CAP EXAM STUDY QUESTIONS AND
ANSWERS – PD 2025-2026
What is included in the Plan of Action and Milestones (POA&M) that is presented in the
Authorizing Official (AO) as part of the initial authorization package?
A. All items identified throughout the Risk Management Framework (RMF) process
B. Only volatile findings that require prioritization in remediation
C. Deficiencies that have not yet been remediate and verified throughout the Risk
Management Framework (RMF) process
D. Only findings that have evaluated as moderate or high - ANS -Deficiencies that have not yet
been remediate and verified throughout the Risk
Management Framework (RMF) process
What are the steps of a risk assessment?
A. Prepare, Conduct, Communicate, Maintain
B. Prepare, Conduct, Communicate
C. Prepare, Communicate, Conduct
D. Prepare, Communicate, Maintain, Conduct - ANS -Prepare,Conduct,Communicate,Maintain
***Which of the following cannot be delegated by the Authorizing Official (AO)?
A. Certificate resources**
B. Authorization decision
C. Acceptance of Security Plan (SP)
D. Determination of risk to agency operations - ANS -Authorization Decision
,Configuring an Information System (IS) to prohibit the use of unused ports and protocols
A. Helps provide least privilege
B. Helps provide least functionality
C. Streamlines the functionality of the system
D. Violates configuration management best practice - ANS -Helps provide least functionality
The Authorization boundary of a system undergoing assessment includes
A. The Information System (IS) components to be authorized for operation
B. The Information (IS) components to be authorized for operation and any outside system
it connects to
C. Any components or systems the Information Owner (IO) states should be included in the
assessment
D. Any components found within the given Internet Protocol (IP) range - ANS -The Information
System(IS) components to be authorized for operation
Which of the following BEST describes a government-wide standard for security Assessment and
Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for
federal agencies and Cloud Service Providers (CSP)?
A. Federal Risk and Authorization Management Program (FedRAMP)
B. National Institute of Standards and Technology (NIST)
C. Federal Information Technology Acquisition Reform Act (FITARA)
D. National Cyber Security Program (NCSP) - ANS -Federal Risk and Authorization Management
Program(FedRAMP)
All Federal agencies are required by law to conduct which of the following activities?
A. Protect Information Systems (IS) used or operated by a contractor of an agency or other
,organization on behalf of an agency
B. Coordinate with the National Institutes of Standards and Technologies (NIST) to develop
binding operational directives
C. Report the effectiveness of information security policies and practices to the Office of
Personnel Management (OPM)
D. Monitor the implementation of information security policies and practices of other
agencies to ensure compliance - ANS -Protect Information Systems(IS) used or operated by a
contractor of an agency or other
organization on behalf of an agency
What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy?
A. Create expedited assessment process for cost savings
B. Maintain visibility of an organization's high-cost controls
C. Support organization risk management decisions
D. Assess the organizational tiers - ANS -Support organization risk management decisions
An organization is developing a risk assessment for a newly installed Information System (IS) to
determine the best configuration or a supporting Information Technology (IT) product. Which of
the following specific factors is often overlooked in this analysis?
A. Exposure of interconnections to organizational core mission functions
B. Effectiveness of inherited security controls
C. Cost benefits that can be gained from a broad-based security implementation
D. Implementation of stove-piped activities that enhance security solutions - ANS -Effectiveness
of inherited security controls
If an assessment of a common control determines that it is not effective, what documentation is
required?
, A. Letter describing findings sent to system owners using the common control
B. Security Plan (SP) addendum for each system using the common control
C. Plan of Action and Milestones (POA&M)
D. Continuous monitoring plan - ANS -Plan of Action and Milestones (POA&M)
As part of an annual Federal Information Security Management Act (FISMA) compliance audit
the inspector general security program review has identified vulnerabilities to an Information
System (IS) in an operational division, which of the following activities is the MOST likely to
occur?
A. Update the Plan of Action and Milestones (POA&M)
B. Perform additional security scans of systems
C. Update the Security Plan (SP) immediately
D. Revoke the Authorization to Operate (ATO) - ANS -Update the Plan of Action and
Milestones(POA&M)
Which of the following documents provides a function description of the Information System
(IS) control implementation?
A. Security and Privacy assessment reports
B. Security and Privacy Plans
C. Plans of Action and Milestones (POA&M)
D. Risk Assessment Report - ANS -Risk Assessment Report
Which is the likelihood that security controls with a low level of volatility will change?
