The question refers to the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), a foundational process for the CGRC certification detailed in NIST SP 800-37. The RMF consists of a six-step cycle preceded by a "Prepare" step. Step 6 is "Monitor Security Controls." This final step in the cycle involves continuously monitoring the effectiveness of security controls, assessing changes to the system and its environment, and reporting on the system's security posture. The objective is to maintain ongoing situational awareness and ensure that the system operates within an acceptable level of risk, thereby supporting the continuation of its authorization.

B. Select Controls: This is Step 2 of the RMF, where controls are chosen based on the system's security categorization and tailored to the environment.

C. System Boundary: Defining the system boundary is a critical task performed during Step 1, Categorize System, not a distinct, numbered step itself.

D. Authorize: This is Step 5 of the RMF, where a senior official formally accepts the risk and grants an Authorization to Operate (ATO).

1. National Institute of Standards and Technology (NIST). (2018). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (NIST Special Publication 800-37, Revision 2). U.S. Department of Commerce.

Reference: Figure 2, "The Risk Management Framework," on page 10, explicitly lists the six steps, with Step 6 being "MONITOR."

Reference: Section 2.8, "Step 6: Monitor," on page 51, details the purpose and tasks of this step.

2. Purdue University. (n.d.). Cybersecurity Courseware: Introduction to the Risk Management Framework (RMF). Purdue University Global.

Reference: The course module on the RMF lifecycle explicitly identifies the six steps in order, stating, "Step 6: Monitor Security Controls. All implemented security controls are monitored for effectiveness."

3. University of Washington. (n.d.). CISO Certificate Program: Frameworks and Standards. UW Professional & Continuing Education.

Reference: The program curriculum outlines the NIST RMF, listing Step 6 as "Monitor security controls: Continuously monitor the system and controls for ongoing effectiveness."