data indefinitely would either still break the stricter law or conflict with storage-limitation principles that require data not be kept longer than necessary.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is PII and why is it important in compliance regulations?
Why is the longest retention period chosen in conflicting regulation scenarios?
How can organizations balance legal mandates and storage-limitation principles?
During a HIPAA Security Rule gap assessment, a covered entity confirms it must document an enterprise-wide risk analysis and formally designate a security official. To which safeguard category defined by 45 CFR §§ 164.308-164.312 do both of these requirements belong?
Technical safeguards
Physical safeguards
Administrative safeguards
Organizational requirements
Answer Description
Under the HIPAA Security Rule, the security standards are grouped into three safeguard categories: administrative (§164.308), physical (§164.310), and technical (§164.312). Conducting a risk analysis (§164.308(a)(1)(ii)(A)) and designating a security official (§164.308(a)(2)) are both listed within the Administrative Safeguards section. Physical safeguards address facility and device protections, while technical safeguards focus on electronic measures such as access control and encryption. Separate from these safeguards, §164.314 establishes organizational requirements (for example, business associate contracts). Because both cited requirements appear in §164.308, they are Administrative Safeguards.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the administrative safeguards under HIPAA?
What is the difference between administrative, physical, and technical safeguards?
Why is documenting an enterprise-wide risk analysis critical under HIPAA?
You are the system owner of a new cloud-based HR platform. After tailoring the NIST RMF control baseline and deploying the technical safeguards, which action must you complete during the Implement step before the independent assessment can begin?
Request the Authorizing Official to sign the system's Authorization to Operate letter
Finalize the continuous monitoring strategy and schedule
Update the System Security Plan to describe the implementation of every selected control
Draft the Plan of Action and Milestones for any residual findings
Answer Description
During Step 4 (Implement) of the NIST Risk Management Framework, the system owner not only puts the selected controls in place but also documents how each control was implemented and integrated within the system and its operating environment. This information is recorded in the System Security Plan (SSP) so that assessors can evaluate the controls against documented evidence. Creating a POA&M, requesting an authorization decision, or finalizing a continuous monitoring strategy occur in later RMF steps (Assess, Authorize, and Monitor, respectively), not during implementation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the NIST RMF?
What is a System Security Plan (SSP)?
What is the Implement step in RMF?
During a periodic review of an HR payroll application, you learn that employee Social Security numbers are being sent to an overseas payroll processor-a data transfer that was never documented or approved. Which action should you take first?
Update the data-flow diagram to document the new cross-border path, then schedule a compliance review.
Tokenize all stored Social Security numbers before taking any other action.
Notify affected employees and regulators within 72 hours because every undocumented transfer is automatically a breach.
Suspend the unapproved transfer at once and initiate a formal investigation and risk assessment.
Answer Description
The priority is to stop the unauthorized cross-border transfer immediately and launch a formal investigation and risk assessment. Halting the flow contains any further potential exposure and allows the organization to determine legality, security impact, and necessary notifications. Once the incident is contained and assessed, the data-flow diagram, GDPR Article 30 records, and other documentation can be updated, and additional controls (such as tokenization) or remediation (such as purging data) can be planned. Not every undocumented international transfer is automatically a notifiable breach, so notifications should follow the investigation if required.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is GDPR Article 30 and why is it important?
What is tokenization, and how does it help secure sensitive data?
What constitutes a 'notifiable breach' according to GDPR?
During a security assessment of a cloud-based HR application, you learn that employee salary data is sent to an external payroll processor over the public Internet. Which control would best ensure confidentiality of that data while it is in transit?
Require multi-factor authentication for all payroll processor user accounts.
Establish Transport Layer Security (TLS) 1.2 or higher encryption for all sessions between the systems.
Provision redundant network circuits between the HR application and the payroll processor.
Perform daily file integrity monitoring using cryptographic hashes.
Answer Description
Encrypting the communications channel with a current version of Transport Layer Security protects the salary information from disclosure to unauthorized parties as it traverses untrusted networks, directly addressing confidentiality. Multi-factor authentication strengthens user identity proofing but does not prevent interception of the data stream itself. File integrity monitoring verifies that stored data has not been altered, serving integrity rather than confidentiality. Redundant network links improve availability but leave the information readable if captured in transit.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Transport Layer Security (TLS)?
Why is TLS preferred for confidentiality over multi-factor authentication?
