FITSP-A || Answered Perfectly 100%.
What elements are components of an information system? correct answers OMB Circular A-130,
App III: "A system normally includes hardware, software, information, data, applications,
communications, and people."
What are some of the threats that the information system faces? correct answers NIST SP 800-
39rl, p. 1: "Threats to information and information systems can include purposeful attacks,
environmental disruptions, and human/machine errors and result in great harm to the national
and economic security interests of the United States."
During what phase of the SDLC should the organization consider the security requirements
(mark all that apply)? correct answers Initiation Phase / Development / Acquisition
Phase,Implementation Phase, Operation / Maintenance Phase, System Disposal Phase
The PIA, BIA and Security Categorisation are all done in this phase of the SDLC: correct
answers Initiation
Security Reauthorizations are conducted during which phase of the SDLC? correct answers
Operations/Maintenance
Which approach involves continually balancing the protection of agency Information and assets
with the cost of security controls and mitigation strategies? correct answers Risk Management
Approach
Which of the following must be assigned to government personnel only (select all that apply)?
correct answers SISO and AO
Place the 4 components of risk management in the correct order. correct answers Frame, Assess,
Respond, Monitor (FARM)
,The following are the possible outcomes of the Authorization Decision (mark all that apply):
correct answers ATO and Not authorized to operate
List the 6 steps of the RMF process? correct answers Categorize, Select, Implement, Assess,
Authorize, Monitor
What NIST Special Publication superseded the original Special Publication 800-30 as the source
for guidance on risk management? correct answers SP 800-39
The risk management processes, at the information system level, link to risk management
processes at the organization level through what newly defined role in the RMF? correct answers
Risk Executive (Function)
Applying the first three steps in the RMF to legacy systems can be viewed as a
_______________ to determine if the necessary and sufficient security controls have been
appropriately selected and allocated. correct answers Gap Analysis
What establishes the scope of protection for organizational information systems? correct answers
System Boundaries
Name the factors that influence the level of effort expended when implementing the RMF tasks?
correct answers "Importance of the System, Criticality of the System, Categorization of the
System"
The Risk Management Framework (RMF) places heavy emphasis on correct answers Selection,
implementation and monitoring of security controls
"Tier 2 of the three-tiered risk management approach addresses risk-related concerns at which
level?" correct answers Mission/Business Process
, Early integration of security in the SDLC enables agencies to maximize return on investment in
their security programs through correct answers Awareness of potential engineering challenges
caused by mandatory security controls
FedRAMP is a government-wide program that provides a standardized approach to correct
answers Security assessment, authorization and continuous monitoring for cloud products and
services
"ISCM is designed to improve security by replacing the ""every 3 year"" reauthorization
requirement with a continuous process. What NIST Special Publication provides guidance for
implementing ISCM?" correct answers SP 800-137
List the 3 security objectives under FISMA correct answers Confidentiality, Integrity,
Availability
FIPS 199 standards apply to which types of systems? correct answers Unclassified System and
Financial systems
Where are security controls documented? correct answers System Security Plan
What is the correct order of the Risk Management Framework process? correct answers
Categorize, Select, Implement, Assess, Authorize, Monitor
After the information and information system security categorization is completed, which
publication specifies the minimum security requirements for the determined security category?
correct answers FIPS 200
What are the three levels of potential impact from a security breach? correct answers Low,
Moderate, High
What elements are components of an information system? correct answers OMB Circular A-130,
App III: "A system normally includes hardware, software, information, data, applications,
communications, and people."
What are some of the threats that the information system faces? correct answers NIST SP 800-
39rl, p. 1: "Threats to information and information systems can include purposeful attacks,
environmental disruptions, and human/machine errors and result in great harm to the national
and economic security interests of the United States."
During what phase of the SDLC should the organization consider the security requirements
(mark all that apply)? correct answers Initiation Phase / Development / Acquisition
Phase,Implementation Phase, Operation / Maintenance Phase, System Disposal Phase
The PIA, BIA and Security Categorisation are all done in this phase of the SDLC: correct
answers Initiation
Security Reauthorizations are conducted during which phase of the SDLC? correct answers
Operations/Maintenance
Which approach involves continually balancing the protection of agency Information and assets
with the cost of security controls and mitigation strategies? correct answers Risk Management
Approach
Which of the following must be assigned to government personnel only (select all that apply)?
correct answers SISO and AO
Place the 4 components of risk management in the correct order. correct answers Frame, Assess,
Respond, Monitor (FARM)
,The following are the possible outcomes of the Authorization Decision (mark all that apply):
correct answers ATO and Not authorized to operate
List the 6 steps of the RMF process? correct answers Categorize, Select, Implement, Assess,
Authorize, Monitor
What NIST Special Publication superseded the original Special Publication 800-30 as the source
for guidance on risk management? correct answers SP 800-39
The risk management processes, at the information system level, link to risk management
processes at the organization level through what newly defined role in the RMF? correct answers
Risk Executive (Function)
Applying the first three steps in the RMF to legacy systems can be viewed as a
_______________ to determine if the necessary and sufficient security controls have been
appropriately selected and allocated. correct answers Gap Analysis
What establishes the scope of protection for organizational information systems? correct answers
System Boundaries
Name the factors that influence the level of effort expended when implementing the RMF tasks?
correct answers "Importance of the System, Criticality of the System, Categorization of the
System"
The Risk Management Framework (RMF) places heavy emphasis on correct answers Selection,
implementation and monitoring of security controls
"Tier 2 of the three-tiered risk management approach addresses risk-related concerns at which
level?" correct answers Mission/Business Process
, Early integration of security in the SDLC enables agencies to maximize return on investment in
their security programs through correct answers Awareness of potential engineering challenges
caused by mandatory security controls
FedRAMP is a government-wide program that provides a standardized approach to correct
answers Security assessment, authorization and continuous monitoring for cloud products and
services
"ISCM is designed to improve security by replacing the ""every 3 year"" reauthorization
requirement with a continuous process. What NIST Special Publication provides guidance for
implementing ISCM?" correct answers SP 800-137
List the 3 security objectives under FISMA correct answers Confidentiality, Integrity,
Availability
FIPS 199 standards apply to which types of systems? correct answers Unclassified System and
Financial systems
Where are security controls documented? correct answers System Security Plan
What is the correct order of the Risk Management Framework process? correct answers
Categorize, Select, Implement, Assess, Authorize, Monitor
After the information and information system security categorization is completed, which
publication specifies the minimum security requirements for the determined security category?
correct answers FIPS 200
What are the three levels of potential impact from a security breach? correct answers Low,
Moderate, High
