Applying Assessment & Authorization (A&A) in the National Industrial Security Program (NISP) Questions with Complete Solutions
Select all of the correct responses. Which of the following tasks should the Information System Security Manager (ISSM) perform before beginning the A&A process?
Select one or more:
a. Review the DSS Risk Management Framework (RMF) website
b. Purchase Information System hardware
c. Possess and understand sponsorship and security documentation
d. Contact the Authorizing Official (AO) with questions
e. Register for an ODAA Business Management System (OBMS) account
CORRECT ANS a. Review the DSS Risk Management Framework (RMF) website
c. Possess and understand sponsorship and security documentation
Select all of the correct responses. Which of the following must the Information System Security Manager (ISSM) describe at the end of Step 2, Select Security Controls?
Select one or more:
a. Baseline security controls
b. Security control tailoring
c. Selection of overlays
d. Continuous monitoring strategy
CORRECT ANS a. Baseline security controls
b. Security control tailoring
c. Selection of overlays
d. Continuous monitoring strategy
True or false? When security control implementation is documented, it must describe how the security controls achieve the required security capability.
Select one:
True
False
CORRECT ANS True
When does continuous monitoring begin?
Select one:
a. After the Information System has been operational for 30 days
b. Once the security authorization package is submitted
c. As soon as Authorization to Operate (ATO) or ATO with conditions is issued
d. After the Information System has been operational for 1 year
CORRECT ANS c. As soon as Authorization to Operate (ATO) or ATO with conditions is issued
When does DSS schedule an on-site assessment of the security controls?
Select one:
a. 30 days after initiation of the A&A process
b. When the System Security Plan (SSP) and supporting artifacts are complete
c. When required by the Authorizing Official (AO)
d. As soon as the security controls are implemented
CORRECT ANS Not c
How does an Information System Security Manager (ISSM) submit the System Security Plan (SSP) to DSS?
Select one:
a. Email it to the Authorizing Official (AO)
b. Upload it to the ODAA Business Management System (OBMS)
c. Upload it via the submission interface on the DSS Risk Management Framework (RMF) website
d. Email it to the Security Controls Assessor (SCA)
CORRECT ANS Not c
Which of the following is an input to Step 5, Authorize System?
Select one:
a. Security status report
b. Authorization recommendation from the Information Owner (IO)
c. Security authorization package
d. Information System acknowledgement letter
CORRECT ANS c. Security authorization package
Where is the security control implementation documented?