Q1

A federal agency is preparing a new data analytics platform for authorization. The platform will process publicly available datasets as well as sensitive citizen PII. The development team has proposed a system boundary that includes the cloud-based data lake and processing engines but excludes the on-premises data ingestion servers that perform initial data cleansing. According to NIST SP 800-37 Rev. 2, what is the primary risk of this proposed boundary definition?

Q2

A healthcare provider is implementing a continuous monitoring program for its Electronic Health Record (EHR) system, which has a High impact categorization. The current strategy involves monthly vulnerability scans, quarterly access reviews, and annual penetration tests. A GRC analyst notes that while these activities are performed, the results are only reviewed during the annual assessment cycle. Which RMF step is being inadequately addressed in this scenario?

Q3 (multiple answers)

A defense contractor is implementing the SI-4 (Information System Monitoring) control from NIST SP 800-53 on a classified system. The system owner has deployed a Security Information and Event Management (SIEM) tool that collects logs from all servers and network devices. To meet the full requirement of SI-4, which of the following activities are also necessary? (Select TWO)

Q4

True or False: During the 'Select' step of the RMF, an organization is permitted to tailor a High baseline down to a Moderate baseline if the System Owner determines the cost of implementation is too high.

Q5

A financial services company, FinSecure, is preparing for its first formal authorization of a new cloud-native wealth management platform. The platform handles sensitive client financial data and PII, and has been categorized as High impact for confidentiality and integrity, and Moderate for availability. The company has a mature GRC program but has never applied the NIST RMF before. The Chief Risk Officer (CRO) has tasked the ISSM with establishing the foundational elements for the RMF process within the organization. The development teams are eager to start implementing controls, but the ISSM insists that several organization-level activities must be completed first as part of the RMF 'Prepare' step. Which of the following actions represents the MOST critical organization-level task FinSecure must complete before proceeding to system-specific control selection and implementation?

Q6

A Security Control Assessor is reviewing the implementation of control AU-5 (Response to Audit Processing Failures) for a critical patient records database. The documentation in the SSP states: "In the event of an audit failure, the system will automatically shut down to prevent further activity." The assessor finds that while this mechanism is implemented, there is no procedure for alerting administrators about the shutdown. Which assessment finding is most accurate?

Q7

An organization is preparing an Authorization to Operate (ATO) package for the Authorizing Official (AO). The package includes the System Security Plan (SSP), the Security Assessment Report (SAR), and the Plan of Action and Milestones (POA&M). The SAR identifies 5 High, 12 Moderate, and 20 Low findings. The POA&M details a remediation plan for all High and Moderate findings within 180 days. What is the primary purpose of including the POA&M in this package?

Q8

A system categorized as Moderate-Moderate-Moderate is being deployed. The ISSO is reviewing the draft System Security Plan (SSP) and notes that the development team has decided not to implement several applicable controls from the Moderate baseline, citing 'operational constraints'. However, no alternative or compensating controls are documented. What should be the ISSO's immediate next step?

Q9

A university is developing a research portal that will handle controlled unclassified information (CUI) from a federal grant. According to FIPS 199, the potential impact of a loss of confidentiality is assessed as Moderate, loss of integrity as Moderate, and loss of availability as Low. What is the final security categorization for this system?

Q10

After a system receives its ATO, a critical vulnerability is discovered in a core software component. The system owner performs a security impact analysis and determines the change to patch the vulnerability is 'significant'. According to the RMF, what is the most likely consequence of this determination?