NIST CYBERSECURITY FRAMEWORK FOUNDATION Practice Exam, Exams of Technology

This exam assesses foundational understanding of the NIST CSF Core (Identify–Protect–Detect–Respond–Recover), Profiles, and Implementation Tiers. Candidates must map controls to cybersecurity objectives, interpret CSF categories/subcategories, understand risk-based planning, and evaluate organizational cybersecurity maturity. Scenario items reinforce the ability to translate business needs into CSF-aligned security practices.

Typology: Exams

2024/2025

Available from 12/03/2025

shilpi-jain-1

NIST CYBERSECURITY FRAMEWORK FOUNDATION
Practice Exam
**Question 1. Which of the following best describes the primary purpose of the NIST Cybersecurity Framework (CSF)?**
A) To enforce mandatory cybersecurity controls for all U.S. organizations.
B) To provide a voluntary, risk-based approach for managing and reducing cybersecurity risk.
C) To replace all existing industry-specific security standards.
D) To certify organizations as “cyber-secure.”
Answer: B
Explanation: The CSF is a voluntary, risk-based framework designed to help organizations manage and reduce cybersecurity risk, not to mandate or certify compliance.
**Question 2. Who is the intended primary audience for the NIST CSF?**
A) Only federal agencies.
B) Executives, risk managers, and cybersecurity practitioners across all sectors.
C) End-users of IT systems.
D) Software vendors exclusively.
Answer: B
Explanation: The framework is written for a broad audience, including senior leaders, risk managers, and technical staff, to facilitate shared understanding of cybersecurity risk.

**Question 3. Which of the following components is NOT part of the CSF structure?**
A) Core.
B) Implementation Tiers.
C) Profiles.
D) Certification Levels.
Answer: D
Explanation: The CSF consists of the Core, Implementation Tiers, and Profiles. It does not contain certification levels.
**Question 4. In the CSF terminology, what does “Current Profile” refer to?**
A) The set of cybersecurity outcomes an organization wishes to achieve.
B) The organization’s existing cybersecurity outcomes.
C) The industry-wide best practices for security.
D) The regulatory requirements applicable to the organization.
Answer: B
Explanation: The Current Profile describes the cybersecurity outcomes an organization is presently achieving.
**Question 5. Which term defines the amount of risk an organization is willing to accept in pursuit of its objectives?**
A) Risk Management.

D) EO 14028 – Enhancing the nation’s cybersecurity.
Answer: B
Explanation: Executive Order 13636 (2013) directed the development of a framework to improve critical infrastructure cybersecurity, leading to the CSF.
**Question 8. The addition of which function distinguishes CSF version 2.0 from the original version?**
A) Identify.
B) Govern.
C) Protect.
D) Recover.
Answer: B
Explanation: CSF 2.0 introduced the “Govern” (GV) function to address governance, risk management, and compliance activities.
**Question 9. Which Core function focuses on developing and implementing safeguards to limit the impact of a cybersecurity event?**
A) Identify.
B) Protect.
C) Detect.
D) Respond.
Answer: B

Explanation: The Protect function is dedicated to implementing safeguards that ensure delivery of critical services and limit impact.
**Question 10. In the Protect function, which category deals with limiting access to assets through authentication and authorization?**
A) PR.AA – Identity Management and Access Control.
B) PR.DS – Data Security.
C) PR.PS – Platform Security.
D) PR.IR – Technology Infrastructure Resilience.
Answer: A
Explanation: PR.AA specifically addresses identity management, authentication, and access control mechanisms.
**Question 11. Which subcategory under PR.DS refers to the use of encryption to protect data at rest?**
A) PR.DS-1: Data is classified.
B) PR.DS-2: Data is protected (e.g., encryption) while in transit.
C) PR.DS-3: Data is protected (e.g., encryption) at rest.
D) PR.DS-4: Integrity checking mechanisms are used.
Answer: C
Explanation: PR.DS-3 explicitly states that data at rest is protected using encryption or similar methods.

