The following legislation requires federal agencies to develop, document and implement an
agency-wide information security program: - ANSWER FISMA
The following legislation requires each agency with an Inspector General to conduct an annual
evaluation of the agency's information security program, or to appoint an independent external
auditor to conduct the evaluation on their behalf - ANSWER E-Government Act of 2002, Section
208
The following OMB guidance established the requirement for federal agencies to review the
security controls in each system when significant modifications are made to the system, or at
least every three years. This guidance also requires federal agencies to re-authorize information
systems every three years - ANSWER OMB Circular No. A-130, Appendix III, Security of Federal
Automated Information Resources
The Federal Information Security Modernization Act of 2014 (FISMA 2014) formally assigns
information security responsibilities to which of the following agencies/departments (select
two): - ANSWER DHS and OMB
Current regulations still require the re-authorization of federal information systems at least
every three years. - ANSWER True
As part of monitoring the security posture of agency desktops, OMB requires federal agencies to
use vulnerability scanning tools that leverage the ________ protocol. - ANSWER SCAP
Following the loss of 26 million records containing PII at the Department of Veterans Affairs,
OMB released M-06-16 Protection of Sensitive Agency Information. This memo required all of
the following EXCEPT: - ANSWER Encryption of all server backup tapes
This Homeland Security Presidential Directive requires all federal agencies to adopt a standard,
government-wide card to reduce identity fraud, protect personal privacy, and provide for
authentication. This directive was called: - ANSWER HSPD-12 - Common Identification Standard
What elements are components of an information system? - ANSWER Hardware and software,
Interconnected systems, People
What is the main consideration in determining the scope of authorization for information
systems? - ANSWER System Boundaries
Which approach involves continually balancing the protection of agency information and assets
with the cost of security controls and mitigation strategies? - ANSWER Risk Management
Approach
What establishes the scope of protection for organizational information systems? - ANSWER
System Boundaries
List the 7 steps of the RMF process? - ANSWER Prepare, Categorize, Select, Implement, Assess,
Authorize, Monitor
During what phase of the SDLC should the organization consider the security requirements? -
ANSWER Initiation Phase / Development / Acquisition Phase
Security Reauthorizations are conducted during which phase of the SDLC? - ANSWER
Operations/Maintenance
What NIST Special Publication superseded the original Special Publication 800-30 as the primary
source for guidance on risk management? - ANSWER SP 800-39
Applying the first three steps in the RMF to legacy systems can be viewed as a
____________________________ to determine if the necessary and sufficient security controls
have been appropriately selected and allocated. - ANSWER Gap Analysis
Which of the following is not a key document to be updated as part of ISCM? - ANSWER SCAP
Security status reporting is: - ANSWER Event driven, Time driven
Which of these is not one of the steps of system disposal? - ANSWER Documentation
Which of the following SCAP specifications provide a standard naming and dictionary of system
configuration issues? - ANSWER CPE
Which of these is not a resource for the National Vulnerability Database (NVD)? - ANSWER
MAEC
Vulnerability and Patch Management, Event and Incident Management, and Malware Detection
are all examples of which of the following? - ANSWER Security Automation Domains
Why do organizations look for automated solutions for ISCM? - ANSWER Lower costs, enhance
efficiency, improve reliability