The Mango Guide Ver2
Study notes for the (ISC)2 Certified in Governance Risk and Compliance (CGRC)

This document is intended for informal knowledge transfer for private individuals. It cannot be used for commercial endeavors. You may freely copy, distribute and publish under condition of acknowledgement to the original authors.

2023 - Jim Meincke & Ryan LeVier
Jim Meincke, CCSP, CGRC, CISA - infosecsherpa@gmail.com
Ryan LeVier, CISSP, CGRC, CSAE - ryan.levier@gmail.com
Table of Contents:
• Test Information
• Appendix C – Glossary
• Phase 1 – Prepare
• Phase 2 – Categorize
• Phase 3 – Implement
• Phase 4 – Assess
• Phase 5 – Authorize
• Phase 6 – Monitor
CGRC Examination Information
• Length of exam: 3 hours
• Number of items: 125. Once a question is answered, it cannot be changed or reviewed.
• Item format: Multiple choice
• Total: 100%
1.1 Understand the foundation of an organization's information security risk management program
» Principles of information security: Also known as Information Assurance (IA), this is the practice of protecting against and managing risks related to the use, processing, storage, and transmission of data and information systems. The U.S. Department of Defense has promulgated the Five Pillars of Information Assurance model, which covers the protection of confidentiality, integrity, availability, authenticity, and non-repudiation of user data.
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means
for protecting personal privacy and proprietary information.
• Integrity: Guarding against improper information modification or destruction, and includes ensuring
information non-repudiation and authenticity.
• Availability: Ensuring timely and reliable access to and use of information.
• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the
validity of a transmission, a message, or message originator.
• Non-Repudiation of User Data: A service that is used to provide assurance of the integrity and origin of
data in such a way that the integrity and origin can be verified and validated by a third party as having
originated from a specific entity in possession of the private key (i.e., the signatory).
» Risk Management Frameworks (e.g., National Institute of Standards and Technology (NIST), cyber security
framework, Control Objectives for Information and Related Technology (COBIT), International Organization for
Standardization (ISO) 27001, International Organization for Standardization (ISO) 31000)
» System Development Life Cycle (SDLC) - The scope of activities associated with a system, encompassing the
system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its
disposal that instigates another system initiation.
• Initiation
• Development
• Operations / Maintenance
• Disposal
» Information system boundary requirements refer to the physical and logical boundaries of an information system, which define the extent of the system's operation, control, and protection. Boundary requirements specify the technical and non-technical controls that are necessary to protect the information system boundary. These controls are based on an assessment of the system's security and privacy risks, as well as an understanding of the system's mission and business requirements.
» Security controls and practices: Understanding the foundation of an organization's information security risk management program involves understanding the security controls and practices that are in place to protect the organization's information assets. The following are some key security controls and practices that are typically included in a comprehensive information security risk management program:
1. Access Controls: Access controls are used to restrict access to sensitive information and systems to only
those individuals who have a legitimate need to access them. This may involve implementing strong
3.1 Identify and document baseline and inherited controls
During the Assessment stage, the process of identifying and documenting baseline controls involves determining the applicable security control baseline for the system and referring to relevant security control catalogs, such as NIST SP 800-53, to identify the specific controls required. These identified controls are then documented in the system's security plan with descriptions, implementation requirements, and associated guidance or references.
3.2 Select and tailor controls to the system
Tailoring a control to a system involves customizing or adjusting the implementation of a security control to fit the specific characteristics, needs, and requirements of that system.
» Determine applicability of recommended baseline and inherited controls. Evaluate the applicability of each control
within the context of the system. Consider factors such as system functionality, operational environment, system
boundaries, and the sensitivity and criticality of the data being processed or stored.
» Determine appropriate use of control enhancements (e.g., security practices, overlays, countermeasures). To determine appropriate control enhancements, review security control catalogs, assess system requirements and risks, and consider cost, feasibility, and expert input. Document the selected control enhancements, implement them, and monitor their effectiveness to ensure they meet the system's security objectives and address identified risks.
» Document control applicability - To document control applicability, clearly indicate in the system's security
documentation or security plan which specific controls are applicable, aligning them with the system's
characteristics, risks, and requirements. Provide a concise description of the control's relevance, including any
tailoring or modifications made, and ensure traceability between the controls and associated security
requirements and system components.
3.3 Develop continuous control monitoring strategy (e.g., implementation, timeline, effectiveness)
Developing a continuous control monitoring strategy involves several key steps. First, identify the critical controls that require continuous monitoring based on their importance to the organization's security objectives and regulatory requirements. Next, establish a framework for automated control monitoring, including selecting appropriate tools and technologies to collect relevant data and generate real-time alerts. Develop monitoring procedures and define metrics or thresholds to track control performance, anomalies, or deviations. Integrate monitoring processes into existing security operations to ensure timely response and remediation actions. Regularly review and update the monitoring strategy to adapt to evolving threats, technology changes, and organizational needs. Collaborate with stakeholders, such as IT teams, compliance officers, and management, to ensure the strategy aligns with organizational goals and requirements. Lastly, document the monitoring strategy, including roles and responsibilities, data collection and analysis methods, reporting mechanisms, and the overall governance framework, to guide implementation and ensure consistent monitoring practices.
7.3 Review supply chain risk analysis monitoring activities (e.g., cyber threat reports, agency reports,
news reports)
7.4 Actively participate in response planning and communication of a cyber event
» Ensure response activities are coordinated with internal and external stakeholders
» Update documentation, strategies and tactics incorporating lessons learned
7.5 Revise monitoring strategies based on changes to industry developments introduced through legal,
regulatory, supplier, security and privacy updates
7.6 Keep designated officials updated about the risk posture for continuous authorization/approval
» Determine ongoing information system risk
» Update risk register, risk treatment and remediation plan
Information Security Risk Management for ISO 27001/ISO 27002, 3rd Edition by Alan Calder, Steve Watkins. Publisher: IT Governance Publishing. (Aug, 2019).
ISO 27001/ISO 27002 A Pocket Guide, 2nd Edition by Chris Davis, Mike Kegerreis, Mike Schiller. Publisher: McGraw-Hill. (Oct, 2013).
IT Auditing Using Controls to Protect Information Assets, 3rd Edition by Mike Kegerreis, Mike
Schiller, Chris Davis. Publisher: McGraw-Hill Education. (Oct, 2019).
NIST FIPS-199, Standards for Security Categorization of Federal Information and Information
Systems by U.S. Dept. of Commerce. (Feb, 2004).
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment by Karen
Scarfone, Murugiah Souppaya, Amanda Cody, Angela Orebaugh. (Sep, 2008).
NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information
Systems and Organizations by Kelley Dempsey, Nirali Shah Chawla, Arnold Johnson, Ronald
Johnston, Alicia Clay Jones, Angela Orebaugh, Matthew Scholl, Kevin Stine. (Sep, 2011).
NIST SP 800-160, Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary
Approach in the Engineering of Trustworthy Secure Systems by Ron Ross, Michael McEvilley, Janet
Carrier Oren. (Mar, 2018).
NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessments by Joint Task Force Transformation
Initiative. (Sep, 2012).
NIST SP 800-37, Rev. 2, Risk Management Framework for Information Systems and Organizations:
A System Life Cycle Approach for Security and Privacy by Joint Task Force Transformation Initiative.
(Dec, 2018).
NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information
System View by Joint Task Force Transformation Initiative. (Mar, 2011).
NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations
by Joint Task Force Transformation Initiative. (Sep, 2020).
NIST SP 800-53B, Control Baselines for Information Systems and Organizations by Joint Task Force
Transformation Initiative. (Oct, 2020).
NIST SP 800-60, Vol. 1, Rev. 1, Guide for Mapping Types of Information and Information Systems
to Security Categories by Kevin Stine, Rich Kissel, William C. Barker, Jim Fahlsing, Jessica Gulick.
(Aug, 2008).
Supplementary References
Candidates are encouraged to supplement their education and experience by reviewing relevant
resources that pertain to the CBK and identifying areas of study that may need additional attention.
See the unofficial resources Appendix for possible resources.
NIST SP 800-59, Guidelines for Identifying an Information System as a National Security System
This document provides guidelines developed in conjunction with the Department of Defense, including the National Security Agency, for identifying an information system as a national security system. The basis for these guidelines is the Federal Information Security Management Act of 2002 (FISMA, Title III, Public Law 107-347, December 17, 2002), which provides government-wide requirements for information security, superseding the Government Information Security Reform Act and the Computer Security Act. In addition to defining the term national security system, FISMA amended the NIST Act, at 15 U.S.C. 278g-3(b)(3), to require NIST to provide guidelines for identifying an information system as a national security system.

NIST 800-64, Security Considerations in the System Development Lifecycle (SDLC)
Research because mentioned in RMF Guide - Security considerations in the SDLC. Withdrawn - Reference NIST 800-161 Vol. Rev. 1.

NIST 800-161 Vol. 1 Rev 1, Engineering Trustworthy Secure Systems
Successor to SDLC. This publication describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. Such principles, concepts, activities, and tasks can be effectively applied within systems engineering efforts to foster a common mindset to deliver security for any system, regardless of the system's purpose, type, scope, size, complexity, or the stage of its system life cycle. The intent of this publication is to advance systems engineering in developing trustworthy systems for contested operational environments (generally referred to as systems security engineering) and to serve as a basis for developing educational and training programs, professional certifications, and other assessment criteria.

Reddit Subforum for ISC2 CGRC (Online / Social Media Support)
An online community to discuss aspects of certification and seek assistance with concepts.
https://www.reddit.com/r/ISC2CAP/

Certification Station on Discord (Online / Social Media Support)
An online community with real time chat to discuss aspects of certification and seek assistance with concepts.
https://discord.gg/certstation

ISC2 CAP CBK, Paul J. Howard
This CBK is out of date. Based on NIST 800-37 Rev. 1, this CBK is due for a new edition.
https://a.co/d/bwLC2kU

Quizlet (Knowledge Verification)
Practice tests to help with the application of study guide material.
https://quizlet.com/518626055/isc2-cap-practice-test-questions-201-230-flash-cards/?funnelUUID=d86788a6-c696-4874-aec1-4503ae56f6c2

Udemy (Knowledge Verification)
Practice tests to help with the application of study guide material.
https://www.udemy.com/course/cap-practice-exam-based-on-nist-sp-800-37-rev-2-experience-j/learn/quiz/5102362/test#overview

FITSI Federal Body of Knowledge Guide (Tying it all together)
An Overview of the Federal Body of Knowledge (FBK) for the Federal IT Security Professional (FITSP) Certification Program.
https://www.fitsi.org/documents/FITSI%20Federal%20Body%20of%20Knowledge%20Guide.pdf

YouTube Tutorials: ARECyber LLC @ CyberassureHuntsville - Video Series on RMF
• NIST RMF Roles & Responsibilities: https://www.youtube.com/watch?v=SBrBmSfUz2Y
• NIST RMF Risk Analysis Process: https://www.youtube.com/watch?v=fX3L2N_T4Sc
• NIST RMF Step 1 Categorize: https://www.youtube.com/watch?v=8QCHsNHHOTg
• NIST RMF Step 2 Select: https://www.youtube.com/watch?v=OjqnpxHpUbE
• NIST RMF Step 3 Implement: https://www.youtube.com/watch?v=GQf7VryPJa0
• NIST RMF Step 4 Assess: https://www.youtube.com/watch?v=twyl8RaoTtQ
• NIST RMF Step 5 Authorize: https://www.youtube.com/watch?v=xuJtp0N7feg
• NIST RMF Step 6 Monitor: https://www.youtube.com/watch?v=0htc0gUp1kA
Appendix C - Glossary
Adequate Security Security protections commensurate with the risk resulting from the unauthorized
access, use, disclosure, disruption, modification or destruction of the information. This includes
ensuring that information hosted on behalf of an agency and information systems and applications
used by the agency operate effectively and provide confidentiality, integrity and availability
protection through the application of cost-effective security controls.
Allocation The process an organization employs to assign security or privacy requirements to a system or its environment of operation; or to assign controls to specific system elements responsible for providing a security or privacy capability (e.g. router, server, remote sensor).
Assessor The individual, group or organization responsible for conducting a security or privacy
assessment.
Asset System and subsystem components that must be protected, including but not limited to: all
hardware, software, data, personnel, supporting physical environment and environmental systems,
administrative support and supplies.
Authorizing Official (AO) A senior federal official or executive with the authority to authorize (i.e., assume responsibility for) the operation of an information system or the use of a designated set of common controls at an acceptable level of risk to agency operations (including mission, functions, image or reputation), agency assets, individuals, other organizations and the nation.
Authorizing Official Designated Representative (AO DR) An organizational official acting on behalf of
an authorizing official in carrying out and coordinating the required activities associated with the
authorization process.
Authorization Package The essential information that an authorizing official uses to determine
whether to authorize the operation of an information system or the provision of a designated set of
common controls. At a minimum, the authorization package includes an executive summary, system
security plan, privacy plan, security control assessment, privacy control assessment as well as any
relevant plans of action and milestones.
Authorization to Operate (ATO) The official management decision given by one or more senior
federal officials to authorize operation of an information system and to explicitly accept the risk to
agency operations (including mission, functions, image, or reputation), agency assets, individuals,
other organizations and the nation, based on the implementation of an agreed-upon set of security
and privacy controls. Authorization also applies to common controls inherited by agency information
systems.
Change Control Process for controlling modifications to hardware, firmware, software and
documentation to protect the information system against improper modifications before, during and
after system implementation.
Chief Information Officer (CIO) The senior official that provides advice and other assistance to the
head of the agency and other senior management personnel of the agency to ensure that IT is
acquired and information resources are managed for the agency in a manner that achieves the
agency's strategic goals and is responsible for ensuring agency compliance with, and prompt,
efficient and effective implementation of, the information policies and information resources
management responsibilities, including the reduction of information collection burdens on the
public.
Chief Information Security Officer (CISO) See Senior Agency Information Security Officer
Clear A method of sanitization by applying logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques using the same interface available to the user; typically applied through the standard read and write commands to the storage device, such as by re-writing with a new value or using a menu option to reset the device to the factory state (where re-writing is not supported).
Common Control (CC) A security or privacy control that is inherited by multiple information systems
or programs.
Common Control Provider (CCP) An organizational official responsible for the development,
implementation, assessment and monitoring of common controls (i.e., controls inheritable by
organizational systems).
Common Criteria Governing document that provides a comprehensive, rigorous method for
specifying security function and assurance requirements for products and systems.
Configuration The possible conditions, parameters and specifications with which an information
system or system component can be described or arranged.
Configuration Control Process for controlling modifications to hardware, firmware, software and
documentation to protect the information system against improper modifications before, during and
after system implementation.
Configuration Control Board A group of qualified people with responsibility for the process of
regulating and approving changes to hardware, firmware, software, and documentation throughout
the development and operational lifecycle of an information system.
Configuration Settings The set of parameters that can be changed in hardware, software or firmware
that affect the security posture and/or functionality of the system.
Control Assessor The individual, group or organization responsible for conducting a control
assessment. See assessor.
Destroy A method of sanitization that renders target data recovery infeasible using state-of-the-art
laboratory techniques and results in the subsequent inability to use the media for storage of data.
Disposal A release outcome following the decision that media does not contain sensitive data. This
occurs either because the media never contained sensitive data or because sanitization techniques
were applied, and the media no longer contains sensitive data.
Enterprise An organization with a defined mission / goal and a defined boundary, using systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, human resources, financial management, security, as well as systems, information and mission management. See organization.
Enterprise Architecture A strategic information asset base, which defines the mission; the information necessary to perform the mission; the technologies necessary to perform the mission; and the transitional processes for implementing new technologies in response to changing mission needs; and includes a baseline architecture; a target architecture; and a sequencing plan.
Federal Information Security Management Act (FISMA) A United States federal law that establishes a framework for managing information security and risk within federal government agencies. It requires federal agencies to develop and implement comprehensive security programs, conduct regular risk assessments, and provide oversight to ensure the confidentiality, integrity, and availability of information systems and data.
Hardware The material physical components of a system. See software and firmware.
High-Impact System A system in which at least one security objective (i.e., confidentiality, integrity
or availability) is assigned a FIPS publication 199 potential impact value of high.
High Value Assets Resources or components within an organization that possess significant importance, worth, or criticality. These assets are typically valuable to the organization's operations, objectives, or mission, and their compromise, loss, or unauthorized access could result in severe consequences.
High Water Mark For an information system, the potential impact values assigned to the respective
security objectives (confidentiality, integrity, availability) shall be the highest values (i.e., high water
mark) from among those security categories that have been determined for each type of information
resident on the information system.
Hybrid Control A security or privacy control that is implemented for an information system in part as
a common control and in part as a system-specific control.
Impact With respect to security, the effect on organizational operations, organizational assets, individuals, other organizations or the nation (including the national security interests of the United States) of a loss of confidentiality, integrity or availability of information or a system. With respect to privacy, the adverse effects that individuals could experience when an information system processes their PII.
Impact Value The assessed worst-case potential impact that could result from a compromise of the
confidentiality, integrity, or availability of information expressed as a value of low, moderate or high.
Independent Verification and Validation A comprehensive review, analysis and testing (software
and/or hardware) performed by an objective third party to confirm (i.e., verify) that the
requirements are correctly defined, and to confirm (i.e., validate) that the system correctly
implements the required functionality and security requirements.
Information Life Cycle The stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage and disposition, to include destruction and deletion. "Life cycle" typically appears as two words in NIST publications, but as one word in ISO standards.
Information Owner (IO) Official with statutory or operational authority for specified information and
responsibility for establishing the controls for its generation, collection, processing, dissemination
and disposal.
Information Security The protection of information systems from unauthorized access, use,
disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and
availability.
Information Security Architecture An embedded integral part of the enterprise architecture that
describes the structure and behavior of the enterprise security processes, security systems,
personnel and organizational subunits, showing their alignment with the enterprise's mission and
strategic plans. See security architecture.
Information System Owner (ISO) The organizational official responsible for the development,
implementation, assessment and monitoring of security controls in an information system.
Information Systems Security Officer (ISSO) Responsible for the security of an information system, managing all security aspects of the system and assembling the security accreditation package while serving as the point of contact for the Security Control Assessor (SCA).
Information Security Risk The risk to organizational operations (including mission, functions, image,
reputation), organizational assets, individuals, other organizations and the nation due to the
potential for unauthorized access, use, disclosure, disruption, modification or destruction of
information and/or systems.
Information Steward An agency official with statutory or operational authority for specified
information and responsibility for establishing the controls for its generation, collection, processing,
dissemination and disposal.
Information System A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.
Information Type A specific category of information (e.g., privacy, medical, proprietary, financial,
investigative, contractor-sensitive, security management) defined by an organization or in some
instances, by a specific law, executive order, directive, policy or regulation.
Inheritance A situation in which a system or application receives protection from controls (or
portions of controls) that are developed, implemented, assessed, authorized and monitored by
entities other than those responsible for the system or application; entities either internal or external
to the organization where the system or application resides. NIST refers to this term as "Control
Inheritance." See: Common Control
Integrity Guarding against improper information modification or destruction and includes ensuring
information non-repudiation and authenticity.
Likelihood Value The assessed worst-case potential impact that could result from a compromise of
the confidentiality, integrity, or availability of information expressed as a value of low, medium or
high.
Low-Impact System A system in which all three security objectives (i.e., confidentiality, integrity and availability) are assigned a FIPS Publication 199 potential impact value of low.
Moderate-Impact System A system in which at least one security objective (i.e., confidentiality,
integrity or availability) is assigned a FIPS publication 199 potential impact value of moderate.
National Security System Any system (including any telecommunications system) used or operated
by an agency or by a contractor of an agency, or other organization on behalf of an agency - (i) the
function, operation or use of which involves intelligence activities related to national security;
involves command and control of military forces; involves equipment that is an integral part of a
weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions
(excluding a system that is to be used for routine administrative and business applications, for
example: payroll, finance, logistics and personnel management applications); or (ii) is protected at all
times by procedures established for information that have been specifically authorized under criteria
established by an Executive Order or an Act of Congress to be kept classified in the interest of
national defense or foreign policy.
Organization An entity of any size, complexity, or positioning within an organizational structure (e.g.,
federal agencies, private enterprises, academic institutions, state, local, or tribal governments or, as
appropriate, any of their operational elements).
Organization Defined Control Parameter The variable part of a control or control enhancement that
can be instantiated by an organization during the tailoring process by either assigning an
organization defined value or selecting a value from a pre-defined list provided as part of the control
or control enhancement.
Personally Identifiable Information (PII) Information that can be used to distinguish or trace an
individual's identity, either alone or when combined with other information that is linked or linkable
to a specific individual.
Plan of Action and Milestones (POAM) A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones.
Potential Impact The loss of confidentiality, integrity or availability could be expected to have a
limited adverse effect (FIPS Publication 199 low); a serious adverse effect (FIPS Publication 199
Moderate); or a severe or catastrophic adverse effect (FIPS Publication 199 High) on organizational
operations, organizational assets or individuals.
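A worked FIPS 199 categorization, added here as an example and not taken from the guide: it applies the High Water Mark rule across the information types a system processes, then maps the result to the Low-, Moderate- and High-Impact System definitions above. The payroll system and its information types are constructed sample data, and the helper names are this example's own.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() yields the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

    @classmethod
    def parse(cls, text: str) -> "Impact":
        """Accept 'low' / 'Moderate' / 'HIGH' as written on a categorization worksheet."""
        try:
            return cls[text.strip().upper()]
        except KeyError:
            raise ValueError(f"unknown impact value: {text!r}") from None


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type resident on the system with its provisional C/I/A impact values."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def security_category(info_types):
    """High water mark: for each objective, take the highest value across all information types."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max(getattr(t, obj) for t in info_types) for obj in OBJECTIVES}


def system_impact_level(category):
    """Overall impact level per the glossary: HIGH if any objective is high,
    MODERATE if any is moderate and none high, LOW only when all three are low."""
    return max(category[obj] for obj in OBJECTIVES)


def format_category(category):
    """Render in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def categorize(info_types):
    """Return (security category, overall impact level) for a system."""
    category = security_category(info_types)
    return category, system_impact_level(category)


# Constructed sample input: a hypothetical payroll system and the information types it processes.
SAMPLE_SYSTEM = [
    InformationType("Employee PII", Impact.parse("moderate"), Impact.parse("moderate"), Impact.parse("low")),
    InformationType("Public web content", Impact.parse("low"), Impact.parse("moderate"), Impact.parse("low")),
    InformationType("Payment instructions", Impact.parse("moderate"), Impact.parse("high"), Impact.parse("moderate")),
]


if __name__ == "__main__":
    category, level = categorize(SAMPLE_SYSTEM)
    print(format_category(category))
    # Expected: SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}
    # A single HIGH on integrity makes this a HIGH-impact system, so the high baseline applies.
    print(f"{level.name}-impact system")
```

Note that one high-impact information type drives the whole system to the high baseline, which is why categorization worksheets should record the justification for each information type's values rather than only the final category.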
Privacy Architect Individual, group or organization responsible for ensuring that the system privacy
requirements necessary to protect individuals' privacy are adequately addressed in all aspects of
enterprise architecture including reference models, segment and solution architectures, and
information systems processing PII.
Privacy Architecture An embedded, integral part of the enterprise architecture that describes the
structure and behavior for an enterprise's privacy protection processes, technical measures,
personnel and organizational sub-units, showing their alignment with the enterprise's mission and
strategic plans.
Privacy Control The administrative, technical, and physical safeguards employed within an agency to
ensure compliance with applicable privacy requirements and manage privacy risks. Note: Controls
can be selected to achieve multiple objectives; those controls that are selected to achieve both
security and privacy objectives require a degree of collaboration between the organization's
information security program and privacy program.
Privacy Control Assessment The assessment of privacy controls to determine whether the controls
are implemented correctly, operating as intended, and sufficient to ensure compliance with
applicable privacy requirements and manage privacy risks. A privacy control assessment is both an
assessment and a formal document detailing the process and the outcome of the assessment.
Privacy Plan A formal document that details the privacy controls selected for an information system
or environment of operation that are in place or planned, to meet applicable privacy requirements
and manage privacy risks, details how the controls have been implemented, and describes the
methodologies and metrics that will be used to assess the controls.
Program Management Controls A set of processes, policies, and procedures that are implemented to effectively plan, execute, and monitor a program. These controls help ensure that the program is managed in a structured and organized manner, adhering to defined objectives, timelines, budgets, and quality standards. They encompass various aspects such as governance, risk management, stakeholder engagement, performance measurement, resource allocation, and communication.
Purge A method of sanitization by applying physical or logical techniques that renders target data
recovery infeasible using state-of-the-art laboratory techniques.
Risk A measure of the extent to which an entity is threatened by a potential circumstance or event
and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the
circumstance or event occurs; and (ii) the likelihood of occurrence.
Risk Assessment The process of identifying risks to organizational operations (including mission,
functions, image, reputation), organizational assets, individuals, other organizations and the nation,
resulting from the operation of a system.
Risk Executive (Function) An individual or group within an organization, led by the senior
accountable official for risk management, that helps to ensure that security risk considerations for
individual systems, to include the authorization decisions for those systems, are viewed from an
organization-wide perspective with regard to the overall strategic goals and objectives of the
organization in carrying out its missions and business functions; and managing risk from individual
systems is consistent across the organization, reflects organizational risk tolerance and is considered
along with other organizational risks affecting mission/business success.
Risk Management The program and supporting processes to manage risk to agency operations
(including mission, functions, image, reputation), agency assets, individuals, other organizations and
the nation, and includes: establishing the context for risk-related activities; assessing risk; responding
to risk once determined; and monitoring risk over time.
Risk Response Accepting, avoiding, mitigating, sharing or transferring risk to agency operations,
agency assets, individuals, other organizations or the nation.
Sanitize A process to render access to target data on the media infeasible for a given level of effort.
Clear, purge and destroy are actions that can be taken to sanitize media.
Security Architect Individual, group or organization responsible for ensuring that the information
security requirements necessary to protect the organization's core missions and business processes
are adequately addressed in all aspects of enterprise architecture including reference models,
segment and solution architectures, and the resulting information systems supporting those missions
and business processes.
Security Architecture An embedded, integral part of the enterprise architecture that describes the
structure and behavior for an enterprise's security processes, information security systems,
personnel and organizational sub-units, showing their alignment with the enterprise's mission and
strategic plans. See information security architecture.
Security Categorization The process of determining the security category for information or a
system. Security categorization methodologies are described in CNSS Instruction 1253 for national
security systems and in FIPS Publication 199 for other than national security systems. See: security
category
Security Controls The management, operational and technical controls (i.e., safeguards or
countermeasures) prescribed for an information system to protect the confidentiality, integrity and
availability of the system and its information.
Security Control Baseline The set of minimum security controls defined for a low-impact, moderate-
impact or high-impact information system. See Also: Control Baseline
Security Control Assessment The testing or evaluation of security controls to determine the extent
to which the controls are implemented correctly, operating as intended and producing the desired
outcome with respect to meeting the security requirements for an information system or
organization.
Security Impact Analysis The analysis conducted by an organizational official to determine the extent
to which a change to the information system has affected the security state of the system.
Security Plan A formal document that provides an overview of the security requirements for an
information system and describes the security controls in place or planned for meeting those
requirements.
Security Posture The security status of an enterprise's networks, information and systems based on
information security resources (e.g., people, hardware, software, policies) and capabilities in place to
manage the defense of the enterprise and to react as the situation changes. Synonymous with
security status.
Security Risk Risk that arises through the loss of confidentiality, integrity, or availability of
information or systems, and that considers impacts to the organization (including assets, mission,
functions, image or reputation), individuals, other organizations and the nation. See: Risk.
Senior Accountable Official for Risk Management (SAORM) The senior official, designated by the
head of each agency, who has vision into all areas of the organization, and is responsible for
alignment of information security management processes with strategic, operational and budgetary
planning processes.
Senior Agency Information Security Officer (SAISO) Official responsible for carrying out the Chief
Information Officer responsibilities under FISMA and serving as the Chief Information Officer's
primary liaison to the agency's authorizing officials and information system security officers.
Senior Agency Official for Privacy (SAOP) The senior official, designated by the head of each agency,
who has agency-wide responsibility for privacy, including implementation of privacy protections;
compliance with federal laws, regulations and policies relating to privacy; management of privacy
risks at the agency; and a central policymaking role in the agency's development and evaluation of
legislative, regulatory and other policy proposals.
Software Computer Programs and associated data that may be dynamically written or modified
during execution.
Supply Chain Linked set of resources and processes between multiple tiers of developers that begins
with the sourcing of products and services and extends through the design, development,
manufacturing, processing, handling and delivery of products and services to the acquirer.
Supply Chain Risk Risks that arise from the loss of confidentiality, integrity or availability of
information or information systems, and reflect the potential adverse impacts to organizational
operations (including mission, functions, image or reputation), organizational assets, individuals,
other organizations and the nation.
System Any organized assembly of resources and procedures united and regulated by interaction or
interdependence to accomplish a set of specific functions. See information system. Note: Systems
also include specialized systems such as industrial/process controls systems, telephone switching and
private branch exchange (PBX) systems, and environmental control systems. Combination of
interacting elements organized to achieve one or more stated purposes. Note 1: There are many
types of systems. Examples include: general and special-purpose information systems; command,
control and communication systems; crypto modules; central processing unit and graphics processor
boards; industrial/process control systems; flight control systems; weapons, targeting and fire
control systems; medical devices and treatment systems; financial, banking and merchandising
transaction systems; and social networking systems. Note 2: The interacting elements in the
definition of system include hardware, software, data, humans, processes, facilities, materials and
naturally occurring physical entities. Note 3: System of systems is included in the definition of
system.
System Component A discrete identifiable information technology asset that represents a building
block of a system and may include hardware, software and firmware.
System Development Life Cycle (SDLC) The scope of activities associated with a system,
encompassing the system's initiation, development and acquisition, implementation, operation and
maintenance and ultimately its disposal that instigates another system initiation.
System Element Member of a set of elements that constitute a system. Note 1: A system element
can be a discrete component, product, service, subsystem, system, infrastructure or enterprise. Note
2: Each element of the system is implemented to fulfill specified requirements. Note 3: The recursive
nature of the term allows the term system to apply equally when referring to a discrete component
or to a large, complex, geographically distributed system-of-systems. Note 4: System elements are
implemented by: hardware, software and firmware that perform operations on data/information;
physical structures, devices and components in the environment of operation; and the people,
processes and procedures for operating, sustaining and supporting the system elements. Note 5:
System elements and information resources (as defined at 44 U.S.C. Sec. 3502 and in this document)
are interchangeable terms as used in this document.
System Privacy Officer Individual with assigned responsibility for maintaining the appropriate
operational privacy posture for a system or program.
System Security Officer Individual with assigned responsibility for maintaining the appropriate
operational security posture for an information system or program.
System Security Plan Principally used to verify that Information Systems (ISs) are meeting their stated
security goals and objectives.
System User Individual, or (system) process acting on behalf of an individual, authorized to access a
system.
System Privacy Engineer Individual assigned responsibility for conducting systems privacy
engineering activities.
Systems Security Engineer Individual assigned responsibility for conducting systems security
engineering activities.
Systems Security or Privacy Engineer See Systems Security Engineer and Systems Privacy Engineer
Tailored Control Baseline A set of controls resulting from the application of tailoring guidance to a
control baseline. See: Tailoring
Tailoring The process by which security control baselines are modified by identifying and designating
common controls, applying scoping considerations, selecting compensating controls, assigning
specific values to agency-defined control parameters, supplementing baselines with additional
controls or control enhancements and providing additional specification information for control
implementation. The tailoring process may also be applied to privacy controls.
Threat Any circumstance or event with the potential to adversely impact organizational operations,
organizational assets, individuals, other organizations or the nation through a system via
unauthorized access, destruction, disclosure, modification of information and/or denial of service.
Threat Source The intent and method targeted at the intentional exploitation of a vulnerability or a
situation and method that may accidentally trigger a vulnerability.
To that end, running through as many practice exams as possible is a necessary component of studying for this
exam. I’ve developed a methodology over the years that seems to work for me in preparing for the numerous
certifications that I hold.
1) With 125 questions on the actual exam, you should review and regularly pass any practice exams with a score
of 85% or higher. In the certification exam, once you answer a question, you will not be permitted to go back
and review any questions. Once you submit an answer, the submission is final.
2) Many practice exams come in test batches of 50 questions, with a granddaddy test of 125 questions. Focus
on the 50-question batches first and carefully review your answers. What I do, immediately after taking a
practice exam (found on Quizlet, Udemy or any number of other study resource sites), is open up a blank Word
document and write the entire question and the correct answer ONLY. I’ll write these questions several times
over the course of a few weeks ahead of the certification exam.
3) With four possible multiple-choice answers, work to quickly identify the incorrect ones so that you can work to
select the correct answer. By and large, I’ve found the answers to be formatted like this:
A) Most Correct
B) Partially Correct
C) Partially Incorrect
D) Most Incorrect
If you can quickly eliminate possible answers, it will allow you to deconstruct the correct answers and determine
which answer is more correct than the other.
4) Try to do one block of test questions at least 5 nights of the week in the three weeks leading up to the
certification exam. Review the one page “At A Glance” study guide several times a day.
5) Finally, like most other locations will tell you, relax and take your time reading each question. Think about the
RMF, remember key phrases like “HIGH WATER MARK” and make sure you memorize your phases of the RMF
and SDLC.
RMF Phases (# of Steps): P Prepare 18 (7-11); C Categorize 3; S Select 6; I Implement 2; A Assess 6; A Authorize 5; M Monitor 7
SDLC (IDIOD): I Initiation; D/A Development / Acquisition; I/A Implementation / Assessment; O/M Operations / Maintenance; D Disposal (Waterfall Model). *NIST 800-64 - deprecated
Assessment Objects (A.I.M.S.): Activity; Individual; Mechanism; Specification
Assessment Methods (T.I.E.): Test; Interview; Examine. Attributes: Depth-Rigor; Coverage-Scope. Findings: Satisfied; Other Than Satisfied
Control Classes (T.O.M.) / Control Families: Technical (4); Operational (9); Management (4)
Control Types: Common; Compensating; Tailored; Hybrid
FARM (Risk): Frame Risk; Assessing Risk; Responding to Risk; Monitoring Risk
Risk Assessments (PARM): Prepare for Assessment; Conduct Assessment; Communicate Results; Maintain Assessment
Authorizations: Authorization To Operate (ATO); Common Control; Authorization to Use (3rd Party); Denial; Rescission (Revocation)
Authorization Types: Traditional - Single Authorizing Official; Joint - Multiple Authorizing Officials; Facility - FedRAMP Moderate/High
RMF -> SDLC Mapping
P8-P18, C1-C3, S3 -> Initiation
S1-S6 (except S3) -> Development/Acquisition
I1-I2, A1-A6 -> Development/Acquisition
R1-R5 -> Implementation/Assessment
M1-M6 -> Operations/Maintenance
M7 -> Disposal (Existing Only)
Existing Systems - All Operations/Maintenance except M7 -> Disposal
P7 Continuous Monitoring Strategy - Organization
  Description: Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.
  Primary Roles: SAORM, Risk Executive (Function)
  Potential Inputs: Risk management strategy; organization- and system-level risk assessment results; organizational security and privacy policies.
  Expected Outputs: An implemented organizational continuous monitoring strategy.
  SDLC: N/A

Prepare - System Level
P8 Mission or Business Focus
  Description: Identify the missions, business functions, and mission/business processes that the system is intended to support.
  Primary Roles: Mission or Business Owner
  Potential Inputs: Organizational mission statement; organizational policies; mission/business process information; system stakeholder information; Cybersecurity Framework Profiles; requests for proposal or other acquisition documents; concept of operations.
  Expected Outputs: Missions, business functions, and mission/business processes that the system will support.
  SDLC: Initiation (concept / requirements definition)
P9 System Stakeholders
  Description: Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system.
  Primary Roles: Mission or Business Owner, System Owner
  Potential Inputs: Organizational mission statement; mission or business objectives; missions, business functions, and mission/business processes that the system will support; other mission/business process information; organizational security and privacy policies and procedures; organizational charts; information about individuals or groups (internal and external) that have an interest in and decision-making responsibility for the system.
  Expected Outputs: List of system stakeholders.
  SDLC: Initiation (concept / requirements definition)
P10 Asset Identification
  Primary Roles: System Owner
  Potential Inputs: Missions, business functions, and mission/business processes the information system will support; business impact analyses; internal stakeholders; system stakeholder information; system information; information about other systems that interact with the system.
  Expected Outputs: Set of assets to be protected.
  SDLC: Initiation (concept / requirements definition)
PREPARE
Prepare - System Level (continued)
P11 Authorization Boundary
  Description: Determine the authorization boundary of the system.
  Primary Roles: Authorizing Official
  Potential Inputs: System design documentation; network diagrams; system stakeholder information; asset information; network and/or enterprise architecture diagrams; organizational structure (charts, information).
  Expected Outputs: Documented authorization boundary.
  SDLC: Initiation (concept / requirements definition)
P12 Information Types
  Description: Identify the types of information to be processed, stored, and transmitted by the system.
  Primary Roles: System Owner, Information Owner or Steward
  Potential Inputs: System design documentation; assets to be protected; mission/business process information; system design documentation.
  Expected Outputs: A list of information types for the system.
  SDLC: Initiation (concept / requirements definition)
P13 Information Life Cycle
  Description: Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system.
  Primary Roles: SAOP, System Owner, Information Owner or Steward
  Potential Inputs: Missions, business functions, and mission/business processes the system will support; system stakeholder information; authorization boundary information; information about other systems that interact with the system (e.g., information exchange/connection agreements); system design documentation; system element information; list of system information types.
  Expected Outputs: Documentation of the stages through which information passes in the system, such as a data map or model illustrating how information is structured or is processed by the system throughout its life cycle. Such documentation includes, for example, data flow diagrams, entity relationship diagrams, database schemas, and data dictionaries.
  SDLC: Initiation (concept / requirements definition)
P14 Risk Assessment - System
  Description: Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis.
  Primary Roles: System Owner, System Security Officer, System Privacy Officer
  Potential Inputs: Assets to be protected; missions, business functions, and mission/business processes the system will support; business impact analyses or criticality analyses; system stakeholder information; information about other systems that interact with the system; provider information; threat information; data map; system design documentation; Cybersecurity Framework Profiles; risk management strategy; organization-level risk assessment results.
  Expected Outputs: Security and privacy risk assessment reports.
  SDLC: Initiation (concept / requirements definition)
P15 Requirements Definition
  Description: Define the security and privacy requirements for the system and the environment of operation.
  Primary Roles: Mission or Business Owner, System Owner, Information Owner or Steward, System Privacy Officer
  Potential Inputs: System design documentation; organization- and system-level risk assessment results; known set of stakeholder assets to be protected; missions, business functions, and mission/business processes the system will support; business impact analyses or criticality analyses; system stakeholder information; data map of the information life cycle for PII; Cybersecurity Framework Profiles; information about other systems that interact with the system; supply chain information; threat information; laws, executive orders, directives, regulations, or policies that apply to the system; risk management strategy.
  Expected Outputs: Documented security and privacy requirements.
  SDLC: Initiation (concept / requirements definition)
P16 Enterprise Architecture
  Description: Determine the placement of the system within the enterprise architecture.
  Primary Roles: Mission or Business Owner, Enterprise Architect, Security Architect, Privacy Architect
  Potential Inputs: Security and privacy requirements; organization- and system-level risk assessment results; enterprise architecture information; security architecture information; privacy architecture information; asset information.
  Expected Outputs: Updated enterprise architecture; updated security architecture; updated privacy architecture; plans to use cloud-based systems and shared systems, services, or applications.
  SDLC: Initiation (concept / requirements definition)
P17 Requirements Allocation
  Description: Allocate security and privacy requirements to the system and to the environment of operation.
  Primary Roles: Security Architect, Privacy Architect, System Security Officer, System Privacy Officer
  Potential Inputs: Organization- and system-level risk assessment results; documented security and privacy requirements; organization- and system-level risk assessment results; list of common control providers and common controls available for inheritance; system description; system element information; system component inventory; relevant laws, executive orders, directives, regulations, and policies.
  Expected Outputs: List of security and privacy requirements allocated to the system, system elements, and the environment of operation.
  SDLC: Initiation (concept / requirements definition)
P18 System Registration
  Description: Register the system with organizational program or management offices.
  Primary Roles: System Owner
  Potential Inputs: Organizational policy on system registration; system information.
  Expected Outputs: Registered system in accordance with organizational policy.
  SDLC: Initiation (concept / requirements definition)
*SDLC - only new systems are shown. Existing systems are all Operations/Maintenance in every task of the RMF. The SDLC does not apply to P1-P7, organizational level tasks.
CATEGORIZE
The purpose of the Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.
C1 System Description
  Description: Document the characteristics of the system.
  Primary Roles: System Owner
  Potential Inputs: System design and requirements documentation; authorization boundary information; list of security and privacy requirements allocated to the system, system elements, and the environment of operation; physical or other processes controlled by system elements; system element information; system component inventory; system element supply chain information, including inventory and supplier information; security categorization; data map of the information life cycle for information types processed, stored, and transmitted by the system; information on system use, users, and roles.
  Expected Outputs: Documented system description.
  SDLC: Initiation (concept / requirements definition)
C2 Security Categorization
  Description: Categorize the system and document the security categorization results.
  Primary Roles: System Owner, Information Owner or Steward
  Potential Inputs: Risk management strategy; organizational risk tolerance; authorization boundary (i.e., system) information; organization- and system-level risk assessment results; information types processed, stored, or transmitted by the system; list of security and privacy requirements allocated to the system, system elements, and environment of operation; organizational authority or purpose for operating the system; business impact analyses or criticality analyses; information about missions, business functions, and mission/business processes supported by the system.
  Expected Outputs: Impact levels determined for each information type and for each security objective (confidentiality, integrity, availability); security categorization based on high-water mark of information type impact levels.
  SDLC: Initiation (concept / requirements definition)
C3 Security Categorization Review and Approval
  Description: Review and approve the security categorization results and decision.
  Primary Roles: Authorizing Official, AODR, SAOP
  Potential Inputs: Impact levels determined for each information type and for each security objective (confidentiality, integrity, availability); security categorization based on high-water mark of information type impact levels; list of high value assets for the organization.
  Expected Outputs: Approval of security categorization for the system.
  SDLC: Initiation (concept / requirements definition)
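The high-water mark roll-up that C2 produces and C3 reviews, worked through as an added Python example (not code from the guide or from NIST): each information type carries a provisional FIPS 199 impact level per security objective, the system's level for each objective is the highest level among its information types (floored at LOW, since FIPS 199 allows N/A only for the confidentiality of an individual information type, never for a system), and the overall system impact is the highest of the three objectives. The information types and their levels are constructed sample data.

```python
"""Security categorization by high-water mark, illustrating RMF task C2."""
from dataclasses import dataclass
from typing import Dict, Iterable

# FIPS 199 impact levels in ascending order. "N/A" may be assigned only to the
# confidentiality objective of an individual information type (e.g. public data).
LEVEL_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
RANK_LEVEL = {rank: level for level, rank in LEVEL_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type with its provisional impact levels (constructed input)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        return getattr(self, objective)


def validate(info_type: InformationType) -> None:
    """Reject unknown levels and N/A on any objective other than confidentiality."""
    for objective in OBJECTIVES:
        level = info_type.level(objective)
        if level not in LEVEL_RANK:
            raise ValueError(f"{info_type.name}: unknown impact level {level!r}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{info_type.name}: N/A is only allowed for confidentiality")


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level among the given levels."""
    return RANK_LEVEL[max(LEVEL_RANK[level] for level in levels)]


def categorize_system(info_types: Iterable[InformationType]) -> Dict[str, str]:
    """Per-objective high-water mark across all information types of the system.

    A system objective can never be N/A, so the result floors at LOW.
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for info_type in info_types:
        validate(info_type)
    category = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(t.level(objective) for t in info_types)
        category[objective] = "LOW" if hwm == "N/A" else hwm
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """Overall system impact level: high-water mark across the three objectives."""
    return high_water_mark(category[objective] for objective in OBJECTIVES)


def format_security_category(system_name: str, category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation, e.g. SC name = {(confidentiality, LOW), ...}."""
    inner = ", ".join(f"({objective}, {category[objective]})" for objective in OBJECTIVES)
    return f"SC {system_name} = {{{inner}}}"


# Constructed example: three information types on one hypothetical system.
SAMPLE_TYPES = (
    InformationType("public web content", "N/A", "LOW", "LOW"),
    InformationType("payroll records", "MODERATE", "MODERATE", "LOW"),
    InformationType("dispatch messages", "LOW", "HIGH", "HIGH"),
)

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_TYPES)
    print(format_security_category("dispatch system", cat))
    print("Overall impact level:", overall_impact(cat))
```

Note that the payroll type alone would make the system MODERATE, but one HIGH information type for integrity or availability raises the whole system to HIGH; that is the "high water mark" effect the study tips tell you to remember.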
SELECT
The purpose of the Select step is to select, tailor, and document the controls necessary to protect the information system and organization commensurate with risk to organizational operations and assets, individuals, other organizations, and the Nation.
S1 Control Selection
  Description: Select the controls for the system and the environment of operation.
  Primary Roles: System Owner, Common Control Provider
  Potential Inputs: Security categorization; organization- and system-level risk assessment results; system element information; system component inventory; list of security and privacy requirements allocated to the system, system elements, and environment of operation; list of contractual requirements allocated to external providers of the system or system element; business impact analysis or criticality analysis; risk management strategy; organizational security and privacy policy; federal or organization-approved or mandated baselines or overlays; Cybersecurity Framework Profiles.
  Expected Outputs: Controls selected for the system and the environment of operation.
  SDLC: Development / Acquisition
S2 Control Tailoring
  Description: Tailor the controls selected for the system and the environment of operation.
  Primary Roles: System Owner, Common Control Provider
  Potential Inputs: Initial control baselines; organization- and system-level risk assessment results; system element information; system component inventory; list of security and privacy requirements allocated to the system, system elements, and environment of operation; business impact analysis or criticality analysis; risk management strategy; organizational security and privacy policies; federal or organization-approved or mandated overlays.
  Expected Outputs: List of tailored controls for the system and environment of operation (i.e., tailored control baselines).
  SDLC: Development / Acquisition
S3 Control Allocation
  Description: Allocate security and privacy controls to the system and to the environment of operation.
  Primary Roles: Security Architect, Privacy Architect, System Security Officer, System Privacy Officer
  Potential Inputs: Security categorization; organization- and system-level risk assessment results; organizational policy on system registration; enterprise architecture; security and privacy architectures; security and privacy requirements; list of security and privacy requirements allocated to the system, system elements, and the environment of operation; list of common control providers and common controls available for inheritance; system description; system element information; system component inventory; relevant laws, executive orders, directives, regulations, and policies.
  Expected Outputs: List of security and privacy controls allocated to the system, system elements, and the environment of operation.
  SDLC: Development / Acquisition
S4 Documentation of Planned Control Implementations
  Description: Document the controls for the system and environment of operation in security and privacy plans.
  Primary Roles: System Owner, Common Control Provider
  Potential Inputs: Security categorization; organization- and system-level risk assessment results (security, privacy, and/or supply chain); system element information; system component inventory; business impact or criticality analysis; list of security and privacy requirements allocated to the system, system elements, and environment of operation; risk management strategy; list of selected controls for the system and environment of operation; organizational
  Expected Outputs: Security and privacy plans for the system.
  SDLC: Development / Acquisition
R5 Authorization Reporting
  Description: Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk.
  Primary Roles: Authorizing Official, AODR
  Potential Inputs: Authorization decision.
  Expected Outputs: A report indicating the authorization decision for a system or set of common controls; annotation of authorization status in the organizational system registry.
  SDLC: Implementation / Assessment
MONITOR
The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.
M1 System and Environment Changes
  Description: Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system.
  Primary Roles: System Owner or Common Control Provider, SAOP, SAISO
  Potential Inputs: Organizational continuous monitoring strategy; organizational configuration management policy and procedures; organizational policy and procedures for handling unauthorized system changes; security and privacy plans; configuration change requests/approvals; system design documentation; security and privacy assessment reports; plans of action and milestones; information from automated and manual monitoring tools.
  Expected Outputs: Updated security and privacy plans; updated plans of action and milestones; updated security and privacy assessment reports.
  SDLC: Operations / Maintenance
M2 Ongoing Assessments
  Description: Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy.
  Primary Roles: Control Assessor
  Potential Inputs: Organizational continuous monitoring strategy and system level continuous monitoring strategy (if applicable); security and privacy plans; security and privacy assessment plans; security and privacy assessment reports; plans of action and milestones; information from automated and manual monitoring tools; organization- and system-level risk assessment results; external assessment or audit results (if applicable).
  Expected Outputs: Updated security and privacy assessment reports.
  SDLC: Operations / Maintenance
M3 Ongoing Risk Response
  Description: Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones.
  Primary Roles: Authorizing Official, System Owner, Common Control Provider
  Potential Inputs: Security and privacy assessment reports; organization- and system-level risk assessment results; security and privacy plans; plans of action and milestones.
  Expected Outputs: Mitigation actions or risk acceptance decisions; updated security and privacy assessment reports.
  SDLC: Operations / Maintenance
M4 Authorization Package Updates
  Description: Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process.
  Primary Roles: System Owner, Common Control Provider
  Potential Inputs: Security and privacy assessment reports; organization- and system-level risk assessment results; security and privacy plans; plans of action and milestones.
  Expected Outputs: Updated security and privacy assessment reports; updated plans of action and milestones; updated risk assessment results; updated security and privacy plans.
  SDLC: Operations / Maintenance
M5 Security and Privacy Reporting
  Description: Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the
  Primary Roles: System Security Officer, System Privacy Officer
  Potential Inputs: Security and privacy assessment reports; plans of action and milestones; organization- and system-level risk assessment results; organization- and system-level continuous monitoring strategy; security and privacy plans; Cybersecurity Framework Profile.
  Expected Outputs: Security and privacy posture reports.
  SDLC: Operations / Maintenance