FITSP-A Module 8 QUESTIONS WITH COMPLETE SOLUTIONS
1. The implementation of a continuous monitoring program results in ongoing updates to all of the following documents, EXCEPT:
a) Security Plan
b) Security Assessment Plan
c) Security Assessment Report
d) Plan of Action & Milestones

Correct answer: b) Security Assessment Plan
NIST SP 800-137, Chapter 1 states: "Frequent updates to security plans, security assessment reports, plans of action and milestones, hardware and software inventories, and other system information are also supported."
Incorrect answers: All the other choices reflect documents that are updated under ISCM.

2. Vulnerability information can be found in all of the following sources, EXCEPT:
a) CVE
b) Red Team Exercises
c) CWE
d) CCE

Correct answer: d) CCE
According to NIST SP 800-137, CCE is a Common Configuration Enumeration and does not contain vulnerability information.
Incorrect answers: All other choices are sources of vulnerability information per SP 800-137.

3. Name the two prominent security testing and evaluation programs now in place to assess the security features and assurances of commercial off-the-shelf (COTS) products. (Choose 2)
a) Common Criteria
b) Software Assurance Program
c) Cryptographic Module Verification
d) Trusted Computer System Evaluation Criteria

Correct answer: a) Common Criteria and c) Cryptographic Module Verification
NIST SP 800-35, Paragraph 5.1.6 states: "Two prominent security testing and evaluation programs are now in place to assess the security features and assurances of commercial off-the-shelf (COTS) products: National Information Assurance Partnership (NIAP) Common Criteria (CC) Evaluation and Validation Scheme (CCEVS) and NIST Cryptographic Module Validation Program (CMVP)"

Written for
- Institution: Liberty University
- Course: FITSP

Document information
- Uploaded on: February 7, 2023
- Number of pages: 9
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers