FITSP A questions and answers with
solutions
What elements are components of an information system? - ANSWER OMB Circular A-130, App
III: "A system normally includes hardware, software, information, data, applications,
communications, and people."
What are some of the threats that the information system faces? - ANSWER NIST SP 800-39rl, p.
1: "Threats to information and information systems can include purposeful attacks,
environmental disruptions, and human/machine errors and result in great harm to the national
and economic security interests of the United States."
During what phase of the SDLC should the organization consider the security requirements
(mark all that apply)? - ANSWER Initiation Phase / Development / Acquisition
Phase,Implementation Phase, Operation / Maintenance Phase, System Disposal Phase
The PIA, BIA and Security Categorisation are all done in this phase of the SDLC: - ANSWER
Initiation
Security Reauthorizations are conducted during which phase of the SDLC? - ANSWER
Operations/Maintenance
Which approach involves continually balancing the protection of agency Information and assets
with the cost of security controls and mitigation strategies? - ANSWER Risk Management
Approach
Which of the following must be assigned to government personnel only (select all that apply)? -
ANSWER SISO and AO
,Place the 4 components of risk management in the correct order. - ANSWER Frame, Assess,
Respond, Monitor (FARM)
The following are the possible outcomes of the Authorization Decision (mark all that apply): -
ANSWER ATO and Not authorized to operate
List the 6 steps of the RMF process? - ANSWER Categorize, Select, Implement, Assess, Authorize,
Monitor
What NIST Special Publication superseded the original Special Publication 800-30 as the source
for guidance on risk management? - ANSWER SP 800-39
The risk management processes, at the information system level, link to risk management
processes at the organization level through what newly defined role in the RMF? - ANSWER Risk
Executive (Function)
Applying the first three steps in the RMF to legacy systems can be viewed as a
_______________ to determine if the necessary and sufficient security controls have been
appropriately selected and allocated. - ANSWER Gap Analysis
What establishes the scope of protection for organizational information systems? - ANSWER
System Boundaries
Name the factors that influence the level of effort expended when implementing the RMF
tasks? - ANSWER "Importance of the System, Criticality of the System, Categorization of the
System"
The Risk Management Framework (RMF) places heavy emphasis on - ANSWER Selection,
implementation and monitoring of security controls
,"Tier 2 of the three-tiered risk management approach addresses risk-related concerns at which
level?" - ANSWER Mission/Business Process
Early integration of security in the SDLC enables agencies to maximize return on investment in
their security programs through - ANSWER Awareness of potential engineering challenges
caused by mandatory security controls
FedRAMP is a government-wide program that provides a standardized approach to - ANSWER
Security assessment, authorization and continuous monitoring for cloud products and services
"ISCM is designed to improve security by replacing the ""every 3 year"" reauthorization
requirement with a continuous process. What NIST Special Publication provides guidance for
implementing ISCM?" - ANSWER SP 800-137
List the 3 security objectives under FISMA - ANSWER Confidentiality, Integrity, Availability
FIPS 199 standards apply to which types of systems? - ANSWER Unclassified System and
Financial systems
Where are security controls documented? - ANSWER System Security Plan
What is the correct order of the Risk Management Framework process? - ANSWER Categorize,
Select, Implement, Assess, Authorize, Monitor
After the information and information system security categorization is completed, which
publication specifies the minimum security requirements for the determined security category?
- ANSWER FIPS 200
, What are the three levels of potential impact from a security breach? - ANSWER Low, Moderate,
High
Privacy security requirements are adequately addressed by the standard catalog of security
controls? - ANSWER TRUE
Which Are the types of security controls - ANSWER System Specific, Hybrid, Common
When would you use a gap analysis in the RMF process? - ANSWER When applying security to a
legacy system
Who has the primary responsibility for implementing the security controls specified in the
system security plan? - ANSWER Information System Owner
what is the first Step to assigning Impact levels for security categorization - ANSWER Identify
Information Type
What are security controls that are inheritable by one or more organizational information
systems - ANSWER Common Controls
What kind of security control is a management, operational, or technical control employed by
an organization in lieu of a recommended security control? - ANSWER Compensating Control
What is the most significant change, regarding security control selection, in the revision of the
SP 800-37? - ANSWER RMF Step 2 Monitoring Strategy
What is the basis for the identification of information types? - ANSWER Business Reference
Model
solutions
What elements are components of an information system? - ANSWER OMB Circular A-130, App
III: "A system normally includes hardware, software, information, data, applications,
communications, and people."
