LRAFB SAPPC - INTRODUCTION TO THE RISK MANAGEMENT FRAMEWORK (RMF) QUESTIONS AND ANSWERS WITH COMPLETE SOLUTIONS (GRADED A+)
The key governance elements in Tier 1 are:
• DoD Senior Information Security Officer (SISO).
• Risk Executive Function.
• DoD Cybersecurity Architecture.
• The RMF Technical Advisory Group (TAG).
• The Knowledge Service (KS).
Tier 1 Guidance (2) - CORRECT ANSWERS -- Per current 8510.01, this information is
listed for a Tier 1 Organization:
DoD SISO:
National Institute of Standards and Technology (NIST), 800 Series - CORRECT
ANSWERS -- The Risk Management Framework, supported by the National Institute of
Standards and Technology (NIST), 800-series publications and used by other federal
agencies under the Federal Information Security Modernization Act, provides a
structured, yet flexible approach for managing risk resulting from the incorporation of
information systems into the mission and business processes of an organization.
Policy Alignment - CORRECT ANSWERS -- DoD aligned Cybersecurity and risk
management policies, procedures, and guidance with Joint Transformation NIST
documents to create the basis for a unified information security framework for the
Federal government.
Policy Partnerships - CORRECT ANSWERS -- DoD participates in Committee on
National Security Systems and NIST policy development as a vested stakeholder with
the goals to create a more standardized approach to cybersecurity and to protect the
unique requirements of DoD missions and warfighters.
RMF Guidance Alignment - CORRECT ANSWERS -- The RMF Knowledge Service is
DoD's official repository for enterprise RMF policy and implementation guidelines.
The RMF Knowledge Service provides Cybersecurity practitioners and managers with a
single authorized source for execution and implementation guidance, community
forums, and the latest information and developments in the RMF.
DoD RMF Decisions Structure - CORRECT ANSWERS -- Under the RMF, technical and
non-technical features of DoD Information systems are comprehensively evaluated in
the intended environment.
This allows an Authorizing Official (AO) to determine whether the system is approved
to operate at an acceptable level of security risk based on the implementation of an
approved set of technical, managerial, and procedural countermeasures or mitigation.
RMF Governance Overview - CORRECT ANSWERS -- The DoD RMF governance
structure implements the three-tiered approach to cybersecurity risk management
described in NIST SP 800-39, synchronizes and integrates RMF activities across all
phases of the IT life cycle, and spans logical and organizational entities.
DoD RMF Guidance (1) - CORRECT ANSWERS -- The complex, many-to-many
relationships among mission or business processes and the information systems
supporting those processes require a holistic, organization-wide view for managing risk.
A holistic approach requires the management of risk at both the enterprise-level and
system-level.
This approach takes into account the organization as a whole, including strategic goals
and objectives and relationships between mission/business processes and the
supporting information systems.
DoD RMF Guidance (2) - CORRECT ANSWERS -- Organizational culture and
infrastructure should also be considered.
The security controls and safeguards selected by the organization must take into
account:
• Potential mission or business impacts.
• Risk to organizational operations and assets, individuals, other organizations, and the
Nation.
These roles and responsibilities have been delegated enterprise-wide and are arranged
into tiers.