Surferway
Viewer

NIST 37 question

[Attached image: NIST800-37.png]

In my understanding, NIST SP 800-37, Risk Management (Federal Government), gives guidelines on managing cybersecurity risks (e.g., NIST SP 800-37 for the Risk Management Framework), whereas NIST SP 800-53, "Security and Privacy Controls for Information Systems and Organizations", provides a comprehensive set of security and privacy controls that can be tailored to the specific needs of an organization. Can you let me know why 800-53 is the better answer?

4 Replies
Mahfujur
Viewer

Hi,

It is very difficult to say from which angle one answer is better than the others when both are so close.

My thinking is as follows:

  • SP 800-53: Lists the security and privacy controls to be used within the RMF.
  • SP 800-37: Details the RMF process.

I agree with you: alternative C, 800-37, is correct because it specifically details the Risk Management Framework (RMF). While B, 800-53, is very closely related and provides the security and privacy controls used within the RMF, it does not detail the RMF process itself. Therefore, I consider 800-37 the correct choice for the publication that outlines the RMF.

Sometimes, the expert who formulates the question should ask why B is better than C.

Best regards

Mahfujur

Surferway
Viewer

Thanks for the confirmation, that was my thinking as well.

Mahfujur
Viewer

You are welcome.
Br
Mahfuj
dips0502
Newcomer I

You are correct. This question is an example of insufficient quality control on the part of the question provider.