What are some of the threats that the information system faces? - ANSWER NIST SP 800-39rl, p.
1: "Threats to information and information systems can include purposeful attacks,
environmental disruptions, and human/machine errors and result in great harm to the national
and economic security interests of the United States."
During what phase of the SDLC should the organization consider the security requirements
(mark all that apply)? - ANSWER Initiation Phase / Development / Acquisition
Phase,Implementation Phase, Operation / Maintenance Phase, System Disposal Phase
The PIA, BIA and Security Categorisation are all done in this phase of the SDLC: - ANSWER
Initiation
Security Reauthorizations are conducted during which phase of the SDLC? - ANSWER
Operations/Maintenance
Which approach involves continually balancing the protection of agency Information and assets
with the cost of security controls and mitigation strategies? - ANSWER Risk Management
Approach
Which of the following must be assigned to government personnel only (select all that apply)? -
ANSWER SISO and AO
,Place the 4 components of risk management in the correct order. - ANSWER Frame, Assess,
Respond, Monitor (FARM)
The following are the possible outcomes of the Authorization Decision (mark all that apply): -
ANSWER ATO and Not authorized to operate
List the 6 steps of the RMF process? - ANSWER Categorize, Select, Implement, Assess, Authorize,
Monitor
What NIST Special Publication superseded the original Special Publication 800-30 as the source
for guidance on risk management? - ANSWER SP 800-39
The risk management processes, at the information system level, link to risk management
processes at the organization level through what newly defined role in the RMF? - ANSWER Risk
Executive (Function)
Applying the first three steps in the RMF to legacy systems can be viewed as a
_______________ to determine if the necessary and sufficient security controls have been
appropriately selected and allocated. - ANSWER Gap Analysis
What establishes the scope of protection for organizational information systems? - ANSWER
System Boundaries
Name the factors that influence the level of effort expended when implementing the RMF
tasks? - ANSWER "Importance of the System, Criticality of the System, Categorization of the
System"
The Risk Management Framework (RMF) places heavy emphasis on - ANSWER Selection,
implementation and monitoring of security controls
,"Tier 2 of the three-tiered risk management approach addresses risk-related concerns at which
level?" - ANSWER Mission/Business Process
Early integration of security in the SDLC enables agencies to maximize return on investment in
their security programs through - ANSWER Awareness of potential engineering challenges
caused by mandatory security controls
FedRAMP is a government-wide program that provides a standardized approach to - ANSWER
Security assessment, authorization and continuous monitoring for cloud products and services
"ISCM is designed to improve security by replacing the ""every 3 year"" reauthorization
requirement with a continuous process. What NIST Special Publication provides guidance for
implementing ISCM?" - ANSWER SP 800-137
List the 3 security objectives under FISMA - ANSWER Confidentiality, Integrity, Availability
FIPS 199 standards apply to which types of systems? - ANSWER Unclassified System and
Financial systems
Where are security controls documented? - ANSWER System Security Plan
What is the correct order of the Risk Management Framework process? - ANSWER Categorize,
Select, Implement, Assess, Authorize, Monitor
After the information and information system security categorization is completed, which
publication specifies the minimum security requirements for the determined security category?
- ANSWER FIPS 200
, What are the three levels of potential impact from a security breach? - ANSWER Low, Moderate,
High
Privacy security requirements are adequately addressed by the standard catalog of security
controls? - ANSWER TRUE
Which Are the types of security controls - ANSWER System Specific, Hybrid, Common
When would you use a gap analysis in the RMF process? - ANSWER When applying security to a
legacy system
Who has the primary responsibility for implementing the security controls specified in the
system security plan? - ANSWER Information System Owner
what is the first Step to assigning Impact levels for security categorization - ANSWER Identify
Information Type
What are security controls that are inheritable by one or more organizational information
systems - ANSWER Common Controls
What kind of security control is a management, operational, or technical control employed by
an organization in lieu of a recommended security control? - ANSWER Compensating Control
What is the most significant change, regarding security control selection, in the revision of the
SP 800-37? - ANSWER RMF Step 2 Monitoring Strategy
What is the basis for the identification of information types? - ANSWER Business Reference
Model
