✔✔Select ALL the correct responses. Which of the following describe how audit logs
support continuous monitoring? - ✔✔A.) Audit logs are essential in continuous
monitoring because they record system activity, application processes, and user
activity. B.) Audit logs are essential in continuous monitoring because they can be used
to detect security violations, performance problems, and flaws in applications.
✔✔Which of the following configuration management controls supporting continuous
monitoring activities focuses on physical and logical access controls, workflow
automation, media libraries, abstract layers, and change windows and supports auditing
of the enforcement actions? - ✔✔Access Restrictions for Change
✔✔Which of the following describes how the Information System Continuous Monitoring
(ISCM) strategy supports the Tier 1 ORGANIZATION approach to risk management? -
✔✔Tier 1 ISCM strategies focus on how the organization plans to assess, respond to,
and monitor risk as well as the oversight required to ensure that the risk management
strategy is effective.
✔✔Select ALL the correct responses. Which of the following are requirements for audits
as outlined in the National Industrial Security Program Operating Manual (NISPOM)? -
✔✔A.) Audit trail contents must be protected against unauthorized access, modification,
or deletion. B.) Audit records must address individual accountability with unique
identification and periodic testing of the security posture by the ISSO or ISSM.
✔✔Which of the following identifies how the Risk Management Framework (RMF)
supports risk management? - ✔✔The RMF process ensures traceability and
transparency across all levels of the organization.
✔✔Which of the following is a risk management role in continuous monitoring (CM)? -
✔✔Addressing risks from an information system and platform information technology
system perspective to ensure a process for analyzing threats and vulnerabilities is in
place, defining the impact, and identifying countermeasures.
✔✔Which of the following Event Viewer logs provides an audit of a user's log-on events,
classified as successful or failed attempts? - ✔✔Security event log
✔✔Which of the following describes how the patch management process integrates
with security-focused configuration management (SecCM)? - ✔✔The patch
management process integrates with SecCM when updating the baseline configuration
to the current patch level and then testing and approving patches as part of the
configuration change control process.
✔✔Which of the following describes the relationship between configuration
management controls and continuous monitoring? - ✔✔A well-defined configuration
management process that integrates continuous monitoring ensures that the required
adjustments to the system configuration do not adversely affect the security of the
information system.
✔✔Which of the following describes continuous monitoring capabilities for detecting
threats and mitigating vulnerabilities? - ✔✔Investigation into events of unauthorized
downloads or uploads of sensitive data; unexplained storage of encrypted data; and
unauthorized use of removable media or other transfer devices.
✔✔Which of the following describes how continuous monitoring supports interoperability,
operational resilience, and operational reciprocity? - ✔✔Continuous monitoring
capabilities and tools ensure cybersecurity products operate in a net-centric manner to
enhance the exchange of data and shared security policies.
✔✔Which of the following would not be considered a possible indicator of recruitment? -
✔✔Termination notice to go work for a competing company
✔✔An unwitting insider is best described as: - ✔✔a person with access to information
who unknowingly reveals more than they should to persons without a need to know
✔✔An insider threat could pose a threat to: - ✔✔All of the above
✔✔Failure to report suspicious behaviors or possible insider threat indicators could
result in punitive or disciplinary actions. - ✔✔True
✔✔Exploitable weaknesses considered by a Foreign Intelligence Service when
considering a source for recruitment may include: - ✔✔All of the above
✔✔Known or suspected espionage should always be reported to the FBI. - ✔✔True
✔✔Removing classification markings from a document is not necessarily considered a
possible insider threat indicator and should not be reported to the security office unless
there are other suspicious behaviors displayed. - ✔✔False
✔✔If a coworker seeks additional information outside the scope of his or her
responsibility, this is always a sign that the individual is an insider threat. - ✔✔False
✔✔Elicitation is an effective means of information collection by an insider. When done
well, elicitation can seem like simple small talk. - ✔✔True
✔✔A coworker, who may be of Middle Eastern descent and often speaks in Farsi from
his work telephone, is considered suspicious behavior and should always be reported to
the security officer. - ✔✔False
✔✔Collection methods of operation frequently used by Foreign Intelligence Entities to
collect information from DoD on the critical technology being produced within the
cleared defense contractor facilities we support include: - ✔✔All of the above
✔✔Select ALL the correct responses. Which of the following are examples of a
"Security Anomaly" and should be reported? - ✔✔A.) Foreign officials reveal details they
should not have known B.) An adversary conducts activities with precision that indicates
prior knowledge
✔✔To be an "Insider Threat" a person MUST knowingly cause malicious damage to
their organization. - ✔✔False
✔✔Personnel who fail to report CI Activities of concern as outlined in Enclosure 4 of
DoD Directive 5240.06 are subject to appropriate disciplinary action under regulations. -
✔✔True
✔✔The following actions can potentially reduce or compromise your network security
and place in jeopardy the lives of our men and women: - ✔✔All of the above
✔✔Cyber Vulnerabilities to DoD Systems may include: - ✔✔All of the above
✔✔Select ALL the correct responses. To minimize the ability of an Insider Threat to go
undetected, you and your coworkers must: - ✔✔A.) Report all security infractions,
violations, or suspicious activity to your supervisor and the Office of Security B.) Follow
all security rules and regulations
✔✔DoD personnel who suspect a coworker of possible espionage should: - ✔✔Report
directly to your CI or Security Office
✔✔An adversary uses technical countermeasures to block a previously undisclosed or
classified U.S. intercept technology. This is an example of: - ✔✔A Security Anomaly
✔✔Offers or Invitations for cultural exchanges, individual-to-individual exchanges, or
ambassador programs are indicators of this collection method: - ✔✔Solicitation and
Marketing of Services
✔✔This is used to collect documentation regarding FOCI, KMP Lists, SF-328 and other
facility documents to the DSS. - ✔✔Electronic Facility Clearance (e-FCL) System