NIST SP 800-33 - correct answer ✔✔ The National Institute of Standards and Technology (NIST)
Special Publication 800-33, "Underlying Technical Models for Information Technology Security,"
included the CIA Triad as three of its five security objectives, but added the concepts of
accountability (that actions of an entity may be traced uniquely to that entity) and assurance
(the basis for confidence that the security measures, both technical and operational, work as
intended to protect the system and the information it processes). The NIST work remains
influential as an effort to codify best-practice approaches to systems security.
Parkerian Hexad - correct answer ✔✔ Parkerian Hexad (see Figure 1.2). The Parkerian Hexad extends the CIA Triad with three further attributes and contains the following concepts:
Confidentiality: The limits on who has access to information
Integrity: Whether the information is in its intended state (complete and unaltered)
Availability: Whether the information can be accessed in a timely manner
Authenticity: The proper attribution of the person who created the information, i.e., that it genuinely comes from its claimed source
Utility: The usefulness of the information (data that is intact but encrypted under a lost key has no utility)
Possession or control: Whether the media or systems holding the information remain under the owner's physical control (an encrypted laptop that is stolen is a loss of possession even though confidentiality is preserved)
NIST SP 800-150 - correct answer ✔✔ NIST 800-150: NIST Special Publication 800-150, "Guide to Cyber Threat Information Sharing," is one of the most comprehensive sources describing how organizations can share cyber threat information (indicators, tactics and techniques, vulnerabilities, and mitigations) to improve their own and other organizations' security postures.
ISO/NIST/ITIL - correct answer ✔✔ The ISO, NIST, and ITIL frameworks are often leveraged as guidelines; however, they may become policies or standards if the organization has a compliance expectation (for example, a contractual or regulatory requirement to follow them). Other sources of guidelines include manufacturers' default configurations, industry-specific guidelines, and independent organizations such as the Open Web Application Security Project (OWASP) for software development.
NIST RMF and ISO 27000 Framework - correct answer ✔✔ Both the NIST Risk Management Framework and the ISO 27000 family of standards expect the organization to perform some level of business continuity planning.
NIST SP 800-34 - correct answer ✔✔ NIST Special Publication 800-34, "Contingency Planning Guide for Federal Information Systems," provides a base of practice for the development of resilience in information systems operations. NIST, through its collaborative process of standards development, took into account a broad range of industry and nongovernmental business continuity management (BCM) practices. As a result of this process, the framework has been widely adopted by organizations outside the U.S. federal government as well.
NIST SP 800-34 - correct answer ✔✔ As an example, NIST 800-34 identifies plans in the areas shown in Table 1.1:
BCP: Business continuity plan (sustaining mission/business processes during and after a disruption)
COOP: Continuity of operations plan (sustaining an organization's essential functions at an alternate site)
Crisis communications plan (procedures for disseminating internal and external status reports)
CIP: Critical infrastructure protection plan (protecting critical infrastructure components)
Cyber incident response plan (procedures for responding to malicious cyber events against a system)
DRP: Disaster recovery plan (relocating information systems to an alternate location after a major disruption)
ISCP: Information system contingency plan (recovering an individual information system)
OEP: Occupant emergency plan (minimizing loss of life or injury and protecting property in a physical emergency)
NIST SP 800-171 - correct answer ✔✔ Many of the risk management and compliance frameworks require organizations to address controls over third-party personnel. In the United States, NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," identifies personnel security controls that vendors must address when managing certain types of sensitive information under federal contracts. Third-party compliance with the Health Insurance Portability and Accountability Act (HIPAA) also places expectations on contracting organizations to ensure that their partners use appropriate assurance practices with their personnel.
NIST SP 800-37 - correct answer ✔✔ The Risk Management Framework (RMF), documented in NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," prescribes a six-step process (Categorize, Select, Implement, Assess, Authorize, Monitor) through which the federal government manages the risks of operating information systems. Revision 2 of SP 800-37 (2018) retitled the document and added a preceding Prepare step, making seven steps in the current version.
FIPS 199 - correct answer ✔✔ FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," requires agencies to categorize all of their information systems as low, moderate, or high impact based on the potential impact to the agency of the loss of confidentiality, integrity, or availability; the system's overall category is the highest of the three (the "high water mark"). Implied in this process is that the agencies must have a comprehensive inventory of systems to apply the categorization standard.
FIPS 200 and NIST SP 800-53 - correct answer ✔✔ FIPS 200 identifies 17 security-related areas of control (control families), but the details of which specific controls are to be applied are found in NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems." Later revisions of SP 800-53 were retitled "Security and Privacy Controls for Information Systems and Organizations," and Revision 5 expands the catalog to 20 control families.
CIP version 5 standards - correct answer ✔✔ CIP Version 5 Standards
The NERC Critical Infrastructure Protection (CIP) Version 5 standards cover a range of areas for the Bulk Electric System (BES):
CIP-002: Identifies and categorizes BES Cyber Assets and their BES Cyber Systems. This is where an impact rating (high, medium, or low) is specified, which drives which requirements of the remaining standards apply.
CIP-003: Specifies consistent and sustainable security management controls that establish responsibility and accountability.
CIP-004: Requires an appropriate level of personnel risk assessment, training, and security awareness.
CIP-005: Specifies a controlled Electronic Security Perimeter (ESP) with border protections, including controls on remote access.
CIP-006: Specifies a physical security plan with a defined Physical Security Perimeter (PSP).
CIP-007: Specifies select technical, operational, and procedural requirements (such as ports and services, patch management, malware prevention, and logging) for the BES Cyber Assets and BES Cyber Systems.
CIP-008: Specifies incident reporting and response planning requirements.