The Mango Guide Ver2


Study notes for the (ISC)2 Certified in Governance, Risk and Compliance (CGRC)
Jim Meincke, CISSP, CCSP, CGRC, CISA (infosecsherpa@gmail.com)
Ryan LeVier, CISSP, CGRC, CSAE (ryan.levier@gmail.com)
This document is intended for informal knowledge transfer for private individuals. It cannot be used for commercial endeavors. You may freely copy, distribute and publish under condition of acknowledgement to the original authors. 2023 - Jim Meincke & Ryan LeVier
Table of Contents:
Test Information 2

Domain 1 - Information Security Risk Management Program 3

Domain 2 – Scope of the Information System 7

Domain 3 - Selection and Approval of Security and Privacy Controls 9

Domain 4 - Implementation of Security and Privacy Controls 11

Domain 5 - Assessment/Audit of Security and Privacy Controls 13

Domain 6 - Authorization/Approval of Information System 15

Domain 7 - Continuous Monitoring 16

Appendix A – Official References 17

Appendix B – Unofficial References 18

Appendix C – Glossary 20

Appendix D – Study Tips and Tricks 33

Appendix E – “At A Glance” 35

ANNEX I – Steps of the RMF

Phase 1 – Prepare 36

Phase 2 – Categorize 38

Phase 3 – Implement 39

Phase 4 – Assess 39

Phase 5 – Authorize 40

Phase 6 – Monitor 40
CGRC Examination Information
Length of exam 3 hours
Number of items 125 – Once a question is answered, it cannot be changed or reviewed.
Item format Multiple choice

Passing grade 700 out of 1000 points

CGRC Examination Weights


Domains Weight

1. Information Security Risk Management Program 16%

2. Scope of the Information System 11%

3. Selection and Approval of Security and Privacy Controls 15%

4. Implementation of Security and Privacy Controls 16%

5. Assessment/Audit of Security and Privacy Controls 16%

6. Authorization/Approval of Information System 10%

7. Continuous Monitoring 16%

Total: 100%

The Mango - CGRC Certification Study Guide 2


Domain 1: Information Security Risk Management Program
• NIST SP 800-30 Rev. 1
• NIST SP 800-37 Rev. 2
• NIST SP 800-39
• NIST SP 800-160 Vol. 1
• NIST SP 800-64

1.1 Understand the foundation of an organization's information security risk management program
» Principles of information security: Also known as Information Assurance (IA), this is the practice of protecting against
and managing risks related to the use, processing, storage, and transmission of data and information systems. The
U.S. Department of Defense has promulgated the Five Pillars of Information Assurance model, which covers the
protection of confidentiality, integrity, availability, authenticity, and non-repudiation of user data.
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means
for protecting personal privacy and proprietary information.
• Integrity: Guarding against improper information modification or destruction, and includes ensuring
information non-repudiation and authenticity.
• Availability: Ensuring timely and reliable access to and use of information.
• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the
validity of a transmission, a message, or message originator.
• Non-Repudiation of User Data: A service that is used to provide assurance of the integrity and origin of
data in such a way that the integrity and origin can be verified and validated by a third party as having
originated from a specific entity in possession of the private key (i.e., the signatory).
» Risk Management Frameworks (e.g., the National Institute of Standards and Technology (NIST) Cybersecurity
Framework, Control Objectives for Information and Related Technology (COBIT), International Organization for
Standardization (ISO) 27001, ISO 31000)
» System Development Life Cycle (SDLC) - The scope of activities associated with a system, encompassing the
system's initiation, development and acquisition, implementation, operation and maintenance, and ultimately its
disposal, which in turn often triggers the initiation of a successor system.
• Initiation
• Development / Acquisition
• Implementation
• Operations / Maintenance
• Disposal
» Information system boundary requirements refer to the physical and logical boundaries of an information
system, which define the extent of the system's operation, control, and protection (in the RMF this is the
authorization boundary). Boundary requirements specify the technical and non-technical controls that are necessary
to protect the information system boundary. These controls are based on an assessment of the system's security and
privacy risks, as well as an understanding of the system's mission and business requirements.
» Security controls and practices Understanding the foundation of an organization's information security risk
management program involves understanding the security controls and practices that are in place to protect the
organization's information assets. The following are some key security controls and practices that are typically
included in a comprehensive information security risk management program:
1. Access Controls: Access controls are used to restrict access to sensitive information and systems to only
those individuals who have a legitimate need to access them. This may involve implementing strong
authentication mechanisms, such as multi-factor authentication, and limiting access to systems and data
based on the principle of least privilege.
2. Encryption: Encryption is used to protect data both in transit and at rest. This may involve using encryption
to protect data as it is transmitted across networks, as well as encrypting data that is stored on servers or
other storage media.
3. Patch Management: Patch management involves ensuring that all software and systems are kept up-to-
date with the latest security patches and updates. This helps to prevent known vulnerabilities from being
exploited by attackers.
4. Incident Response: Incident response is the process of responding to security incidents and breaches when
they occur. This may involve implementing incident response plans and procedures, conducting regular
drills and exercises to test those plans, and ensuring that incident response teams are properly trained and
equipped to respond to security incidents.
5. Training and Awareness: Training and awareness programs are used to educate employees and other
stakeholders about the importance of information security and the specific risks and threats facing the
organization. This may involve conducting regular training sessions, distributing security awareness
materials, and promoting a culture of security throughout the organization.
6. Risk Assessment and Management: Risk assessment and management involves identifying and assessing
the risks facing the organization's information assets, and implementing appropriate controls and
safeguards to mitigate those risks. This may involve conducting regular risk assessments, developing risk
management plans, and monitoring the effectiveness of those plans over time.
» Roles and responsibilities in the authorization/approval process: The Risk Management Framework (RMF) is a
structured process used by federal agencies and other organizations to manage security and privacy risks associated
with their information systems. The authorization/approval process is a key step in the RMF, in which the authorizing
official decides whether to authorize the system to operate, and under what terms, based on a comprehensive
assessment of the system's security and privacy risks presented in the authorization package assembled by the
information system owner. The following are common roles and responsibilities in the authorization/approval process
within the RMF:
1. Information System Owner: The information system owner is responsible for identifying and managing the
information system's security and privacy risks. The information system owner provides information and
documentation to support the authorization/approval process and ensures that the system meets the
organization's security requirements.
2. Authorizing Official: The authorizing official is responsible for reviewing and approving the information
system's authorization package. The authorizing official has the authority to make final decisions regarding
the system's authorization to operate and is accountable for the outcomes of those decisions.
3. Security Control Assessor: The security control assessor is responsible for assessing the effectiveness of the
security controls implemented in the information system. The security control assessor provides the results
of the security control assessment to the authorizing official to support the authorization decision.
4. Risk Executive Function: The risk executive function is responsible for overseeing and managing the
organization's risk management activities. The risk executive function provides guidance and support to the
information system owner and authorizing official throughout the authorization/approval process.
5. Information System Security Officer: The information system security officer is responsible for
implementing and maintaining the security controls in the information system. The information system
security officer provides documentation and evidence of the effectiveness of the security controls to
support the authorization decision.

1.2 Understand risk management program processes


» Select program management controls The selection of program management controls is a critical component of
an effective risk management program. Program management controls refer to the policies, procedures, and
mechanisms that are put in place to ensure that the program's objectives are achieved in a manner that is consistent
with the organization's risk management strategy.
In the context of a risk management program, the selection of program management controls involves the following
key steps:
1. Identify Program Management Control Requirements: The first step in selecting program management
controls is to identify the requirements of the program. This involves defining the scope of the program,
identifying the goals and objectives, and establishing the parameters for risk management.
2. Determine the Appropriate Controls: Once the program requirements have been identified, the next step is
to determine the appropriate controls to implement. This involves selecting controls that align with the
program's goals and objectives, and that are appropriate for the level of risk the program is intended to
address.
3. Develop Control Implementation Plan: After determining the appropriate controls, the next step is to
develop a control implementation plan. This plan outlines the steps required to implement the controls,
including assigning responsibilities, setting timelines, and determining the necessary resources.
4. Implement and Monitor Controls: The final step is to implement the program management controls and
monitor their effectiveness. This involves ensuring that the controls are being implemented as planned, and
that they are achieving the desired results.
» Privacy requirements Privacy requirements are an important aspect of a risk management program, particularly in
organizations that collect, store, or process sensitive information. The following are some key steps in addressing
privacy requirements within a risk management program:
1. Identify Privacy Risks: The first step in addressing privacy requirements is to identify the potential privacy
risks associated with the organization's information systems and processes. This involves identifying the
types of personal information that are collected, stored, or processed by the organization, and determining
how that information is used and shared.
2. Define Privacy Requirements: Once the privacy risks have been identified, the next step is to define the
privacy requirements for the organization. This involves determining the privacy controls and safeguards
that are necessary to protect personal information and ensure compliance with applicable privacy laws and
regulations.
3. Implement Privacy Controls: The next step is to implement the privacy controls that have been defined. This
may involve implementing technical safeguards, such as encryption and access controls, as well as
administrative and procedural safeguards, such as policies and training programs.
4. Monitor and Maintain Privacy Controls: Once the privacy controls have been implemented, it is important
to monitor and maintain them to ensure their continued effectiveness. This may involve conducting
periodic privacy risk assessments, reviewing and updating privacy policies and procedures, and conducting
privacy training for employees.
5. Respond to Privacy Incidents: Finally, it is important to have a plan in place to respond to privacy incidents,
such as data breaches or unauthorized access to personal information. This may involve notifying affected
individuals and regulatory authorities, as well as taking steps to mitigate the harm caused by the incident.
» Determine third-party hosted information systems Determining third-party hosted information systems is an
important aspect of a risk management program, particularly in organizations that use cloud services or outsource
their IT operations to third-party providers. The following are some key steps in addressing third-party hosted
information systems within a risk management program:
1. Identify Third-Party Hosted Information Systems: The first step in addressing third-party hosted information
systems is to identify all systems and applications that are hosted by third-party providers. This may involve
conducting an inventory of all IT assets and systems used by the organization, including those that are
hosted in the cloud.

2. Assess Third-Party Providers: Once the third-party hosted information systems have been identified, the
next step is to assess the third-party providers that are hosting those systems. This may involve conducting
due diligence on the provider, reviewing their security and privacy policies and procedures, and assessing
their compliance with applicable laws and regulations.
3. Define Contractual Requirements: After assessing the third-party providers, the next step is to define the
contractual requirements for the services they provide. This may involve negotiating specific provisions
related to security, privacy, and compliance with applicable laws and regulations.
4. Implement Monitoring and Oversight Mechanisms: Once the contractual requirements have been defined,
it is important to implement monitoring and oversight mechanisms to ensure that the third-party providers
are meeting those requirements. This may involve conducting periodic audits or assessments of the
provider's security and privacy controls, as well as monitoring their performance against established service
level agreements.
5. Plan for Continuity and Recovery: Finally, it is important to plan for continuity and recovery in the event of a
disruption or termination of the third-party hosted information systems. This may involve defining backup
and recovery procedures, as well as establishing contingency plans for transitioning to a new provider if
necessary.

1.3 Understand regulatory and legal requirements


» Familiarize with governmental, organizational and international regulatory security and privacy requirements
(e.g., International Organization for Standardization (ISO) 27001, Federal Information Security Modernization Act
(FISMA), Federal Risk and Authorization Management Program (FedRAMP), General Data Protection Regulation
(GDPR), Health Insurance Portability and Accountability Act (HIPAA))
» Familiarize with other applicable security-related mandates

Domain 2: Scope of the Information System
• FIPS 199
• NIST SP 800-60 Vol. 1, Rev.1

2.1 Define the information system


» Determine the scope of the information system: To determine the scope of an information system under the RMF,
the following steps are generally taken:
1. Identify the boundaries of the information system: This involves defining the physical and logical boundaries
of the system, as well as identifying the interfaces between the system and external systems or networks.
2. Identify the system components: This involves identifying the hardware, software, and other components
that make up the information system.
3. Determine the system categorization: This involves determining the potential impact to the organization
and/or individuals if the confidentiality, integrity, or availability of the system or its data were
compromised.
4. Determine the security control baseline: This involves identifying the set of security controls required to
protect the information system based on its categorization.
5. Identify the authorization boundary: This involves defining the boundary within which the system operates,
including any supporting infrastructure or services that are necessary for the system to function.
By completing these steps, the scope of the information system can be defined and the necessary security controls
can be implemented to manage risks associated with its operation and use.
» Describe the architecture (e.g., data flow, internal and external interconnections)
1. Describe the intended purpose of the architecture. What problem is it intended to solve? What
are the key goals and objectives of the architecture?
2. Identify the key components of the architecture, including any hardware, software, networks, and
data involved. Describe how these components interact with one another.
3. If the architecture consists of multiple layers, describe each layer in detail. Explain how data flows
between layers and how each layer contributes to the overall functionality of the architecture.
4. Describe the key design decisions that were made in developing the architecture. What trade-offs
were made? What were the factors that influenced these decisions?
5. Discuss the benefits of the architecture. What advantages does it provide over alternative
approaches? What value does it add to the organization or system it supports?
6. Finally, consider the limitations of the architecture. What are its weaknesses or potential points of
failure? What challenges may arise in implementing or maintaining the architecture over time?
» Describe information system purpose and functionality
1. The first step is to clearly identify the purpose of the information system. This includes
understanding what business need or problem the system is intended to address. Describe the
key objectives, goals, and requirements for the system.
2. Describe the scope of the information system. What business functions or processes does it
support? What are the limits of its functionality or capabilities?
3. Identify the components of the information system, including hardware, software, and any
supporting infrastructure. Describe how these components work together to achieve the system's
purpose.
4. Describe the specific functionality of the information system. This includes explaining how users
interact with the system, what tasks or activities it supports, and what data or information it
produces.
5. Explain the benefits of the information system. What advantages does it provide to the
organization or its users? How does it support the organization's goals or objectives?
6. Finally, consider the limitations of the information system. What are its weaknesses or potential
points of failure? Are there any limitations on its scalability, availability, or security?
2.2 Determine categorization of the information system (FIPS 199)
» Identify the information types processed, stored or transmitted by the information system
1. Determine the purpose of the information system: Understanding the purpose of the information
system is essential to identifying the types of information it processes, stores, or transmits. Ask
questions such as: What business functions or processes does the system support? What are the
goals and objectives of the system?
2. Identify the system components: Identify the hardware, software, and other components that
make up the information system. This will help you understand how information flows through
the system.
3. Review documentation: Review any available documentation related to the information system,
such as system design documents, data flow diagrams, and network diagrams. This will help you
understand the types of data that are processed, stored, or transmitted by the system.
4. Classify the data: Once you have identified the types of data being processed, stored, or
transmitted by the information system, classify the data based on its sensitivity level. This will
help you understand the potential impact of a data breach or compromise.
5. Document the results: Document the types of information processed, stored, or transmitted by
the information system and their corresponding sensitivity levels. This information will be used to
inform security and privacy controls and other risk management activities.
» Determine the impact level on confidentiality, integrity, and availability for each information type
(e.g., Federal Information Processing Standards (FIPS) 199, International Organization for Standardization/
International Electrotechnical Commission (ISO/IEC) 27002, data protection impact assessment). Under FIPS 199
each information type receives a potential impact of LOW, MODERATE, or HIGH for each of the three objectives;
"not applicable" is permitted only for the confidentiality of an information type (e.g., public information).
» Determine information system categorization and document results. The system's category is the high water
mark: for each objective, take the highest impact among all information types the system processes, stores, or
transmits (a system is never "not applicable"; it is at least LOW), and record it in the security plan in the FIPS 199
form SC system = {(confidentiality, impact), (integrity, impact), (availability, impact)}. The overall impact level of the
system, the highest of the three values, selects the NIST SP 800-53B control baseline used in Domain 3.
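The high-water-mark rule is mechanical enough to script, and scripting it makes the edge cases explicit. The following Python is an added example for this guide, not code from the guide or from NIST; the three information types and their impact values are constructed for illustration, and the class and function names are the example's own.

```python
"""FIPS 199 security categorization of an information system by high water mark.

Added example for this study guide, not code from the guide or from NIST. The
information types and their impact values are constructed for illustration;
in practice they come from NIST SP 800-60 Vol. 2 and the system owner's own
analysis.
"""
from typing import Dict, Iterable, List, NamedTuple

# Rank of each FIPS 199 potential impact value; N/A ranks below LOW.
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


class InfoType(NamedTuple):
    """One information type with its provisional impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def normalize(level: str, objective: str) -> str:
    """Validate an impact value. FIPS 199 allows N/A only for the confidentiality
    of an information type (e.g. public information), never for integrity or
    availability."""
    value = level.strip().upper()
    if value not in LEVELS:
        raise ValueError(f"{objective}: impact must be N/A, LOW, MODERATE or HIGH, got {level!r}")
    if value == "N/A" and objective != "confidentiality":
        raise ValueError(f"{objective}: N/A is only permitted for confidentiality")
    return value


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest of the given (already normalized) impact values."""
    return max(levels, key=LEVELS.__getitem__)


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Security category of the system: for each objective, the highest impact
    among all information types it processes, stores or transmits. A system is
    never N/A, so a confidentiality mark of N/A is raised to LOW (FIPS 199)."""
    if not info_types:
        raise ValueError("at least one information type is required")
    sc: Dict[str, str] = {}
    for objective in OBJECTIVES:
        mark = high_water_mark(normalize(getattr(t, objective), objective) for t in info_types)
        sc[objective] = "LOW" if mark == "N/A" else mark
    return sc


def overall_impact(sc: Dict[str, str]) -> str:
    """Overall impact level that selects the SP 800-53B baseline: the high water
    mark across the three objectives (FIPS 200)."""
    return high_water_mark(sc.values())


def format_sc(system_name: str, sc: Dict[str, str]) -> str:
    """Render the category in the FIPS 199 notation used in a security plan."""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"


# Constructed sample: an order-handling system with three information types.
SAMPLE_INFO_TYPES = [
    InfoType("public product catalog", "N/A", "MODERATE", "LOW"),
    InfoType("customer contact records", "MODERATE", "MODERATE", "LOW"),
    InfoType("order processing", "LOW", "MODERATE", "HIGH"),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_INFO_TYPES)
    print(format_sc("order system", category))
    print("overall impact level:", overall_impact(category))
```

Note what the sample shows: no single information type is HIGH on more than one objective, and none of them is HIGH for confidentiality, yet the one HIGH availability value makes the whole system a HIGH-impact system and pulls in the HIGH baseline. That is the usual argument for drawing authorization boundaries so that a small high-availability component does not drag an otherwise MODERATE system up with it.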

Domain 3: Selection and Approval of Security and Privacy Controls
• FIPS 200
• NIST SP 800-53 Rev.5
• NIST SP 800-53B

3.1 Identify and document baseline and inherited controls During the Select step of the RMF, which follows
categorization, identifying and documenting baseline controls means choosing the control baseline that matches the
system's impact level (the LOW, MODERATE, and HIGH baselines are published in NIST SP 800-53B) and referring to the
control catalog, NIST SP 800-53, for the specific controls and enhancements each baseline requires. Controls the
system inherits from a common control provider (e.g., a hosting environment or an enterprise service such as
physical security or identity management) are identified at the same time, so that the system owner does not
re-implement them. The selected controls are then documented in the system's security plan with descriptions,
implementation requirements, and associated guidance or references.
3.2 Select and tailor controls to the system Tailoring a control to a system involves customizing or adjusting the
implementation of a security control to fit the specific characteristics, needs, and requirements of that system.
» Determine applicability of recommended baseline and inherited controls. Evaluate the applicability of each control
within the context of the system. Consider factors such as system functionality, operational environment, system
boundaries, and the sensitivity and criticality of the data being processed or stored.
» Determine appropriate use of control enhancements (e.g., security practices, overlays, countermeasures) To
determine appropriate control enhancements, review security control catalogs, assess system requirements and
risks, and consider cost, feasibility, and expert input. Document the selected control enhancements, implement
them, and monitor their effectiveness to ensure they meet the system's security objectives and address
identified risks.
» Document control applicability - To document control applicability, clearly indicate in the system's security
documentation or security plan which specific controls are applicable, aligning them with the system's
characteristics, risks, and requirements. Provide a concise description of the control's relevance, including any
tailoring or modifications made, and ensure traceability between the controls and associated security
requirements and system components.

3.3 Develop continuous control monitoring strategy (e.g., implementation, timeline, effectiveness) Developing
a continuous control monitoring strategy involves several key steps. First, identify the critical controls that require
continuous monitoring based on their importance to the organization's security objectives and regulatory
requirements. Next, establish a framework for automated control monitoring, including selecting appropriate tools
and technologies to collect relevant data and generate real-time alerts. Develop monitoring procedures and define
metrics or thresholds to track control performance, anomalies, or deviations. Integrate monitoring processes into
existing security operations to ensure timely response and remediation actions. Regularly review and update the
monitoring strategy to adapt to evolving threats, technology changes, and organizational needs. Collaborate with
stakeholders, such as IT teams, compliance officers, and management, to ensure the strategy aligns with
organizational goals and requirements. Lastly, document the monitoring strategy, including roles and
responsibilities, data collection and analysis methods, reporting mechanisms, and the overall governance
framework, to guide implementation and ensure consistent monitoring practices.

3.4 Review and approve security plan/Information Security Management System (ISMS) To review and
approve a security plan or Information Security Management System (ISMS), establish a formal review process
involving key stakeholders and subject matter experts. Conduct a thorough examination of the plan or ISMS
documentation, ensuring it aligns with applicable security standards, regulations, and organizational requirements.
Evaluate the completeness, effectiveness, and feasibility of the proposed security controls, risk management
practices, incident response procedures, and other components outlined in the plan. Seek input and feedback from
relevant parties, address any identified gaps or concerns, and obtain necessary approvals from management or
governance bodies. Document the review and approval process, including the rationale behind decisions, and
ensure that the approved security plan or ISMS is communicated to all relevant stakeholders for implementation
and ongoing compliance monitoring.

Domain 4: Implementation of Security and Privacy Controls
• NIST SP 800-70 Rev. 4

4.1 Implement selected controls


» Determine mandatory configuration settings and verify implementation in accordance with current industry
standards (e.g., Information Technology Security Guidance ITSG-33 – Annex 3A, Technical Guideline for Minimum
Security Measures, United States Government Configuration Baseline (USGCB), National Institute of Standards and
Technology (NIST) checklists, Security Technical Implementation Guides (STIGs), Center for Internet Security (CIS)
benchmarks, General Data Protection Regulation (GDPR))
» Ensure that implementation of controls is consistent with the organizational architecture and associated security
and privacy architecture by conducting a gap analysis, integrating controls into the design process, collaborating with
architects and designers, performing risk assessments, and maintaining consistency over time by reviewing and
updating the security and privacy architecture as needed. This approach keeps the controls aligned with the
organizational structure so that they effectively protect the organization's assets and data.
» Coordinate implementation of inherited controls with control providers by establishing clear communication
channels and agreements with the providers to ensure a shared understanding of roles, responsibilities, and
requirements. Collaborate closely to exchange necessary information, such as control documentation,
implementation guidelines, and monitoring mechanisms. Regularly communicate and coordinate with the control
providers throughout the implementation process, addressing any issues, clarifying expectations, and ensuring
that the controls are effectively implemented, monitored, and maintained in line with the agreed-upon terms.
» Determine and implement compensating/alternate security controls by identifying security controls that
adequately mitigate risks when the originally planned controls cannot be implemented or are deemed insufficient.
This process requires conducting a thorough risk assessment to understand the specific risks and impact, followed
by identifying alternative controls that address those risks effectively. Once identified, these
compensating/alternate controls should be implemented and integrated into the security framework, accompanied
by proper documentation, monitoring, and regular review to ensure their effectiveness in mitigating the identified
risks.
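One way to automate the "verify implementation" half of the first bullet above is a script that parses the configuration actually in place and compares it with the mandatory settings. The following Python is an added example for this guide, not code from the guide or from any benchmark publisher; the sshd_config text is constructed, and the four baseline values are illustrative hardening settings rather than quotations of a particular STIG, CIS Benchmark, or USGCB item. It relies on two facts about sshd_config that a grep-based check gets wrong: when a keyword appears twice, sshd uses the first value, and settings after a Match line apply only to matched sessions, not globally.

```python
"""Verify mandatory configuration settings in an sshd_config and report deviations.

Added example for this study guide, not code from the guide or from any
benchmark publisher. The baseline values are illustrative hardening settings,
not quotations of a specific STIG, CIS Benchmark or USGCB item, and the
sshd_config text is constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample sshd_config. It deliberately contains a commented-out
# setting, a duplicated keyword and a Match block, the three things a naive
# grep-based check gets wrong.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 6
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings as {keyword (lower-case): value}.

    sshd uses the first value it reads for a keyword, so later duplicates are
    ignored, and everything after the first 'Match' line applies only to the
    matched sessions, so it is not part of the global configuration. The
    'Keyword=value' spelling that sshd also accepts is not handled here.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings


@dataclass(frozen=True)
class Requirement:
    keyword: str                   # sshd_config keyword, matched case-insensitively
    accept: Callable[[str], bool]  # True when the configured value is acceptable
    expected: str                  # what the report should say the value must be


@dataclass(frozen=True)
class Finding:
    keyword: str
    status: str            # "pass", "fail" or "missing"
    actual: Optional[str]  # value found in the file, None when absent
    expected: str


# Illustrative baseline (hypothetical values, see the module docstring).
BASELINE: List[Requirement] = [
    Requirement("permitrootlogin", lambda v: v.lower() == "no", "no"),
    Requirement("passwordauthentication", lambda v: v.lower() == "no", "no"),
    Requirement("x11forwarding", lambda v: v.lower() == "no", "no"),
    Requirement("maxauthtries", lambda v: v.isdigit() and int(v) <= 4, "4 or less"),
]


def check_config(text: str, baseline: List[Requirement] = BASELINE) -> List[Finding]:
    """Compare the effective settings with the baseline, one Finding per requirement.

    A keyword that is absent is reported as "missing" rather than "pass": the
    compiled-in default may or may not satisfy the baseline, so the assessor
    wants it set explicitly and documented.
    """
    settings = parse_sshd_config(text)
    findings: List[Finding] = []
    for req in baseline:
        actual = settings.get(req.keyword)
        if actual is None:
            status = "missing"
        elif req.accept(actual):
            status = "pass"
        else:
            status = "fail"
        findings.append(Finding(req.keyword, status, actual, req.expected))
    return findings


def deviations(findings: List[Finding]) -> List[Finding]:
    """Findings that need remediation or a documented, risk-accepted deviation."""
    return [f for f in findings if f.status != "pass"]


if __name__ == "__main__":
    for f in check_config(SAMPLE_SSHD_CONFIG):
        print(f"{f.status:8}{f.keyword:24}actual={f.actual!r:8} expected={f.expected}")
```

On the sample file the report shows PermitRootLogin as a failure (the first value, "yes", is the one sshd honours even though "no" appears later), PasswordAuthentication as a pass (the "yes" inside the Match block does not change the global setting, though it is worth noting in the assessment as a scoped exception), X11Forwarding as missing because the only occurrence is commented out, and MaxAuthTries as a failure. Those three deviations are what the implementer must either fix or record as an accepted risk, with the evidence attached to the security plan.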

4.2 Document control implementation


» Document inputs to the planned controls, their expected behavior, and expected outputs or deviations by
compiling a comprehensive record that outlines the specific inputs required for each control, such as data sources,
configurations, or parameters. Describe the expected behavior or actions of the controls when applied, including
how they are intended to prevent or detect security incidents or deviations from established norms. Additionally,
document the anticipated outputs or expected results, such as generated alerts, reports, or system logs, as well as
any predefined thresholds or criteria for identifying deviations from expected behavior. This documentation ensures
clarity and serves as a reference for control implementation, monitoring, and assessment activities.
» Verify the documented details of the controls meet the purpose, scope and risk profile of the information system
by conducting a comprehensive review and assessment. Evaluate the documented control details against the
system's defined objectives, requirements, and risk assessment results. Ensure that the controls adequately
address the identified risks, align with applicable standards and regulations, and provide the necessary level of
protection for the system's assets and information. Verify the completeness, effectiveness, and relevance of the
documented control details through reviews, audits, or testing, and make necessary adjustments or additions as
needed to ensure a proper fit with the system's purpose, scope, and risk profile.
» Obtain and document implementation details from appropriate organization entities (e.g.,
physical security, personnel security, privacy) by establishing effective communication and
collaboration channels with these entities. Engage in discussions, interviews, or meetings to
gather the necessary information related to their respective domains. Document the
implementation details by recording the specific practices, procedures, policies, and controls
that are implemented by these entities to address physical security, personnel security,
privacy, and other relevant aspects. Ensure the documentation accurately reflects the current
implementation status and is regularly updated to capture any changes or improvements
made by the organization entities.

Domain 5: Assessment/Audit of Security and Privacy Controls
• NIST SP 800-53A Rev.5
• NIST SP 800-137
• NIST SP 800-88
• NIST SP 800-100
• NIST SP 800-128

5.1 Prepare for assessment/audit


» Determine assessor/auditor requirements by considering the following strategies. First, clearly define the scope
and objectives of the assessment or audit, identifying the specific areas, controls, and processes to be evaluated.
Next, assess applicable regulatory and compliance requirements to understand the necessary qualifications,
certifications, or expertise the assessors/auditors should possess. Engage in thorough planning and scoping
discussions with the assessors/auditors to align expectations, timelines, and reporting formats. Establish clear
communication channels and provide access to relevant documentation, systems, and personnel to support their
assessments. Regularly review and update the requirements based on changing regulatory landscapes and lessons
learned from previous assessments or audits.
» Establish objectives and scope by clearly defining the purpose and goals of the project or initiative, identifying
what you aim to achieve. Engage key stakeholders and subject matter experts to gather input and ensure their
perspectives are considered. Conduct a comprehensive analysis of the project requirements, risks, and constraints to
define the scope and boundaries. Prioritize objectives based on their importance and feasibility. Document the
objectives and scope in a concise and easily understandable manner, ensuring alignment with organizational goals
and stakeholder expectations. Regularly review and refine the objectives and scope as needed to adapt to evolving
needs and circumstances throughout the project lifecycle.
» Determine methods and level of effort by conducting a comprehensive review of applicable regulatory
requirements and industry standards to understand the assessment scope; engaging with internal stakeholders to
gather insights on the organization's processes, controls, and risks; leveraging past assessment experiences and
lessons learned to inform the planning process; collaborating with experienced assessors or auditors to gain their
expertise and insights on best practices; conducting a risk assessment to identify critical areas and prioritize efforts
accordingly; and developing a detailed project plan that outlines the specific tasks, timelines, and resource
requirements needed for the assessment or audit. Regular communication and coordination with the assessment
team and relevant stakeholders throughout the planning process is essential to ensure a well-defined and
appropriately resourced effort.
» Determine necessary resources and logistics by identifying the specific requirements of the assessment, such as
the scope, timeframe, and expertise needed, and assess the availability and suitability of resources including
personnel, tools, documentation, and access to systems or facilities, ensuring their alignment with the assessment
objectives and compliance requirements.
» Collect and review artifacts (e.g., previous assessments/audits, system documentation, policies)
» Finalize the assessment/audit plan

5.2 Conduct assessment/audit


» Collect and document assessment/audit evidence: Collecting and documenting assessment and audit evidence
involves systematically gathering relevant data, records, and documentation that support the evaluation of controls,
compliance, and effectiveness. This evidence should be accurately and comprehensively documented, ensuring
traceability, confidentiality, integrity, and availability, and be aligned with established audit methodologies and
regulatory requirements.



» Assess/audit implementation and validate compliance using approved assessment methods (e.g.,
interview, test and examine or T.I.E.)

5.3 Prepare the initial assessment/audit report


» Analyze assessment/audit results and identify vulnerabilities by assessing their potential impact on the system's
security posture. This analysis helps prioritize remediation efforts and develop appropriate mitigation strategies to
address identified weaknesses.
» Propose remediation actions by prioritizing them based on the severity and potential impact of the identified
vulnerabilities. Provide clear and actionable recommendations, including specific steps or controls to implement,
along with a timeline for completion. Consider the organization's resources, feasibility, and any regulatory or
compliance requirements that may influence the remediation approach.

5.4 Review initial assessment/audit report and perform remediation actions


» Determine risk responses
Acceptance: Accepting the identified risks without taking further action, typically applicable when the risks are
within acceptable tolerance levels or the cost of mitigation outweighs the potential impact.
Mitigation: Implementing controls or measures to reduce the likelihood or impact of identified risks. This may
involve enhancing security controls, implementing new policies or procedures, or improving training and awareness
programs.
Transfer: Transferring the risks to third parties through insurance, contracts, or outsourcing arrangements. This
shifts the responsibility of managing the risks to external entities.
Avoidance: Taking steps to eliminate or avoid the risks entirely. This can involve making strategic decisions such as
discontinuing certain activities, decommissioning vulnerable systems, or redesigning processes.
Monitoring: Implementing monitoring mechanisms to closely track the identified risks and detect any changes or
new vulnerabilities. This enables proactive risk management and timely response to emerging threats.
» Apply remediations by implementing the recommended actions to address identified vulnerabilities or
weaknesses. This typically includes implementing security controls, patches or updates, process improvements,
policy changes, or other corrective measures.
» Reassess and validate the remediated controls by conducting a thorough evaluation to ensure that the
implemented controls effectively address the identified vulnerabilities or weaknesses. This step typically includes
reviewing documentation, performing testing or verification activities, and assessing the overall effectiveness of the
remediation efforts.

5.5 Develop final assessment/audit report


5.6 Develop remediation plan
» Analyze identified residual vulnerabilities or deficiencies
» Prioritize responses based on risk level
» Identify resources (e.g., financial, personnel, and technical) and determine the appropriate timeframe/schedule
required to remediate deficiencies



Domain 6: Authorization/Approval of Information System
• NIST SP 800-37 Rev. 2

6.1 Compile security and privacy authorization/approval documents


» Compile required security and privacy documentation to support authorization/approval decision by the
designated official
6.2 Determine information system risk
» Evaluate information system risk. Identify and assess potential threats, vulnerabilities, and impacts associated with
the information system. Analyze the likelihood and potential consequences of these risks. Consider existing controls
and safeguards in place and their effectiveness. Quantify and prioritize risks based on their severity, likelihood, and
potential impact. Document the risk assessment results and use them to inform decision-making, risk mitigation
strategies, and resource allocation to manage and reduce the identified risks.
» Determine risk treatment options (i.e., accept, avoid, transfer, mitigate, share)
» Determine residual risk by assessing the effectiveness of existing controls in mitigating identified risks. Evaluate the
likelihood and potential impact of risks that remain after the implementation of controls. Consider any residual
vulnerabilities or deficiencies that could contribute to the overall risk level. Quantify and prioritize the residual risks based
on their severity, likelihood, and potential impact. Document the residual risk assessment results and use them to inform
risk management decisions and the development of additional risk mitigation strategies, if necessary.

6.3 Authorize/approve information system


» Determine terms of authorization/approval – are there any special restrictions, are there any conditions of
approval that must be met? Is there a requirement to show proof of compliance?



Domain 7: Continuous Monitoring
• NIST SP 800-37 Rev. 2
• NIST SP 800-53 Rev.5
• NIST SP 800-137
• NIST SP 800-88
• NIST SP 800-100
• NIST SP 800-128

7.1 Determine impact of changes to information system and environment


» Identify potential threat and impact to operation of information system and environment
» Analyze risk due to proposed changes accounting for organizational risk tolerance
» Approve and document proposed changes (e.g., Change Control Board (CCB), technical review board)
» Implement proposed changes
» Validate changes have been correctly implemented
» Ensure change management tasks are performed

7.2 Perform ongoing assessments/audits based on organizational requirements


» Monitor network, physical and personnel activities (e.g., unauthorized assets, personnel and related activities)
» Ensure vulnerability scanning activities are performed
» Review automated logs and alerts for anomalies (e.g., security orchestration, automation and response)

7.3 Review supply chain risk analysis monitoring activities (e.g., cyber threat reports, agency reports,
news reports)
7.4 Actively participate in response planning and communication of a cyber event
» Ensure response activities are coordinated with internal and external stakeholders
» Update documentation, strategies and tactics incorporating lessons learned

7.5 Revise monitoring strategies based on changes to industry developments introduced through legal,
regulatory, supplier, security and privacy updates
7.6 Keep designated officials updated about the risk posture for continuous authorization/approval
» Determine ongoing information system risk
» Update risk register, risk treatment and remediation plan

7.7 Decommission information system


» Determine information system decommissioning requirements
» Communicate decommissioning of information system
» Remove information system from operations



Appendix A – (ISC)2 Official References
ISC2’s list of references can be found here: www.isc2.org/certifications/References

Information Security Risk Management for ISO 27001/ISO 27002, 3rd Edition by Alan Calder,
Steve Watkins. Publisher: IT Governance Publishing. (Aug, 2019).
ISO 27001/ISO 27002 A Pocket Guide, 2nd Edition by Chris Davis, Mike Kegerreis, Mike Schiller.
Publisher: McGraw-Hill. (Oct, 2013).
IT Auditing Using Controls to Protect Information Assets, 3rd Edition by Mike Kegerreis, Mike
Schiller, Chris Davis. Publisher: McGraw-Hill Education. (Oct, 2019).
NIST FIPS-199, Standards for Security Categorization of Federal Information and Information
Systems by U.S. Dept. of Commerce. (Feb, 2004).
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment by Karen
Scarfone, Murugiah Souppaya, Amanda Cody, Angela Orebaugh. (Sep, 2008).
NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information
Systems and Organizations by Kelley Dempsey, Nirali Shah Chawla, Arnold Johnson, Ronald
Johnston, Alicia Clay Jones, Angela Orebaugh, Matthew Scholl, Kevin Stine. (Sep, 2011).
NIST SP 800-160, Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary
Approach in the Engineering of Trustworthy Secure Systems by Ron Ross, Michael McEvilley, Janet
Carrier Oren. (Mar, 2018).
NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessments by Joint Task Force Transformation
Initiative. (Sep, 2012).
NIST SP 800-37, Rev. 2, Risk Management Framework for Information Systems and Organizations:
A System Life Cycle Approach for Security and Privacy by Joint Task Force Transformation Initiative.
(Dec, 2018).
NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information
System View by Joint Task Force Transformation Initiative. (Mar, 2011).
NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations
by Joint Task Force Transformation Initiative. (Sep, 2020).
NIST SP 800-53B, Control Baselines for Information Systems and Organizations by Joint Task Force
Transformation Initiative. (Oct, 2020).
NIST SP 800-60, Vol. 1, Rev. 1, Guide for Mapping Types of Information and Information Systems
to Security Categories by Kevin Stine, Rich Kissel, William C. Barker, Jim Fahlsing, Jessica Gulick.
(Aug, 2008).



NIST SP 800-70, Rev. 4, National Checklist Program for IT Products: Guidelines for Checklist Users
and Developers by Stephen D. Quinn, Murugiah Souppaya, Melanie Cook, Karen Scarfone. (Sep,
2020).
NIST SP 800-88, Guidelines for Media Sanitization by Richard Kissel, Andrew Regenscheid, Matthew
Scholl, Kevin Stine. (Dec, 2014).

Supplementary References
Candidates are encouraged to supplement their education and experience by reviewing relevant
resources that pertain to the CBK and identifying areas of study that may need additional attention.
See the unofficial resources Appendix for possible resources.



Appendix B – Unofficial CGRC References

NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
This publication assists organizations in understanding the purpose, process, and format of ISCP development through practical, real-world guidelines. While the principles establish a baseline to meet most organizational needs, it is recognized that each organization may have additional requirements specific to its own operating environment. This guidance document provides background information on interrelationships between information system contingency planning and other types of security and emergency management-related contingency plans, organizational resiliency, and the system development life cycle (SDLC). The document provides guidance to help personnel evaluate information systems and operations to determine contingency planning requirements and priorities.
This document is published by NIST as recommended guidelines for federal organizations. To assist personnel responsible for developing contingency plans, this document discusses common technologies that may be used to support contingency capabilities. Given the broad range of information system designs and configurations, as well as the rapid development and obsolescence of products and capabilities, the scope of the discussion is not intended to be comprehensive. Rather, the document describes technology practices to enhance an organization’s information system contingency planning capabilities. These guidelines present contingency planning principles for the following common platform types:

NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems
Federal agencies are responsible for “including policies and procedures that ensure compliance with minimally acceptable system configuration requirements, as determined by the agency” within their information security program. Managing system configurations is also a minimum security requirement identified in [FIPS 200] and NIST [SP 800-53] defines controls that support this requirement. In addition to general guidelines for ensuring that security considerations are integrated into the CM process, this publication provides guidelines for implementation of the Configuration Management family of controls defined in NIST [SP 800-53] (CM-1 through CM-9).
This publication is intended to provide guidelines for organizations responsible for managing and administrating the security of federal information systems and associated environments of operation. For organizations responsible for the security of information processed, stored, and transmitted by external or service-oriented environments (e.g., cloud service providers), the configuration management concepts and principles presented here can aid organizations in establishing assurance requirements for suppliers providing external information technology services.

NIST SP 800-59, Guidelines for Identifying an Information System as a National Security System
Provides guidelines developed in conjunction with the Department of Defense, including the National Security Agency, for identifying an information system as a national security system.
This document provides guidelines developed in conjunction with the Department of Defense, including the National Security Agency, for identifying an information system as a national security system. The basis for these guidelines is the Federal Information Security Management Act of 2002 (FISMA, Title III, Public Law 107-347, December 17, 2002), which provides government-wide requirements for information security, superseding the Government Information Security Reform Act and the Computer Security Act. In addition to defining the term national security system, FISMA amended the NIST Act, at 15 U.S.C. 278g-3(b)(3), to require NIST to provide guidelines for identifying an information system as a national security system.

NIST 800-64, Security Considerations in the System Development Lifecycle (SDLC)
Research because mentioned in RMF Guide - Security considerations in the SDLC.
Withdrawn - Reference NIST 800-161 Vol. Rev. 1.

NIST 800-161 Vol. 1 Rev 1, Engineering Trustworthy Secure Systems
Successor to SDLC.
This publication describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. Such principles, concepts, activities, and tasks can be effectively applied within systems engineering efforts to foster a common mindset to deliver security for any system, regardless of the system’s purpose, type, scope, size, complexity, or the stage of its system life cycle. The intent of this publication is to advance systems engineering in developing trustworthy systems for contested operational environments (generally referred to as systems security engineering) and to serve as a basis for developing educational and training programs, professional certifications, and other assessment criteria.

Reddit Subforum for ISC2 CGRC (Online / Social Media Support) - An online community to discuss aspects of certification and seek assistance with concepts. https://www.reddit.com/r/ISC2CAP/
Certification Station on Discord (Online / Social Media Support) - An online community with real time chat to discuss aspects of certification and seek assistance with concepts. https://discord.gg/certstation
ISC2 CAP CBK, Paul J. Howard - This CBK is out of date. Based on NIST 800-37 Rev. 1, this CBK is due for a new edition. https://a.co/d/bwLC2kU
Quizlet (Knowledge Verification) - Practice tests to help with the application of study guide material. https://quizlet.com/518626055/isc2-cap-practice-test-questions-201-230-flash-cards/?funnelUUID=d86788a6-c696-4874-aec1-4503ae56f6c2
Udemy (Knowledge Verification) - Practice tests to help with the application of study guide material. https://www.udemy.com/course/cap-practice-exam-based-on-nist-sp-800-37-rev-2-experience-j/learn/quiz/5102362/test#overview
FITSI Federal Body of Knowledge Guide (Tying it all together) - An Overview of the Federal Body of Knowledge (FBK) for the Federal IT Security Professional (FITSP) Certification Program. https://www.fitsi.org/documents/FITSI%20Federal%20Body%20of%20Knowledge%20Guide.pdf
NIST RMF Roles & Responsibilities (YouTube Tutorial) - ARECyber LLC @ CyberassureHuntsville - Video Series on RMF. https://www.youtube.com/watch?v=SBrBmSfUz2Y
NIST RMF Risk Analysis Process (YouTube Tutorial) - ARECyber LLC @ CyberassureHuntsville - Video Series on RMF. https://www.youtube.com/watch?v=fX3L2N_T4Sc
NIST RMF Step 1 Categorize (YouTube Tutorial) - ARECyber LLC @ CyberassureHuntsville - Video Series on RMF. https://www.youtube.com/watch?v=8QCHsNHHOTg
NIST RMF Step 2 Select (YouTube Tutorial) - ARECyber LLC @ CyberassureHuntsville - Video Series on RMF. https://www.youtube.com/watch?v=OjqnpxHpUbE
NIST RMF Step 3 Implement (YouTube Tutorial) - ARECyber LLC @ CyberassureHuntsville - Video Series on RMF. https://www.youtube.com/watch?v=GQf7VryPJa0
NIST RMF Step 4 Assess (YouTube Tutorial) - ARECyber LLC @ CyberassureHuntsville - Video Series on RMF. https://www.youtube.com/watch?v=twyl8RaoTtQ
NIST RMF Step 5 Authorize (YouTube Tutorial) - ARECyber LLC @ CyberassureHuntsville - Video Series on RMF. https://www.youtube.com/watch?v=xuJtp0N7feg
NIST RMF Step 6 Monitor (YouTube Tutorial) - ARECyber LLC @ CyberassureHuntsville - Video Series on RMF. https://www.youtube.com/watch?v=0htc0gUp1kA

Appendix C - Glossary
Adequate Security Security protections commensurate with the risk resulting from the unauthorized
access, use, disclosure, disruption, modification or destruction of the information. This includes
ensuring that information hosted on behalf of an agency and information systems and applications
used by the agency operate effectively and provide confidentiality, integrity and availability
protection through the application of cost-effective security controls.

Allocation The process an organization employs to assign security or privacy requirements to an
information system or its environment of operation; or to assign controls to specific system elements
responsible for providing a security or privacy capability (e.g., router, server, remote sensor).

Application A software program hosted by an information system.

Assessment See: Control Assessment

Assessor The individual, group or organization responsible for conducting a security or privacy
assessment.

Asset System and subsystem components that must be protected, including but not limited to: all
hardware, software, data, personnel, supporting physical environment and environmental systems,
administrative support and supplies.

Authorization Boundary All components of an information system to be authorized for operation by
an authorizing official. This excludes separately authorized systems to which the information system
is connected.

Authorizing Official (AO) A senior federal official or executive with the authority to authorize (i.e.,
assume responsibility for) the operation of an information system or the use of a designated set of
common controls at an acceptable level of risk to agency operations (including mission, functions,
image or reputation), agency assets, individuals, other organizations and the nation.

Authorizing Official Designated Representative (AO DR) An organizational official acting on behalf of
an authorizing official in carrying out and coordinating the required activities associated with the
authorization process.

Authorization Package The essential information that an authorizing official uses to determine
whether to authorize the operation of an information system or the provision of a designated set of
common controls. At a minimum, the authorization package includes an executive summary, system
security plan, privacy plan, security control assessment, privacy control assessment as well as any
relevant plans of action and milestones.

Authorization to Operate (ATO) The official management decision given by one or more senior
federal officials to authorize operation of an information system and to explicitly accept the risk to
agency operations (including mission, functions, image, or reputation), agency assets, individuals,
other organizations and the nation, based on the implementation of an agreed-upon set of security
and privacy controls. Authorization also applies to common controls inherited by agency information
systems.



Authorization to Use (ATU) The official management decision given by an authorizing official to
authorize the use of an information system, service or application based on the information in an
existing authorization package generated by another organization, and to explicitly accept the risk to
agency operations (including mission, functions, image, or reputation), agency assets, individuals,
other organizations and the nation, based on the implementation of an agreed-upon set of controls
in the system, service or application.

Availability Ensuring timely and reliable access to and use of information.

Baseline See: Control Baseline

Baseline Configuration A documented set of specifications for a system, or a configuration item
within a system, that has been formally reviewed and agreed on at a given point in time, and which
can be changed only through change control procedures.

Capability A combination of mutually reinforcing controls implemented by technical means, physical
means and procedural means. Such controls are typically selected to achieve a common information
security or privacy purpose.

Change Control Process for controlling modifications to hardware, firmware, software and
documentation to protect the information system against improper modifications before, during and
after system implementation.

Chief Information Officer (CIO) The senior official that provides advice and other assistance to the
head of the agency and other senior management personnel of the agency to ensure that IT is
acquired and information resources are managed for the agency in a manner that achieves the
agency's strategic goals and is responsible for ensuring agency compliance with, and prompt,
efficient and effective implementation of, the information policies and information resources
management responsibilities, including the reduction of information collection burdens on the
public.

Chief Information Security Officer (CISO) See Senior Agency Information Security Officer

Clear A method of sanitization by applying logical techniques to sanitize data in all user-addressable
storage locations for protection against simple non-invasive data recovery techniques using the same
interface available to the user; typically applied through the standard read and write commands to
the storage device, such as by re-writing with a new value or using a menu option to reset the device
to the factory state (where re-writing is not supported).

Common Control (CC) A security or privacy control that is inherited by multiple information systems
or programs.

Common Control Provider (CCP) An organizational official responsible for the development,
implementation, assessment and monitoring of common controls (i.e., controls inheritable by
organizational systems).

Common Criteria Governing document that provides a comprehensive, rigorous method for
specifying security function and assurance requirements for products and systems.



Compensating Controls The security and privacy controls implemented in lieu of the controls in the
baselines described in NIST Special Publication 800-53 that provide equivalent or comparable
protection for a system or organization.

Confidentiality Preserving authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information.

Configuration The possible conditions, parameters and specifications with which an information
system or system component can be described or arranged.

Configuration Control Process for controlling modifications to hardware, firmware, software and
documentation to protect the information system against improper modifications before, during and
after system implementation.

Configuration Control Board A group of qualified people with responsibility for the process of
regulating and approving changes to hardware, firmware, software, and documentation throughout
the development and operational lifecycle of an information system.

Configuration Item An aggregation of system components that is designated for configuration
management and treated as a single entity in the configuration management process.

Configuration Management A collection of activities focused on establishing and maintaining the
integrity of information technology products and systems, through control of processes for
initializing, changing and monitoring the configurations of those products and systems throughout
the system development life cycle.

Configuration Management Plan A comprehensive description of the roles, responsibilities, policies
and procedures that apply when managing the configuration of products and systems.

Configuration Settings The set of parameters that can be changed in hardware, software or firmware
that affect the security posture and/or functionality of the system.

Continuous Monitoring Maintaining ongoing awareness to support organizational risk decisions.

Continuous Monitoring Program A program established to collect information in accordance with
pre-established metrics, utilizing information readily available in part through implemented security
controls. Note: Privacy and security continuous monitoring strategies and programs can be the same
or different strategies and programs.

Control See security control and privacy control.

Control Assessment The testing or evaluation of the controls in an information system or an
organization to determine the extent to which the controls are implemented correctly, operating as
intended and producing the desired outcome with respect to meeting the security or privacy
requirements for the system or the organization.

Control Assessor The individual, group or organization responsible for conducting a control
assessment. See assessor.



Control Baseline The set of controls that are applicable to information or an information system to
meet legal, regulatory or policy requirements, as well as address protection needs for the purpose of
managing risk.

Control Enhancement Augmentation of a control to build in additional, but related, functionality to
the control, increase the strength of the control or add assurance to the control.

Control Effectiveness A measure of whether a given control is contributing to the reduction of
information security or privacy risk.

Destroy A method of sanitization that renders target data recovery infeasible using state-of-the-art
laboratory techniques and results in the subsequent inability to use the media for storage of data.

Disposal A release outcome following the decision that media does not contain sensitive data. This
occurs either because the media never contained sensitive data or because sanitization techniques
were applied, and the media no longer contains sensitive data.

Enterprise An organization with a defined mission / goal and a defined boundary, using systems to
execute that mission, and with responsibility for managing its own risks and performance. An
enterprise may consist of all or some of the following business aspects: acquisition, program
management, human resources, financial management, security, as well as systems, information and
mission management. See organization.

Enterprise Architecture A strategic information asset base, which defines the mission; the
information necessary to perform the mission; the technologies necessary to perform the mission;
and the transitional processes for implementing new technologies in response to changing mission
needs; and includes a baseline architecture; a target architecture; and a sequencing plan.

Environment of Operation The physical surroundings in which an information system processes,
stores and transmits information.

Federal Enterprise Architecture (FEA) A business-based framework for government-wide
improvement developed by the Office of Management and Budget that is intended to facilitate
efforts to transform the federal government to one that is citizen-centered, results-oriented and
market-based.

Federal Information Security Management Act (FISMA) A United States federal law that establishes
a framework for managing information security and risk within federal government agencies. It
requires federal agencies to develop and implement comprehensive security programs, conduct
regular risk assessments, and provide oversight to ensure the confidentiality, integrity, and
availability of information systems and data.

Federal Information System An information system used or operated by an executive agency, by a
contractor of an executive agency, or by another organization on behalf of an executive agency.

Hardware The material physical components of a system. See software and firmware



High Impact Level The loss of CIA that could be expected to have a severe or catastrophic adverse
effect on organizational operations, organizational assets, individuals, other organizations or the
nation.

High-Impact System A system in which at least one security objective (i.e., confidentiality, integrity
or availability) is assigned a FIPS publication 199 potential impact value of high.

High Value Assets resources or components within an organization that possess significant
importance, worth, or criticality. These assets are typically valuable to the organization's operations,
objectives, or mission, and their compromise, loss, or unauthorized access could result in severe
consequences.

High Water Mark For an information system, the potential impact values assigned to the respective
security objectives (confidentiality, integrity, availability) shall be the highest values (i.e., high water
mark) from among those security categories that have been determined for each type of information
resident on the information system.

Hybrid Control A security or privacy control that is implemented for an information system in part as
a common control and in part as a system-specific control.

Impact With respect to security, the effect on organizational operations, organizational assets,
individuals, other organizations or the nation (including the national security interests of the United
States) of a loss of confidentiality, integrity or availability of information or a system. With respect
to privacy, the adverse effects that individuals could experience when an information system
processes their PII.

Impact Level See impact value

Impact Value The assessed worst-case potential impact that could result from a compromise of the
confidentiality, integrity, or availability of information expressed as a value of low, moderate or high.

Independent Verification and Validation A comprehensive review, analysis and testing (software
and/or hardware) performed by an objective third party to confirm (i.e., verify) that the
requirements are correctly defined, and to confirm (i.e., validate) that the system correctly
implements the required functionality and security requirements.

Information Any communication or representation of knowledge such as facts, data or opinions in
any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic or
audiovisual forms.

Information Life Cycle The stages through which information passes, typically characterized as
creation or collection, processing, dissemination, use, storage and disposition, to include destruction
and deletion. "Life cycle" typically appears as two words in NIST publications, but as one word in ISO
standards.

Information Owner (IO) Official with statutory or operational authority for specified information and
responsibility for establishing the controls for its generation, collection, processing, dissemination
and disposal.



Information Owner or Steward See Information Owner and Information Steward

Information Security The protection of information systems from unauthorized access, use,
disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and
availability.

Information Security Architecture An embedded integral part of the enterprise architecture that
describes the structure and behavior of the enterprise security processes, security systems,
personnel and organizational subunits, showing their alignment with the enterprise's mission and
strategic plans. See security architecture.

Information Security Management System (ISMS) Compilation of processes and management
structure that preserves the confidentiality, integrity and availability of information by applying a risk
management process and gives confidence to interested parties that risks are adequately managed.
The ISO 27001 standard defines the components of the ISMS.

Information System Owner (ISO) The organizational official responsible for the development,
implementation, assessment and monitoring of security controls in an information system.

Information Systems Security Officer (ISSO) The individual responsible for the security of an
information system: managing all security aspects of the system and assembling the security
authorization (accreditation) package, while serving as the point of contact for the Security Control
Assessor (SCA).

Information Security Risk The risk to organizational operations (including mission, functions, image,
reputation), organizational assets, individuals, other organizations and the nation due to the
potential for unauthorized access, use, disclosure, disruption, modification or destruction of
information and/or systems.

Information Steward An agency official with statutory or operational authority for specified
information and responsibility for establishing the controls for its generation, collection, processing,
dissemination and disposal.

Information System A discrete set of information resources organized for the collection, processing,
maintenance, use, sharing, dissemination or disposition of information.

Information Technology (IT) Any services, equipment, or interconnected system(s) or subsystem(s)
of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation,
management, movement, control, display, switching, interchange, transmission or reception of data
or information by the agency. For purposes of this definition, such services or equipment are "used by
the agency" if used by the agency directly, or if used by a contractor under a contract with the agency
that requires their use, or requires their use to a significant extent in the performance of a service or
the furnishing of a product. Information technology includes computers, ancillary equipment
(including imaging peripherals, input, output and storage devices necessary for security and
surveillance), peripheral equipment designed to be controlled by the central processing unit of a
computer, software, firmware and similar procedures, services (including cloud computing and
help-desk services or other professional services which support any point of the life cycle of the
equipment or service) and related resources.



Information technology does not include any equipment that is acquired by a contractor incidental to
a contract which does not require its use.

Information Type A specific category of information (e.g., privacy, medical, proprietary, financial,
investigative, contractor-sensitive, security management) defined by an organization or in some
instances, by a specific law, executive order, directive, policy or regulation.

Inheritance A situation in which a system or application receives protection from controls (or
portions of controls) that are developed, implemented, assessed, authorized and monitored by
entities other than those responsible for the system or application; entities either internal or external
to the organization where the system or application resides. NIST refers to this term as "Control
Inheritance." See: Common Control

Integrity Guarding against improper information modification or destruction and includes ensuring
information non-repudiation and authenticity.

Likelihood The state or fact of something being likely; probability. In NIST SP 800-30 usage, the
likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given
threat is capable of exploiting a given vulnerability (or set of vulnerabilities).

Likelihood Value The assessed probability that a threat event will occur and result in adverse impact,
taking into account the threat source's capability and intent and the vulnerabilities present, expressed
as a qualitative value such as low, moderate or high. Not to be confused with impact value, which
rates the severity of the harm rather than the chance of it occurring.

Low-Impact System A system in which all three security objectives (i.e., confidentiality, integrity and
availability) are assigned a FIPS Publication 199 potential impact value of low.

Moderate-Impact System A system in which at least one security objective (i.e., confidentiality,
integrity or availability) is assigned a FIPS publication 199 potential impact value of moderate.
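The high water mark rule and the low-, moderate- and high-impact system definitions above, carried through as an added worked example (Python; this code is not part of the study guide and the information types, names and impact values it uses are constructed for illustration, not taken from NIST SP 800-60). It categorizes each information type resident on a system, takes the per-objective high water mark to produce the FIPS 199 security category of the system, and then derives the overall impact level. It also enforces the FIPS 199 rule that "not applicable" is only permitted for the confidentiality of an information type, never for a system-level category:

```python
# Added example (not from the study guide): FIPS 199 security categorization
# of an information system using the high water mark across its information
# types. Sample information types and impact values below are constructed for
# illustration, not taken from NIST SP 800-60.
from dataclasses import dataclass
from typing import Dict, Iterable

OBJECTIVES = ("confidentiality", "integrity", "availability")
# Ordinal ranking of FIPS 199 potential impact values. "n/a" is only permitted
# for the confidentiality of an information type (e.g. public information);
# it is never a valid value for a system-level security category.
RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
VALUE = {rank: value for value, rank in RANK.items()}


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type resident on the system."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective).lower()
            if level not in RANK:
                raise ValueError(f"{self.name}: invalid {objective} value {level!r}")
            if level == "n/a" and objective != "confidentiality":
                raise ValueError(f"{self.name}: 'n/a' is only allowed for confidentiality")


def system_category(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Apply the high water mark: for each objective, take the highest value
    among all information types. A system category is at least 'low' for every
    objective, so an all-'n/a' confidentiality column becomes 'low'."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must host at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max(RANK[getattr(t, objective).lower()] for t in types)
        category[objective] = VALUE[max(highest, RANK["low"])]
    return category


def impact_level(category: Dict[str, str]) -> str:
    """Overall impact level of the system: low only if all three objectives are
    low, high if at least one objective is high, otherwise moderate."""
    return VALUE[max(RANK[category[o]] for o in OBJECTIVES)]


def format_category(system_name: str, category: Dict[str, str]) -> str:
    """Render in the FIPS 199 notation used in categorization documents."""
    parts = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: a public-facing portal that also stores account PII.
SAMPLE_INFO_TYPES = [
    InfoType("Public web content", "n/a", "moderate", "moderate"),
    InfoType("Customer account PII", "moderate", "moderate", "low"),
    InfoType("Service status telemetry", "low", "low", "moderate"),
]

if __name__ == "__main__":
    sc = system_category(SAMPLE_INFO_TYPES)
    print(format_category("Customer Portal", sc))
    print("Overall impact level:", impact_level(sc))
```

For the constructed sample the high water mark lifts every objective to moderate even though no single information type is moderate across the board, which is exactly why the system is a moderate-impact system and draws the moderate baseline during Select. Note that the overall impact level is never lower than the highest single objective, so one high-impact information type on an otherwise low system makes it a high-impact system.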

National Security System Any system (including any telecommunications system) used or operated
by an agency or by a contractor of an agency, or other organization on behalf of an agency - (i) the
function, operation or use of which involves intelligence activities related to national security;
involves command and control of military forces; involves equipment that is an integral part of a
weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions
(excluding a system that is to be used for routine administrative and business applications, for
example: payroll, finance, logistics and personnel management applications); or (ii) is protected at all
times by procedures established for information that have been specifically authorized under criteria
established by an Executive Order or an Act of Congress to be kept classified in the interest of
national defense or foreign policy.

Organization An entity of any size, complexity, or positioning within an organizational structure (e.g.,
federal agencies, private enterprises, academic institutions, state, local, or tribal governments or, as
appropriate, any of their operational elements).

Organization Defined Control Parameter The variable part of a control or control enhancement that
can be instantiated by an organization during the tailoring process by either assigning an
organization defined value or selecting a value from a pre-defined list provided as part of the control
or control enhancement.



Organizationally Tailored Control Baseline A control baseline tailored for a defined notional (type of)
information system using overlays and/or system-specific control tailoring and intended for use in
selecting controls for multiple systems within one or more organizations. See Also: Tailoring

Overlay A specification of security or privacy controls, control enhancements, supplemental
guidance and other supporting information employed during the tailoring process, that is intended to
complement (and further refine) security control baselines. The overlay specification may be more
stringent or less stringent than the original security control baseline specification and can be applied
to multiple information systems.

Personally Identifiable Information (PII) Information that can be used to distinguish or trace an
individual's identity, either alone or when combined with other information that is linked or linkable
to a specific individual.

Plan of Action and Milestones (POA&M) A document that identifies tasks needing to be accomplished.
It details the resources required to accomplish the elements of the plan, any milestones in meeting the
tasks and scheduled completion dates for the milestones.

Potential Impact The loss of confidentiality, integrity or availability could be expected to have a
limited adverse effect (FIPS Publication 199 low); a serious adverse effect (FIPS Publication 199
Moderate); or a severe or catastrophic adverse effect (FIPS Publication 199 High) on organizational
operations, organizational assets or individuals.

Privacy Architect Individual, group or organization responsible for ensuring that the system privacy
requirements necessary to protect individuals' privacy are adequately addressed in all aspects of
enterprise architecture including reference models, segment and solution architectures, and
information systems processing PII.

Privacy Architecture An embedded, integral part of the enterprise architecture that describes the
structure and behavior for an enterprise's privacy protection processes, technical measures,
personnel and organizational sub-units, showing their alignment with the enterprise's mission and
strategic plans.

Privacy Control The administrative, technical, and physical safeguards employed within an agency to
ensure compliance with applicable privacy requirements and manage privacy risks. Note: Controls
can be selected to achieve multiple objectives; those controls that are selected to achieve both
security and privacy objectives require a degree of collaboration between the organization's
information security program and privacy program.

Privacy Control Baseline A collection of controls specifically assembled or brought together by a
group, organization or community of interest to address the privacy protection needs of individuals.

Privacy Control Assessment The assessment of privacy controls to determine whether the controls
are implemented correctly, operating as intended, and sufficient to ensure compliance with
applicable privacy requirements and manage privacy risks. A privacy control assessment is both an
assessment and a formal document detailing the process and the outcome of the assessment.



Privacy Information Information that describes the privacy posture of an information system or
organization.

Privacy Plan A formal document that details the privacy controls selected for an information system
or environment of operation that are in place or planned, to meet applicable privacy requirements
and manage privacy risks, details how the controls have been implemented, and describes the
methodologies and metrics that will be used to assess the controls.

Privacy Requirement A requirement that applies to an information system or an organization that is
derived from applicable laws, executive orders, directives, policies, standards, regulations,
procedures and/or mission / business needs with respect to privacy. Note: The term privacy
requirement can be used in a variety of contexts from high-level policy activities to low-level
implementation activities in system development and engineering principles.

Program Management Controls a set of processes, policies, and procedures that are implemented to
effectively plan, execute, and monitor a program. These controls help ensure that the program is
managed in a structured and organized manner, adhering to defined objectives, timelines, budgets,
and quality standards. They encompass various aspects such as governance, risk management,
stakeholder engagement, performance measurement, resource allocation, and communication.

Purge A method of sanitization that applies physical or logical techniques to render recovery of the
target data infeasible using state-of-the-art laboratory techniques.

Reciprocity Agreement among participating organizations to accept each other's security
assessments to reuse system resources and/or to accept each other's assessed security posture to
share information.

Risk A measure of the extent to which an entity is threatened by a potential circumstance or event
and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the
circumstance or event occurs; and (ii) the likelihood of occurrence.

Risk Assessment The process of identifying risks to organizational operations (including mission,
functions, image, reputation), organizational assets, individuals, other organizations and the nation,
resulting from the operation of a system.

Risk Executive (Function) An individual or group within an organization, led by the senior
accountable official for risk management, that helps to ensure that security risk considerations for
individual systems, to include the authorization decisions for those systems, are viewed from an
organization-wide perspective with regard to the overall strategic goals and objectives of the
organization in carrying out its missions and business functions; and managing risk from individual
systems is consistent across the organization, reflects organizational risk tolerance and is considered
along with other organizational risks affecting mission/business success.

Risk Management The program and supporting processes to manage risk to agency operations
(including mission, functions, image, reputation), agency assets, individuals, other organizations and
the nation, and includes: establishing the context for risk-related activities; assessing risk; responding
to risk once determined; and monitoring risk over time.



Risk Mitigation Prioritizing, evaluating and implementing the appropriate risk-reducing
controls/countermeasures recommended from the risk management process.

Risk Response Accepting, avoiding, mitigating, sharing or transferring risk to agency operations,
agency assets, individuals, other organizations or the nation.

Sanitize A process to render access to target data on the media infeasible for a given level of effort.
Clear, purge and destroy are actions that can be taken to sanitize media.

Security Architect Individual, group or organization responsible for ensuring that the information
security requirements necessary to protect the organization's core missions and business processes
are adequately addressed in all aspects of enterprise architecture including reference models,
segment and solution architectures, and the resulting information systems supporting those missions
and business processes.

Security Architecture An embedded, integral part of the enterprise architecture that describes the
structure and behavior for an enterprise's security processes, information security systems,
personnel and organizational sub-units, showing their alignment with the enterprise's mission and
strategic plans. See information security architecture.

Security Categorization The process of determining the security category for information or a
system. Security categorization methodologies are described in CNSS Instruction 1253 for national
security systems and in FIPS Publication 199 for other than national security systems. See: security
category

Security Category The characterization of information or an information system based on an
assessment of the potential impact that a loss of confidentiality, integrity or availability of such
information or information system would have on agency operations, agency assets, individuals,
other organizations and the nation.

Security Control The safeguards or countermeasures prescribed for an information system or an
organization to protect the confidentiality, integrity and availability of the system and its
information.

Security Controls The management, operational and technical controls (i.e., safeguards or
countermeasures) prescribed for an information system to protect the confidentiality, integrity and
availability of the system and its information.

Security Control Baseline The set of minimum security controls defined for a low-impact, moderate-
impact or high-impact information system. See Also: Control Baseline

Security Control Assessment The testing or evaluation of security controls to determine the extent
to which the controls are implemented correctly, operating as intended and producing the desired
outcome with respect to meeting the security requirements for an information system or
organization.

Security Impact Analysis The analysis conducted by an organizational official to determine the extent
to which a change to the information system has affected the security state of the system.



Security Objective Confidentiality, integrity or availability

Security Plan A formal document that provides an overview of the security requirements for an
information system and describes the security controls in place or planned for meeting those
requirements.

Security Posture The security status of an enterprise's networks, information and systems based on
information security resources (e.g., people hardware, software, policies) and capabilities in place to
manage the defense of the enterprise and to react as the situation changes. Synonymous with
security status.

Security Requirement A requirement levied on an information system or an organization that is
derived from applicable laws, executive orders, directives, policies, standards, instructions,
regulations, procedures and/or mission / business needs to ensure the confidentiality, integrity and
availability of information that is being processed, stored or transmitted. Note: Security
requirements can be used in a variety of contexts from high-level policy activities to low-level
implementation activities in system development and engineering disciplines.

Security Risk Risk that arises through the loss of confidentiality, integrity, or availability of
information or systems, and that considers impacts to the organization (including assets, mission,
functions, image or reputation), individuals, other organizations and the nation. See: Risk.

Senior Accountable Official for Risk Management (SAORM) The senior official, designated by the
head of each agency, who has vision into all areas of the organization, and is responsible for
alignment of information security management processes with strategic, operational and budgetary
planning processes.

Senior Agency Information Security Officer (SAISO) Official responsible for carrying out the Chief
Information Officer responsibilities under FISMA and serving as the Chief Information Officer's
primary liaison to the agency's authorizing officials, information system owners and information
system security officers.

Senior Agency Official for Privacy (SAOP) The senior official, designated by the head of each agency,
who has agency-wide responsibility for privacy, including implementation of privacy protections;
compliance with federal laws, regulations and policies relating to privacy; management of privacy
risks at the agency; and a central policymaking role in the agency's development and evaluation of
legislative, regulatory and other policy proposals.

Software Computer Programs and associated data that may be dynamically written or modified
during execution.

Supply Chain Linked set of resources and processes between multiple tiers of developers that begins
with the sourcing of products and services and extends through the design, development,
manufacturing, processing, handling and delivery of products and services to the acquirer.

Supply Chain Risk Risks that arise from the loss of confidentiality, integrity or availability of
information or information systems, and reflect the potential adverse impacts to organizational
operations (including mission, functions, image or reputation), organizational assets, individuals,
other organizations and the nation.



Supply Chain Risk Management The process of identifying, assessing and mitigating the risks
associated with the global and distributed nature of information and communications technology
product and service supply chains.

System Any organized assembly of resources and procedures united and regulated by interaction or
interdependence to accomplish a set of specific functions. See information system. Note: Systems
also include specialized systems such as industrial/process control systems, telephone switching and
private branch exchange (PBX) systems, and environmental control systems. Also: a combination of
interacting elements organized to achieve one or more stated purposes. Note 1: There are many
types of systems. Examples include: general and special-purpose information systems; command,
control and communication systems; crypto modules; central processing unit and graphics processor
boards; industrial/process control systems; flight control systems; weapons, targeting and fire
control systems; medical devices and treatment systems; financial, banking and merchandising
transaction systems; and social networking systems. Note 2: The interacting elements in the
definition of system include hardware, software, data, humans, processes, facilities, materials and
naturally occurring physical entities. Note 3: System of systems is included in the definition of
system.

System Boundary See authorization boundary

System Component A discrete identifiable information technology asset that represents a building
block of a system and may include hardware, software and firmware.

System Development Life Cycle (SDLC) The scope of activities associated with a system,
encompassing the system's initiation, development and acquisition, implementation, operation and
maintenance and ultimately its disposal that instigates another system initiation.

System Element Member of a set of elements that constitute a system. Note 1: A system element
can be a discrete component, product, service, subsystem, system, infrastructure or enterprise. Note
2: Each element of the system is implemented to fulfill specified requirements. Note 3: The recursive
nature of the term allows the term system to apply equally when referring to a discrete component
or to a large, complex, geographically distributed system-of-systems. Note 4: System elements are
implemented by: hardware, software and firmware that perform operations on data/information;
physical structures, devices and components in the environment of operation; and the people,
processes and procedures for operating, sustaining and supporting the system elements. Note 5:
System elements and information resources (as defined at 44 U.S.C. Sec. 3502 and in this document)
are interchangeable terms as used in this document.

System Privacy Officer Individual with assigned responsibility for maintaining the appropriate
operational privacy posture for a system or program.

System Security Officer Individual with assigned responsibility for maintaining the appropriate
operational security posture for an information system or program.

System Security Plan (SSP) The security plan for a specific information system (see security plan).
Principally used to document, and to verify, that the information system (IS) is meeting its stated
security requirements, goals and objectives.



System-Specific Control A security or privacy control for an information system that is implemented
at the system level and is not inherited by any other information system.

System User Individual, or (system) process acting on behalf of an individual, authorized to access a
system.

System Privacy Engineer Individual assigned responsibility for conducting systems privacy
engineering activities.

Systems Security Engineer Individual assigned responsibility for conducting systems security
engineering activities.

Systems Security or Privacy Engineer See Systems Security Engineer and Systems Privacy Engineer

Tailored Control Baseline A set of controls resulting from the application of tailoring guidance to a
control baseline. See: Tailoring

Tailoring The process by which security control baselines are modified by identifying and designating
common controls, applying scoping considerations, selecting compensating controls, assigning
specific values to agency-defined control parameters, supplementing baselines with additional
controls or control enhancements and providing additional specification information for control
implementation. The tailoring process may also be applied to privacy controls.

Threat Any circumstance or event with the potential to adversely impact organizational operations,
organizational assets, individuals, other organizations or the nation through a system via
unauthorized access, destruction, disclosure, modification of information and/or denial of service.

Threat Source The intent and method targeted at the intentional exploitation of a vulnerability or a
situation and method that may accidentally trigger a vulnerability.

Vulnerability Weakness in an information system, system security procedures, internal controls or
implementation that could be exploited or triggered by a threat source. Note: The term weakness is
synonymous with deficiency. Weakness may result in security and/or privacy risks.



Appendix D - Examination Tips and Tricks
Studying
Studying is a skill that not everyone has mastered or fully understands. To a large extent it's something that I'm
not fully versed in. In order to pass these exams you must be able to deconstruct the questions that are being
asked of you and be able to quickly parse the four possible answers into two categories: correct and incorrect.

To that end, running through as many practice exams as possible is a necessary component of studying for this
exam. I've developed a methodology over the years that seems to work for me in preparing for the numerous
certifications that I hold.

1) With 125 questions on the actual exam, you should review and regularly pass any practice exams with a score
of 85% or higher. In the certification exam, once you answer a question, you will not be permitted to go back
and review any questions. Once you submit an answer, the submission is final.

2) Many practice exams come in test batches of 50 questions, with a granddaddy test of 125 questions. Focus
on the 50-question batches first and carefully review your answers. What I do, immediately after taking a
practice exam (found on Quizlet, Udemy or any number of other study resource sites), is open up a blank Word
document and write out the entire question and the correct answer ONLY. I'll write these questions several times
over the course of a few weeks ahead of the certification exam.



Some of the questions found on the practice exams are written in the negative. My solution is to re-write the
question into a positive so that I am re-affirming the correct answers and not reinforcing a negative. For
example:
“The following are activities conducted when preparing to implement the risk management framework:
- Identifying key stakeholders
- Assigning roles & responsibilities
- Establishing a risk management strategy”

3) With four possible multi-choice answers, work to quickly identify the incorrect ones so that you can work to
select the correct answer. By and large, I’ve found the answers to be formatted like this:
A) Most Correct
B) Partially Correct
C) Partially Incorrect
D) Most Incorrect
If you can quickly eliminate possible answers, it will allow you to deconstruct the correct answers and determine
which answer is more correct than the other.

4) Try to do one block of test questions at least 5 nights of the week in the three weeks leading up to the
certification exam. Review the one page “At A Glance” study guide several times a day.

5) Finally, like most other locations will tell you, relax and take your time reading each question. Think about the
RMF, remember key phrases like “HIGH WATER MARK” and make sure you memorize your phases of the RMF
and SDLC.



Appendix E - At A Glance
Risk Management Framework for Information Systems and Organizations
NIST SP 800-37 Revision 2

RMF steps (number of tasks per step)
  P  Prepare      18 (P-1 to P-7 organization level, P-8 to P-18 system level)
  C  Categorize    3
  S  Select        6
  I  Implement     2
  A  Assess        6
  A  Authorize     5 (tasks are labelled R-1 to R-5)
  M  Monitor       7

SDLC phases (IDIOD, waterfall model; NIST SP 800-64 is deprecated/withdrawn)
  I    Initiation
  D/A  Development / Acquisition
  I/A  Implementation / Assessment
  O/M  Operations / Maintenance
  D    Disposal

RMF -> SDLC mapping (new systems)
  Initiation                   P8-P18, C1-C3, S3
  Development / Acquisition    S1-S6 (except S3), I1-I2, A1-A6
  Implementation / Assessment  R1-R5
  Operations / Maintenance     M1-M6
  Disposal                     M7 (existing systems only)
  Existing systems: all tasks fall under Operations / Maintenance, except M7 -> Disposal

Assessment objects (A.I.M.S.)   Activity, Individual, Mechanism, Specification
Assessment methods (T.I.E.)     Test, Interview, Examine
Assessment attributes           Depth (rigor), Coverage (scope)
Findings                        Satisfied, Other Than Satisfied
Control classes (T.O.M.)        Technical (4 families), Operational (9 families), Management (4 families)
Control types                   Common, Compensating, Tailored, Hybrid
Risk management (FARM)          Frame risk, Assess risk, Respond to risk, Monitor risk
Risk assessment (PARM)          Prepare for assessment, Conduct assessment, Communicate results,
                                Maintain assessment
Authorization decisions         Authorization to Operate (ATO), Common control authorization,
                                Authorization to Use (third party), Denial, Rescission (revocation)
Authorization types             Traditional (single authorizing official), Joint (multiple authorizing
                                officials), Facility (FedRAMP Moderate/High)

Continuous Monitoring Program (NIST SP 800-137 steps, with the RMF tasks that drive them)
  Define            P7  - organization-level continuous monitoring strategy
  Establish         S5  - system-level continuous monitoring strategy
  Implement         M1-M6
  Analyze / Report
  Respond
  Review / Update

Compact SDLC -> RMF view
  Initiation                    P8-P18, C
  Development / Acquisition     S (except S3)
  Development / Implementation  I
  Implementation / Assessment   A (assess), A (authorize)
  Operations / Maintenance      M (except M7)
  Exceptions                    S3 -> Initiation, M7 -> Disposal
PREPARE

The purpose of the Prepare step is to carry out essential activities at the organization, mission and business process, and information system levels of the organization to help prepare the organization to manage its security and privacy risks using the Risk Management Framework.

Prepare - Organizational Level

Each task lists: Task #, Task Title, Description, Primary Roles, Potential Inputs, Expected Outputs, SDLC *

P1 Risk Management Roles
Description: Identify and assign individuals to specific roles associated with security and privacy risk management.
Primary Roles: Head of Agency, CIO, SAOP
Potential Inputs: Security and privacy policies and procedures; organization charts.
Expected Outputs: Documented RMF role assignments.
SDLC: N/A

P2 Risk Management Strategy
Description: Establish a risk management strategy for the organization that includes a determination of risk tolerance.
Primary Roles: Head of Agency
Potential Inputs: Organizational mission statement; organizational policies; organizational risk assumptions, constraints, priorities, and trade-offs.
Expected Outputs: Risk management strategy and statement of risk tolerance inclusive of information security and privacy risk.
SDLC: N/A

P3 Risk Assessment - Organization
Description: Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis.
Primary Roles: SAORM, SAISO, SAOP
Potential Inputs: Risk management strategy; mission or business objectives; current threat information; system-level security and privacy risk assessment results; supply chain risk assessment results; previous organization-level security and privacy risk assessment results; information sharing agreements or MOUs; security and privacy information from continuous monitoring.
Expected Outputs: Organization-level risk assessment results.
SDLC: N/A

P4 Organizationally Tailored Control Baselines and Cybersecurity Framework Profiles (optional)
Description: Establish, document, and publish organizationally tailored control baselines and/or Cybersecurity Framework profiles.
Primary Roles: SAORM, Mission or Business Owner
Potential Inputs: Documented security and privacy requirements directing the use of organizationally tailored control baselines; mission or business objectives; enterprise architecture; security architecture; privacy architecture; organization- and system-level risk assessment results; list of common control providers and common controls available for inheritance; NIST Special Publication 800-53B control baselines.
Expected Outputs: List of approved or directed organizationally tailored control baselines; NIST CSF Profiles.
SDLC: N/A

P5 Common Control Identification
Description: Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems.
Primary Roles: SAISO, SAOP
Potential Inputs: Documented security and privacy requirements; existing common control providers and associated security and privacy plans; information security and privacy program plans; organization- and system-level security and privacy risk assessment results.
Expected Outputs: List of common control providers and common controls available for inheritance; security and privacy plans (or equivalent documents) providing a description of the common control implementation (including inputs, expected behavior, and expected outputs).
SDLC: N/A

P6 Impact Level Prioritization (optional)
Description: Prioritize organizational systems with the same impact level.
Primary Roles: SAORM, Risk Executive (function)
Potential Inputs: Security categorization information for organizational systems; system descriptions; organization- and system-level risk assessment results; mission or business objectives; Cybersecurity Framework Profiles.
Expected Outputs: Organizational systems prioritized into low-, moderate-, and high-impact sub-categories.
SDLC: N/A

P7 Continuous Monitoring Strategy - Organization
Description: Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.
Primary Roles: SAORM, Risk Executive (function)
Potential Inputs: Risk management strategy; organization- and system-level risk assessment results; organizational security and privacy policies.
Expected Outputs: An implemented organizational continuous monitoring strategy.
SDLC: N/A

Prepare - System Level

P8 Mission or Business Focus
Description: Identify the missions, business functions, and mission/business processes that the system is intended to support.
Primary Roles: Mission or Business Owner
Potential Inputs: Organizational mission statement; organizational policies; mission/business process information; system stakeholder information; Cybersecurity Framework Profiles; requests for proposal or other acquisition documents; concept of operations.
Expected Outputs: Missions, business functions, and mission/business processes that the system will support.
SDLC: Initiation (concept / requirements definition)

P9 System Stakeholders
Description: Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system.
Primary Roles: Mission or Business Owner, System Owner
Potential Inputs: Organizational mission statement; mission or business objectives; missions, business functions, and mission/business processes that the system will support; other mission/business process information; organizational security and privacy policies and procedures; organizational charts; information about individuals or groups (internal and external) that have an interest in and decision-making responsibility for the system.
Expected Outputs: List of system stakeholders.
SDLC: Initiation (concept / requirements definition)

P10 Asset Identification
Description: Identify assets that require protection.
Primary Roles: System Owner
Potential Inputs: Missions, business functions, and mission/business processes the information system will support; business impact analyses; internal stakeholders; system stakeholder information; system information; information about other systems that interact with the system.
Expected Outputs: Set of assets to be protected.
SDLC: Initiation (concept / requirements definition)

P11 Authorization Boundary
Description: Determine the authorization boundary of the system.
Primary Roles: Authorizing Official
Potential Inputs: System design documentation; network diagrams; system stakeholder information; asset information; network and/or enterprise architecture diagrams; organizational structure (charts, information).
Expected Outputs: Documented authorization boundary.
SDLC: Initiation (concept / requirements definition)

P12 Information Types
Description: Identify the types of information to be processed, stored, and transmitted by the system.
Primary Roles: System Owner, Information Owner or Steward
Potential Inputs: System design documentation; assets to be protected; mission/business process information; system design documentation.
Expected Outputs: A list of information types for the system.
SDLC: Initiation (concept / requirements definition)

P13 Information Life Cycle
Description: Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system.
Primary Roles: SAOP, System Owner, Information Owner or Steward
Potential Inputs: Missions, business functions, and mission/business processes the system will support; system stakeholder information; authorization boundary information; information about other systems that interact with the system (e.g., information exchange/connection agreements); system design documentation; system element information; list of system information types.
Expected Outputs: Documentation of the stages through which information passes in the system, such as a data map or model illustrating how information is structured or is processed by the system throughout its life cycle. Such documentation includes, for example, data flow diagrams, entity relationship diagrams, database schemas, and data dictionaries.
SDLC: Initiation (concept / requirements definition)

P14 Risk Assessment - System
Description: Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis.
Primary Roles: System Owner, System Security Officer, System Privacy Officer
Potential Inputs: Assets to be protected; missions, business functions, and mission/business processes the system will support; business impact analyses or criticality analyses; system stakeholder information; information about other systems that interact with the system; provider information; threat information; data map; system design documentation; Cybersecurity Framework Profiles; risk management strategy; organization-level risk assessment results.
Expected Outputs: Security and privacy risk assessment reports.
SDLC: Initiation (concept / requirements definition)

P15 Requirements Definition
Description: Define the security and privacy requirements for the system and the environment of operation.
Primary Roles: Mission or Business Owner, System Owner, Information Owner or Steward, System Privacy Officer
Potential Inputs: System design documentation; organization- and system-level risk assessment results; known set of stakeholder assets to be protected; missions, business functions, and mission/business processes the system will support; business impact analyses or criticality analyses; system stakeholder information; data map of the information life cycle for PII; Cybersecurity Framework Profiles; information about other systems that interact with the system; supply chain information; threat information; laws, executive orders, directives, regulations, or policies that apply to the system; risk management strategy.
Expected Outputs: Documented security and privacy requirements.
SDLC: Initiation (concept / requirements definition)

P16 Enterprise Architecture
Description: Determine the placement of the system within the enterprise architecture.
Primary Roles: Mission or Business Owner, Enterprise Architect, Security Architect, Privacy Architect
Potential Inputs: Security and privacy requirements; organization- and system-level risk assessment results; enterprise architecture information; security architecture information; privacy architecture information; asset information.
Expected Outputs: Updated enterprise architecture; updated security architecture; updated privacy architecture; plans to use cloud-based systems and shared systems, services, or applications.
SDLC: Initiation (concept / requirements definition)

P17 Requirements Allocation
Description: Allocate security and privacy requirements to the system and to the environment of operation.
Primary Roles: Security Architect, Privacy Architect, System Security Officer, System Privacy Officer
Potential Inputs: Organization- and system-level risk assessment results; documented security and privacy requirements; list of common control providers and common controls available for inheritance; system description; system element information; system component inventory; relevant laws, executive orders, directives, regulations, and policies.
Expected Outputs: List of security and privacy requirements allocated to the system, system elements, and the environment of operation.
SDLC: Initiation (concept / requirements definition)

P18 System Registration
Description: Register the system with organizational program or management offices.
Primary Roles: System Owner
Potential Inputs: Organizational policy on system registration; system information.
Expected Outputs: Registered system in accordance with organizational policy.
SDLC: Initiation (concept / requirements definition)

*SDLC - only new systems are shown. Existing systems are all Operations/Maintenance in every task of the RMF. The SDLC does not apply to P1-P7, the organizational-level tasks.
CATEGORIZE

The purpose of the Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.

C1 System Description
Description: Document the characteristics of the system.
Primary Roles: System Owner
Potential Inputs: System design and requirements documentation; authorization boundary information; list of security and privacy requirements allocated to the system, system elements, and the environment of operation; physical or other processes controlled by system elements; system element information; system component inventory; system element supply chain information, including inventory and supplier information; security categorization; data map of the information life cycle for information types processed, stored, and transmitted by the system; information on system use, users, and roles.
Expected Outputs: Documented system description.
SDLC: Initiation (concept / requirements definition)

C2 Security Categorization
Description: Categorize the system and document the security categorization results.
Primary Roles: System Owner, Information Owner or Steward
Potential Inputs: Risk management strategy; organizational risk tolerance; authorization boundary (i.e., system) information; organization- and system-level risk assessment results; information types processed, stored, or transmitted by the system; list of security and privacy requirements allocated to the system, system elements, and environment of operation; organizational authority or purpose for operating the system; business impact analyses or criticality analyses; information about missions, business functions, and mission/business processes supported by the system.
Expected Outputs: Impact levels determined for each information type and for each security objective (confidentiality, integrity, availability); security categorization based on the high-water mark of information type impact levels.
SDLC: Initiation (concept / requirements definition)

C3 Security Categorization Review and Approval
Description: Review and approve the security categorization results and decision.
Primary Roles: Authorizing Official, AODR, SAOP
Potential Inputs: Impact levels determined for each information type and for each security objective (confidentiality, integrity, availability); security categorization based on the high-water mark of information type impact levels; list of high value assets for the organization.
Expected Outputs: Approval of security categorization for the system.
SDLC: Initiation (concept / requirements definition)
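The high-water mark computation that C2 produces (and that the study tips say to remember), as an added worked example in Python; it is not part of the Mango Guide or of NIST SP 800-37. It takes each information type's confidentiality, integrity and availability impact levels, keeps the highest level per objective, floors each objective at LOW, and takes the highest of the three as the system level; the information types below are constructed, and the rule that N/A is valid only for confidentiality comes from FIPS 199.

```python
"""Security categorization by high-water mark, the method RMF task C2 relies on.

Added example, not part of the Mango Guide or of NIST SP 800-37 itself; the
information types and impact levels below are constructed for illustration.
"""

# Impact levels in increasing order of severity. FIPS 199 allows "N/A" only for
# the confidentiality of public information; it can never raise the mark.
LEVEL_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
RANK_LEVEL = {rank: level for level, rank in LEVEL_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information type -> (confidentiality, integrity, availability)
SAMPLE_INFO_TYPES = {
    "public web content": ("N/A", "LOW", "LOW"),
    "employee PII": ("MODERATE", "MODERATE", "LOW"),
    "financial transactions": ("MODERATE", "HIGH", "MODERATE"),
}


def _rank(objective, level):
    """Validate one impact level and return its numeric rank."""
    if level not in LEVEL_RANK:
        raise ValueError(f"unknown impact level {level!r} for {objective}")
    if level == "N/A" and objective != "confidentiality":
        # FIPS 199: "not applicable" is only defined for confidentiality.
        raise ValueError(f"N/A is not a valid {objective} impact level")
    return LEVEL_RANK[level]


def objective_high_water_marks(info_types):
    """For each security objective, the highest impact level over all information types.

    The system-level value for an objective is never below LOW (FIPS 199 sets
    LOW as the minimum for a system), so an all-N/A confidentiality column
    still yields LOW.
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    marks = {}
    for index, objective in enumerate(OBJECTIVES):
        highest = max(_rank(objective, levels[index]) for levels in info_types.values())
        marks[objective] = RANK_LEVEL[max(highest, LEVEL_RANK["LOW"])]
    return marks


def system_high_water_mark(marks):
    """Overall system impact level: the highest of the three objective marks."""
    return RANK_LEVEL[max(LEVEL_RANK[level] for level in marks.values())]


def fips199_notation(marks):
    """Render a categorization in the FIPS 199 form SC = {(objective, level), ...}."""
    inner = ", ".join(f"({objective}, {marks[objective]})" for objective in OBJECTIVES)
    return f"SC = {{{inner}}}"


def categorize(info_types):
    """Run the C2 computation end to end: per-objective marks and the system mark."""
    marks = objective_high_water_marks(info_types)
    return marks, system_high_water_mark(marks)


if __name__ == "__main__":
    sample_marks, overall = categorize(SAMPLE_INFO_TYPES)
    print(fips199_notation(sample_marks))
    print("System impact level (high-water mark):", overall)
```

With the constructed sample the integrity HIGH of a single information type pulls the whole system to HIGH, which is exactly the effect the high-water mark rule is meant to capture.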
SELECT

The purpose of the Select step is to select, tailor, and document the controls necessary to protect the information system and organization commensurate with risk to organizational operations and assets, individuals, other organizations, and the Nation.

S1 Control Selection
Description: Select the controls for the system and the environment of operation.
Primary Roles: System Owner, Common Control Provider
Potential Inputs: Security categorization; organization- and system-level risk assessment results; system element information; system component inventory; list of security and privacy requirements allocated to the system, system elements, and environment of operation; list of contractual requirements allocated to external providers of the system or system element; business impact analysis or criticality analysis; risk management strategy; organizational security and privacy policy; federal or organization-approved or mandated baselines or overlays; Cybersecurity Framework Profiles.
Expected Outputs: Controls selected for the system and the environment of operation.
SDLC: Development / Acquisition

S2 Control Tailoring
Description: Tailor the controls selected for the system and the environment of operation.
Primary Roles: System Owner, Common Control Provider
Potential Inputs: Initial control baselines; organization- and system-level risk assessment results; system element information; system component inventory; list of security and privacy requirements allocated to the system, system elements, and environment of operation; business impact analysis or criticality analysis; risk management strategy; organizational security and privacy policies; federal or organization-approved or mandated overlays.
Expected Outputs: List of tailored controls for the system and environment of operation (i.e., tailored control baselines).
SDLC: Development / Acquisition

S3 Control Allocation
Description: Allocate security and privacy controls to the system and to the environment of operation.
Primary Roles: Security Architect, Privacy Architect, System Security Officer, System Privacy Officer
Potential Inputs: Security categorization; organization- and system-level risk assessment results; organizational policy on system registration; enterprise architecture; security and privacy architectures; security and privacy requirements; list of security and privacy requirements allocated to the system, system elements, and the environment of operation; list of common control providers and common controls available for inheritance; system description; system element information; system component inventory; relevant laws, executive orders, directives, regulations, and policies.
Expected Outputs: List of security and privacy controls allocated to the system, system elements, and the environment of operation.
SDLC: Development / Acquisition

S4 Documentation of Planned Control Implementations
Description: Document the controls for the system and environment of operation in security and privacy plans.
Primary Roles: System Owner, Common Control Provider
Potential Inputs: Security categorization; organization- and system-level risk assessment results (security, privacy, and/or supply chain); system element information; system component inventory; business impact or criticality analysis; list of security and privacy requirements allocated to the system, system elements, and environment of operation; risk management strategy; list of selected controls for the system and environment of operation; organizational security, privacy, and SCRM policies.
Expected Outputs: Security and privacy plans for the system.
SDLC: Development / Acquisition

S5 Continuous Monitoring Strategy - System
Description: Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy.
Primary Roles: System Owner, Common Control Provider
Potential Inputs: Organizational risk management strategy; organizational continuous monitoring strategy; organization- and system-level risk assessment results; security and privacy plans; organizational security and privacy policies.
Expected Outputs: Continuous monitoring strategy for the system, including a time-based trigger for ongoing authorization.
SDLC: Development / Acquisition

S6 Plan Review and Approval
Description: Review and approve the security and privacy plans for the system and the environment of operation.
Primary Roles: Authorizing Official or AODR
Potential Inputs: Security and privacy plans; organization- and system-level risk assessment results.
Expected Outputs: Security and privacy plans approved by the authorizing official.
SDLC: Development / Acquisition
IMPLEMENT

The purpose of the Implement step is to implement the controls in the security and privacy plans for the system and for the organization and to document, in a baseline configuration, the specific details of the control implementation.

I1 Control Implementation
Description: Implement the controls in the security and privacy plans.
Primary Roles: System Owner, Common Control Provider
Potential Inputs: Approved security and privacy plans; system design documents; organizational security and privacy policies and procedures; business impact or criticality analyses; enterprise architecture information; security architecture information; privacy architecture information; list of security and privacy requirements allocated to the system, system elements, and environment of operation; system element information; system component inventory; organization- and system-level risk assessment results.
Expected Outputs: Implemented controls.
SDLC: Development / Acquisition - Implementation / Assessment

I2 Update Control Implementation Information
Description: Document changes to planned control implementations based on the "as-implemented" state of controls.
Primary Roles: System Owner, Common Control Provider
Potential Inputs: Security and privacy plans; information from control implementation efforts.
Expected Outputs: Security and privacy plans updated with implementation detail sufficient for use by assessors; system configuration baseline.
SDLC: Development / Acquisition - Implementation / Assessment
ASSESS

A1 Assessor Selection
Description: Select the appropriate assessor or assessment team for the type of control assessment to be conducted.
Primary Roles: Authorizing Official, AODR
Potential Inputs: Security, privacy, and SCRM plans; program management control information; common control documentation; organizational security and privacy program plans; SCRM strategy; system design documentation; enterprise, security, and privacy architecture information; security, privacy, and SCRM policies and procedures applicable to the system.
Expected Outputs: Selection of assessor or assessment team responsible for conducting the control assessment.
SDLC: Development / Acquisition - Implementation / Assessment

A2 Assessment Plan
Description: Develop, review, and approve plans to assess
Primary Roles: Authorizing Official, AODR, Control Assessor
Potential Inputs: Security, privacy, and SCRM plans; program management control information; common control documentation; organizational security and privacy program plans; SCRM strategy; system design documentation; supply chain information; enterprise, security, and privacy architecture information; security, privacy, and SCRM policies and procedures applicable to the system.
Expected Outputs: Security and privacy assessment plans approved by the authorizing official.
SDLC: Development / Acquisition - Implementation / Assessment

A3 Control Assessments
Description: Assess the controls in accordance with the assessment procedures described in assessment plans.
Primary Roles: Control Assessor
Potential Inputs: Security and privacy assessment plans; security and privacy plans; external assessment or audit results (if applicable).
Expected Outputs: Completed control assessments and associated assessment evidence.
SDLC: Development / Acquisition - Implementation / Assessment

A4 Assessment Reports
Description: Prepare the assessment reports documenting the findings and recommendations from the control assessments.
Primary Roles: Control Assessor
Potential Inputs: Completed control assessments and associated assessment evidence.
Expected Outputs: Completed security and privacy assessment reports detailing the assessor findings and recommendations.
SDLC: Development / Acquisition - Implementation / Assessment

A5 Remediation Actions
Description: Conduct initial remediation actions on the controls and reassess remediated controls.
Primary Roles: System Owner, Common Control Provider, Control Assessor
Potential Inputs: Completed security and privacy assessment reports with findings and recommendations; security and privacy plans; security and privacy assessment plans; organization- and system-level risk assessment results.
Expected Outputs: Completed initial remediation actions based on the security and privacy assessment reports; changes to implementations reassessed by the assessment team; updated security and privacy assessment reports; updated security and privacy plans including changes to the control implementations.
SDLC: Development / Acquisition - Implementation / Assessment

A6 Plan of Action and Milestones
Description: Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports.
Primary Roles: Information System Security Officer
Potential Inputs: Updated security and privacy assessment reports; updated security and privacy plans; organization- and system-level risk assessment results; organizational risk management strategy and risk tolerance.
Expected Outputs: A plan of action and milestones detailing the findings from the security and privacy assessment reports that are to be remediated.
SDLC: Implementation / Assessment
AUTHORIZE

The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation, based on the operation of a system or the use of common controls, is acceptable.

R1 Authorization Package
Description: Assemble the authorization package and submit the package to the authorizing official for an authorization decision.
Primary Roles: System Owner, Common Control Provider, SAOP
Potential Inputs: Security and privacy plans; security and privacy assessment reports; plan of action and milestones; supporting assessment evidence or other documentation, as required.
Expected Outputs: Authorization package (with an executive summary), which may be generated from a security or privacy management tool, for submission to the authorizing official.
SDLC: Implementation / Assessment

R2 Risk Analysis and Determination
Description: Analyze and determine the risk from the operation or use of the system or the provision of common controls.
Primary Roles: Authorizing Official, AODR
Potential Inputs: Authorization package; supporting assessment evidence or other documentation as required; information provided by the senior accountable official for risk management or risk executive (function); organizational risk management strategy and risk tolerance; organization- and system-level risk assessment results.
Expected Outputs: Risk determination.
SDLC: Implementation / Assessment

R3 Risk Response
Description: Identify and implement a preferred course of action in response to the risk determined.
Primary Roles: Authorizing Official, AODR
Potential Inputs: Authorization package; risk determination; organization- and system-level risk assessment results.
Expected Outputs: Risk responses for determined risks.
SDLC: Implementation / Assessment

R4 Authorization Decision
Description: Determine if the risk from the operation or use of the information system or the provision or use of common controls is acceptable.
Primary Roles: Authorizing Official
Potential Inputs: Risk responses for determined risks.
Expected Outputs: Authorization to operate, authorization to use, common control authorization; denial of authorization to operate, denial of authorization to use, denial of common control authorization.
SDLC: Implementation / Assessment

R5 Authorization Reporting
Description: Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk.
Primary Roles: Authorizing Official, AODR
Potential Inputs: Authorization decision.
Expected Outputs: A report indicating the authorization decision for a system or set of common controls; annotation of authorization status in the organizational system registry.
SDLC: Implementation / Assessment
MONITOR

The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.

M1 System and Environment Changes
Description: Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system.
Primary Roles: System Owner or Common Control Provider, SAOP, SAISO
Potential Inputs: Organizational continuous monitoring strategy; organizational configuration management policy and procedures; organizational policy and procedures for handling unauthorized system changes; security and privacy plans; configuration change requests/approvals; system design documentation; security and privacy assessment reports; plans of action and milestones; information from automated and manual monitoring tools.
Expected Outputs: Updated security and privacy plans; updated plans of action and milestones; updated security and privacy assessment reports.
SDLC: Operations / Maintenance

M2 Ongoing Assessments
Description: Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy.
Primary Roles: Control Assessor
Potential Inputs: Organizational continuous monitoring strategy and system-level continuous monitoring strategy (if applicable); security and privacy plans; security and privacy assessment plans; security and privacy assessment reports; plans of action and milestones; information from automated and manual monitoring tools; organization- and system-level risk assessment results; external assessment or audit results (if applicable).
Expected Outputs: Updated security and privacy assessment reports.
SDLC: Operations / Maintenance

M3 Ongoing Risk Response
Description: Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones.
Primary Roles: Authorizing Official, System Owner, Common Control Provider
Potential Inputs: Security and privacy assessment reports; organization- and system-level risk assessment results; security and privacy plans; plans of action and milestones.
Expected Outputs: Mitigation actions or risk acceptance decisions; updated security and privacy assessment reports.
SDLC: Operations / Maintenance

M4 Authorization Package Updates
Description: Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process.
Primary Roles: System Owner, Common Control Provider
Potential Inputs: Security and privacy assessment reports; organization- and system-level risk assessment results; security and privacy plans; plans of action and milestones.
Expected Outputs: Updated security and privacy assessment reports; updated plans of action and milestones; updated risk assessment results; updated security and privacy plans.
SDLC: Operations / Maintenance

M5 Security and Privacy Reporting
Description: Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy.
Primary Roles: System Security Officer, System Privacy Officer
Potential Inputs: Security and privacy assessment reports; plans of action and milestones; organization- and system-level risk assessment results; organization- and system-level continuous monitoring strategy; security and privacy plans; Cybersecurity Framework Profile.
Expected Outputs: Security and privacy posture reports.
SDLC: Operations / Maintenance

M6 Ongoing Authorization
Description: Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable.
Primary Roles: Authorizing Official
Potential Inputs: Risk tolerance; security and privacy posture reports; plans of action and milestones; organization- and system-level risk assessment results; security and privacy plans.
Expected Outputs: A determination of risk; ongoing authorization to operate, ongoing authorization to use, ongoing common control authorization; denial of ongoing authorization to operate, denial of ongoing authorization to use, denial of ongoing common control authorization.
SDLC: Operations / Maintenance

M7 System Disposal
Description: Implement a system disposal strategy and execute required actions when a system is removed from operation.
Primary Roles: System Owner
Potential Inputs: Security and privacy plans; organization- and system-level risk assessment results; system component inventory.
Expected Outputs: Disposal strategy; updated system component inventory; updated security and privacy plans.
SDLC: New - N/A; Existing - Disposal
