Which documents should include justification for a baseline deviation in RMF?

Study for the RMF Steps, Tasks, and Outcomes Test. Get ready for your exam with flashcards, multiple choice questions, and in-depth explanations. Master each step and outcome with ease!

Multiple Choice

Which documents should include justification for a baseline deviation in RMF?

Explanation:
When a baseline control is tailored out, only partially implemented, or implemented differently from the baseline, two things have to be recorded: the reason the deviation is acceptable, and the plan for handling any risk it leaves behind. The System Security Plan (SSP) is where the system, its control implementations, and any tailoring or deviations from the baseline are documented. It carries the formal justification for why the deviation is acceptable in the particular environment and mission context, including any compensating controls that cover the gap.

Documenting the deviation is not enough on its own. The Plan of Action and Milestones (POA&M) tracks what must be done about it: it assigns remediation actions, records milestones and decision points, and shows how the residual risk will be managed over time, whether toward full implementation or toward a formal acceptance of residual risk by the authorizing official.

The risk assessment informs the level of risk associated with the deviation, but it is not the primary place to record the explicit justification or the remediation plan. Recording the justification in both the SSP and the POA&M therefore keeps the rationale clear at the system level while the remediation steps and risk decisions stay tracked and auditable.
