Leveraged authorization is a process where an organization accepts an existing authorization of a system, service, or application from another organization to avoid redundant assessment and authorization efforts. In the scenario described, a single complex information system is used by two agencies. This system is defined by a single, unique accreditation boundary. One agency (the provider or owner) performs the initial authorization. The second agency then "leverages" this existing authorization package to grant its own Authority to Operate (ATO). Although two agencies issue separate ATOs, they are both for the same system contained within that single boundary. Therefore, the minimum number of system boundaries is one.

B. Only two, because there are two agencies.

This is incorrect. The number of agencies using a system does not dictate the number of system boundaries. Leveraged authorization is designed for a single system to be used by multiple entities.

C. At least two.

This is incorrect. The principle of leveraged authorization for a shared or common system is most efficient when applied to a single system with one boundary, making one the minimum.

D. A leveraged authorization cannot be conducted with more that one agency involved.

This is incorrect. The concept of "leveraged" authorization inherently requires at least two parties: the entity providing the authorization package and the entity leveraging it.

---

1. NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

Section 2.5, "Relationship Among Authorizations," describes leveraged authorizations: "An authorization based on a leveraged authorization is an authorization decision that is based, in part, on another authorization decision." This confirms that one system's authorization can be the basis for another agency's decision, implying a single system boundary is the subject.

Appendix F, "Authorization Boundary," defines the authorization boundary as encompassing all components of a single information system to be authorized. This supports the concept of one system having one boundary, regardless of the number of consuming agencies.

2. Federal Risk and Authorization Management Program (FedRAMP), Guide to Understanding FedRAMP.

"What is an Agency ATO?" section: This guide explains how federal agencies leverage the FedRAMP authorization of a Cloud Service Provider (CSP). The CSP's service has a single authorization boundary, and multiple agencies can grant their own ATOs by leveraging the single FedRAMP package. This is a direct, real-world application of the principle.

3. ISC2, (ISC)² CGRC Certified in Governance, Risk and Compliance Official Study Guide (1st ed.).

Chapter 4, "Select, Implement, and Assess Security and Privacy Controls": This chapter discusses the RMF process, including the concept of reciprocity and leveraging existing authorizations for common controls and shared systems, reinforcing that a single authorized system can serve multiple entities.

The Organization Level (Tier 1) is responsible for establishing the overall risk management strategy and governance for the entire organization. This involves defining the complete, logical lifecycle for managing risk. The correct answer presents the standard, sequential phases of a risk management process. The process logically begins with risk assessment and evaluation to understand potential risks. This is followed by a risk response, such as mitigation or acceptance. Finally, the process includes continuous monitoring of risks and is governed by strategic oversight. This sequence represents the comprehensive strategy established at Tier 1 and executed throughout the organization.

B: Incorrect because it places risk response activities (Mitigation, Acceptance) before the essential first step of assessing and evaluating the risk.

C: Incorrect because it begins with risk acceptance, a decision that can only be made after a risk has been properly assessed and evaluated.

D: Incorrect because it illogically separates risk evaluation from risk assessment and places it before the assessment has been conducted.

1. NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. Section 2.3, "The Risk Management Process," outlines the core components as Frame, Assess, Respond, and Monitor. The sequence in the correct answer (A) directly maps to this process: Assess (Assessment, Evaluation), Respond (Mitigation, Acceptance), and Monitor (Monitoring), all under the governance of Frame (Oversight).

2. NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations. Appendix D, "Risk Management Roles," describes Tier 1 responsibilities, which include establishing the risk management strategy and providing oversight for the entire process, confirming that Tier 1 is concerned with this complete lifecycle.

3. Carnegie Mellon University, Software Engineering Institute, OCTAVE Allegro: Information Security Risk Assessment Method. The OCTAVE method follows a similar logical progression. Phase 2 involves identifying and evaluating risks to information assets, and Phase 3 focuses on identifying risks and developing mitigation strategies, reinforcing the Assess-then-Respond sequence. (See "OCTAVE Allegro Guidebook v1.0," CMU/SEI-2007-TR-012, Steps 5-7).

The question provides the verbatim definition of an information system as established by U.S. law and adopted by the National Institute of Standards and Technology (NIST). An information system is a comprehensive term that includes not just technology but also the people and processes organized for the specific purpose of managing the information lifecycle (collection, processing, maintenance, disposition). This definition is fundamental to the Risk Management Framework (RMF) and the CGRC domain. The other options represent either subsets or foundational components of an information system, but not the complete, defined entity itself.

B. A General Support System (GSS) is a specific type of information system that provides a shared infrastructure, making it a narrower term than the definition provided.

C. An IT infrastructure is the underlying technological foundation (hardware, networks) but lacks the specific, organized purpose of information processing and management described in the question.

D. A Major Application is a software component that runs within an information system, not the entire discrete set of organized resources itself.

1. NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, Appendix A, Page A-10. The document defines an Information System as: "A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information."

2. NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations, Page 11, Section 2.1. This publication states, "The RMF applies to all federal information systems..." and uses the standard definition throughout, reinforcing that the question describes an information system.

3. 44 U.S. Code § 3502 (Definitions). The E-Government Act of 2002, which is a primary legal source for federal information security, defines "information system" in this section, providing the legal basis for the NIST definition. The text is nearly identical to the question.

The System Owner (or Information System Owner) is a managerial role with ultimate responsibility for an information system throughout its lifecycle. Their responsibilities encompass procurement, development, operation, and disposal.

Option A is correct as it addresses the crucial lifecycle responsibility of integrating security from the very beginning. Option B correctly identifies the owner's duty to ensure ongoing security posture management, including vulnerability assessments and reporting. Option D provides a concise, high-level summary of the System Owner's core accountability for ensuring the system complies with security requirements, as explicitly defined in NIST frameworks.

C. This option is incorrect because it conflates the managerial oversight of the System Owner with the specific, hands-on technical tasks of a System Administrator or Custodian. While the owner ensures security policies are met, they do not typically oversee the granular details of "operating system configurations."

1. NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations. (December 2020).

Appendix F, Section F.2.6 (Information System Owner): States the System Owner is "Responsible and accountable for ensuring that the security and privacy of the information system are adequately addressed throughout the life cycle... [and] for ensuring that all security and privacy controls are implemented and operating as intended." This directly supports option D. It also supports the lifecycle concept in option A.

2. NIST Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems. (February 2006).

Section 2.2 (Roles and Responsibilities), System Owner: Defines the role as the "official responsible for the overall procurement, development, integration, modification, operation, maintenance, and disposal of an information system." This supports option A (procurement, development) and the operational oversight implied in option B.

3. Carnegie Mellon University, Information Security Office, Information Security Roles and Responsibilities. (2023).

System Owners Section: Lists responsibilities including: "Ensuring that appropriate security controls are in place and functioning as intended" (supports D), "Ensuring that the system is regularly scanned for vulnerabilities" (supports B), and "Ensuring that security is a part of the system's entire life cycle" (supports A). This source clearly delineates these high-level responsibilities for the owner.