What is the purpose of a system authorization decision, and which documents support it?


Multiple Choice

What is the purpose of a system authorization decision, and which documents support it?

Explanation:
The authorization decision answers one question: is it acceptable to let the system operate with its current security controls, given the assessed risk? In RMF this is a formal, explicit judgment by the authorizing official (AO) that the system's security posture and residual risk are acceptable for its defined environment and mission; the AO, not the system owner or the assessor, is accountable for that risk. The evidence for the decision is the authorization package, the set of artifacts documenting how controls were implemented, evaluated, and will be monitored: the System Security Plan (SSP) describes which controls are in place and how the system is protected; the Security Assessment Report (SAR) records the results of testing and evaluating those controls, including any weaknesses found; the risk assessment analyzes threats, vulnerabilities, likelihood, and impact; the Plan of Action and Milestones (POA&M) tracks each identified weakness, the planned remediation, and its status; and the continuous monitoring plan defines the ongoing assessment activities that keep the authorization valid after it is granted. Together these documents let the AO see not only what controls exist, but how well they actually work and what risk remains. Designing the architecture, deploying code, or retiring the system are separate lifecycle activities and are not the authorization decision.

