FISMA Compliance: Multiple Choice Questions on Security Assessment and Authorization, Exams of Business Mathematics

A series of multiple-choice questions focused on key concepts within the Federal Information Security Management Act (FISMA) framework. It covers topics such as risk assessment, authorization, continuous monitoring, and the roles and responsibilities of the various stakeholders in ensuring information system security. The questions are designed to test understanding of FISMA compliance requirements and best practices, making the set a useful resource for students and professionals in information security. The questions go into the specifics of POA&Ms, security plans, and risk management processes, giving a comprehensive overview of the subject, and their depth makes the set suitable for university-level study and professional development.

Typology: Exams

2024/2025

Available from 05/23/2025

locaz-turus-1
CAP exam study questions
What is included in the Plan of Action and Milestones (POA&M) that is presented to the Authorizing Official (AO) as part of the initial authorization package?
A. All items identified throughout the Risk Management Framework (RMF) process
B. Only volatile findings that require prioritization in remediation
C. Deficiencies that have not yet been remediated and verified throughout the Risk Management Framework (RMF) process
D. Only findings that have been evaluated as moderate or high
Correct answer: Deficiencies that have not yet been remediated and verified throughout the Risk Management Framework (RMF) process

What are the steps of a risk assessment?
A. Prepare, Conduct, Communicate, Maintain
B. Prepare, Conduct, Communicate
C. Prepare, Communicate, Conduct
D. Prepare, Communicate, Maintain, Conduct
Correct answer: Prepare, Conduct, Communicate, Maintain

*Which of the following cannot be delegated by the Authorizing Official (AO)?
A. Certificate resources
B. Authorization decision
C. Acceptance of Security Plan (SP)
D. Determination of risk to agency operations
Correct answer: Authorization decision

Configuring an Information System (IS) to prohibit the use of unused ports and protocols
A. Helps provide least privilege
B. Helps provide least functionality
C. Streamlines the functionality of the system

D. Violates configuration management best practice
Correct answer: Helps provide least functionality

The authorization boundary of a system undergoing assessment includes
A. The Information System (IS) components to be authorized for operation
B. The Information System (IS) components to be authorized for operation and any outside system it connects to
C. Any components or systems the Information Owner (IO) states should be included in the assessment
D. Any components found within the given Internet Protocol (IP) range
Correct answer: The Information System (IS) components to be authorized for operation

Which of the following BEST describes a government-wide standard for security Assessment and Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for federal agencies and Cloud Service Providers (CSP)?
A. Federal Risk and Authorization Management Program (FedRAMP)
B. National Institute of Standards and Technology (NIST)
C. Federal Information Technology Acquisition Reform Act (FITARA)
D. National Cyber Security Program (NCSP)
Correct answer: Federal Risk and Authorization Management Program (FedRAMP)

All Federal agencies are required by law to conduct which of the following activities?
A. Protect Information Systems (IS) used or operated by a contractor of an agency or other organization on behalf of an agency
B. Coordinate with the National Institute of Standards and Technology (NIST) to develop binding operational directives
C. Report the effectiveness of information security policies and practices to the Office of Personnel Management (OPM)
D. Monitor the implementation of information security policies and practices of other

System (IS) in an operational division, which of the following activities is the MOST likely to occur?
A. Update the Plan of Action and Milestones (POA&M)
B. Perform additional security scans of systems
C. Update the Security Plan (SP) immediately
D. Revoke the Authorization to Operate (ATO)
Correct answer: Update the Plan of Action and Milestones (POA&M)

Which of the following documents provides a functional description of the Information System (IS) control implementation?
A. Security and Privacy assessment reports
B. Security and Privacy Plans
C. Plans of Action and Milestones (POA&M)
D. Risk Assessment Report
Correct answer: Risk Assessment Report

What is the likelihood that security controls with a low level of volatility will change?
A. Likely to change from year to year
B. Unlikely to change from year to year
C. Likely to change during system upgrades
D. Unlikely to change during system upgrades
Correct answer: Unlikely to change from year to year

A System Owner (SO) is implementing a new system within their existing organization's Information Technology (IT) environment. What objectives are considered when determining possible impact to risk?
A. Low, Moderate, and High
B. Authentication, Authorization, and Accountability
C. Common, Hybrid, and System-Specific

