CAP test B Questions with Answers (100% Correct Answers)
Which of the following documents is mostly used in RMF step 5?
Answer: NIST SP 800-37
SDLC stands for Systems Development Life Cycle (SDLC). Which of the following are documented to provide utility in the SDLC guideline?
Answer:
•Insight into the major activities and milestones
•Decision points or control gates
•Specified outputs that provide vital information into the system design
•Project accomplishments
•System maintenance, security, and operational considerations
Which of the following tasks are performed by the information custodian?
Answer:
•He performs data restoration from the backups whenever required.
© 2025 All rights reserved
•He runs regular backups and routinely tests the validity of the backup data.
•He maintains the retained records in accordance with the established information classification policy.
•He administers the classification scheme occasionally.
Which of the following are responsibilities of an information system owner (ISO)?
Answer:
•Maintains the system security plan and ensures that the system is deployed
•Assists in the identification, implementation, and assessment of the common security controls
•Updates the system security plan whenever a significant change occurs
Which of the following statements about the availability concept of information security management is true?
Answer: It ensures reliable and timely access to resources.
Vulnerability discovery is used to deal with the identification of vulnerabilities, which include the following methods:
Answer:
•Dynamic code analysis is used to assess applications for vulnerabilities that might be exploited from an application user's perspective.
•Network vulnerability scanning is used to probe operating systems, databases, and firewalls, which prevent all deployed information technology services from vulnerabilities that are accessible from the Internet.
•Security health checking is used to check systems with scripts and assess the configurations of local and network services of operating systems, databases, middleware packages, and applications for bugs that could lead to potentially exploitable vulnerabilities.
Which of the following DoD directives refers to the Defense Information Management (IM) Program?
Answer: DoDD 8000.1: This DoD directive refers to the 'Defense Information Management (IM) Program'.
Which of the following is an authorization of a DoD information system to process, store, or transmit information?
Answer: Approval to Operate (ATO) is an authorization of a DoD information system to process, store, or transmit information.
Which of the following governance bodies directs and coordinates implementations of the information security program?
Answer: The chief information security officer (CISO) directs and coordinates implementations of the information security program.
Describe Passive and Active acceptance responses.
Answer:
•Passive acceptance: It is a strategy in which no plans are made to avoid or mitigate the risk.
•Active acceptance: Such responses include developing contingency reserves to deal with risks in case they occur.
Jason works as a senior organizational official in uCertify Inc. He wants to create new corporate policies. Which of the following key points should he keep in mind while accomplishing his task?
Answer:
•Be clear and unambiguous
◦Legal and Regulatory obligations
◦Responsibilities (Ownership)
•Strategic approach
◦Adherence to standards