ISC2 CGRC Exam Questions
Q: 1
An application that requires special attention to security due to the risk and magnitude of harm resulting
from the loss, misuse, or unauthorized access to or modification of the information in the application.
Note: All federal applications require some level of protection. Certain applications, because of the
information in them, however, require special management oversight and should be treated as major.
Adequate security for other applications should be provided by security of the systems in which they
operate.
Q: 2
What is the comprehensive assessment of the management, operational, and technical security controls
in an information system, made in support of security accreditation, to determine the extent to which
the controls are implemented correctly, operating as intended, and producing the desired outcome with
respect to meeting the security requirements for the system?
Q: 3
Applying the first three steps of the RMF to legacy systems can be viewed in what way when determining
whether the necessary and sufficient security controls have been appropriately selected and allocated?
Q: 4
Information developed from Federal Information Processing Standard (FIPS) 199 may be used as an
input to which authorization package document?
Q: 5
What is Step 6 of the RMF?
Q: 6
Which of the following governance bodies provides the management, operational, and technical controls that
satisfy security requirements?
Q: 7
An updated risk assessment in response to the security control assessment along with inputs from the
risk executive helps to determine and prioritize…
Q: 8
The objective of configuration management and control is "not to" document all proposed or actual changes
to an information system and to assess the impact of those changes on the security of the system.
Q: 9
The measure of confidence that the security features, practices, procedures, and architecture of an
information system accurately mediate and enforce the security policy.
Q: 10
NIST SP 800-39 requires that the Security Control Assessor’s findings should be: