QUESTIONS AND CORRECT ANSWERS
FIPS 199 - CORRECT ANSWER Security categorization based on impact levels (Confidentiality, Integrity, Availability).
RMF Steps - CORRECT ANSWER Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.
FISMA - CORRECT ANSWER Act requiring federal agencies to establish a security program with annual reporting.
NIST Cybersecurity Framework Core Functions - CORRECT ANSWER Identify, Protect, Detect, Respond, Recover.
Privacy Act of 1974 - CORRECT ANSWER Protect personally identifiable information (PII) by requiring a valid reason for its collection and retention.
Digital Signature - CORRECT ANSWER A mechanism using a sender's private key to ensure non-repudiation and integrity of a message.
OMB Circular A-130 - CORRECT ANSWER Policy for managing federal information resources, including security and privacy guidelines.
Symmetric vs Asymmetric Encryption - CORRECT ANSWER Symmetric uses the same key for encryption and decryption; asymmetric uses a public/private key pair.
FIPS 199 Impact Levels - CORRECT ANSWER Low, Moderate, High.
SP 800-53A - CORRECT ANSWER Methods for assessing the effectiveness of security controls.
CIA Triad - CORRECT ANSWER Confidentiality, Integrity, Availability.
SP 800-88 - CORRECT ANSWER Media sanitization - clearing, purging, and destruction.
HSPD-12 - CORRECT ANSWER Common Identification Standard for Federal Employees.
SCAP - CORRECT ANSWER Security Content Automation Protocol.
FIPS 140-2 - CORRECT ANSWER Cryptographic module standards.
FIPS 200 - CORRECT ANSWER Minimum security requirements for federal information systems.
SP 800-122 - CORRECT ANSWER Guide to protecting confidentiality of PII.
Risk Avoidance - CORRECT ANSWER Proactively eliminating risk by avoiding related activities.
Risk Rejection - CORRECT ANSWER Ignoring or dismissing the existence of a risk.
Cold Site - CORRECT ANSWER A low-cost disaster recovery site with no pre-installed equipment.
Hot Site - CORRECT ANSWER A high-cost disaster recovery site with pre-installed equipment for rapid recovery.
RTO - CORRECT ANSWER Recovery Time Objective - the maximum time to restore operations.
RPO - CORRECT ANSWER Recovery Point Objective - the acceptable data loss in case of an incident.
Layer 7 Firewall - CORRECT ANSWER Inspects and filters traffic at the application layer.
IDS vs IPS - CORRECT ANSWER IDS detects intrusions; IPS prevents intrusions.
Trojan - CORRECT ANSWER Malicious software disguised as legitimate.
Rootkit - CORRECT ANSWER Malicious software providing unauthorized administrative access.
Backdoor Detection - CORRECT ANSWER Using HIDS or behavioral-based detection for suspicious activity.
Worm - CORRECT ANSWER Self-propagating malicious code.
Virus - CORRECT ANSWER Malicious code that attaches to a host file.
NIST SP 800-37 - CORRECT ANSWER Risk Management Framework documentation.
SP 800-39 - CORRECT ANSWER Overall approach to risk management (FARM - Frame, Assess, Respond, Monitor).