Answers
NIST Cybersecurity Framework (CSF) - ANS The NIST Cybersecurity Framework (CSF) is a set
of standards designed to serve as a voluntary risk-based framework for securing information
and systems.
NIST SP 800-12
"An Introduction to Computer Security" - ANS NIST 800-12 is an introduction to computer
security and provides very good information for structuring a security program. It provides
assistance in securing computer-based resources (including hardware, software, and
information) by explaining important concepts, cost considerations, and interrelationships of
security controls. It illustrates the benefits of security controls, the major techniques or
approaches for each control, and important related considerations.
The handbook provides a broad overview of computer security to help readers understand their
computer security needs and develop a sound approach to the selection of appropriate security
controls. It does not describe the detailed steps necessary to implement a computer security
program. The purpose of this handbook is not to specify requirements but, rather, to discuss
the benefits of various computer security controls and situations in which their application may
be appropriate.
Pg. 1 Copyright © 2025 Jasonmcconell. ALL RIGHTS RESERVED.
NIST SP 800-14
"Generally Accepted Principles and Practices for Securing Information Technology Systems" -
ANS NIST 800-14, Generally Accepted Principles and Practices for Securing Information
Technology Systems, helps organizations to improve their operational and management
controls.
Role of NIST
• Developing IT standards for Federal systems, specifically to include security standards and
guidelines;
• Conducting research to identify information security vulnerabilities and developing
techniques to provide cost-effective security;
• Assessing private-sector policies, practices, and commercially available technologies;
• Assisting the private sector, upon request; and
• Evaluating security policies and practices developed for national security systems to assess
potential application for non-national security systems
NIST SP 800-18
"Guide for Developing Security Plans for Federal Information Systems". Data Owner Definition!
- ANS According to NIST SP 800-18, a system owner should "UPDATE THE SYSTEM SECURITY
PLAN" when the system they are responsible for undergoes a significant change. Classification,
selection of custodians, and designing ways to protect data confidentiality might occur if new
data was added but should have already been done otherwise.
NIST SP 800-18 describes system owner responsibilities that include helping to develop system
security plans, maintaining the plan, ensuring training, and identifying, implementing, and
assessing security controls. A data owner is more likely to delegate these tasks to the system