How does file integrity monitoring differ from encryption?
While reviewing your multinational organization's incident-response plan, you must map legal breach-notification timelines. Which regulation specifically requires a data controller to notify the competent supervisory authority of a personal data breach no later than 72 hours after becoming aware of it, unless the breach is unlikely to risk individuals' rights and freedoms?
Payment Card Industry Data Security Standard (PCI-DSS)
General Data Protection Regulation (GDPR)
Health Insurance Portability and Accountability Act (HIPAA)
Federal Information Security Modernization Act (FISMA)
Answer Description
The General Data Protection Regulation (GDPR) sets a strict 72-hour deadline for data controllers to report personal data breaches to the relevant supervisory authority (Art. 33 (1)), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. HIPAA allows up to 60 days to notify affected individuals, FISMA/OMB guidance generally requires federal agencies to report certain incidents to US-CERT within one hour, and PCI-DSS does not define a universal regulatory timeline-making GDPR the only framework in the list that mandates a 72-hour authority notification.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a data controller in GDPR?
What happens if the data breach notification is delayed beyond 72 hours under GDPR?
What risks to individuals' rights and freedoms does GDPR include in its breach evaluation criteria?
During the final stages of the RMF process, the assessment team submits a Security Assessment Report describing residual risks. Which RMF role must decide whether these risks are acceptable and formally authorize the information system to operate in production?
System Owner
Information System Security Officer
Authorizing Official
Security Control Assessor
Answer Description
The Authorizing Official is a senior management role that has the statutory authority to assume responsibility for operating an information system at an acceptable level of risk. After reviewing the Security Assessment Report and other authorization package artifacts, the Authorizing Official issues the formal Authorization to Operate (ATO). The System Owner is responsible for the system throughout its life-cycle but cannot grant authorization. The Information System Security Officer supports security operations and reporting but does not make risk acceptance decisions. The Security Control Assessor conducts the assessment and provides findings but likewise lacks the authority to authorize operation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the role of the Authorizing Official (AO) in the RMF process?
What is the difference between a System Owner and an Authorizing Official?
What is included in the Security Assessment Report (SAR)?
Your agency intends to migrate a mission-support application to a FedRAMP-authorized SaaS provider. While establishing the compliance program with the NIST Risk Management Framework, which action belongs specifically in the Prepare step and helps you maximize use of inherited SaaS controls during later phases?
Execute the security assessment plan to validate that provider controls are operating as intended.
Identify shared control providers and record common controls in the organization-wide control inventory.
Tailor the NIST SP 800-53 moderate baseline to create the system's security control set.
Assign FIPS 199 impact levels to the application to determine security categorization.
Answer Description
During the Prepare step, organizations establish the foundational activities that will streamline later RMF tasks. One of those activities is identifying common controls and their providers so the system owner can inherit them instead of duplicating effort. Categorizing the system is performed in the separate Categorize step, tailoring baselines happens in the Select step, and executing the security assessment plan occurs in the Assess step. Therefore, documenting shared control providers during Prepare is the correct choice.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are common controls in the NIST RMF?
What is the significance of the Prepare step in the NIST RMF?
How does inheriting SaaS controls benefit the RMF process?
While gathering requirements for a new cloud-hosted payroll application, the project team wants to embed security as early as possible in the System Development Life Cycle (SDLC). Which task should they complete during the requirements-gathering phase to achieve this goal?
Configure baseline hardening settings on the development and test servers before coding begins.
Install continuous monitoring agents in the production environment to collect security telemetry.
Conduct penetration testing against an early prototype to uncover exploitable vulnerabilities.
Identify and document security and privacy requirements derived from business objectives, data sensitivity, and regulatory mandates.
Answer Description
During the requirements-gathering (requirements analysis) phase, the project team must determine and document the system's security and privacy requirements that stem from business objectives, data sensitivity, and applicable laws or regulations. Capturing these requirements early allows security controls to be designed into the system from the outset, guiding architecture, development, and later testing activities. Configuring servers, performing penetration tests, or deploying production monitoring are important security tasks but occur in later SDLC phases-implementation, testing, and operations, respectively-after requirements have been set.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the purpose of security and privacy requirements in the SDLC?
What are the key sources for determining security requirements during the SDLC?
Why are tasks like penetration testing and server hardening not part of the requirements-gathering phase?
Nice!
Looks like that's it! You can go back and review your answers or click the button below to grade your test.