Question

Which of the following is not true?A. An organization may express its cybersecurity state through a Current Profile to report results or to compare with acquisition requirements.B. Only critical infrastructure agencies may establish a Target Profile that can be used among their constituents as an initial baseline Profile to build their tailored Target Profiles.C. An organization may utilize a Target Profile to express cybersecurity risk management requirements to an external service provider (for example, a cloud provider to which it is exporting data).D. A critical infrastructure owner/operator, having identified an external partner on whom that infrastructure depends, may use a Target Profile to convey required categories and subcategories.

Answer 1

Answer: B. Only critical infrastructure agencies may establish a Target Profile that can be used among their constituents as an initial baseline Profile to build their tailored Target Profiles.

Explanation:

Of the options given in the question, the option that is false is option B "requirements.B. Only critical infrastructure agencies may establish a Target Profile that can be used among their constituents as an initial baseline Profile to build their tailored Target Profiles".

This is not true as the establishment of a target profile is not meant for the critical infrastructure agencies alone. Other infrastructural agencies or companies can also establish the target profile.