Questions and Answers
Asset Management (ID.AM) - ANS The data, personnel, devices, systems, and facilities that
enable the organization to achieve business purposes are identified and managed consistent
with their relative importance to organizational objectives and the organization's risk strategy.
Business Environment (ID.BE) - ANS The organization's mission, objectives, stakeholders, and
activities are understood and prioritized; this information is used to inform cybersecurity roles,
responsibilities, and risk management decisions.
Governance (ID.GV) - ANS The policies, procedures, and processes to manage and monitor
the organization's regulatory, legal, risk, environmental, and operational requirements are
understood and inform the management of cybersecurity risk.
Risk Assessment (ID.RA) - ANS The organization understands the cybersecurity risk to
organizational operations (including mission, functions, image, or reputation), organizational
assets, and individuals.
Risk Management Strategy (ID.RM) - ANS The organization's priorities, constraints, risk
tolerances, and assumptions are established and used to support operational risk decisions.
Supply Chain Risk Management (ID.SC) - ANS The organization's priorities, constraints, risk
tolerances, and assumptions are established and used to support risk decisions associated with
managing supply chain risk. The organization has established and implemented the processes
to identify, assess and manage supply chain risks.
Pg. 1 Copyright © 2025 Jasonmcconell. ALL RIGHTS RESERVED.
Identity Management, Authentication and Access Control (PR.AC) - ANS Access to physical
and logical assets and associated facilities is limited to authorized users, processes, and devices,
and is managed consistent with the assessed risk of unauthorized access to authorized activities
and transactions.
Awareness and Training (PR.AT) - ANS The organization's personnel and partners are
provided cybersecurity awareness education and are trained to perform their
cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
Data Security (PR.DS) - ANS Information and records (data) are managed consistent with the
organization's risk strategy to protect the confidentiality, integrity, and availability of
information.
Information Protection Processes and Procedures (PR.IP) - ANS Security policies (that
address purpose, scope, roles, responsibilities, management commitment, and coordination
among organizational entities), processes, and procedures are maintained and used to manage
protection of information systems and assets.
Maintenance (PR.MA) - ANS Maintenance and repairs of industrial control and information
system components are performed consistent with policies and procedures.
Protective Technology (PR.PT) - ANS Technical security solutions are managed to ensure the
security and resilience of systems and assets, consistent with related policies, procedures, and
agreements.
Anomalies and Events (DE.AE) - ANS Anomalous activity is detected and the potential impact
of events is understood.