FITSP ACTUAL EXAM QUESTIONS AND
COMPLETE STUDY GUIDE 2026
▶ How do you know you can safely purchase a product from a vendor?
Answer: By checking the Common Vulnerabilities and Exposures (CVE)
and the Cryptographic Module Validation Program (CMVP), which utilize a
common criteria certification process to provide product validation.
▶ The National Vulnerability Database (NVD) is. Answer: The U.S.
government repository of standards-based vulnerability management data
represented using the Security Content Automation Protocol (SCAP). This
data enables automation of vulnerability management, security
measurement, and compliance. The NVD includes databases of security
checklist references, security-related software flaws, misconfigurations,
product names, and impact metrics.
▶ M-02-01. Answer: Guidance for Preparing and Submitting Security
Plans of Action and Milestones (POAMS)
▶ M-14-03 Enhancing the Security of Federal Information and Information
Systems. Answer: Established continuous monitoring (REMOVED the 3-year
authorization requirement IF CM is in place)
▶ M-11-11. Answer: Continued Implementation of Homeland Security
Presidential Directive 12 (HSPD-12) - Policy for a Common Identification
Standard for Federal Employees and Contractors
▶ NIST Risk Management Framework (RMF). Answer: Prepare, Categorize,
Select, Implement, Assess, Authorize, Monitor. Pretty cool system if
anyone asks me.
▶ What are the assessment methods defined by NIST? Answer: Test,
Interview, Examine
▶ What are the Five Elements of the NIST Cybersecurity Framework?
Answer: Identify, Detect, Protect, Respond, Recover
These core functions aid organizations in their effort to spot, manage and
counter cybersecurity events promptly.
▶ FIPS 140-2. Answer: Cryptographic modules; superseded by FIPS 140-3
-Establishes the Cryptographic Module Validation Program (CMVP)
-Defines security requirements for cryptographic modules:
Level 1: Basic
Level 2: Adds tamper-evident coating and role-based authentication
Level 3: Adds identity-based authentication, intrusion prevention, and
critical access parameters
Level 4: Requires the hardware to be tamper-active; any tampering with the
module erases all critical security information
▶ FIPS-197. Answer: AES (Advanced Encryption Standard)
-The AES algorithm is a symmetric block cipher that can encrypt (encipher)
and decrypt (decipher).
-Rijndael algorithm
▶ What cryptographic keys does the AES algorithm use and what size data
blocks can it encrypt/decrypt? Answer: Keys: 128, 192, and 256 bits
Can encrypt/decrypt data blocks of 128 bits
▶ FIPS-198. Answer: Keyed Hash Message Authentication Code (HMAC)
HMACs have two functionally distinct parameters, a message input and a
secret key known only to the message originator and intended receiver(s).