NIST RMF and Control Tailoring Quiz


16 Questions

According to the text, what is the NIST RMF?

A comprehensive approach to implementing a structured information security program

What is the main difference between the NIST RMF and the NIST Cybersecurity Framework?

The NIST RMF (SP 800-37) is a step-by-step process for categorizing, securing and authorizing systems (six steps in Revision 1; Revision 2 added a preparatory step), whereas the NIST Cybersecurity Framework is a high-level, outcome-based structure of functions and categories rather than a procedure

Who provided the NIST RMF diagram?

Aaron Lang

What is the purpose of the NIST RMF?

To implement proper controls on federal IT systems

Which step in the Risk Management Framework (RMF) involves categorizing the system and reviewing the system categorization?

Step 1: Categorize the system (in SP 800-37 Revision 2, which adds a Prepare step, categorization becomes the second step)

How often should one third of the controls be assessed in the RMF?

Every year, so that every control is assessed over the three-year authorization cycle

What document is used for system categorization in the RMF?

NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories), applying the impact levels defined in FIPS 199

How often should the controls be monitored in the RMF?

At least every year; the Monitor step is meant to be ongoing (continuous monitoring), with the assessment rotation covering a third of the controls annually

Which level (tier) of the Risk Management Framework (RMF) is typically associated with auditing?

The information system level, the lowest of the three tiers in NIST SP 800-39 (organization, mission/business process, information system)

What is Step One of the RMF process?

Categorizing the information system based on the data it contains

Which category is most commonly associated with information systems under the RMF?

Moderate

What is Step Four of the RMF process?

Assess: having the controls assessed, ideally by an independent assessor, to determine whether they are implemented correctly and operating as intended

Which document is used to look up federal information types and their corresponding provisional impact levels?

NIST SP 800-60, Volume 2 (the appendices listing information types with their provisional confidentiality, integrity and availability impact levels)

What does the CIA Triad stand for in the context of the NIST RMF?

Confidentiality, Integrity, Availability

What does control tailoring involve in the NIST RMF?

Adjusting, supplementing or excluding certain baseline controls based on specific requirements or conditions, with the justification for each change documented

Which document provides the complete control catalog in the NIST RMF?

NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations)

Study Notes

Overview of NIST RMF and Control Tailoring Process

  • NIST SP 800-60 is published in two volumes: Volume 1 gives the methodology for mapping information types to security categories, and Volume 2 contains the appendices that do the mapping.
  • NIST SP 800-60 Volume 2 is used to look up federal information types and their corresponding provisional impact levels, which may be adjusted with a documented justification.
  • The CIA Triad (confidentiality, integrity, availability) is used to map the security category for each information type; FIPS 199 expresses it as SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}.
  • FIPS 199 and FIPS 200 require the high water mark: the system's impact level for each objective is the highest level among all its information types, and the overall level is the highest of the three objectives, even if some aspects are low.
  • Tailoring in the RMF allows for the customization of controls based on specific security objectives and needs.
  • The selection of controls is done by filtering the NIST SP 800-53B baseline spreadsheet on the chosen baseline (e.g., moderate).
  • Controls can be classified as preventive, detective, deterrent, manual, or automatic, and can fall under physical, technical, or administrative control categories.
  • Different authority documents, such as ISO/IEC 27001, PCI DSS, or NIST SP 800-53, provide control frameworks for selecting controls.
  • Control tailoring involves adjusting or excluding certain controls based on specific requirements or conditions.
  • Tailoring controls can be done to address unique situations, such as leaving certain doors unlocked because life-safety codes require it, with a compensating control documented in their place.
  • The RMF process involves reviewing and selecting controls based on the impact levels determined in the categorization step.
  • NIST SP 800-53 is the complete control catalog, while SP 800-53B extracts the low, moderate and high control baselines that meet the minimum requirements for each impact level.
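
The categorization, baseline selection and tailoring steps in the notes above, as an added Python example (not NIST material and not the quiz author's code): it derives the FIPS 199 security category of a constructed three-information-type system with the SP 800-60 high water mark rule, selects the baseline from a constructed eight-control stand-in for the SP 800-53B spreadsheet, and applies two tailoring decisions, each carrying the written rationale the RMF expects. The control catalog is a constructed subset whose baseline membership reflects my reading of SP 800-53B and should be checked against the current tables; InfoType, Control, tailor and run_example are names belonging to this example, not to any NIST document.

```python
# Added worked example (not a NIST artefact): FIPS 199 / SP 800-60 style system
# categorisation, SP 800-53B style baseline selection, and control tailoring.
from dataclasses import dataclass

# Impact levels in ascending order. SP 800-60 allows "NA" only for the confidentiality
# of a public information type; FIPS 199 forbids it in a system-level security
# category, so each system objective is floored at LOW.
LEVELS = ("NA", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")

def high_water_mark(levels):
    """Highest impact level in the iterable (the FIPS 200 high water mark)."""
    return max(levels, key=LEVELS.index)

@dataclass(frozen=True)
class InfoType:
    """One information type with its (possibly adjusted) provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

def system_security_category(info_types):
    """Per-objective high water mark across every information type on the system."""
    category = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(getattr(t, objective) for t in info_types)
        category[objective] = "LOW" if hwm == "NA" else hwm
    return category

def system_impact_level(category):
    """Overall impact level: the high water mark across the three objectives."""
    return high_water_mark(category.values())

def fips199_notation(category):
    """Render the category in the FIPS 199 form 'SC system = {(objective, level), ...}'."""
    return "SC system = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"

@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    baselines: frozenset  # subset of {"LOW", "MODERATE", "HIGH"}

LMH, MH = frozenset({"LOW", "MODERATE", "HIGH"}), frozenset({"MODERATE", "HIGH"})
# Constructed eight-control subset standing in for the SP 800-53B spreadsheet. Baseline
# membership follows the author's reading of SP 800-53B; verify against the current tables.
CATALOG = (
    Control("AC-2", "Account Management", LMH),
    Control("AC-10", "Concurrent Session Control", frozenset({"HIGH"})),
    Control("AC-17", "Remote Access", LMH),
    Control("AU-2", "Event Logging", LMH),
    Control("CP-9", "System Backup", LMH),
    Control("PE-3", "Physical Access Control", LMH),
    Control("SC-8", "Transmission Confidentiality and Integrity", MH),
    Control("SC-28", "Protection of Information at Rest", MH),
)

def select_baseline(catalog, impact_level):
    """Filter the catalogue to the controls that belong to the baseline for impact_level."""
    return [c for c in catalog if impact_level in c.baselines]

def tailor(baseline, decisions):
    """Apply {control_id: (action, rationale)}: 'exclude' drops a control under a scoping
    consideration, 'compensate' keeps it and records the compensating measure. A missing
    rationale is rejected because the written justification is what the assessor reviews."""
    tailored, log = [], []
    for control in baseline:
        action, rationale = decisions.get(control.control_id, ("keep", ""))
        if action != "keep" and not rationale.strip():
            raise ValueError(f"{control.control_id}: tailoring needs a documented rationale")
        if action == "exclude":
            log.append(f"{control.control_id} excluded: {rationale}")
            continue
        if action == "compensate":
            log.append(f"{control.control_id} compensated: {rationale}")
        tailored.append(control)
    return tailored, log

# Constructed sample system: three information types with SP 800-60 style levels.
SAMPLE_INFO_TYPES = (
    InfoType("Personnel records", "MODERATE", "MODERATE", "LOW"),
    InfoType("Public web content", "NA", "LOW", "LOW"),
    InfoType("Building access schedule", "LOW", "LOW", "LOW"),
)
SAMPLE_DECISIONS = {
    "AC-17": ("exclude", "system offers no remote access (scoping consideration)"),
    "PE-3": ("compensate", "fire code bars locks on two egress doors; guard post and CCTV cover them"),
}

def run_example(info_types=SAMPLE_INFO_TYPES, decisions=SAMPLE_DECISIONS):
    """Categorise, select the baseline, tailor it, and return the outcome."""
    category = system_security_category(info_types)
    level = system_impact_level(category)
    tailored, log = tailor(select_baseline(CATALOG, level), decisions)
    return {"category": category, "level": level,
            "controls": [c.control_id for c in tailored], "log": log}
```

Calling run_example() on the sample system yields a MODERATE category (confidentiality and integrity MODERATE, availability LOW, so the high water mark is MODERATE even though one objective and two of the three information types are low), the seven Moderate-baseline controls of the stand-in catalog minus the excluded AC-17, and a two-entry tailoring log. A tailoring decision with an empty rationale raises ValueError on purpose: an exclusion the system owner cannot justify in writing cannot be defended in the Assess step.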

Test your knowledge of the NIST RMF and Control Tailoring Process with this informative quiz. Learn about the two volumes of NIST SP 800-60, the CIA Triad, control selection from the SP 800-53B baselines, and the customization of controls based on specific security objectives. Challenge yourself to understand the process of tailoring controls and how it addresses unique situations. This quiz will help you become familiar with the various authority documents and control frameworks.
