Rmf Step 2
18 community-sourced questions and answers.
Risk Management Framework (RMF) is the unified information security framework for the entire federal government that is replacing the legacy DIACAP (DoD Information Assurance Certification and Accreditation Process) processes within federal government departments and agencies, the Department of Defense (DOD) and the Intelligence Community (IC).
What is RMF?
DIACAP is the certification and accreditation (C&A) process that was implemented in 2006 replacing DITSCAP. DIACAP has now been replaced by the RMF process.
What is DIACAP?
Step 1 - CATEGORIZE System
Step 2 - SELECT Security Controls
Step 3 - IMPLEMENT Security Controls
Step 4 - ASSESS Security Controls
Step 5 - AUTHORIZE System
Step 6 - MONITOR Security Controls
What are the steps in the RMF process?
DoDI 8510.01
_________________ is the high-level document dated March 2014 that sets forth policy stating that RMF is to be used by DoD.
CNSSI 1253
_________________ establishes guidelines and a method for selecting security controls for information systems and the information they contain.
NIST SP 800-37
_________________ is the guide for applying RMF to Federal Information Systems.
NIST SP 800-53
_________________ provides a security controls catalog and guidance for security control selection.
confidentiality, integrity, availability
Security controls are safeguards and countermeasures prescribed for an information system to protect the _________ , ___________ and __________ of a system and its information.
mission, business, system risks
Security controls are safeguards and countermeasures prescribed for an information system to properly manage _____________ , _______________ and ____________ risks.
reciprocity
Cybersecurity _______________ is an essential element in ensuring IT capabilities are developed and fielded rapidly and efficiently across the DoD Information Enterprise.
security roles and responsibilities
The continuous monitoring strategy defines all of the following EXCEPT:
- security status reporting requirements
- the configuration management process
- security roles and responsibilities
- how the security impact analysis will be conducted
categorize the information system
Which of the following is not included in the tasks that are part of the second step of the RMF process?
- identify common security controls
- develop a monitoring strategy
- categorize the information system
- apply appropriate overlay(s) based on the information and mission requirements
it is developed late in the system development cycle
Which of the following is not true of the monitoring strategy?
- it is ongoing
- it may be included in the security plan
- it is a critical aspect of risk management
- it is developed late in the system development cycle
select security controls
The second step in the RMF process is:
- monitor security controls
- assess security controls
- categorize the system
- select security controls
to manage roles and responsibilities
Security controls are safeguards and countermeasures prescribed for an information system to accomplish all of the following EXCEPT:
- to manage roles and responsibilities
- to properly manage mission, business and system risks
- to facilitate reciprocity
- to protect the confidentiality, integrity, and availability of the system and its information
Define the system boundary
All of the following are important to selecting security controls, EXCEPT:
- tailor security controls
- develop a monitoring strategy
- define the system boundary
- identify common controls
FALSE
The RMF Knowledge Service is not applicable to generating a set of baseline security controls. (True or False)
TRUE
Security controls have a well-defined organization and structure and are divided into eighteen families. (True or False)