DODI 8510.01 Flashcards and Quiz for RMF & DOD IT

Questions and Answers

What does DODI 8510.01, RISK MANAGEMENT FRAMEWORK (RMF) FOR DOD INFORMATION TECHNOLOGY (IT) refer to?

DODI 8510.01, RISK MANAGEMENT FRAMEWORK (RMF) FOR DOD INFORMATION TECHNOLOGY (IT)

Who oversees the implementation of DoDI 8510.01 and directs and oversees the cybersecurity risk management of DoD IT?

DoD Chief Information Officer (DoD CIO)

Who develops and provides RMF training and awareness products to support the DoD Components?

Director, Defense Information Systems Agency (DISA)

Who is responsible for coordinating with the DoD CIO for RMF processes?

Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L)) Signup and view all the answers

Who reviews operational testing plans for DoD IT acquisitions?

Director, Operational Test and Evaluation (DOT&E) Signup and view all the answers

Who ensures that IS security engineering services support the RMF?

Director, National Security Agency/Chief, Central Security Service (DIRNSA/CHCSS) Signup and view all the answers

DOD Component heads must ensure a trained and qualified AO is appointed for which systems?

All DoD IS and PIT systems Signup and view all the answers

Who is responsible for ensuring the JCIDS process supports IS and PIT system categorization?

Chairman of the Joint Chiefs of Staff (CJCS) Signup and view all the answers

Who is responsible for ensuring security evaluations are completed before incorporating systems?

Information Systems Security Manager (ISSM) Signup and view all the answers

What are product-specific DoD policies and security requirements known as?

Security Technical Implementation Guides (STIGs) Signup and view all the answers

What provides general security compliance guidelines developed by DISA?

Security Requirements Guides (SRGs) Signup and view all the answers

Which approach to cybersecurity risk management is implemented by DoD RMF governance?

Three-tiered Signup and view all the answers

Which Tier level in RMF addresses risk management at the DoD enterprise level?

Tier 1 Signup and view all the answers

Who directs and oversees the cybersecurity risk management of DoD IT?

Department of Defense Chief Information Officer (DoD CIO) Signup and view all the answers

What performs the DoD Risk Executive Function?

DoD Information Security Risk Management Committee (ISRMC) Signup and view all the answers

What is the community forum for reviewing authorization issues related to community risk?

Defense IA Security Accreditation Working Group (DSAWG) Signup and view all the answers

Who oversees the RMF TAG and the online KS?

Department of Defense Senior Information Security Officer (DoD SISO) Signup and view all the answers

What provides implementation guidance for the RMF?

Risk Management Framework Technical Advisory Group (RMF TAG) Signup and view all the answers

What supports RMF implementation and serves as an authoritative source for guidance?

Knowledge Service Signup and view all the answers

Who must monitor and track overall execution of system-level POA&Ms?

Authorizing Officials (AOs) Signup and view all the answers

Who develops and tracks security plans for IS and PIT systems?

Information System Owners (ISOs) Signup and view all the answers

PMs must ensure periodic reviews of IS and PIT systems are conducted at least how often?

Annually Signup and view all the answers

PMs must ensure T&E of IS and IT systems is planned according to which reference?

DoDI 5000.02 Signup and view all the answers

What reduces redundant testing and associated costs?

Reciprocity Signup and view all the answers

What must PMs and ISOs post security authorization documentation to?

Enterprise Mission Assurance Support Service (eMASS) Signup and view all the answers

Which reference contains DoD policy for Unified Capabilities?

DoDI 8100.04 Signup and view all the answers

What is used to deploy identical copies of an IS or PIT system?

Type authorization Signup and view all the answers

Which type of systems do not exchange information outside of the system's authorization?

Platform Information Technology (PIT) Signup and view all the answers

How many different approaches are described by NIST SP 800-37 for security authorizations?

3 Signup and view all the answers

What must all DoD IS and PIT systems have for security requirements overview?

Security Plan Signup and view all the answers

How many steps are in the RMF process?

6 steps Signup and view all the answers

What is step one of the RMF process?

Categorize system Signup and view all the answers

What is step two of the RMF process?

Select Security Controls Signup and view all the answers

What is step three of the RMF process?

Implement Security Controls Signup and view all the answers

What is step four of the RMF process?

Assess Security Controls Signup and view all the answers

What is step five of the RMF process?

Authorize System Signup and view all the answers

What is the final step of the RMF process?

Monitor Security Controls Signup and view all the answers

RMF Team members must meet suitability requirements established in which reference?

DoD 5200.2-R Signup and view all the answers

What is the authoritative source for security control descriptions and guidance?

Knowledge Service Signup and view all the answers

Which reference identifies vulnerability severity values?

NIST SP 800-30 Signup and view all the answers

Who determines a risk level for every NC security control in the system baseline?

Security Control Assessor (SCA) Signup and view all the answers

What is used to document the SCA's findings of compliance with security controls?

Security Assessment Report (SAR) Signup and view all the answers

What is used to identify tasks that need to remediate vulnerabilities?

POA&M Signup and view all the answers

IATTs should expire after completing testing within how many days?

90 Signup and view all the answers

Who continuously monitors the system for security-relevant events?