**Question 14. In the Recover function, “Improvements” (RC.IM) primarily deals with:**
A) Updating the incident response playbook based on lessons learned.
B) Encrypting backup data.
C) Deploying intrusion detection systems.
D) Conducting continuous monitoring of network traffic.
Answer: A
Explanation: RC.IM focuses on incorporating lessons learned from incidents into future recovery and resilience activities.
**Question 15. Which Implementation Tier is characterized by informal, reactive risk management that is incident-driven?**
A) Tier 1 – Partial.
B) Tier 2 – Risk-Informed.
C) Tier 3 – Repeatable.
D) Tier 4 – Adaptive.
Answer: A
Explanation: Tier 1 (Partial) describes organizations with informal, reactive risk management practices.
**Question 16. An organization that has documented, organization-wide policies and consistent communication about cybersecurity is most likely at which Tier?**

A) Tier 1.
B) Tier 2.
C) Tier 3.
D) Tier 4.
Answer: C
Explanation: Tier 3 (Repeatable) signifies formal, documented policies and consistent communication across the organization.
**Question 17. Which Tier reflects a proactive, continuously improving cybersecurity posture that is integrated into the organizational culture?**
A) Tier 1.
B) Tier 2.
C) Tier 3.
D) Tier 4.
Answer: D
Explanation: Tier 4 (Adaptive) describes organizations that are proactive, risk-adaptive, and continuously improving.
**Question 18. What is the primary purpose of a “Profile” in the CSF?**
A) To certify an organization’s compliance with NIST standards.
B) To select specific Categories and Subcategories that align with business objectives.

Answer: C
Explanation: GV.SC specifically focuses on cybersecurity supply chain risk management.
**Question 21. In the Identify function, “Asset Management” (ID.AM) includes which of the following activities?**
A) Conducting penetration testing on external networks.
B) Maintaining an inventory of physical devices and software.
C) Developing a business continuity plan.
D) Implementing multi-factor authentication.
Answer: B
Explanation: ID.AM is about inventorying and managing assets such as devices, software, and data.
**Question 22. Which subcategory under ID.RA (Risk Assessment) involves prioritizing identified risks based on potential impact?**
A) ID.RA-1: Threats are identified.
B) ID.RA-2: Vulnerabilities are identified.
C) ID.RA-3: Risk is prioritized based on impact and likelihood.
D) ID.RA-4: Risk assessments are performed annually.
Answer: C

Explanation: ID.RA-3 explicitly states that risk is prioritized considering impact and likelihood.
**Question 23. The “Business Environment” (ID.BE) category helps an organization understand:**
A) The technical specifications of its firewalls.
B) Its mission, objectives, and role within critical infrastructure.
C) The pricing models of security vendors.
D) The number of active user accounts.
Answer: B
Explanation: ID.BE focuses on the organization’s mission, objectives, and position within the broader critical infrastructure sector.
**Question 24. Which of the following is an example of a “Technology Infrastructure Resilience” (PR.IR) activity?**
A) Conducting user awareness training.
B) Implementing system redundancy and failover mechanisms.
C) Classifying data based on sensitivity.
D) Monitoring network traffic for anomalies.
Answer: B
Explanation: PR.IR deals with maintaining resilient systems, such as redundancy and capacity planning.

**Question 27. The “Roles, Responsibilities, and Authorities” (GV.RR) category ensures which of the following?**
A) That all employees have the same level of access.
B) Clear accountability for managing cybersecurity risk across the organization.
C) That only the IT department can make security decisions.
D) That risk assessments are performed quarterly.
Answer: B
Explanation: GV.RR establishes clear roles and accountability for cybersecurity risk management.
**Question 28. Which of the following best illustrates a “Current Profile” activity?**
A) Defining the organization’s future security goals.
B) Mapping existing security controls to CSF subcategories.
C) Selecting new security technologies for the next fiscal year.
D) Conducting a market analysis of security vendors.
Answer: B
Explanation: Creating a Current Profile involves assessing which CSF subcategories are already being met.
**Question 29. In the context of the CSF, “Informative References” are:**

