Answers.
The following legislation requires federal agencies to develop, document and implement an agency-wide information security program.
Correct answers: FISMA

The following legislation requires each agency with an Inspector General to conduct an annual evaluation of the agency's information security program, or to appoint an independent external auditor to conduct the evaluation on its behalf.
Correct answers: E-Government Act of 2002, Section 208

The following OMB guidance established the requirement for federal agencies to review the security controls in each system when significant modifications are made to the system, or at least every three years. This guidance also requires federal agencies to re-authorize information systems every three years.
Correct answers: OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources

The Federal Information Security Modernization Act of 2014 (FISMA 2014) formally assigns information security responsibilities to which of the following agencies/departments (select two)?
Correct answers: DHS and OMB

Current regulations still require the re-authorization of federal information systems at least every three years.
Correct answers: True

The following OMB guidance established the requirement for federal agencies to review the security controls in each system when significant modifications are made to the system, but at least every three years. This guidance also requires federal agencies to re-authorize information systems every three years.
Correct answers: OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources

As part of monitoring the security posture of agency desktops, OMB requires federal agencies to use vulnerability scanning tools that leverage the ________ protocol.
Correct answers: SCAP

Following the loss of 26 million records containing PII at the Department of Veterans Affairs, OMB released M-06-16, Protection of Sensitive Agency Information. This memo required all of the following EXCEPT:
Correct answers: Encryption of all server backup tapes

This Homeland Security Presidential Directive requires all federal agencies to adopt a standard, government-wide card to reduce identity fraud, protect personal privacy, and provide for authentication. This directive was called:
Correct answers: HSPD-12 - Common Identification Standard
What elements are components of an information system?
Correct answers: Hardware and software, Interconnected systems, People

What is the main consideration in determining the scope of authorization for information systems?
Correct answers: System Boundaries

Which approach involves continually balancing the protection of agency information and assets with the cost of security controls and mitigation strategies?
Correct answers: Risk Management Approach

What establishes the scope of protection for organizational information systems?
Correct answers: System Boundaries

List the 7 steps of the RMF process.
Correct answers: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor

During what phase of the SDLC should the organization consider the security requirements?
Correct answers: Initiation Phase / Development / Acquisition Phase

Security reauthorizations are conducted during which phase of the SDLC?
Correct answers: Operations/Maintenance

What NIST Special Publication superseded the original Special Publication 800-30 as the primary source for guidance on risk management?
Correct answers: SP 800-39

Applying the first three steps in the RMF to legacy systems can be viewed as a ____________________________ to determine if the necessary and sufficient security controls have been appropriately selected and allocated.
Correct answers: Gap Analysis

Which of the following is not a key document to be updated as part of ISCM?
Correct answers: SCAP

Security status reporting is:
Correct answers: Event driven, Time driven

Which of these is not one of the steps of system disposal?
Correct answers: Documentation

Which of the following SCAP specifications provides a standard naming scheme and dictionary of system configuration issues?
Correct answers: CPE

Which of these is not a resource for the National Vulnerability Database (NVD)?
Correct answers: MAEC

Vulnerability and Patch Management, Event and Incident Management, and Malware Detection are all examples of which of the following?
Correct answers: Security Automation Domains

Why do organizations look for automated solutions for ISCM?
Correct answers: Lower costs, enhance efficiency, improve reliability

What is the first step of the ISCM process?
Correct answers: Define an ISCM strategy