Actual Exam 2026/2027 | Final Assessment | Complete Questions and Verified Answers | Pass Guaranteed - A+ Graded
Foundations of Cybersecurity Architecture
Q1: When mapping security requirements to business needs, which framework is specifically designed to use a set of abstractions—contextual, conceptual, logical, physical, and component—to align security services with business operations?
A. TOGAF
B. SABSA [CORRECT]
C. NIST CSF
D. ITIL
Correct Answer: B
Rationale: The best answer is SABSA because it is a risk-driven, layered architecture model specifically built to ensure security controls directly support business objectives, unlike TOGAF, which is broader enterprise architecture.
Q2: Under the NIST Risk Management Framework (RMF), what is the very first step an organization must take when integrating a new system?
A. Implement security controls
B. Categorize the system and information [CORRECT]
C. Assess control effectiveness
D. Authorize the system for operation
Correct Answer: B
Rationale: This choice is correct because step one of the NIST RMF is categorization, where you determine the impact level of the system based on the confidentiality, integrity, and availability requirements of the information it processes.
Q3: An enterprise architect is trying to integrate security into the earliest phases of a new project. In which TOGAF Architecture Development Model (ADM) phase should security controls and requirements initially be defined?
A. Phase A: Architecture Vision
B. Phase B: Business Architecture
C. Phase C: Information Systems Architectures [CORRECT]
D. Phase E: Opportunities and Solutions
Correct Answer: C
Rationale: The best answer is Phase C because this is where the data and application architectures are developed, making it the optimal ADM phase to map specific security requirements to the actual systems being designed.
Q4: A security manager needs to choose a framework that provides a globally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Which framework fits this exact description?
A. NIST SP 800-53
B. ISO/IEC 27001 [CORRECT]
C. CIS Controls
D. COBIT
Correct Answer: B
Rationale: This choice is correct because ISO/IEC 27001 is the premier international standard specifically focused on creating and managing an ISMS, whereas NIST SP 800-53 is primarily a catalog of controls rather than a management system standard.
Q5: Your organization is highly regulated and needs a framework heavily focused on integrating security into the system development lifecycle. Which NIST publication provides detailed guidelines on engineering secure systems from the ground up?
A. NIST SP 800-53
B. NIST SP 800-37
C. NIST SP 800-160 [CORRECT]
D. NIST SP 800-61
Correct Answer: C
Rationale: The best answer is NIST SP 800-160 because it specifically addresses systems security engineering and provides the playbook for building security into the lifecycle, moving beyond just control catalogs or incident response.
Q6: When comparing the scope of NIST SP 800-53 to ISO 27001, how should a security architect evaluate their application?
A. They are identical in structure and should be used interchangeably.
B. NIST 800-53 is strictly a management system standard, while ISO 27001 is a technical control catalog.
C. ISO 27001 provides the ISMS framework, while NIST 800-53 provides a much deeper, granular catalog of technical and administrative controls. [CORRECT]
D. ISO 27001 is only applicable to European organizations, making NIST 800-53 the global default.
Correct Answer: C
Rationale: This choice is correct because while both address information security, ISO 27001 focuses on the overarching management policies, and NIST 800-53 gives you a massive, detailed checklist of specific controls to actually implement.
Q7: A Chief Information Security Officer (CISO) wants to transition the company from a reactive security posture to a proactive, risk-based one. Which framework is best suited to provide a high-level, strategic view of organizational risk management?
A. NIST Cybersecurity Framework (CSF) [CORRECT]
B. OWASP Top 10
C. MITRE ATT&CK
D. Common Vulnerability Scoring System (CVSS)
Correct Answer: A
Rationale: The best answer is the NIST CSF because its core function is to help organizations understand and manage their cybersecurity risk at a strategic, executive level, rather than getting bogged down in specific technical vulnerabilities or attack tactics.
Q8: Which family of controls in NIST SP 800-53 is most directly concerned with establishing who is allowed to access a system and verifying their identity?
A. System and Communications Protection (SC)
B. Access Control (AC) [CORRECT]
C. Identification and Authentication (IA)
D. Security Assessment and Authorization (CA)
Correct Answer: B
Rationale: This choice is correct because the Access Control (AC) family specifically dictates policy requirements for managing account creation, least privilege, and access enforcement, laying the groundwork for identity verification.
Q9: An organization is struggling with shadow IT and needs a framework that explicitly addresses supply chain risk management and third-party integrations within its core functions. Which framework has heavily emphasized this in its recent updates?
A. NIST CSF 2.0 [CORRECT]
B. COBIT 2019
C. ITIL v4
D. ISO 27000
Correct Answer: A
Rationale: The best answer is NIST CSF 2.0 because its latest iteration explicitly added a new "Govern" function and expanded supply chain risk management guidance, recognizing modern dependencies on third-party vendors.