Cyber Security Certified Authorization Professional CAP Exam Study Questions

Cyber Security Certified Authorization Professional CAP Exam Study Questions What is included in the Plan of Action and Milestones (POA&M) that is presented in the Authorizing Official (AO) as part of the initial authorization package? A. All items identified throughout the Risk Management Framework (RMF) process B. Only volatile findings that require prioritization in remediation C. Deficiencies that have not yet been remediate and verified throughout the Risk Management Framework (RMF) process D. Only findings that have evaluated as moderate or high - Deficiencies that have not yet been remediate and verified throughout the Risk Management Framework (RMF) process What are the steps of a risk assessment? A. Prepare, Conduct, Communicate, Maintain B. Prepare, Conduct, Communicate C. Prepare, Communicate, Conduct D. Prepare, Communicate, Maintain, Conduct - Prepare,Conduct,Communicate,Maintain ***Which of the following cannot be delegated by the Authorizing Official (AO)? A. Certificate resources** B. Authorization decision C. Acceptance of Security Plan (SP) D. Determination of risk to agency operations - Authorization Decision Configuring an Information System (IS) to prohibit the use of unused ports and protocols A. Helps provide least privilege B. Helps provide least functionality C. Streamlines the functionality of the system D. Violates configuration management best practice - Helps provide least functionality The Authorization boundary of a system undergoing assessment includes A. The Information System (IS) components to be authorized for operation B. The Information (IS) components to be authorized for operation and any outside system it connects to C. Any components or systems the Information Owner (IO) states should be included in the assessment D. Any components found within the given Internet Protocol (IP) range - The Information System(IS) components to be authorized for operation Which of the following BEST describes a government-wide standard for security Assessment and Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for federal agencies and Cloud Service Providers (CSP)? A. Federal Risk and Authorization Management Program (FedRAMP) B. National Institute of Standards and Technology (NIST) C. Federal Information Technology Acquisition Reform Act (FITARA) D. National Cyber Security Program (NCSP) - Federal Risk and Authorization Management Program(FedRAMP) All Federal agencies are required by law to conduct which of the following activities? A. Protect Information Systems (IS) used or operated by a contractor of an agency or other organization on behalf of an agency B. Coordinate with the National Institutes of Standards and Technologies (NIST) to develop binding operational directives C. Report the effectiveness of information security policies and practices to the Office of Personnel Management (OPM) D. Monitor the implementation of information security policies and practices of other agencies to ensure compliance - Protect Information Systems(IS) used or operated by a contractor of an agency or other organization on behalf of an agency What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy? A. Create expedited assessment process for cost savings B. Maintain visibility of an organization's high-cost controls C. Support organization risk management decisions D. Assess the organizational tiers - Support organization risk management decisions An organization is developing a risk assessment for a newly installed Information System (IS) to determine the best configuration or a supporting Information Technology (IT) product. Which of the following specific factors is often overlooked in this analysis? A. Exposure of interconnections to organizational core mission functions B. Effectiveness of inherited security controls C. Cost benefits that can be gained from a broad-based security implementation D. Implementation of stove-piped activities that enhance security solutions - Effectiveness of inherited security controls If an assessment of a common control determines that it is not effective, what documentation is required? A. Letter describing findings sent to system owners using the common control B. Security Plan (SP) addendum for each system using the common control C. Plan of Action and Milestones (POA&M) D. Continuous monitoring plan - Plan of Action and Milestones (POA&M) As part of an annual Federal Information Security Management Act (FISMA) compliance audit the inspector general security program review has identified vulnerabilities to an Information System (IS) in an operational division, which of the following activities is the MOST likely to occur? A. Update the Plan of Action and Milestones (POA&M) B. Perform additional security scans of systems C. Update the Security Plan (SP) immediately D. Revoke the Authorization to Operate (ATO) - Update the Plan of Action and Milestones(POA&M) Which of the following documents provides a function description of the Information System (IS) control implementation? A. Security and Privacy assessment reports B. Security and Privacy Plans C. Plans of Action and Milestones (POA&M) D. Risk Assessment Report - Risk Assessment Report Which is the likelihood that security controls