(ISC)2 Guide To The CAP Review Questions

194 Questions | Total Attempts: 101

Questions and Answers
  • 1. 
    During which RMF step is the system security plan initially approved?
    • A. 

      RMF Step 1 Categorize Information System

    • B. 

      RMF Step 2 Select Security Controls

    • C. 

      RMF Step 3 Implement Security Controls

    • D. 

      RMF Step 5 Authorize Information System

  • 2. 
    Which organizational official is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system?
    • A. 

      Information system security engineer (ISSE)

    • B. 

      Chief information officer (CIO)

    • C. 

      Information system owner (ISO)

    • D. 

      Information security architect

  • 3. 
    Which authorization approach considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of the other organization?
    • A. 

      Leveraged

    • B. 

      Single

    • C. 

      Joint

    • D. 

      Site specific

  • 4. 
    System authorization programs are marked by frequent failure due to, among other things, poor systems inventory, failure to fix responsibility at the system level, and
    • A. 

      Inability to work with remote teams.

    • B. 

      Lack of a project management office.

    • C. 

      Insufficient system rights.

    • D. 

      Lack of management support.

  • 5. 
    In what phases of the Risk Management Framework (RMF) and system development life cycle (SDLC), respectively, does documentation of control implementation start?
    • A. 

      Categorization and initiation

    • B. 

      Implement security controls and development/acquisition

    • C. 

      Authorization and operations/maintenance

    • D. 

      Monitor and sunset

  • 6. 
    The tiers of the National Institute of Standards and Technology (NIST) risk management framework are
    • A. 

      Operational, management, system.

    • B. 

      Confidentiality, integrity, availability.

    • C. 

      Organization, mission/business process, information system

    • D. 

      Prevention, detection, recovery

  • 7. 
    NIST guidance classifies security controls as
    • A. 

      Production, development, and test.

    • B. 

      People, process, and technology.

    • C. 

      System-specific, common and hybrid.

    • D. 

      Technical, administrative, and program.

  • 8. 
    Which of the following specifies security requirements for federal information and information systems in 17 security-related areas that represent a broad-based, balanced information security program?
    • A. 

      Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems

    • B. 

      FIPS 200, Minimum Security Requirements for Federal Information and Information Systems

    • C. 

      Committee on National Security Systems (CNSS) Instruction No. 1253, Security Categorization and Control Selection for National Security Systems

    • D. 

      Section 3541 Title 44 U.S.C. Federal Information Security Management Act of 2002

  • 9. 
    After a monthly change control board meeting at which the team determined the security impact of proposed changes to an application, what would be the team's next action?
    • A. 

      Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken.

    • B. 

      Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment.

    • C. 

      Update the security plan, security assessment report, and plan of action and milestones based on the results of the change control board's security impact analysis.

    • D. 

      Assess a selected subset of the security controls employed within and inherited by the application in accordance with the organization-defined monitoring strategy.

  • 10. 
    When an authorization to operate (ATO) is issued, which of the following roles authoritatively accepts residual risk on behalf of the organization?
    • A. 

      Information owner

    • B. 

      Chief information security officer (CISO)

    • C. 

      Authorizing official (AO)

    • D. 

      AO or the AO's designated representative (DR)

  • 11. 
    When attempting to categorize a system, which two Risk Management Framework (RMF) starting point inputs should be accounted for?
    • A. 

      Federal laws and organizational policies

    • B. 

      Federal laws and Office of Management and Budget (OMB) policies

    • C. 

      Federal Information Security Management Act (FISMA) and the Privacy Act

    • D. 

      Architectural descriptions and organizational inputs

  • 12. 
    Documenting the description of the system in the system security plan is the primary responsibility of which RMF role?
    • A. 

      Authorizing official (AO)

    • B. 

      Information owner

    • C. 

      Information system security officer (ISSO)

    • D. 

      Information system owner

  • 13. 
    The registration of the system directly follows which RMF task?
    • A. 

      Categorize the system

    • B. 

      Describe the system

    • C. 

      Review and approve the system security plan

    • D. 

      Select security controls

  • 14. 
    When should the information system owner document the information system and authorization boundary description in the security plan?
    • A. 

      After security controls are implemented

    • B. 

      While assembling the authorization package

    • C. 

      After security categorization

    • D. 

      When reviewing the security control assessment plan

  • 15. 
    Information developed from Federal Information Processing Standard (FIPS) 199 may be used as an input to which authorization package document?
    • A. 

      Security assessment report (SAR)

    • B. 

      System security plan (SSP)

    • C. 

      Plan of actions and milestones (POA&M)

    • D. 

      Authorization decision document

  • 16. 
    An organization's information systems are a mix of Windows and UNIX systems located in a single computer room. Access to the computer room is restricted by the use of door locks that require proximity cards and personal identification numbers. Only a small percentage of the organization's employees have access to the computer room. The computer room access restriction is an example of what type of security control relative to the hardware in the computer room?
    • A. 

      Managerial

    • B. 

      System specific

    • C. 

      Technical

    • D. 

      Inherited

  • 17. 
    Why is security control volatility an important consideration in the development of a security control monitoring strategy?
    • A. 

      It identifies needed security control monitoring exceptions.

    • B. 

      It indicates a need for compensating controls.

    • C. 

      It establishes priority for security control monitoring.

    • D. 

      It provides justification for revisions to the configuration management and control plan.

  • 18. 
    An information system is currently in the initiation phase of the system development life cycle (SDLC) and has been categorized high impact. The information system owner wants to inherit common controls provided by another organizational information system that is categorized moderate impact. How does the information system owner ensure that the common controls will provide adequate protection for the information system?
    • A. 

      Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system.

    • B. 

      Ask the common control provider for the system security plan for the common controls.

    • C. 

      Consult with the information system security engineer and the information security architect.

    • D. 

      Perform rigorous testing of the common controls to determine if they provide adequate protection.

  • 19. 
    An effective security control monitoring strategy for an information system includes
    • A. 

      Monitoring the security controls of interconnecting information systems outside the authorization boundary.

    • B. 

      Active involvement by authorizing officials in the ongoing management of information system-related security risks.

    • C. 

      The annual assessment of all security controls in the information system.

    • D. 

      All controls listed in NIST SP 800-53, Revision 3.

  • 20. 
    A large organization has a documented information security policy that has been reviewed and approved by senior officials and is readily available to all organizational staff. This information security policy explicitly addresses each of the 17 control families in NIST SP 800-53, Revision 3. Some system owners also established procedures for the technical class of security controls on certain of their systems. In their respective system security plans, control AC-1 Access Control Policy and Procedures (a technical class security control) must be identified as what type of control?
    • A. 

      Fully inheritable

    • B. 

      Hybrid

    • C. 

      System specific

    • D. 

      Inherited

  • 21. 
    When determining the applicability of a specific security control, the security professional should utilize which type of guidance?
    • A. 

      Categorization

    • B. 

      Selection

    • C. 

      Scoping

    • D. 

      Remediation

  • 22. 
    When making a determination regarding the adequacy of the implementation of inherited controls for their respective systems, an information system owner (ISO) can refer to the authorization package prepared by which of the following?
    • A. 

      Information owner/steward (IO)

    • B. 

      Information system security engineer (ISSE)

    • C. 

      Information systems security officer (ISSO)

    • D. 

      Common control provider (CCP)

  • 23. 
    The initial security plan for a new application has been approved. What is the next activity in the RMF?
    • A. 

      Develop a new strategy for the continuous monitoring of security control effectiveness.

    • B. 

      Assemble the security authorization package.

    • C. 

      Implement the security controls specified in the security plan.

    • D. 

      Assess a selected subset of the security controls inherited by the information system.

  • 24. 
    Which role has the supporting responsibility to coordinate changes to the system, assess the security impact, and update the system security plan?
    • A. 

      Information system security officer (ISSO)

    • B. 

      Information system owner (ISO)

    • C. 

      Common Control Provider

    • D. 

      Senior agency information security officer

  • 25. 
    Who is primarily responsible for the development of system-specific procedures?
    • A. 

      System owner

    • B. 

      Information systems security officer (ISSO)

    • C. 

      System architect

    • D. 

      System administrator

  • 26. 
    An initial remediation action was taken by the information system owner (ISO) based on findings from the security assessment report (SAR). What is the next appropriate step based on the RMF?
    • A. 

      ISO documents the remedial action in the security plan.

    • B. 

      Include the remediation action taken by information system owner as an addendum to the SAR.

    • C. 

      Information system security officer (ISSO) documents the remediation action and informs the ISO.

    • D. 

      Remedial action taken is sent for review to the ISSO.

  • 27. 
    Which of the following control families belongs to the management class of security controls?
    • A. 

      Media protection

    • B. 

      Configuration management

    • C. 

      Access control

    • D. 

      Risk assessment

  • 28. 
    Prior to completion of the security assessment report (SAR), what type of analysis is performed when agile, iterative development is used?
    • A. 

      Regression analysis

    • B. 

      Interim assessment

    • C. 

      Incremental assessment

    • D. 

      Executive assessment

  • 29. 
    In the case of a complex information system, where a "leveraged authorization" that involves two agencies will be conducted, what is the minimum number of system boundaries/accreditation boundaries that can exist?
    • A. 

      Only one.

    • B. 

      Only two, because there are two agencies.

    • C. 

      At least two.

    • D. 

      A leveraged authorization cannot be conducted with more than one agency involved.

  • 30. 
    Who determines the required level of independence for security control assessors?
    • A. 

      Information system owner (ISO)

    • B. 

      Information system security manager (ISSM)

    • C. 

      Authorizing official (AO)

    • D. 

      Information system security officer (ISSO)

  • 31. 
    System authorization is now used to refer to which of the following terms?
    • A. 

      System security declaration

    • B. 

      Certification and accreditation

    • C. 

      Security test and evaluation

    • D. 

      Continuous monitoring

  • 32. 
    What key information is used by the authorizing official (AO) to assist with the risk determination of an information system (IS)?
    • A. 

      Security authorization package (SAP)

    • B. 

      Plan of action and milestones (POA&M)

    • C. 

      Security plan (SP)

    • D. 

      Interconnection security agreement (ISA)

  • 33. 
    When an authorizing official (AO) submits the security authorization decision, what responses should the information system owner (ISO) expect to receive?
    • A. 

      Authorized to operate (ATO) or denial authorization to operate (DATO), the conditions for the authorization placed on the information system and owner, and the authorization termination date

    • B. 

      Authorized to operate (ATO) or denial authorization to operate (DATO), the list of security controls assessed, and a system contingency plan

    • C. 

      Authorized to operate (ATO) or denial authorization to operate (DATO), and the conditions for the authorization placed on the information system and owner

    • D. 

      A plan of action and milestones (POA&M), the conditions for the authorization placed on the information system and owner, and the authorization termination date

  • 34. 
    What should the system owner use to prioritize mitigation actions when developing the plan of action and milestones (POA&M)?
    • A. 

      Budget constraints

    • B. 

      Risk assessment results

    • C. 

      Continuous monitoring strategy

    • D. 

      Recommendations of the information owners

  • 35. 
    According to NIST SP 800-39, when an organization responds to risk by eliminating the activities or technologies that are the basis for the risk, that organization is
    • A. 

      Accepting the risk.

    • B. 

      Avoiding the risk.

    • C. 

      Transferring the risk.

    • D. 

      Mitigating the risk.

  • 36. 
    An effective continuous monitoring program can be used to
    • A. 

      Meet the Federal Information Processing Standard (FIPS) Publication 200 requirement for monthly risk assessments.

    • B. 

      Meet an organization's requirement for periodic information assurance training of all computer users.

    • C. 

      Replace information system security audit logs.

    • D. 

      Support the Federal Information Security Management Act (FISMA) requirement for annual assessment of the security controls in information systems.

  • 37. 
    According to RMF, which role has a primary responsibility to report the security status of the information system to the authorizing official (AO) and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy?
    • A. 

      Information system security officer (ISSO)

    • B. 

      Common control provider

    • C. 

      Independent assessor

    • D. 

      Senior information assurance officer (SIAO)

  • 38. 
    During an annual assessment, numerous high-risk findings are discovered on a critical organizational system. The system's Federal Information Processing Standard (FIPS) 199 rating is "high" integrity, "high" confidentiality, and "low" availability. The organization has a very low risk tolerance. What is the best decision that should be made in this situation?
    • A. 

      The authorizing official should deny operation of the system until risk is reduced to an acceptable level.

    • B. 

      The information system owner should resolve issues as quickly as possible while keeping the system up.

    • C. 

      The security control assessor should implement immediate compensating controls.

    • D. 

      The chief information security officer should scope and tailor the weak controls to ensure proper function.

  • 39. 
    Which NIST SP 800 series document is concerned with continuous monitoring for federal information systems and organizations?
    • A. 

      SP 800-26

    • B. 

      SP 800-64

    • C. 

      SP 800-137

    • D. 

      SP 800-144

  • 40. 
    Which of the following are phases of the NIST RMF?
    • A. 

      Categorize, select, implement, authorize

    • B. 

      Assess, certify, accredit, manage

    • C. 

      Prepare, execute, authorize, monitor

    • D. 

      Assess, mitigate, authorize, monitor

  • 41. 
    Which type of access control do user ID and password systems come under?
    • A. 

      Physical

    • B. 

      Administrative

    • C. 

      Power

    • D. 

      Technical

  • 42. 
    During the security impact analysis, vulnerabilities were uncovered in the information system. Which of the following documents should address the outstanding items?
    • A. 

      Plan of action and milestones

    • B. 

      System security plan

    • C. 

      System discrepancy plan

    • D. 

      System deficiency plan

  • 43. 
    Which of the following would be an accurate description of the role of the ISSO in the RMF process?
    • A. 

      The ISSO determines whether a system is ready for certification and conducts the certification process.

    • B. 

      The operational interests of system users are vested in the ISSO.

    • C. 

      The ISSO coordinates all aspects of the system from initial concept through development to implementation and system maintenance.

    • D. 

      The ISSO is responsible to the DAA for maintaining the appropriate operational security posture for an information system or program.

  • 44. 
    Which of the following statements about the authentication concept of information security management is true?
    • A. 

      It ensures that modifications are not made to data by unauthorized personnel or processes.

    • B. 

      It determines the actions and behaviors of a single individual within a system and identifies that particular individual.

    • C. 

      It ensures the reliable and timely access to resources.

    • D. 

      It establishes the identity of users and ensures that the users are who they say they are.

  • 45. 
    Which of the following NIST documents provides a guideline for identifying an information system as a National Security System?
    • A. 

      NIST SP 800-59

    • B. 

      NIST SP 800-53

    • C. 

      NIST SP 800-60

    • D. 

      NIST SP 800-37

  • 46. 
    NIST SP 800-53A defines three types of interview depending on the level of assessment conducted. Which of the following NIST SP 800-53A interviews consists of informal and ad hoc interviews?
    • A. 

      Substantial

    • B. 

      Abbreviated

    • C. 

      Comprehensive

    • D. 

      Significant

  • 47. 
    FISMA assigned the responsibility for developing standards to be used by all Federal agencies to categorize all information and information systems to which one of the following organizations?
    • A. 

      OMB

    • B. 

      NIST

    • C. 

      NSA

    • D. 

      DoD

  • 48. 
    Applying the first three steps of the RMF to legacy systems, in order to determine whether the necessary and sufficient security controls have been appropriately selected and allocated, can be viewed as what type of activity?
    • A. 

      Sequential

    • B. 

      Level of effort

    • C. 

      Gap analysis

    • D. 

      Common control

  • 49. 
    What process should be initiated when changes to the information system negatively impact the security of the system or when a period of time has elapsed as specified by agency or federal policy?
    • A. 

      IS audit

    • B. 

      Systems acquisition

    • C. 

      Reauthorization

    • D. 

      Reclassification of data

  • 50. 
    Which of the following governance bodies directs and coordinates implementations of the information security program?
    • A. 

      Chief Information Security Officer

    • B. 

      Information Security Steering Committee

    • C. 

      Senior Management

    • D. 

      Business Unit Manager

  • 51. 
    Which of the following statements best describes the difference between the role of a data owner and the role of a data custodian?
    • A. 

      The data owner implements the information classification scheme after the initial assignment by the custodian.

    • B. 

      The custodian implements the information classification scheme after the initial assignment by the operations manager.

    • C. 

      The data custodian implements the information classification scheme after the initial assignment by the data owner.

    • D. 

      The custodian makes the initial information classification assignments and the operations manager implements the scheme.

  • 52. 
    Which role does an organization require to be capable of conducting an impartial assessment of security controls employed within or inherited by an information system?
    • A. 

      Vendor assessor

    • B. 

      Technical expert

    • C. 

      Authorization assessor

    • D. 

      Independent assessor

  • 53. 
    The first item listed in the system security plan is the system name and identifier. As required in OMB Circular A-11, each system should be assigned a name and unique identifier. The assignment of a unique identifier supports the agency's ability to do what?
    • A. 

      Collect agency information and security metrics specific to the system.

    • B. 

      Establish budget auditability.

    • C. 

      Identify risks associated to location.

    • D. 

      Create an RTM.

  • 54. 
    FISMA charges which one of the following agencies with the responsibility of overseeing the security policies and practices of all agencies of the executive branch of the Federal government?
    • A. 

      Office of Management and Budget (OMB)

    • B. 

      National Institute of Standards and Technology (NIST)

    • C. 

      National Security Agency (NSA)

    • D. 

      Department of Justice

  • 55. 
    An assessment procedure consists of a set of which things, each with an associated set of potential assessment methods and assessment objects?
    • A. 

      Assessment objectives

    • B. 

      Security controls

    • C. 

      Operational requirements

    • D. 

      Assessment objects

  • 56. 
    Which one of the following publications provides details of the monitoring security control?
    • A. 

      NIST SP 800-53

    • B. 

      NIST SP 800-42

    • C. 

      NIST SP 800-137

    • D. 

      NIST SP 800-41

  • 57. 
    Which role in the security authorization process is responsible for organizational information systems?
    • A. 

      IS program manager

    • B. 

      Designated authorizing official

    • C. 

      Certification agent

    • D. 

      User representative

  • 58. 
    FIPS 200 provides how many minimum security requirements for federal information and information systems? The requirements represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting the CIA of federal information and information systems.
    • A. 

      5

    • B. 

      17

    • C. 

      21

    • D. 

      10

  • 59. 
    Which of the following documents can best aid in selecting controls to be monitored?
    • A. 

      NIST SP 800-37

    • B. 

      FISMA

    • C. 

      FIPS 199

    • D. 

      NIST SP 800-18

  • 60. 
    Which of the following is not a standard phase in the System Authorization Process?
    • A. 

      Pre certification

    • B. 

      Post authorization

    • C. 

      Post certification

    • D. 

      Certification

  • 61. 
    The security authorization package contains multiple key documents enabling the authorizing officials to make risk-based authorization decisions. Which of the following documents is not part of the package?
    • A. 

      Security plan

    • B. 

      Security assessment report

    • C. 

      Plan of action and milestones

    • D. 

      Security service level agreements

  • 62. 
    Why would the authorization decision issue a determination of Not Authorized?
    • A. 

      If the system is not authorized (NA) to process classified information.

    • B. 

      If it is deemed that the agency level risk is unacceptably high.

    • C. 

      If the system is mission critical and requires an interim authority to operate.

    • D. 

      The information system is always accredited without any restrictions or limitations on its operation.

  • 63. 
    Who is primarily responsible for categorizing the Information System?
    • A. 

      IS program manager

    • B. 

      CIO

    • C. 

      Information system owner

    • D. 

      System architect

  • 64. 
    FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?
    • A. 

      Level 2

    • B. 

      Level 1

    • C. 

      Level 5

    • D. 

      Level 3

  • 65. 
    Which of the following statements about Discretionary Access Control List (DACL) is true?
    • A. 

      It is a list containing user accounts, groups, and computers that are allowed (or denied) access to the object.

    • B. 

      It specifies whether an audit activity should be performed when an object attempts to access a resource.

    • C. 

      It is a unique number that identifies a user, group, and computer account.

    • D. 

      It is a rule list containing access control entries.

  • 66. 
    Which of the following individuals is responsible for monitoring the information system environment for factors that can negatively impact the security of the system and its accreditation?
    • A. 

      Chief Information Security Officer

    • B. 

      Chief Information Officer

    • C. 

      Chief Risk Officer

    • D. 

      Information System Owner

  • 67. 
    Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?
    • A. 

      Senior Agency Information Security Officer

    • B. 

      Authorizing Official

    • C. 

      Common Control Provider

    • D. 

      Chief Information Officer

  • 68. 
    Which of the following NIST Special Publication documents provides a guideline on network security testing?
    • A. 

      NIST SP 800-53A

    • B. 

      NIST SP 800-53

    • C. 

      NIST SP 800-42

    • D. 

      NIST SP 800-37

  • 69. 
    Which of the following is a standard that sets essential requirements for assessing the effectiveness of computer security controls built into a computer system?
    • A. 

      FITSAF

    • B. 

      TCSEC

    • C. 

      FIPS

    • D. 

      SSAA

  • 70. 
    The British Standard BS7799 was the basis for which of the following standards?
    • A. 

      ISO/IEC 154508

    • B. 

      ISO/IEC 17799

    • C. 

      ICO/ICE 17799

    • D. 

      Executive Order (E.O.) 13231

  • 71. 
    The guidelines in which of the following publications apply to the security controls defined in NIST Special Publication 800-53, in an effort to enable more consistent, comparable, and repeatable assessments of security controls?
    • A. 

      SP 800-53

    • B. 

      SP 800-53A

    • C. 

      SP 800-37

    • D. 

      FIPS 200

  • 72. 
    What assessment procedure is designed to work with and complement the assessment procedures to contribute to the grounds for confidence in the effectiveness of the security controls employed in the information system?
    • A. 

      Extended

    • B. 

      Subordinate

    • C. 

      Based

    • D. 

      Cross Control

  • 73. 
    Subsequent to a security breach, which of the following techniques is used with the intention of limiting the extent of damage caused by the incident?
    • A. 

      Corrective controls

    • B. 

      Preventative controls

    • C. 

      Change controls

    • D. 

      Incident controls

  • 74. 
    Change management is initiated under which phase?
    • A. 

      Select security controls

    • B. 

      Categorize information system

    • C. 

      Authorize information system

    • D. 

      Monitor security controls

  • 75. 
    Which of the following professionals plays the role of a monitor and takes part in the organization's configuration management process?
    • A. 

      Senior Agency Information Security Officer

    • B. 

      Authorizing Official

    • C. 

      Common Control Provider

    • D. 

      Chief Information Officer

  • 76. 
    Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?
    • A. 

      Information system owner

    • B. 

      Authorizing Official

    • C. 

      Chief Risk Officer (CRO)

    • D. 

      Chief Information Officer (CIO)

  • 77. 
    Which of the following assessment methodologies defines a six-step technical security evaluation?
    • A. 

      FITSAF

    • B. 

      FIPS 102

    • C. 

      OCTAVE

    • D. 

      DITSCAP

  • 78. 
    Which of the following refers to an information security document that is used in the United States Department of Defense (DoD) to describe and accredit networks and systems?
    • A. 

      FITSAF

    • B. 

      FIPS

    • C. 

      TCSEC

    • D. 

      SSAA

  • 79. 
    Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?
    • A. 

      Definition, Validation, Verification, and Post Accreditation

    • B. 

      Verification, Definition, Validation, and Post Accreditation

    • C. 

      Verification, Validation, Definition, and Post Accreditation

    • D. 

      Definition, Verification, Validation, and Post Accreditation

  • 80. 
    Which of the following is a subset discipline of Corporate Governance focused on information security systems and their performance and risk management?
    • A. 

      Lanham Act

    • B. 

      ISG

    • C. 

      Clinger-Cohen Act

    • D. 

      Computer Misuse Act

  • 81. 
    Where can a project manager find risk-rating rules?
    • A. 

      Risk probability and impact matrix

    • B. 

      Organizational process assets

    • C. 

      Enterprise environmental factors

    • D. 

      Risk management plan

  • 82. 
    There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to the perform quantitative risk analysis process?
    • A. 

      Risk register

    • B. 

      Cost management plan

    • C. 

      Risk management plan

    • D. 

      Enterprise environmental factors

  • 83. 
    Which of the following techniques are used after a security breach and are intended to limit the extent of any damage caused by the incident?
    • A. 

      Safeguards

    • B. 

      Preventive controls

    • C. 

      Detective controls

    • D. 

      Corrective controls

  • 84. 
    Which of the following assessment methodologies defines a six-step technical security evaluation?
    • A. 

      OCTAVE

    • B. 

      FITSAF

    • C. 

      DITSCAP

    • D. 

      FIPS 102

  • 85. 
    Which of the following is a 1996 United States federal law, designed to improve the way the federal government acquires, uses, and disposes information technology?
    • A. 

      Computer Misuse Act

    • B. 

      Lanham Act

    • C. 

      Clinger-Cohen Act

    • D. 

      Paperwork Reduction Act

  • 86. 
    Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media? 
    • A. 

      RTM

    • B. 

      CRO

    • C. 

      DAA

    • D. 

      ATM

  • 87. 
    Which of the following processes is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state?
    • A. 

      Procurement management

    • B. 

      Change management

    • C. 

      Risk management

    • D. 

      Configuration management

  • 88. 
    Which of the following roles is responsible for review and risk analysis of all contracts on a regular basis?
    • A. 

      The Supplier Manager

    • B. 

      The IT Service Continuity Manager

    • C. 

      The Service Catalogue Manager

    • D. 

      The Configuration Manager

  • 89. 
    Which one of the following is the only output for the qualitative risk analysis process?
    • A. 

      Project management plan

    • B. 

      Risk register updates

    • C. 

      Enterprise environmental factors

    • D. 

      Organizational process assets

  • 90. 
    To help review or design security controls, they can be classified by several criteria. One of these criteria is based on nature. According to this criterion, which of the following controls consists of incident response processes, management oversight, security awareness, and training?
    • A. 

      Technical

    • B. 

      Physical

    • C. 

      Procedural

    • D. 

      Compliance

  • 91. 
    What component of the change management system is responsible for evaluating, testing, and documenting changes created to the project scope?
    • A. 

      Configuration Management System

    • B. 

      Project Management Information System

    • C. 

      Scope Verification

    • D. 

      Integrated Change Control

  • 92. 
    During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?
    • A. 

      Risk rating

    • B. 

      Warning signs

    • C. 

      Cost of the project

    • D. 

      Symptoms

  • 93. 
    Which of the following is not a standard phase in the System Authorization Process? 
    • A. 

      Pre-certification

    • B. 

      Post-Authorization

    • C. 

      Post-Certification

    • D. 

      Certification

  • 94. 
    Which of the following would be an accurate description of the role of the ISSO in the C&A process? 
    • A. 

      The ISSO determines whether a system is ready for certification and conducts the certification process.

    • B. 

      The operational interests of system users are vested in the ISSO.

    • C. 

      The ISSO coordinates all aspects of the system from initial concept, through development, to implementation and system maintenance.

    • D. 

      The ISSO is responsible to the DAA for ensuring that security is provided for and implemented throughout the life cycle.

  • 95. 
    Which is not a common responsibility of the user representative? 
    • A. 

      The user representative is responsible for the secure operation of a certified and accredited IS.

    • B. 

      The user representative represents the user community.

    • C. 

      The user representative determines whether a system is ready for certification and conducts the certification process.

    • D. 

      The user representative functions as the liaison for the user community throughout the life cycle of the system.

  • 96. 
    Which statement is not true about the SSAA? 
    • A. 

      The SSAA is used throughout the entire process.

    • B. 

      The SSAA is a formal agreement among the DAA(s), certifier, user representative, and program manager.

    • C. 

      The SSAA is used only during Phase 3, Validation.

    • D. 

      The SSAA documents the conditions of the C&A for an IS.

  • 97. 
    Which C&A role is also referred to as the accreditor? 
    • A. 

      IS program manager

    • B. 

      Designated Approving Authority (DAA)

    • C. 

      Certification agent

    • D. 

      User representative

  • 98. 
    Which is not a C&A role? 
    • A. 

      IS program manager

    • B. 

      Certifier

    • C. 

      Vendor representative

    • D. 

      User representative

  • 99. 
    Which is not a NIACAP accreditation type? 
    • A. 

      Site

    • B. 

      Process

    • C. 

      Type

    • D. 

      System

  • 100. 
    Which statement is not true about the Designated Approving Authority (DAA)? 
    • A. 

      The DAA determines the existing level of residual risk and makes an accreditation recommendation.

    • B. 

      The DAA is the primary government official responsible for implementing system security.

    • C. 

      The DAA is an executive with the authority and ability to balance the needs of the system with the security risks.

    • D. 

      The DAA can grant an accreditation or an Interim Approval to Operate (IATO) or may determine that the system’s risks are not at an acceptable level and it is not ready to be operational.

  • 101. 
    Which statement is not true about the certification agent? 
    • A. 

      The certifier provides the technical expertise to conduct the certification throughout the system’s life cycle based on the security requirements documented in the SSAA.

    • B. 

      The certifier determines the acceptable level of residual risk for a system.

    • C. 

      The certifier determines whether a system is ready for certification and conducts the certification process.

    • D. 

      The certifier should be independent from the organization responsible for the system development or operation.

  • 102. 
    What is the task of the certifier at the completion of the certification effort? 
    • A. 

      To recommend to the DAA whether or not to accredit the system based on documented residual risk

    • B. 

      To provide details of the system and its life cycle management to the DAA

    • C. 

      To ensure that the security requirements are integrated in a way that will result in an acceptable level of risk

    • D. 

      To keep all NIACAP participants informed of life cycle actions, security requirements, and documented user needs

  • 103. 
    Which choice most accurately defines a user representative? 
    • A. 

      The user representative is an executive with the authority and ability to balance the needs of the system with the security risks.

    • B. 

      The user representative is concerned with system availability, access, integrity, functionality, performance, and confidentiality as they relate to the mission environment.

    • C. 

      The user representative determines the acceptable level of residual risk for a system.

    • D. 

      The user representative is the primary government official responsible for implementing system security.

  • 104. 
    Which statement about certification and accreditation (C&A) is not correct? 
    • A. 

      Certification is the comprehensive evaluation of the technical and nontechnical security features of an information system.

    • B. 

      C&A is optional for most federal agencies’ security systems.

    • C. 

      Accreditation is the formal declaration by a DAA approving an information system to operate.

    • D. 

      C&A consists of formal methods applied to ensure that the appropriate information system security safeguards are in place and that they are functioning per the specifications.

  • 105. 
    The DAA accreditation decision is made at the last step of which phase? 
    • A. 

      1

    • B. 

      2

    • C. 

      3

    • D. 

      4

  • 106. 
    If the DAA does not accredit the system, what happens? 
    • A. 

      The C&A process reverts to Phase 1.

    • B. 

      The C&A process moves on to Phase 4.

    • C. 

      The C&A project is ended.

    • D. 

      The C&A stays in Phase 3 until the system is accredited.

  • 107. 
    What is the main purpose of the post-accreditation phase? 
    • A. 

      To initiate the risk management agreement process among the four principals: the DAA, certifier, program manager, and user representative

    • B. 

      To continue to operate and manage the system so that it will maintain an acceptable level of residual risk

    • C. 

      To ensure that the SSAA properly and clearly defines the approach and level of effort

    • D. 

      To collect information and documentation about the system, such as capabilities and functions the system will perform

  • 108. 
    How long does Phase 4 last? 
    • A. 

      Until the initial certification analysis determines whether the IS is ready to be evaluated and tested

    • B. 

      Until the DAA reviews the SSAA and makes an accreditation determination

    • C. 

      Until the information system is removed from service, a major change is planned for the system, or a periodic compliance validation is required

    • D. 

      Until the responsible organizations adopt the SSAA and concur that those objectives have been reached

  • 109. 
    Which policy document determines that all federal government departments and agencies establish and implement programs mandating the certification and accreditation (C&A) of national security systems under their operational control? 
    • A. 

      DoD 8510.1-M, “Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual,” July 31, 2000

    • B. 

      FIPS PUB 102, “Guidelines for Computer Security Certification and Accreditation,” September 27, 1983

    • C. 

      NSTISS Instruction (NSTISSI) No. 1000, “National Information Assurance Certification and Accreditation Process (NIACAP),” April 2000

    • D. 

      NSTISS Policy (NSTISSP) No. 6, “National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems,” April 8, 1994

  • 110. 
    Which of the following assessment methodologies defines a six-step comprehensive C&A? 
    • A. 

      Federal Information Processing Standard (FIPS) 102

    • B. 

      Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

    • C. 

      Federal Information Technology Security Assessment Framework (FITSAF)

    • D. 

      INFOSEC Assessment Methodology (IAM)

  • 111. 
    What is the order of phases in a DITSCAP assessment? 
    • A. 

      Verification, Definition, Validation, and Post Accreditation

    • B. 

      Definition, Verification, Validation, and Post Accreditation

    • C. 

      Definition, Validation, Verification, and Post Accreditation

    • D. 

      Validation, Definition, Verification, and Post Accreditation

  • 112. 
    Which one of the following documents requires the development and maintenance of minimum controls to protect Federal information and information systems? 
    • A. 

      NIST SP 800-30, “Risk Management Guide for Information Technology Systems”

    • B. 

      SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”

    • C. 

      The Federal Information Security Management Act (FISMA)

    • D. 

      FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”

  • 113. 
    FISMA charges which one of the following agencies with the responsibility of overseeing the security policies and practices of all agencies of the executive branch of the Federal government? 
    • A. 

      Office of Management and Budget (OMB)

    • B. 

      National Institute of Standards and Technology (NIST)

    • C. 

      National Security Agency (NSA)

    • D. 

      Department of Justice

  • 114. 
    NIST Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems,” defines the term assurance as: 
    • A. 

      The requirement that information and programs are changed only in a specified and authorized manner

    • B. 

      The measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information

    • C. 

      The grounds for confidence that the security controls implemented within an information system are effective in their application

    • D. 

      The requirement that private or confidential information not be disclosed to unauthorized individuals

  • 115. 
    Which one of the following publications requires Federal agencies to review the security controls in their information systems and perform security accreditation? 
    • A. 

      FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems”

    • B. 

      OMB Circular A-130, Appendix III

    • C. 

      NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”

    • D. 

      NIST SP 800-30, “Risk Management Guide for Information Technology Systems”

  • 116. 
    Which one of the following publications provides direction for each government agency in developing and implementing an agency-wide information security program according to the FISMA requirements? 
    • A. 

      NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”

    • B. 

      NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”

    • C. 

      NIST SP 800-30, “Risk Management Guide for Information Technology Systems”

    • D. 

      DoD Directive 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003

  • 117. 
    FISMA assigned the responsibility for developing standards to be used by all Federal agencies to categorize all information and information systems to which one of the following organizations? 
    • A. 

      OMB

    • B. 

      NIST

    • C. 

      NSA

    • D. 

      DoD

  • 118. 
    Which publication categorizes information and information systems as part of the FISMA mandate? 
    • A. 

      OMB Circular A-130, Appendix III

    • B. 

      NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”

    • C. 

      NIST SP 800-30, “Risk Management Guide for Information Technology Systems”

    • D. 

      FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”

  • 119. 
    FIPS Publication 199 defines three levels of potential impact to the compromise of confidentiality, integrity, and availability. These levels are: 
    • A. 

      Minimum, Normal, Maximum

    • B. 

      Low, Moderate, High

    • C. 

      Unclassified, Confidential, Secret

    • D. 

      Confidential, Secret, Top Secret

  • 120. 
    Which one of the following best describes FIPS 199 security categories? 
    • A. 

      A function of the potential strength of an information system when proper information assurance controls are applied

    • B. 

      A function of the potential weakness of an information system when proper information assurance controls are applied

    • C. 

      A function of the potential flexibility of an information system when different IT operations are performed

    • D. 

      A function of the potential impact on information or information systems as a result of threat realized exploiting a system vulnerability.

  • 121. 
    The general formula for categorization of an information type developed in FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems,” is which one of the following? 
    • A. 

      SC information type = {(confidentiality, risk), (integrity, risk), (availability, risk)}

    • B. 

      SC information type = {(confidentiality, controls), (integrity, controls), (availability, controls)}

    • C. 

      SC information type = {(assurance, impact), (integrity, impact), (authentication, impact)}

    • D. 

      SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

  • 122. 
    In order to determine the security category (SC) for an information system, the potential impact values assigned to the security objectives of confidentiality, integrity, and availability must be which one of the following? 
    • A. 

      The maximum values assigned among the security categories that have been assigned to the different types of information residing on the system

    • B. 

      The minimum values assigned among the security categories that have been assigned to the different types of information residing on the system

    • C. 

      The average of the values assigned among the security categories that have been assigned to the different types of information residing on the system

    • D. 

      None of the above

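The categorization rule behind the two questions above (the FIPS 199 security-category triple for an information type, and the high-water mark that turns the categories of several information types into the category of the system) worked through in Python. This is an added example, not code from the quiz or from NIST; the information-type names and impact values are constructed for illustration, and representing the FIPS 199 "not applicable" value as `None` is a design choice of this example. The overall impact level at the end follows FIPS 200, which takes the highest of the three objective values to select the SP 800-53 baseline.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added worked example, not part of the quiz page. The information types,
their names and impact values below are constructed for illustration.
"""
from enum import IntEnum
from typing import Dict, Iterable, Optional


class Impact(IntEnum):
    # FIPS 199 potential impact levels, ordered so that max() gives the high-water mark.
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
# None stands for the FIPS 199 value "not applicable", which is permitted only
# for the confidentiality of an individual information type (e.g. public data).
InfoTypeSC = Dict[str, Optional[Impact]]


def categorize_information_type(confidentiality: Optional[Impact],
                                integrity: Impact,
                                availability: Impact) -> InfoTypeSC:
    """Build the security category triple for one information type.

    Enforces the FIPS 199 rule that only confidentiality may be 'not applicable'.
    """
    if integrity is None or availability is None:
        raise ValueError("only confidentiality may be 'not applicable' (FIPS 199)")
    return {"confidentiality": confidentiality,
            "integrity": integrity,
            "availability": availability}


def categorize_system(info_types: Iterable[InfoTypeSC]) -> Dict[str, Impact]:
    """Derive the system security category from the information types it holds.

    For each objective the system value is the maximum (high-water mark) of the
    values assigned to the individual information types. A system value is
    never 'not applicable': FIPS 199 sets a floor of LOW for every objective,
    so a system holding only public data is still LOW for confidentiality.
    """
    system = {obj: Impact.LOW for obj in OBJECTIVES}
    for info_type in info_types:
        for obj in OBJECTIVES:
            value = info_type[obj]
            if value is not None and value > system[obj]:
                system[obj] = value
    return system


def overall_impact(system_sc: Dict[str, Impact]) -> Impact:
    """Overall impact level of the system: the highest of the three objective
    values (FIPS 200), which selects the SP 800-53 low/moderate/high baseline."""
    return max(system_sc.values())


def format_sc(name: str, sc: InfoTypeSC) -> str:
    """Render a category in the FIPS 199 notation used in the quiz."""
    def show(value: Optional[Impact]) -> str:
        return "N/A" if value is None else value.name
    return (f"SC {name} = {{(confidentiality, {show(sc['confidentiality'])}), "
            f"(integrity, {show(sc['integrity'])}), "
            f"(availability, {show(sc['availability'])})}}")


# Constructed sample: three information types residing on one hypothetical system.
EXAMPLE_INFO_TYPES: Dict[str, InfoTypeSC] = {
    "public web content": categorize_information_type(None, Impact.LOW, Impact.MODERATE),
    "customer PII": categorize_information_type(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "dispatch telemetry": categorize_information_type(Impact.LOW, Impact.HIGH, Impact.HIGH),
}

if __name__ == "__main__":
    for name, sc in EXAMPLE_INFO_TYPES.items():
        print(format_sc(name, sc))
    system_sc = categorize_system(EXAMPLE_INFO_TYPES.values())
    print(format_sc("system", system_sc))
    print("overall impact level:", overall_impact(system_sc).name)
```

Run as a script it prints each information type's triple, then the system triple {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)} and an overall level of HIGH: no single information type is HIGH for confidentiality or MODERATE for everything, yet the system inherits the worst value per objective. The practical consequence is that one small HIGH-availability information type pulls the whole authorization boundary up to the high baseline, which is why drawing the boundary (question 131) matters as much as the categorization itself.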
  • 123. 
    NIST SP 800-30, “Risk Management Guide for Information Technology Systems,” defines a term as “either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.” Which one of the following items is the term in the definition? 
    • A. 

      Risk

    • B. 

      Impact

    • C. 

      Threat source

    • D. 

      Assurance

  • 124. 
    Impact is defined by NIST SP 800-30 as which one of the following? 
    • A. 

      The magnitude of the vulnerability

    • B. 

      The magnitude of harm that could be caused by a threat’s exercise of vulnerability

    • C. 

      The magnitude of the risk

    • D. 

      The quality of the security controls on the system

  • 125. 
    NIST SP 800-30 includes threat identification, control analysis, likelihood determination, impact analysis, and control recommendations as components of which one of the following activities? 
    • A. 

      Penetration testing

    • B. 

      Intrusion detection

    • C. 

      Risk assessment

    • D. 

      Vulnerability assessment

  • 126. 
    What NIST document provides a questionnaire and checklist through which systems can be evaluated for compliance against specific control objectives? 
    • A. 

      SP 800-30, “Risk Management Guide for Information Technology Systems”

    • B. 

      SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”

    • C. 

      SP 800-26, “Security Self-Assessment Guide for Information Technology Systems”

    • D. 

      FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”

  • 127. 
    Initiation, development and acquisition, implementation and installation, operational maintenance, and disposal are components of what activity? 
    • A. 

      The system development life cycle (SDLC)

    • B. 

      The system engineering life cycle

    • C. 

      The capability maturity model (CMM)

    • D. 

      Risk management life cycle

  • 128. 
    The term ST&E stands for: 
    • A. 

      System test and evaluation

    • B. 

      Security, timing, and evaluation

    • C. 

      Security, test, and evaluation

    • D. 

      System timing and evaluation

  • 129. 
    Which one of the following lists describes different types of penetration tests? 
    • A. 

      Zero-knowledge test, partial-knowledge test, full-knowledge test

    • B. 

      Hard test, soft test, moderate test

    • C. 

      Complete test, partial test, minimal test

    • D. 

      Technical test, cursory test, partial-knowledge test

  • 130. 
    FIPS Publication 199 defines three levels of potential impact to the compromise of confidentiality, integrity, and availability. Which one of the following statements taken from FIPS 199 describes a moderate level of impact on confidentiality? 
    • A. 

      The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

    • B. 

      The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

    • C. 

      The disruption of access to or the use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

    • D. 

      The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

  • 131. 
    The definition “All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected” taken from NIST SP 800-37 refers to which one of the following terms? 
    • A. 

      Assurance boundary

    • B. 

      Assurance perimeter

    • C. 

      Testing perimeter

    • D. 

      Accreditation boundary

  • 132. 
    Which activity referred to in OMB Circular A-130 has to consider legal liability issues resulting from omissions and errors, failure to exercise due care in the operation of an information system, and unauthorized disclosure, modification, or destruction of data? 
    • A. 

      Risk avoidance

    • B. 

      Risk management

    • C. 

      Testing

    • D. 

      Dry run

  • 133. 
    What NIST Special Publication provides guidance in the selection and configuration of security controls for Federal information systems? 
    • A. 

      NIST SP 800-42

    • B. 

      NIST SP 800-30

    • C. 

      NIST SP 800-53

    • D. 

      NIST SP 800-57

  • 134. 
    Which one of the following NIST publications links to SP 800-53 and specifies minimum security requirements for information systems, including access control, awareness and training, configuration management, and personnel security? 
    • A. 

      NIST SP 800-30, “Risk Management Guide for Information Technology Systems”

    • B. 

      NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”

    • C. 

      NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”

    • D. 

      FIPS 200 standard, “Minimum Security Requirements for Federal Information and Federal Information Systems”

  • 135. 
    The Security Controls of NIST SP 800-53 are organized into which three classes? 
    • A. 

      Physical, operational, technical

    • B. 

      Management, operational, technical

    • C. 

      Personnel, operational, technical

    • D. 

      Management, physical, technical

  • 136. 
    If AC represents the Access Control family in NIST SP 800-53, what does AC-15 denote? 
    • A. 

      The 15th control of the Access Control Family

    • B. 

      The 15th class of the Access Control Family

    • C. 

      The 15th field of the Access Control Family

    • D. 

      None of the above

  • 137. 
    The control structure in NIST SP 800-53 comprises three parts. Which one of the following is the correct listing of the three parts? 
    • A. 

      Management section, supplemental guidance section, control enhancements section

    • B. 

      Management section, technical section, control enhancements section

    • C. 

      Control section, technical section, control enhancements section

    • D. 

      Control section, supplemental guidance section, control enhancements section

  • 138. 
    A description of one element of the access control family listed in NIST SP 800-53 is LOW AC-17, MOD AC-17 (1) (2) (3), HIGH AC-17 (1) (2) (3) for low-impact, moderate-impact, and high-impact information systems, based on FIPS 199. What do the terms in parentheses represent? 
    • A. 

      Basic controls implementing access control in the family

    • B. 

      Control enhancements adding to the functionality or increasing the strength of a basic control

    • C. 

      Basic controls implementing access control in the class

    • D. 

      The quality of the security controls on the system

  • 139. 
    The security certification and accreditation process comprises which one of the following sets of phases? 
    • A. 

      Establishment, security certification, security accreditation, and continuous monitoring

    • B. 

      Initiation, security certification, security accreditation, and maintenance

    • C. 

      Initiation, security certification, security accreditation, and continuous monitoring

    • D. 

      Initiation, security certification, security accreditation, and operation

  • 140. 
    NIST SP 800-53 defines a term as “the grounds for confidence that the security controls implemented within an information system are effective in their application.” Which one of the following is that term? 
    • A. 

      Threat source

    • B. 

      Vulnerability

    • C. 

      Assurance

    • D. 

      Evaluation

  • 141. 
    Which choice best describes DITSCAP Phase 1, Definition? 
    • A. 

      The objective of Phase 1 is to ensure the fully integrated system will be ready for certification testing.

    • B. 

      The objective of Phase 1 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system (accreditation or Interim Approval to Operate [IATO]).

    • C. 

      The objective of Phase 1 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.

    • D. 

      The objective of Phase 1 is to ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk.

  • 142. 
    Which is not an activity in DITSCAP Phase 2? 
    • A. 

      System Development and Integration

    • B. 

      Initial Certification Analysis

    • C. 

      Refine the SSAA

    • D. 

      Negotiation

  • 143. 
    Which is not an activity in DITSCAP Phase 1? 
    • A. 

      Preparation

    • B. 

      Initial Certification Analysis

    • C. 

      Registration

    • D. 

      Negotiation

  • 144. 
    According to NIST 800-37, which of the following subtasks does not belong to the Security Certification Phase? 
    • A. 

      Present the accreditation recommendation to the DAA

    • B. 

      Prepare the security certification documentation

    • C. 

      Gather the documentation

    • D. 

      Perform the security control assessment

  • 145. 
    Which of the following is not a good description of the goal of the C&A Certification Phase? 
    • A. 

      To determine how well the information system security controls are implemented

    • B. 

      To determine whether the information system security controls are meeting the security requirements for the system

    • C. 

      To produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system

    • D. 

      To determine whether the information system security controls are operating as intended

  • 146. 
    Which choice is not an objective of the security control assessment task? 
    • A. 

      Document the results of the assessment

    • B. 

      Organize and track the security requirements of the target system to be accredited

    • C. 

      Prepare for the assessment of the security controls in the information system

    • D. 

      Conduct the assessment of the security controls

  • 147. 
    The acronym RTM refers to what? 
    • A. 

      Resource Tracking Method

    • B. 

      Requirements Traceability Matrix

    • C. 

      Requirements Testing Matrix

    • D. 

      Requirements Testing Milestone

  • 148. 
    The SSAA is the product of which DITSCAP phase? 
    • A. 

      1

    • B. 

      2

    • C. 

      3

    • D. 

      4

  • 149. 
    What is the primary purpose of the RTM? 
    • A. 

      To establish an evolving yet binding agreement on the level of security required

    • B. 

      To organize and track the security requirements of the target system to be accredited

    • C. 

      To produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system

    • D. 

      To determine whether the information system security controls are operating as intended

  • 150. 
    In which DITSCAP phase is the RTM developed? 
    • A. 

      1

    • B. 

      2

    • C. 

      3

    • D. 

      4

  • 151. 
    What is the primary purpose of the SSAA? 
    • A. 

      To determine whether the information system security controls are operating as intended

    • B. 

      To organize and track the security requirements of the target system to be accredited

    • C. 

      To determine how well the information system security controls are implemented

    • D. 

      To establish an evolving yet binding agreement on the level of security required before the system development begins or changes to a system are made

  • 152. 
    In which DITSCAP phase is the SSAA developed? 
    • A. 

      1

    • B. 

      2

    • C. 

      3

    • D. 

      4

  • 153. 
    What is the overall goal of the DITSCAP Phase 2? 
    • A. 

      To track whether and how all security requirements are being met by the system

    • B. 

      To prepare the Plan of Action and Milestones document

    • C. 

      To obtain a fully integrated system for certification testing and accreditation

    • D. 

      To assist in the development of test scripts for the ST&E

  • 154. 
    Which of the following is not an example of a DITSCAP Phase 2 process activity? 
    • A. 

      Certification analysis

    • B. 

      System development

    • C. 

      Document Mission Need

    • D. 

      Continuing refinement of the SSAA

  • 155. 
    Which choice is not an example of an Initial Certification Analysis task? 
    • A. 

      Verify that the system architecture complies with the architecture description in the SSAA

    • B. 

      Verify that change control and configuration management practices are in place

    • C. 

      Evaluate the integration of COTS or GOTS software

    • D. 

      Assist in the development of test scripts for the System Test and Evaluation (ST&E)

  • 156. 
    What is the purpose of the Initial Certification Analysis? 
    • A. 

      To organize and track the security requirements of the target system to be accredited

    • B. 

      To support the documentation that all system security requirements have been met in the accreditation phase of the C&A

    • C. 

      To assist in the development of test scripts for the System Test and Evaluation (ST&E)

    • D. 

      To determine whether the system is ready to be evaluated and tested under Phase 3 of the Accreditation Phase

  • 157. 
    What role would commonly be in charge of preparing the Action Plan? 
    • A. 

      DAA

    • B. 

      Information System Owner

    • C. 

      Certification Agent

    • D. 

      User Representative

  • 158. 
    What choice is the best description of the DAA? 
    • A. 

      The interests of the system’s users are vested in the DAA.

    • B. 

      The DAA defines the system level security requirements.

    • C. 

      The DAA provides the technical expertise to conduct the certification.

    • D. 

      The DAA is responsible for carrying out the Chief Information Officer responsibilities under FISMA.

  • 159. 
    Which choice is not a use for the SSAA? 
    • A. 

      To document the formal agreement among the DAA(s), the CA, the user representative, and the program manager

    • B. 

      To document a commander’s assumptions or intent in regard to an IS and how it relates to the concept of operations embodied in campaign plans and operational plans

    • C. 

      To document all requirements necessary for accreditation

    • D. 

      To document the DITSCAP plan

  • 160. 
    What happens to the SSAA after the DITSCAP accreditation? 
    • A. 

      The SSAA becomes the baseline security configuration document.

    • B. 

      The SSAA is discarded as the project is finished.

    • C. 

      The SSAA cannot be reviewed or changed.

    • D. 

      The ISSO can revise the SSAA independently.

  • 161. 
    Which choice best describes DITSCAP Phase 3, Accreditation? 
    • A. 

      The objective of Phase 3 is to ensure that the fully integrated system will be ready for certification testing.

    • B. 

      The objective of Phase 3 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.

    • C. 

      The objective of Phase 3 is to ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk.

    • D. 

      The objective of Phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system (accreditation or Interim Approval to Operate [IATO]).

  • 162. 
    During which DITSCAP phase does the Security Test and Evaluation (ST&E) occur? 
    • A. 

      1

    • B. 

      2

    • C. 

      3

    • D. 

      4

  • 163. 
    What does DATO refer to?
    • A. 

      The information system is accredited without any restrictions or limitations.

    • B. 

      A determination that a DoD information system cannot operate.

    • C. 

      A limited authorization under specific terms and conditions.

    • D. 

      A temporary approval to conduct system testing.

  • 164. 
    Which choice is the best description of the objective of the Security Accreditation Decision task? 
    • A. 

      To accredit the information system without any restrictions or limitations on its operation

    • B. 

      To indicate the DAA’s accreditation decision

    • C. 

      To determine whether the agency-level risk is acceptable

    • D. 

      To approve revisions to the SSAA

  • 165. 
    Which choice is not a responsibility of the ISSO during DITSCAP Phase 4? 
    • A. 

      Obtaining approval of security-relevant changes

    • B. 

      Documenting the implementation of security-relevant changes in the SSAA

    • C. 

      Approving revisions to the SSAA

    • D. 

      Determining the extent that a change affects the security posture of the information system

  • 166. 
    Which choice best describes the final security accreditation decision letter? 
    • A. 

      The accreditation decision letter documents the implementation of security-relevant changes in the SSAA.

    • B. 

      The accreditation decision letter deems that the agency-level risk is unacceptably high.

    • C. 

      The accreditation decision letter indicates to the information system owner the DAA’s accreditation decision.

    • D. 

      The accreditation decision letter determines whether the remaining known vulnerabilities in the information system pose an acceptable level of risk.

  • 167. 
    Change management is initiated under which phase?
    • A. 

      1

    • B. 

      2

    • C. 

      3

    • D. 

      4

  • 168. 
    Which of the following best describes the objective of the Security Test and Evaluation (ST&E)? 
    • A. 

      The objective of the ST&E is to update the SSAA to include changes made during system development and the results of the certification analysis.

    • B. 

      The objective of the ST&E is to evaluate the integration of COTS software, hardware, and firmware.

    • C. 

      The objective of the ST&E is to verify that change control and configuration management practices are in place.

    • D. 

      The objective of the ST&E is to assess the technical implementation of the security design.

  • 169. 
    Which choice is the best description of the purpose of the Security Accreditation Phase? 
    • A. 

      To assess the system’s ability to withstand intentional attempts to circumvent system security features by exploiting technical security vulnerabilities

    • B. 

      To determine whether the remaining known vulnerabilities in the information system pose an acceptable level of risk

    • C. 

      To conduct a final risk assessment by the Information System Owner

    • D. 

      To help prepare the final security accreditation decision letter

  • 170. 
    How many determination options does the authorizing official have in a DIACAP process? 
    • A. 

      2

    • B. 

      3

    • C. 

      4

    • D. 

      5

  • 171. 
    How many levels of certification does NIACAP specify to ensure that the appropriate C&A is performed for varying schedule and budget limitations?
    • A. 

      Two

    • B. 

      Three

    • C. 

      Four

    • D. 

      Five

  • 172. 
    Which choice is not an accreditation decision the DITSCAP DAA can make? 
    • A. 

      ATO

    • B. 

      IATO

    • C. 

      NCO

    • D. 

      NA

  • 173. 
    When does the DAA make the accreditation determination? 
    • A. 

      After reviewing all the relevant information and consulting with key agency officials

    • B. 

      Before determining the acceptability of the risk to the agency

    • C. 

      After preparing the final security accreditation decision letter

    • D. 

      After the Information System Owner updates the system security plan

  • 174. 
    Which one of the following activities is not a component of the continuous monitoring process? 
    • A. 

      Operation and maintenance

    • B. 

      Security control monitoring and impact analyses

    • C. 

      Status reporting and documentation

    • D. 

      Configuration management and control

  • 175. 
    Which one of the following publications provides details of the continuous monitoring process? 
    • A. 

      NIST SP 800-14

    • B. 

      NIST SP 800-42

    • C. 

      NIST SP 800-37

    • D. 

      NIST SP 800-41

  • 176. 
    Which one of the following questions is not asked as part of the continuous monitoring process? 
    • A. 

      Could any of the changes to the information system affect the current, identified vulnerabilities in the system or introduce new vulnerabilities into the system?

    • B. 

      If new vulnerabilities are introduced into an information system, would the resulting risk to agency operations, agency assets, or individuals be unacceptable?

    • C. 

      What maintenance schedule should be followed during the operation/maintenance phase of the information system?

    • D. 

      When will the information system need to be reaccredited in accordance with federal or agency policy?

  • 177. 
    In configuration management and control, if necessary, updates have to be made to which of the following documents?
    • A. 

      System security plan

    • B. 

      System security plan and plan of action and milestones

    • C. 

      Plan of action and milestones

    • D. 

      System deficiency report and plan of action and milestones

  • 178. 
    Selecting controls to be monitored can be best aided by what document? 
    • A. 

      FIPS 199

    • B. 

      NIST SP 800-37

    • C. 

      FISMA

    • D. 

      NIST SP 800-18

  • 179. 
    Appendix D of NIST SP 800-53A describes what three basic types of assessment methods? 
    • A. 

      The interview, the examination, and testing

    • B. 

      The interview, the validation, and testing

    • C. 

      The interview, the examination, and remediation

    • D. 

      The interview, the verification, and testing

  • 180. 
    NIST SP 800-53A defines which of the following three types of interviews, depending on the level of assessment conducted?
    • A. 

      Initial, substantial, comprehensive

    • B. 

      Abbreviated, substantial, comprehensive

    • C. 

      Abbreviated, moderate, comprehensive

    • D. 

      Abbreviated, substantial, detailed

  • 181. 
    What NIST SP 800-53A assessment method is used to review, inspect, and analyze assessment objects such as policies, plans, requirements, designs, hardware, firmware, and security activities to determine the effectiveness of information system security controls?
    • A. 

      Verification

    • B. 

      Interview

    • C. 

      Examination

    • D. 

      Validation

  • 182. 
    Observing or conducting the operation of physical devices, hardware, software, and firmware and determining whether they exhibit the desired and expected behavior describes what type of SP 800-53A assessment method?
    • A. 

      Examination

    • B. 

      Testing

    • C. 

      Validation

    • D. 

      Remediation

  • 183. 
    Determination of the effect of changes to the information system on the security of the information system is called:
    • A. 

      Validation analysis

    • B. 

      Verification

    • C. 

      Impact analysis

    • D. 

      Continuous improvement

  • 184. 
    What guidance document is useful in determining the impact level of a particular threat on agency systems?
    • A. 

      FIPS 199

    • B. 

      NIST SP 800-53

    • C. 

      NIST SP 800-14

    • D. 

      NIST SP 800-41

  • 185. 
    As part of the documentation process, reports are usually sent to which of the following personnel in the agency?
    • A. 

      Authorizing official

    • B. 

      Authorizing official and senior agency information security officer

    • C. 

      Senior agency information security officer

    • D. 

      User

  • 186. 
    In continuous monitoring, what personnel will normally be using the updated plans in the documentation report to guide future assessment activities? 
    • A. 

      The senior agency information security officer

    • B. 

      The authorizing official

    • C. 

      The information system owner and security assessor

    • D. 

      All the above

  • 187. 
    The frequency of generating the system security plan and the plan of action and milestones is at the discretion of which of the following personnel? 
    • A. 

      The authorizing official

    • B. 

      The information system owner

    • C. 

      The agency information system security officer

    • D. 

      All the above

  • 188. 
    Generating the system security plan and plan of action and milestones should be done at what frequency? 
    • A. 

      Every three months

    • B. 

      Reasonable intervals to ensure that significant changes to the security posture of the information system are reported

    • C. 

      At the discretion of the authorizing official

    • D. 

      Every three years

  • 189. 
    Who determines whether a security reaccreditation is required after reviewing the plan of actions and milestones? 
    • A. 

      The senior information system security officer

    • B. 

      The authorizing official

    • C. 

      The senior information security officer and the authorizing official

    • D. 

      The information system owner

  • 190. 
    Continuous monitoring documentation reports are also used to meet which one of the following reporting requirements? 
    • A. 

      NIST

    • B. 

      FISMA

    • C. 

      HIPAA

    • D. 

      FBI

  • 191. 
    NIST SP 800-53A defines a form of testing as one that “assumes (some) explicit knowledge of the internal structure of the item under assessment (e.g., low-level design, source code implementation representation).” Which one of the following items is that form of testing? 
    • A. 

      Validation

    • B. 

      Black-box

    • C. 

      Structural

    • D. 

      Evaluation

  • 192. 
    What are the types of assessment tests addressed in NIST SP 800-53A? 
    • A. 

      Functional, structural, penetration

    • B. 

      Functional, evaluation, penetration

    • C. 

      Validation, structural, black-box

    • D. 

      Validation, structural, penetration

  • 193. 
    A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under no constraints, attempt to circumvent the security features of an information system is defined in NIST SP 800-53A as what type of test? 
    • A. 

      Validation

    • B. 

      Functional

    • C. 

      Structural

    • D. 

      Penetration

  • 194. 
    In the continuous monitoring examination assessment method, three examination depth levels are defined in NIST SP 800-53A. The definition “examinations that consist of brief, high-level reviews, observations, or inspections of selected specifications, mechanisms, or activities associated with the security control being assessed using a limited body of evidence or documentation” refers to which one of the following examination assessment types?
    • A. 

      Functional

    • B. 

      Abbreviated

    • C. 

      Substantial

    • D. 

      Comprehensive