D. Integrity, Confidentiality, and Availability
Correct answer: Integrity, Confidentiality, and Availability

Besides the System Owner (SO), what role has the PRIMARY responsibility for implementing the security controls into the security and privacy plans for the Information Systems (IS)?
A. System Security Officer
B. System administrator
C. Common Control Provider (CCP)
D. Information Owner
Correct answer: System Security Officer

In order to receive an Authorization to Operate (ATO), the Plan of Action and Milestones (POA&M) MUST
A. Be implemented within 90 days
B. Have all vulnerabilities mitigated
C. Be implemented after the ATO is granted
D. Address the remaining vulnerabilities
Correct answer: Address the remaining vulnerabilities

*Which of the following documents is updated when a vulnerability is discovered during continuous monitoring?
A. Plan of Action and Milestones (POA&M)
B. Business Impact Analysis (BIA)
C. Security Assessment Report (SAR)
D. Incident Response Plan (IRP)
Correct answer: Security Assessment Report (SAR)

The process of uniquely assigning information resources to an Information System (IS) defines the
A. Overall security management program
B. Authorization boundary
C. Rules of engagement

C. It is required for authorization to operate
D. It will be used across accreditation boundaries
Correct answer: It can affect the overall security and privacy posture of the system

What is a KEY consideration when selecting a media sanitization method or destruction tool when decommissioning an Information System (IS)?
A. Accountability
B. Confidentiality
C. Availability
D. Integrity
Correct answer: Confidentiality

The potential impact value "not applicable" applies to which of the following security objectives?
A. Confidentiality
B. Availability
C. Integrity
D. Non-repudiation
Correct answer: Confidentiality

The new Authorizing Official (AO) is reviewing all moderate and high systems to determine whether formal authorization action is needed for any of the systems. Which of the following documents BEST facilitates this process?
A. The recent Risk Assessment Report (RAR) for each system
B. The recent assessment reports for each system
C. The recent vulnerability scan for each system
D. The recent security status report for each system
Correct answer: The recent Risk Assessment Report (RAR) for each system

The baseline configuration of an information system should be consistent with the
A. Enterprise architecture
B. Original design specification

C. Disaster Recovery (DR) procedures
D. Security authorization process
Correct answer: Original design specification

When implementing the organizational disposal process, what factors are considered when making a final decision about sanitization of media?
A. Cost versus benefit
B. Function versus security
C. Availability versus integrity
D. Accountability versus authentication
Correct answer: Cost versus benefit

In establishing the rules of behavior for a system, which of the following is necessary?
A. For a user to have system access before reviewing the rules
B. Ensuring that users submit a formal acknowledgement of the rules
C. That testing is conducted in order to validate the rules
D. Ensuring that all applicable controls are detailed within the rules
Correct answer: Ensuring that users submit a formal acknowledgement of the rules

Which of the following BEST describes the objective of the Security Assessment Plan (SAP)?
A. It provides a detailed roadmap for how to conduct the assessment.
B. It provides an assessment process for the integration of software and hardware.
C. It describes how to verify the change control and Configuration Management (CM) practices.
D. It ensures that changes made during system development are included in security assessments.
Correct answer: It provides a detailed roadmap for how to conduct the assessment.

An Information System (IS) is registered with appropriate program/management offices in order to

B. Plan of Action and Milestones (POA&M)
C. Security and Privacy Plans
D. Configuration Management Plan (CMP)
Correct answer: Plan of Action and Milestones (POA&M)

Which of the following is the BEST approach to authorizing operations of complex systems?
A. Assuring the system works both in a secure and functional manner
B. Decomposing and authorizing the system into multiple subsystems
C. Documenting the decomposition of the information in the Security Plan (SP)
D. Decomposing the system into smaller subsystems and authorizing them as a single system
Correct answer: Decomposing the system into smaller subsystems and authorizing them as a single system

What should be included in a functional description of security control implementation?
A. Planned inputs, expected behavior, and expected outputs
B. Owner, process, and procedure
C. Control metrics and monitoring plan
D. Planned metrics, expected behavior, and monitoring description
Correct answer: Planned inputs, expected behavior, and expected outputs

The results of the completed control assessments, including recommendations for correcting any weaknesses or deficiencies in the controls, are documented in which document?
A. Plan of Action and Milestones (POA&M)
B. Security and privacy assessment plans
C. Risk Assessment Report (RAR)
D. Security and privacy assessment reports
Correct answer: Risk Assessment Report (RAR)

What can an organization choose to eliminate the authorization termination date?

