C - TASK 1
"Information System and Environment Changes" (determine the security impact
of proposed or actual changes to the information system and its environment
of operation) is which Task in RMF Step 7, monitoring of controls?
Choose one:
A - Task 3
B - Task 2
C - Task 1
D - Task 4
C - Examine
All of the following except one are assessment objects.
Choose one:
A - Mechanisms
B - Activities and individuals
C - Examine
D - Specifications
D - NIST SP 800-37
Which publication primarily targets activities in Tier 3 of Risk Management
approach/pyramid?
Choose one:
A - NIST SP 800-53
B - NIST SP 800-38
C - NIST SP 800-53A
D - NIST SP 800-37
A-Common Control Provider (CCP)
An organizational official responsible for the development, implementation,
assessment, and monitoring of security controls inherited by information
systems is called…
Choose one:
A-Common Control Provider (CCP)
B-Information System Owner (ISO)
C-Information System Security Engineer (ISSE)
D-Chief Information Officer (CIO)
1 - System Characterization
2 - Threat identification
3 - Vulnerability Identification
4 - Control Analysis
5 - Likelihood Determination
6 - Impact Analysis
7 - Risk Determination
8 - Control Recommendation
9 - Results Documentation
What are the nine steps of Risk Assessment Methodology?
B-Implementation phase
Authorization to process should occur during what phase of the SDLC?
Choose one:
A-Threat Identification
B-Implementation phase
C-Vulnerability Identification
D-Risk Determination
B-Recommendations for control remediations
The final Security Assessment Report (SAR) should contain findings from the
security control assessment and which of the following?
Choose one:
A-Security control assessment plan
B-Recommendations for control remediations
C-Determination of residual risk
D-System Security Plan (SSP) and Concept of Operations (CONOPS)
D-SP 800-137
Which National Institute of Standards and Technology Special Publication
(NIST SP) 800 series document is concerned with continuous monitoring for
federal information systems and organizations?
Choose one:
A-SP 800-64
B-SP 800-144
C-SP 800-26
D-SP 800-137
True
True or False: After an ATO is granted, ongoing continuous monitoring is performed on
all identified security controls as well as the physical environment, etc.
False
True
B-Gray box testing
Focused testing is a test methodology that assumes some knowledge of the
internal structure and implementation detail of the assessment object. This
type of testing is also known as:
Choose one:
A-Black box testing
B-Gray box testing
C-Penetration testing
D-White box testing