A) Mandatory legal regulations.
B) Standards, guidelines, and best-practice documents that support the Framework’s outcomes.
C) Internal policies that supersede the CSF.
D) Vendor-specific security certifications.
Answer: B
Explanation: Informative References provide additional guidance and examples to help implement the CSF.
**Question 30. Which of the following statements about the CSF’s relationship to Enterprise Risk Management (ERM) is correct?**
A) The CSF replaces ERM for all organizations.
B) The CSF is a subset of ERM focusing specifically on cybersecurity risk.
C) ERM is a component of the CSF’s Protect function.
D) The CSF only applies to IT risk, not business risk.
Answer: B
Explanation: The CSF complements ERM by providing a cybersecurity-specific lens within the broader risk management process.
**Question 31. The “Govern” function’s “Policy” (GV.PO) category is primarily concerned with:**
A) Drafting, reviewing, and enforcing cybersecurity policies.

C) PR.PS-1 and PR.PS-2.
D) DE.CM-1 and DE.CM-2.
Answer: A
Explanation: PR.DS-2 addresses encryption in transit, while PR.DS-3 addresses encryption at rest.
**Question 34. Which Core function would you consult to develop a formal incident response plan?**
A) Identify.
B) Protect.
C) Respond.
D) Recover.
Answer: C
Explanation: The Respond function includes RS.MA, which focuses on establishing and executing an incident response plan.
**Question 35. The “Recovery Planning” (RC.RP) category is most closely aligned with which business activity?**
A) Conducting employee background checks.
B) Developing and testing Business Continuity and Disaster Recovery plans.
C) Performing regular penetration testing.
D) Managing software license inventories.

Answer: B
Explanation: RC.RP directly addresses the creation, maintenance, and testing of recovery procedures.
**Question 36. An organization wants to adopt a “risk-informed” approach but has not yet formalized organization-wide policies. Which Implementation Tier does this align with?**
A) Tier 1 – Partial.
B) Tier 2 – Risk-Informed.
C) Tier 3 – Repeatable.
D) Tier 4 – Adaptive.
Answer: B
Explanation: Tier 2 describes organizations that have approved but not fully organization-wide risk-informed practices.
**Question 37. Which of the following is an example of a “Detection Process” (DE.DP) activity?**
A) Conducting quarterly tabletop exercises to test detection capabilities.
B) Installing firewalls on the perimeter network.
C) Developing a data classification scheme.
D) Negotiating service level agreements with vendors.
Answer: A

**Question 40. A firm wants to ensure that its supply chain partners meet the same cybersecurity standards. Which Govern subcategory should it address?**
A) GV.SC – Cybersecurity Supply Chain Risk Management.
B) GV.PO – Policy.
C) GV.OC – Organizational Context.
D) GV.RM – Risk Management Strategy.
Answer: A
Explanation: GV.SC deals directly with managing cybersecurity risks associated with suppliers and third parties.
**Question 41. In the CSF, which function is primarily responsible for establishing a baseline of normal operations?**
A) Identify.
B) Detect.
C) Respond.
D) Recover.
Answer: B
Explanation: DE.AE (Anomalies and Events) within the Detect function focuses on establishing baselines and identifying deviations.
**Question 42. Which of the following best describes a “Target Profile”?**
A) The set of security controls mandated by law.

B) Desired cybersecurity outcomes an organization aims to achieve.
C) The current inventory of assets.
D) The list of all known vulnerabilities.
Answer: B
Explanation: The Target Profile defines the future state the organization wants to reach.
**Question 43. Which CSF Core function would you consult to improve employee security awareness?**
A) Identify.
B) Protect.
C) Detect.
D) Respond.
Answer: B
Explanation: PR.AT (Awareness and Training) under the Protect function focuses on workforce education.
**Question 44. Which subcategory under PR.PS (Platform Security) addresses secure configuration management?**
A) PR.PS-1: Baseline configurations are established and maintained.
B) PR.PS-2: Software updates are applied promptly.
C) PR.PS-3: Vulnerability scanning is performed regularly.