A. The authorization termination date can never be eliminated
B. A continuous monitoring plan is approved by the Risk Executive (function)
C. Risk acceptance activities are performed by the Information System Security Officer (ISSO) so that the effectiveness of common controls is inherited periodically
D. The continuous monitoring program is sufficiently robust to provide the Authorizing Official (AO) with the needed information to conduct risk determination
Correct answer: The continuous monitoring program is sufficiently robust to provide the Authorizing Official (AO) with the needed information to conduct risk determination

Which of the following is the principal vehicle used to verify that Information Systems (IS) are meeting their stated security goals and objectives?
A. Security Plan (SP)
B. Risk assessment
C. Security Control Assessment (SCA)
D. Requirements Traceability Matrix (RTM)
Correct answer: Security Control Assessment (SCA)

When should a Plan of Action and Milestones (POA&M) be updated?
A. When time permits
B. On an ongoing basis
C. When the budget allows it
D. After the Security Plan (SP) is updated
Correct answer: On an ongoing basis

In determining residual risk, an organization considers impact on which of the following?
A. System budget and personnel
B. Operations, assets, and individuals
C. System maintenance and Disaster Recovery (DR)
D. Administrative, technical, and operational functions
Correct answer: Administrative, technical, and operational functions

B. Tailoring and scoping
C. Compensating controls
D. Baseline and scoping
Correct answer: Baseline and tailoring

Which of the following roles within the organization is responsible for clearly defining the impact level of the information the system processes?
A. Risk Executive (function)
B. Information Owner (IO)
C. Authorizing Official (AO)
D. System Security Officer
Correct answer: Information Owner (IO)

Who has the authority to divide a complex system in order to establish realistic security authorization boundaries?
A. Authorizing Official (AO) and Information System Security Officer (ISSO)
B. Authorizing Official (AO) and Senior Information Security Officer (SISO)
C. Security Control Assessor (SCA) and Risk Executive
D. Security Control Assessor (SCA) and Information System Security Officer (ISSO)
Correct answer: Authorizing Official (AO) and Information System Security Officer (ISSO)

Which document in support of the authorization package defines the well-defined set of security and privacy controls?
A. Security Plan (SP)
B. Initial risk assessment
C. Security and privacy assessment reports
D. Plan of Action and Milestones (POA&M)
Correct answer: Security Plan (SP)

The organization has implemented a project to move the physical servers to virtual machines (VM) over the next year. Which risk perspective addresses this project?
A. Mission and business

B. Organization-wide
C. Information system (IS)
D. Enterprise-wide
Correct answer: Organization-wide

What is the MOST important reason for developing a continuous monitoring strategy?
A. To maintain an up-to-date Configuration Management Plan
B. To conduct a point-in-time assessment to demonstrate due diligence and compliance
C. To determine if the deployed security controls continue to be effective over time
D. To validate an Interconnection Service Agreement (ISA)
Correct answer: To determine if the deployed security controls continue to be effective over time

The determination of risk for a particular threat/vulnerability pair includes assessment of the
A. Probability assigned for each threat likelihood examined during initiation
B. Cost of remediating the vulnerability and the value of the data
C. Value of confidentiality, availability, or integrity of the system concerned
D. Likelihood of a given threat source's attempt to exercise the vulnerability
Correct answer: Likelihood of a given threat source's attempt to exercise the vulnerability

Organizations consider which of the following factors when selecting security or privacy control assessors?
A. Technical expertise and level of independence
B. System knowledge
C. Technical expertise and relevant certifications
D. Assessor certification
Correct answer: Technical expertise and level of independence

Overlays can be implemented as part of control tailoring after the completion of what process?
A. Privacy Impact Assessment (PIA)
B. Security Categorization

