Update | 100% Correct
Question 1
During what phase of the SDLC should the organization consider the security
requirements (mark all that apply)?
a) Initiation Phase/Development/Acquisition Phase
b) Implementation Phase
c) Operation/Maintenance Phase
d) System Disposal Phase
Correct Answer
Initiation Phase/Development/Acquisition Phase, Implementation Phase, Operation/Maintenance Phase, System Disposal Phase
Question 2
Security categories are to be used in conjunction with what other information in assessing the risk to
an organization?
Correct Answer
Vulnerability and threat information
Page 1 of 102
Question 3
As part of monitoring the security posture of agency desktops, OMB requires Federal agencies to
use vulnerability scanning tools that leverage the ________ protocol.
a) SNMP
b) SMTP
c) SCAP
d) LDAP
Correct Answer
SCAP
Question 4
SP 800-57 and SP 800-107 provide guidance for what kind of cryptographic algorithms?
a) DSS/HMAC
b) AES/3DES
c) X.509/PKCS #1
d) CCMP/TKIP
Correct Answer
DSS/HMAC
Question 5
Give an example of Tier 1 risk.
Correct Answer
One of: Program/Acquisition (Cost, Schedule, Performance); Compliance And
Regulatory; Financial; Legal; Operational (Mission/Business); Political; Project; Reputational;
Safety; Strategic Planning; Supply Chain.
Question 6
What are two types of authorization decisions that can be rendered by authorizing officials?
a) Accept/Deny
b) Allow/Denial
c) Authorize/Denial
d) Access/Type
Correct Answer
Authorize/Denial
Question 7
What program uses a "do once, use many times" framework that will save cost, time, and staff
required to conduct agency security assessments?
Correct Answer
FedRAMP
Question 8
The Information Security Program Plan can be represented in a single document or compilation of documents at the
discretion of the organization. The plan documents
which TWO of the following components?
a) Organization-wide program management controls
b) Organization-defined common controls
c) System Security Plan compilation
d) Authorization Decision Letters
e) Common Control Implementation Plan
Correct Answer
Organization-wide program management controls and Organization-defined common controls
Question 9
In the sanitization guidelines of NIST SP 800-88, what is the recommended disposal method for paper-based medical
records containing sensitive PII?
a) Classified Recycling Bin
b) Purge
c) Controlled Refuse Area
d) Cross-cut shredders
Correct Answer
Cross-cut shredders