OMB - Answers Office of Management and Budget; they oversee the performance of federal
agencies and administer the federal budget
FISMA - Answers Federal Information Security Modernization Act; created to strengthen IT
infrastructure operated and maintained by the U.S. federal Gov.
NIST ITL - Answers Information Tech Lab; develops tests, guidelines, and analyses to promote
secure and effective use of IT in federal systems
What is the purpose of the RMF? - Answers to strengthen the underlying information systems,
component products, and services, "in every sector of the critical infrastructure"
Executive Order 13800 - Answers strengthening the cybersecurity of federal networks and
critical infrastructure
As defined by the OMB, privacy control is - Answers an administrative, technical, or physical
safeguard employed within an agency to ensure compliance with applicable privacy
requirements and to manage privacy risks.
As defined by the OMB, security control is - Answers a safeguard or countermeasure prescribed
for an information system or an org to protect the CIA triad of the system and its information.
OMB Circular A-30 - Answers managing info as a strategic resource, addresses responsibilities
for protecting federal info. resources and managing PII. Requires agencies to use NIST 800-37
(RMF) and emphasizes that both programs, Defense science Board and Exec order, need to
collaborate
What does SDLC refer to in context of NIST SP 800-37 (what is it) - Answers System
Development Life Cycle
What are the 7 major updates to NIST SP 800-37 r2? - Answers 1. connecting the c-suite and the
front lines
2. prep smarter in all levels
3. link RMF with NIST CMF
4. Build in privacy risk management
5. design trustworthy systems
6. handle supply chain risks
7. customize security controls
System Development Life Cycle (SDLC) - Answers A process for planning, creating, testing, and
deploying information systems, including hardware and software
FIPS - Answers Federal Information Processing Standards
POAM - Answers Plan of Action and Milestones
Plans of actions and milestones - Answers a to-do list for fixing security and privacy
weaknesses in an info system
5 key parts of POAM - Answers 1. weakness / deficiency issues
2. remediation plan
3. milestones (deadlines or checkpoints)
4. responsible party for fixing issues
5. status (open, in progress, etc.)
What is the multi level approach to SP 800-37? (top to bottom) - Answers 1. org
2. mission/business process
3. information systems
What levels of the multi-level approach impact the selection and implementation of controls at
the system level? (Tier 1: org, Tier 2: mission/business processes, Tier 3: information systems) -
Answers the risk decisions at Tier 1 and Tier 2
What are the three types of controls? - Answers 1. system specific
2. hybrid
3. common (inherited)
What is a system specific control? - Answers controls that are built just for one system
What is a hybrid control? - Answers mix of system specific and common (inherited) controls.
What is a common (inherited) control? - Answers controls that multiple systems share - usually
managed at a higher level.
What are the 4 risk factors? (SP 800-30) - Answers 1. impact of loss
2. threats
3. vulnerabilities
4. likelihood of occurrence
ISO - Answers International Organization for Standardization
ISO 15288:2015 - Answers Provides an engineering view of an IS and the entities with which the
system interacts in its environment of operation
Authorization boundary - Answers All components of an information system to be authorized
for operation by an authorizing official. This excludes separately authorized systems to which
the information system is connected.
System Development Life Cycle (SDLC) steps - Answers 1. Planning
2. requirement analysis
3. system design
4. development/implementation
5. testing
6. deployment
7. maintenance and support
FIPS 199 - Answers Standards for Security Categorization of Federal Information and
Information Systems
Impact levels in regards to FIPS 199 - Answers 1. low -> the loss of CIA could have a limited
adverse effect on org ops, assets, or individuals
2. moderate -> loss of CIA has a serious adverse effect
3. high -> loss of CIA has a severe or catastrophic adverse effect
What is the waterfall methodology of SDLC? - Answers requirements > analysis > design >
coding implementation > testing > operation / deployment > maintenance
Principles of governance - Answers 1. Accountability
2. Transparency
3. Compliance
4. Risk-Based Approach
5. Continuous Improvement
6. Integration with Business Strategy
7. Stakeholder Engagement