Work with all stakeholders to customize and approve control baselines so they fit the environment and account for interdependencies is correct.

Work with all stakeholders to customize and approve control baselines so they fit the environment and account for interdependencies is the right choice because implementation in a hybrid environment requires tailoring and agreement across teams. Engaging IT operations, operational technology engineers, and third party vendors early ensures the baseline reflects cloud services, on site systems, and industrial control systems. Tailoring baselines reduces unnecessary burden and captures control interdependencies so the controls are practical and enforceable.

Work with all stakeholders to customize and approve control baselines so they fit the environment and account for interdependencies also supports traceability and authorization evidence. When stakeholders approve the baseline they accept responsibilities and the authorization lead can document how controls map to risks and system boundaries. That alignment is essential for a successful Controls Implementation phase in the NIST Risk Management Framework.

Deploy automated configuration and continuous compliance pipelines using infrastructure as code and policy enforcement is useful but not the most critical first action. Automation helps maintain consistent configurations but it can only enforce the right controls after the baselines are defined and agreed. Without stakeholder buy in an automated pipeline may harden the wrong settings or miss industrial control system constraints.

Apply every control in NIST SP 800 53 without assessing applicability to the organization is incorrect because NIST defines tailoring and scoping to produce a risk based baseline. Applying every control is impractical and it creates unnecessary work and potential conflicts with operational requirements. The RMF expects informed selection and tailoring of controls.

Prioritize implementing controls only for on site infrastructure because it is perceived as the highest risk is incorrect because a hybrid enterprise and industrial control systems have cross cutting risks. Focusing solely on on site systems ignores cloud services and vendor managed components and it misses interdependencies that can undermine security across the environment.

Full AWS Practitioner Certification Question