
Free CGRC Practice Questions

10 free, exam-style Certified in Governance, Risk and Compliance (CGRC) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CGRC practice test to study every exam domain.

Question 1

A federal agency is categorizing a new financial management system. The system processes three information types with the following provisional impact levels:

  • Budget Formulation: Confidentiality Low, Integrity Moderate, Availability Low
  • Payroll Management: Confidentiality Moderate, Integrity Moderate, Availability Moderate
  • Procurement Data: Confidentiality High, Integrity Low, Availability Low

Using FIPS 199 and FIPS 200, what is the system's overall security categorization (impact level)?

  A. Moderate, because the majority of information types are rated Moderate
  B. High, because the high-water mark across all objectives and all information types is High
  C. High for Confidentiality, Moderate for Integrity, Moderate for Availability; each objective is categorized independently
  D. Moderate, because only one of three information types contains a High value

Correct answer: B - High, because the high-water mark across all objectives and all information types is High

Explanation: FIPS 199 first takes, for each security objective, the highest value across the information types, which gives SC = {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}. That per-objective tuple is what option C describes, and it is the intermediate result, not the overall categorization. The system's overall impact level, the one that selects the SP 800-53B baseline, is the high-water mark across those three objectives: High. Counting how many information types are Moderate (options A and D) has no basis in the standard.
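As an added example, not part of the original question set: the high-water-mark rule from Question 1 written out in Python. The input format and the function name categorize_system are assumptions made for this illustration; the three information types are the ones from the question. The block also handles the case a naive max() gets wrong: FIPS 199 lets an individual information type carry "not applicable" for confidentiality (public information), but it does not allow N/A for any objective at the system level, where LOW is the floor.

```python
"""Added example: the FIPS 199 high-water-mark rule (not code from the original page)."""
from __future__ import annotations

LEVELS = ("LOW", "MODERATE", "HIGH")                       # ordered, low -> high
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: the three information types from Question 1.
QUESTION_1_TYPES = [
    {"name": "Budget Formulation", "confidentiality": "LOW",
     "integrity": "MODERATE", "availability": "LOW"},
    {"name": "Payroll Management", "confidentiality": "MODERATE",
     "integrity": "MODERATE", "availability": "MODERATE"},
    {"name": "Procurement Data", "confidentiality": "HIGH",
     "integrity": "LOW", "availability": "LOW"},
]


def categorize_system(info_types: list[dict]) -> dict:
    """Compute the FIPS 199 security category and the overall impact level.

    Input format (an assumption of this example): one dict per information
    type with keys name, confidentiality, integrity, availability and values
    LOW / MODERATE / HIGH, or N/A for the confidentiality of public information.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")

    category: dict[str, str] = {}
    for objective in OBJECTIVES:
        # FIPS 199 does not allow N/A for any objective at the system level,
        # so each objective starts at the low-water mark LOW (index 0).
        high_water = 0
        for info_type in info_types:
            level = str(info_type[objective]).upper()
            if level == "N/A":
                if objective != "confidentiality":
                    raise ValueError(
                        f"{info_type['name']}: N/A is permitted only for the "
                        f"confidentiality of public information, not {objective}")
                continue                                   # public data adds nothing
            if level not in LEVELS:
                raise ValueError(f"{info_type['name']}: unknown level {level!r}")
            high_water = max(high_water, LEVELS.index(level))
        category[objective] = LEVELS[high_water]

    # FIPS 200: the system's impact level is the high-water mark across objectives.
    impact_level = max(category.values(), key=LEVELS.index)
    notation = "SC system = {" + ", ".join(
        f"({objective}, {category[objective]})" for objective in OBJECTIVES) + "}"
    return {"security_category": category, "impact_level": impact_level,
            "notation": notation}


if __name__ == "__main__":
    result = categorize_system(QUESTION_1_TYPES)
    print(result["notation"])
    print("Overall impact level:", result["impact_level"])
```

Running it on the Question 1 data prints the per-objective category (High, Moderate, Moderate) and then the overall level High, which is exactly the distinction between options B and C.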

Question 2

During a security control assessment of a Moderate-impact system, the assessor reviews the access control policy document (AC-1) and confirms that it exists, is current, and addresses all required elements. However, the assessor has not yet verified whether the policy is actually being followed in practice. Which assessment method should the assessor use NEXT to determine operational effectiveness?

  A. Interview system administrators to confirm they are aware of the policy
  B. Test access controls by attempting to log in with unauthorized credentials and reviewing audit logs
  C. Examine additional documentation such as the system security plan and configuration guides
  D. Report the control as Satisfied since the policy document meets all requirements

Correct answer: B - Test access controls by attempting to log in with unauthorized credentials and reviewing audit logs

Explanation: SP 800-53A defines three assessment methods: examine, interview, and test. Reviewing the policy document is the examine method and establishes only that the policy exists and is adequate. Interviews (A) show whether staff know the policy, not whether the control operates correctly, and more documentation (C) says nothing about practice. Only the test method exercises the control under defined conditions, and the resulting evidence (unauthorized logins rejected, attempts recorded in the audit log) is what supports a finding on operational effectiveness. Marking the control Satisfied on the document alone (D) confuses the existence of a policy with its enforcement.

Question 3

An Authorizing Official (AO) is reviewing the authorization package for a mission-critical system. The Security Assessment Report (SAR) identifies three findings rated Other than Satisfied: one High-risk finding related to multi-factor authentication and two Low-risk findings related to documentation gaps. The system supports a time-sensitive national security mission launching in 30 days. The system owner has submitted a POA&M with remediation milestones for all three findings. What is the MOST appropriate authorization decision?

  A. Issue a Denial of Authorization to Operate (DATO) until the High-risk finding is fully remediated
  B. Issue an Authorization to Operate (ATO) because the POA&M addresses all findings
  C. Issue a Conditional Authorization to Operate requiring the High-risk finding to be remediated within a defined timeframe while accepting the Low-risk findings
  D. Delay the authorization decision until the High-risk finding is resolved, regardless of mission impact

Correct answer: C - Issue a Conditional Authorization to Operate requiring the High-risk finding to be remediated within a defined timeframe while accepting the Low-risk findings

Explanation: The AO's decision balances mission need against residual risk. An authorization with conditions lets the mission proceed on schedule while binding the High-risk MFA finding to a fixed deadline tracked through the POA&M, and the two Low-risk documentation gaps are reasonable to accept. An unconditional ATO (B) would accept a High risk on the strength of a plan alone; a DATO or an open-ended delay (A, D) treats the finding as disqualifying without weighing the mission impact that is part of the AO's risk decision.

Question 4

An organization is establishing a governance, risk management, and compliance program that must satisfy both FISMA requirements for its federal contracts and PCI DSS requirements for its payment card processing environment. The CISO proposes mapping overlapping controls between the two frameworks to avoid duplicative implementation. Which approach BEST supports this strategy?

  A. Implement PCI DSS controls first since they are more prescriptive, then map any gaps to FISMA requirements
  B. Use NIST SP 800-53 Rev. 5 as the unified control catalog and map both FISMA and PCI DSS requirements to the applicable control families
  C. Maintain two completely separate compliance programs to ensure neither framework's requirements are diluted
  D. Adopt ISO/IEC 27001 as a neutral standard and certify against it, which automatically satisfies both FISMA and PCI DSS

Correct answer: B - Use NIST SP 800-53 Rev. 5 as the unified control catalog and map both FISMA and PCI DSS requirements to the applicable control families

Explanation: FISMA compliance is already expressed as SP 800-53 controls, so using 800-53 as the master catalog and mapping each PCI DSS requirement to the control family that satisfies it produces one control set, implemented and assessed once, with traceability back to both frameworks. Two separate programs (C) is the duplication the CISO wants to avoid; PCI DSS first (A) makes the federal baseline an afterthought; and ISO/IEC 27001 certification (D) does not by itself satisfy either FISMA or PCI DSS, each of which has its own assessment and reporting requirements.

Question 5

A system owner is implementing controls for a Moderate-impact cloud system hosted in an IaaS environment. The cloud service provider (CSP) implements the physical and environmental protection controls (PE family) at its data centers, and these are documented in the CSP's FedRAMP authorization package. The system owner's System Security Plan (SSP) needs to reflect these controls. How should the system owner document the PE controls?

  A. List the PE controls as Not Applicable since the system owner does not operate physical data centers
  B. Implement independent PE controls at the system owner's facility to satisfy the requirement
  C. Document the PE controls as inherited common controls provided by the CSP, referencing the CSP's authorization documentation
  D. Omit PE controls from the SSP because they are the sole responsibility of the CSP

Correct answer: C - Document the PE controls as inherited common controls provided by the CSP, referencing the CSP's authorization documentation

Explanation: A control implemented once by a provider and relied on by many systems is a common control, and the consuming system inherits it. The SSP records the PE controls as inherited from the CSP and references the CSP's FedRAMP authorization package so the assessor and AO can see where the evidence lives. "Not applicable" (A) is wrong because the requirement still applies to the system; it is simply satisfied by another party. Building a second set of PE controls (B) duplicates work, and omitting the controls (D) leaves the SSP with no account of how the requirement is met.

Question 6

A system with an active Authorization to Operate (ATO) is scheduled for a major upgrade that will replace the existing single-factor authentication system with a new multi-factor authentication platform, change the network architecture to add a new DMZ segment, and migrate the database from on-premises to a cloud-hosted environment. The ISSO must determine the appropriate compliance action. What is the MOST appropriate course of action?

  A. Document the changes in the POA&M and continue operating under the current ATO
  B. Submit a change request to the Change Control Board and update the SSP after implementation
  C. Conduct a security impact analysis, update the SSP, and notify the AO to determine whether reauthorization is required
  D. Immediately suspend the ATO until a full reauthorization is completed for the upgraded system

Correct answer: C - Conduct a security impact analysis, update the SSP, and notify the AO to determine whether reauthorization is required

Explanation: A new authentication platform, a changed network architecture, and a move to cloud hosting are each significant changes to the authorization boundary. The RMF monitoring step calls for a security impact analysis of proposed changes, an updated SSP, and the AO's decision on whether the system can continue under its existing authorization or must be reauthorized. The POA&M (A) tracks weaknesses, not architecture changes; CCB approval alone (B) skips the impact analysis and defers documentation until after the fact; and an ATO is not automatically suspended by a planned change (D).

Question 7

A security practitioner is tailoring the Moderate baseline from NIST SP 800-53B for a system that does not use wireless networking. The baseline includes control AC-18 (Wireless Access) and its enhancements. The practitioner wants to remove this control from the system's security plan. What is the correct tailoring action and documentation requirement?

  A. Remove the control with no documentation required since it is clearly not applicable to the system
  B. Apply scoping guidance to determine that the control is not applicable due to technology constraints, and document the justification in the SSP
  C. Replace AC-18 with a compensating control that addresses a different wireless risk scenario
  D. Retain the control in the SSP as Planned and implement it if the system ever adds wireless capability

Correct answer: B - Apply scoping guidance to determine that the control is not applicable due to technology constraints, and document the justification in the SSP

Explanation: SP 800-53B tailoring includes scoping considerations, one of which is that controls addressing a specific technology apply only when that technology is present. AC-18 can be marked not applicable because the system has no wireless interfaces, but the rationale must be recorded in the SSP so the AO and assessor can see why the baseline deviates. Silent removal (A) leaves the deviation undocumented; a compensating control (C) is for a control that does apply but cannot be implemented as written; and Planned (D) states an implementation commitment that does not exist.

Question 8

A federal agency hires an external firm to conduct the security assessment of a new system being developed for the agency. During the planning phase, the agency discovers that one of the firm's senior assessors previously served as the lead security architect for the same system during its design phase two years ago. The assessor has since left the development contractor and joined the assessment firm. What is the MOST appropriate action?

  A. Allow the assessor to participate since they are now employed by a different organization and sufficient time has passed
  B. Allow the assessor to participate in a limited role, restricting them to examining documentation only
  C. Remove the assessor from the assessment team for this system to maintain assessor independence
  D. Proceed with the assessment but require a second independent assessor to validate all of the first assessor's findings

Correct answer: C - Remove the assessor from the assessment team for this system to maintain assessor independence

Explanation: Assessor independence means the assessor has no stake in the outcome and no prior role in designing or operating the system, which is what makes the findings credible to the AO. Having architected this system, the assessor cannot impartially judge it, and neither a change of employer nor a two-year gap removes that conflict (A). Restricting the assessor to documentation (B) or double-checking their findings (D) still leaves a conflicted person in the evidence chain. The assessor can work on other engagements; only this system is affected.

Question 9

An organization's security team identifies a critical vulnerability in a production web server during a routine vulnerability scan. A patch is available from the vendor but requires a server reboot and approximately two hours of downtime. The system is currently operating under an active ATO. The vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog with active exploitation in the wild. The system owner wants to delay patching until the next scheduled maintenance window in 45 days. What is the MOST appropriate recommendation?

  A. Support the delay because changes to production systems must follow the standard change management process and maintenance schedule
  B. Recommend an emergency change process to apply the patch as soon as possible, documenting the risk of delay and the active exploitation in the POA&M
  C. Accept the risk for 45 days and implement compensating controls such as enhanced monitoring until the patch can be applied
  D. Escalate directly to the Authorizing Official to revoke the ATO until the vulnerability is patched

Correct answer: B - Recommend an emergency change process to apply the patch as soon as possible, documenting the risk of delay and the active exploitation in the POA&M

Explanation: Active exploitation of a KEV-listed vulnerability makes 45 days of exposure unacceptable, and for federal civilian agencies BOD 22-01 attaches a remediation due date to every KEV entry that a deferral of that length is likely to miss. An emergency change process is the answer to the objection in option A: the patch is still reviewed, tested and recorded, just on an accelerated timeline, with the delay risk and exploitation status captured in the POA&M. Compensating controls (C) reduce exposure but do not close the vulnerability; revoking the ATO (D) is disproportionate for a finding that a two-hour outage can fix.
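As an added example, not part of the original question set: the check a security team would run before arguing with the system owner in Question 9, written in Python. It parses a KEV-style JSON feed, matches scanner findings against it by CVE ID, and reports how far a proposed patch date falls past the KEV due date. The field names follow the published CISA feed, but the feed contents, the CVE-2099-* identifiers, the host names and the scanner export format are all constructed for this illustration and are not real catalog records or real findings.

```python
"""Added example: checking scan findings against a KEV-style feed (not code from the original page)."""
from __future__ import annotations

import json
from datetime import date, timedelta

# Constructed sample in the shape of the CISA KEV JSON feed. The field names
# match the published feed; the two records are placeholders (CVE-2099-*),
# not real catalog entries.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2024-06-01T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCorp", "product": "WebServer",
         "vulnerabilityName": "ExampleCorp WebServer remote code execution (placeholder)",
         "dateAdded": "2024-05-28", "shortDescription": "placeholder record",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-06-18", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleCorp", "product": "Database",
         "vulnerabilityName": "ExampleCorp Database privilege escalation (placeholder)",
         "dateAdded": "2024-05-30", "shortDescription": "placeholder record",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-11-26", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed scanner export: one finding per line (host, CVE, scanner severity).
SCAN_EXPORT = """host,cve,severity
web-01,CVE-2099-0001,Critical
web-01,CVE-2099-0003,High
db-02,CVE-2099-0002,High
"""


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index KEV records by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def parse_scan_export(csv_text: str) -> list[dict]:
    """Parse the minimal host,cve,severity export into dicts."""
    lines = csv_text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def triage(findings: list[dict], kev: dict[str, dict], proposed_patch_date: date) -> list[dict]:
    """Flag findings that are in KEV and compute how far the proposed patch date
    falls past the KEV due date (0 when the proposal is on time or not in KEV)."""
    rows = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            rows.append({**finding, "kev": False, "days_late": 0,
                         "recommendation": "schedule in the normal maintenance window"})
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_late = max((proposed_patch_date - due).days, 0)
        rows.append({**finding, "kev": True, "due_date": entry["dueDate"],
                     "ransomware_use": entry["knownRansomwareCampaignUse"],
                     "days_late": days_late,
                     "recommendation": ("emergency change; record delay risk in the POA&M"
                                        if days_late else "patch no later than the KEV due date")})
    return rows


def triage_question_9(today: date = date(2024, 6, 1), delay_days: int = 45) -> list[dict]:
    """The Question 9 scenario: a 45-day deferral checked against the sample feed."""
    proposed = today + timedelta(days=delay_days)
    return triage(parse_scan_export(SCAN_EXPORT), load_kev(KEV_SAMPLE), proposed)


if __name__ == "__main__":
    for row in triage_question_9():
        flag = "KEV" if row["kev"] else "not in KEV"
        late = f" ({row['days_late']} days past KEV due date)" if row["days_late"] else ""
        print(f"{row['host']} {row['cve']} [{flag}] {row['recommendation']}{late}")
```

With the sample data, the web server finding is in KEV and the 45-day window lands 28 days past its due date, so the script recommends an emergency change; the database finding is in KEV but still inside its due date, and the third finding is not in KEV at all and can wait for the maintenance window. In practice the feed would be fetched from CISA rather than embedded, and the same due-date arithmetic is what goes into the POA&M entry.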

Question 10

A High-impact system that stored classified defense program data is being decommissioned after its replacement system achieves full operational capability. The system's hard drives contain data classified at the Secret level. The decommissioning team proposes using a certified software overwrite tool (meeting the Clear standard in NIST SP 800-88) to sanitize the drives before disposing of them through the agency's standard surplus equipment process. What is the MOST appropriate response?

  A. Approve the plan because the certified overwrite tool meets NIST SP 800-88 Clear requirements
  B. Require Purge-level sanitization using degaussing because the data is classified
  C. Require physical destruction of the drives because Clear and Purge are insufficient for Secret-level classified data
  D. Require cryptographic erasure because it is faster than physical destruction and meets the same assurance level for classified media

Correct answer: C - Require physical destruction of the drives because Clear and Purge are insufficient for Secret-level classified data

Explanation: SP 800-88 states that it applies to unclassified media only; classified media are sanitized under NSA/CSS policy, which does not accept a software overwrite for hard drives that held Secret data and requires their physical destruction (degaussing may precede destruction but does not replace it). Degaussing (B) and cryptographic erase (D) are Purge techniques in 800-88 terms and are likewise not a substitute for destruction of classified drives. The plan also fails on 800-88's own terms: its sanitization decision flow requires Purge or Destroy whenever media leave organizational control, so Clear would be the wrong choice for a drive headed to surplus even if the data were unclassified.

Ready for the real thing?

Practice hundreds more CGRC questions with instant scoring, weak-area drills, and full exam simulations.
