Answers
Physical devices and systems within the organization are inventoried - ANS Identify
Software platforms and applications within the organization are inventoried - ANS Identify
Organizational communication and data flows are mapped - ANS Identify
External information systems are catalogued - ANS Identify
Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their
classification, criticality, and business value - ANS Identify
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders
(e.g., suppliers, customers, partners) are established - ANS Identify
Priorities for organizational mission, objectives, and activities are established and
communicated - ANS Identify
Resilience requirements to support delivery of critical services are established for all operating
states (e.g. under duress/attack, during recovery, normal operations) - ANS Identify
Pg. 1 Copyright © 2025 Jasonmcconell. ALL RIGHTS RESERVED.
Information security roles & responsibilities are coordinated and aligned with internal roles and
external partners - ANS Identify
Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties
obligations, are understood and managed - ANS Identify
Cyber threat intelligence and vulnerability information is received from information sharing
forums and sources - ANS Identify
Organizational risk tolerance is determined and clearly expressed - ANS Identify
The organization's determination of risk tolerance is informed by its role in critical
infrastructure and sector specific risk analysis - ANS Identify
Suppliers and partners are required by contract to implement appropriate measures designed
to meet the objectives of the Information Security program or Cyber Supply Chain Risk
Management Plan. - ANS Identify
Suppliers and partners are monitored to confirm that they have satisfied their obligations as
required. Reviews of audits, summaries of test results, or other equivalent evaluations of
suppliers/providers are conducted - ANS Identify
Response and recovery planning and testing are conducted with critical suppliers/providers -
ANS Identify
Identities and credentials are issued, managed, revoked, and audited for authorized devices,
users, and processes - ANS Protect
Physical access to assets is managed and protected - ANS Protect