D. Under the same higher management authority
Correct answer: Under the same higher management authority

Residual risk can be categorized as risk
A. That exists before the implementation of security controls
B. That exists after the implementation of security controls
C. Introduced by the implementation of security controls
D. Introduced by implementing security controls
Correct answer: That exists after the implementation of security controls

The Information Technology (IT) manager is responsible to the Information Officer for the implementation of Role Based Access Control (RBAC) for assigned divisional resources. Specifically, the IT manager must facilitate Identity and Access Management (IAM) for configured assets. Which System Development Life Cycle (SDLC) phase will enable the system security officer to verify accountability and authentication of these implemented safeguards?
A. Development/Acquisition
B. Planning
C. Designing
D. Initiation
Correct answer: Development/Acquisition

*The Authorizing Official may accept authorization recommendations based on
A. Residual risks of similar systems
B. Impact to mission personnel
C. Impact of environmental factors
D. Residual risk of the specific systems
Correct answer: Residual risks of similar systems

The final Security Assessment Report (SAR) should contain which of the following?
A. Determination of the residual risk
B. Security Control Assessment (SCA) plan

C. System Security Plan (SSP) and Concept of Operations (CONOPS)
D. Recommendations for correcting deficiencies
Correct answer: Recommendations for correcting deficiencies

Which of the following triggers a Security Plan (SP) update?
A. A vulnerability scan run against a system
B. Inspector General's Security Assessment Report (SAR)
C. Change in Information System Owner (ISO)
D. Leave of absence of Authorizing Official (AO)
Correct answer: Inspector General's Security Assessment Report (SAR)

When a security control selected for a system cannot be applied,
A. The security control list is deleted
B. A compensating control is implemented
C. A less restrictive security control is employed
D. The security control is marked as non-applicable
Correct answer: The security control is marked as non-applicable

What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected?
A. The remediated controls are reassessed
B. The system is given an Authority to Operate (ATO)
C. An assessment report is generated
D. The original assessment results are changed
Correct answer: The remediated controls are reassessed

The assessment effort for effective incident handling MUST include the determination that an organization
A. Implements an incident handling capability for security incidents

B. Risk mitigation
C. Risk tolerance
D. Risk transfer
Correct answer: Risk tolerance

In determining the level of acceptable risk associated with the operation of an Information System (IS), the organization shall give
A. Appropriate weight to mission and security requirements
B. Greater weight to mission requirements than security requirements
C. Appropriate weight to system performance and security requirements
D. Greater weight to security requirements than performance requirements
Correct answer: Appropriate weight to mission and security requirements

What factors MUST be analyzed during risk determination activities?
A. Threats, impacts, vulnerabilities, likelihood of occurrence, and predisposing conditions
B. Threats, impacts, vulnerabilities, risk assessment results, and predisposing conditions
C. Threats, impacts, vulnerabilities, likelihood of occurrence, and compliance verification
D. Threats, impacts, vulnerabilities, risk assessment results, and compliance verification
Correct answer: Threats, impacts, vulnerabilities, likelihood of occurrence, and predisposing conditions

The Least Privilege security control is a member of which control family?
A. Access Control
B. System and Information Integrity
C. Audit and Accountability
D. Identification and Authentication
Correct answer: Access Control

*Which process guides the selection of security controls to ensure adequate security commensurate with the risk of the organization?
A. Risk assessment

B. Security categorization
C. Vulnerability assessment
D. Privacy Impact Assessment (PIA)
Correct answer: Risk assessment

Which of the following is an essential element when an organization updates its authorization package documents?
A. Version control
B. Technical control
C. Administrative control
D. Operational control
Correct answer: Version control

When implementing a control on wireless access, the organization MUST do which of the following?
A. Monitor for unauthorized access
B. Prevent Denial of Service (DoS) conditions
C. Not broadcast the Service Set Identifier (SSID)
D. Increase monitoring for non-wireless networks
Correct answer: Monitor for unauthorized access

Organization A has merged with another similar organization, Organization B, and has expanded the data center operations to include Information Technology (IT) assets from both locations. What is the BEST reason for requiring an updated risk assessment?
A. System Owner has changed
B. System authorization boundary has changed
C. System technical requirements have changed
D. System regulatory and legal requirements have changed
Correct answer: System authorization boundary has changed

Which of the following is an example of the test assessment method?