A. Likely to change from year to year
B. Unlikely to change from year to year
C. Likely to change during system upgrades
D. Unlikely to change during system upgrades - ANS -Unlikely to change from year to year
ANSWERS – PD 2025-2026
What is included in the Plan of Action and Milestones (POA&M) that is presented in the
Authorizing Official (AO) as part of the initial authorization package?
A. All items identified throughout the Risk Management Framework (RMF) process
B. Only volatile findings that require prioritization in remediation
C. Deficiencies that have not yet been remediate and verified throughout the Risk
Management Framework (RMF) process
D. Only findings that have evaluated as moderate or high - ANS -Deficiencies that have not yet
been remediate and verified throughout the Risk
Management Framework (RMF) process
What are the steps of a risk assessment?
A. Prepare, Conduct, Communicate, Maintain
B. Prepare, Conduct, Communicate
C. Prepare, Communicate, Conduct
D. Prepare, Communicate, Maintain, Conduct - ANS -Prepare,Conduct,Communicate,Maintain
***Which of the following cannot be delegated by the Authorizing Official (AO)?
A. Certificate resources**
B. Authorization decision
C. Acceptance of Security Plan (SP)
D. Determination of risk to agency operations - ANS -Authorization Decision
,Configuring an Information System (IS) to prohibit the use of unused ports and protocols
A. Helps provide least privilege
B. Helps provide least functionality
C. Streamlines the functionality of the system
D. Violates configuration management best practice - ANS -Helps provide least functionality
The Authorization boundary of a system undergoing assessment includes
A. The Information System (IS) components to be authorized for operation
B. The Information (IS) components to be authorized for operation and any outside system
it connects to
C. Any components or systems the Information Owner (IO) states should be included in the
assessment
D. Any components found within the given Internet Protocol (IP) range - ANS -The Information
System(IS) components to be authorized for operation
Which of the following BEST describes a government-wide standard for security Assessment and
Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for
federal agencies and Cloud Service Providers (CSP)?
A. Federal Risk and Authorization Management Program (FedRAMP)
B. National Institute of Standards and Technology (NIST)
C. Federal Information Technology Acquisition Reform Act (FITARA)
D. National Cyber Security Program (NCSP) - ANS -Federal Risk and Authorization Management
Program(FedRAMP)
All Federal agencies are required by law to conduct which of the following activities?
A. Protect Information Systems (IS) used or operated by a contractor of an agency or other
,organization on behalf of an agency
B. Coordinate with the National Institutes of Standards and Technologies (NIST) to develop
binding operational directives
C. Report the effectiveness of information security policies and practices to the Office of
Personnel Management (OPM)
D. Monitor the implementation of information security policies and practices of other
agencies to ensure compliance - ANS -Protect Information Systems(IS) used or operated by a
contractor of an agency or other
organization on behalf of an agency
What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy?
A. Create expedited assessment process for cost savings
B. Maintain visibility of an organization's high-cost controls
C. Support organization risk management decisions
D. Assess the organizational tiers - ANS -Support organization risk management decisions
An organization is developing a risk assessment for a newly installed Information System (IS) to
determine the best configuration or a supporting Information Technology (IT) product. Which of
the following specific factors is often overlooked in this analysis?
A. Exposure of interconnections to organizational core mission functions
B. Effectiveness of inherited security controls
C. Cost benefits that can be gained from a broad-based security implementation
D. Implementation of stove-piped activities that enhance security solutions - ANS -Effectiveness
of inherited security controls
If an assessment of a common control determines that it is not effective, what documentation is
required?
, A. Letter describing findings sent to system owners using the common control
B. Security Plan (SP) addendum for each system using the common control
C. Plan of Action and Milestones (POA&M)
D. Continuous monitoring plan - ANS -Plan of Action and Milestones (POA&M)
As part of an annual Federal Information Security Management Act (FISMA) compliance audit
the inspector general security program review has identified vulnerabilities to an Information
System (IS) in an operational division, which of the following activities is the MOST likely to
occur?
A. Update the Plan of Action and Milestones (POA&M)
B. Perform additional security scans of systems
C. Update the Security Plan (SP) immediately
D. Revoke the Authorization to Operate (ATO) - ANS -Update the Plan of Action and
Milestones(POA&M)
Which of the following documents provides a function description of the Information System
(IS) control implementation?
A. Security and Privacy assessment reports
B. Security and Privacy Plans
C. Plans of Action and Milestones (POA&M)
D. Risk Assessment Report - ANS -Risk Assessment Report
Which is the likelihood that security controls with a low level of volatility will change?
A. Likely to change from year to year
B. Unlikely to change from year to year
C. Likely to change during system upgrades
D. Unlikely to change during system upgrades - ANS -Unlikely to change from year to year
