FITSP CERTIFICATION EXAM QUESTIONS
AND VERIFIED ANSWERS 2026
▶ The Paperwork Reduction Act of 1980 granted.... Answer: OMB
responsibility for creating Policies, helping other agencies comply with
federal mandates. (think: Paper / Policies)
▶ Computer Fraud and Abuse Act of 1986 is..... Answer: Intended to
reduce cracking of computer systems and to address Federal computer
related offenses
▶ Computer Security Act of 1987. Answer: -Assigned NIST to create
security standards/guidelines
-Required security policies and security plans
-Mandated security training
-Superseded by FISMA (OMB (creates policies) and
DHS(enforces/implements)).
▶ The Clinger-Cohen Act (Information Technology Reform Act of 1996).....
Answer: -Implemented The Capital Planning Investment Control (CPIC) IT
budget planning process
-Granted the Director of OMB oversight of acquisitions
-Established CIO positions in every Federal department and agency
-Defined Federal Enterprise Architecture
-Requires annual reporting to Congress
(Think C's)
▶ The Cybersecurity Protection Act of 2014. Answer: Amends the
Homeland Security Act of 2002 to establish a national cybersecurity and
communications integration center in the Department of Homeland Security
(DHS) to carry out the responsibilities of the DHS Under Secretary
responsible for overseeing critical infrastructure protection, cybersecurity,
and related DHS programs.
,▶ The USA PATRIOT Act of 2001.... Answer: "Uniting and Strengthening
America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act"
-Amended the definition of electronic surveillance
-Created law enforcement initiatives to forestall and respond to threats
against the US
▶ The USA PATRIOT Act redefined money laundering to include. Answer:
-Making a financial transaction in the US to commit a crime
-Bribery of public officials and fraudulent use of public funds
-Smuggling or illegal export of controlled munitions
-Smuggling of any item controlled under export regulations
▶ Cyber Security Workforce Act requires agencies to.... Answer: -
Classify/identify cybersecurity positions
-Identify employees with cybersecurity training/certifications
▶ The NICE (National Initiative for Cyber Security Education) is.... Answer:
-Operated by NIST
-A partnership between government, academia, and the private sector
-Focused on cybersecurity education, training, and workforce development.
▶ Who sets policy and determines reporting frequency?. Answer: OMB
▶ Who publishes Standards(if required) and Guidelines for OMB policies?.
Answer: NIST
▶ What agency is tasked with implementation, oversight and monitoring
against established policies, standards, and guidelines?. Answer: DHS
▶ What agency determines the FISMA metrics (as directed by OMB)?.
Answer: DHS
▶ What two types of documents does OMB publish?. Answer: -Circulars
(A-###)
-Memorandum (M-FY-##)
▶ How long are OMB Circulars in effect?. Answer: Two or more years
(circulars have longer lives than memoranda).
, ▶ OMB Circular A-130, Managing Information as a Strategic Resource.
Answer: -Establishes policy for the management of Federal information
resources
-Appendix III, Security of Federal Automated Information Resources
-Requires accreditation of Federal Information Systems to operate
according to assessment of management, operational, and technical
controls
▶ OMB Circular A-130 Section III. Answer: Applies Government Wide and
mandates security ASSESSMENTS & AUTHORIZATIONS every 3 years
(unless continuous monitoring is in place)
▶ What metric based reporting, which changes every year based on
evolving threats and vulnerabilities, is required to be submitted to DHS and
at what frequency?. Answer: Cyberscope, which is submitted monthly
▶ Security Content Automation Protocol (SCAP). Answer: Is a suite of
specifications used to standardize the communication of software flaws and
security configurations.
▶ What are the main reference data sources for Security Content
Automation Protocol (SCAP) (SP 800-126)?. Answer: -National
Vulnerability Database
-Security Configuration Checklists
▶ Open Vulnerability and Assessment Language (OVAL). Answer: A
language for specifying low-level testing procedures used by checklists
▶ Open Checklist Interactive Language (OCIL). Answer: Language for
expressing security checks that cannot be evaluated without some human
interaction or feedback. (Think "Interactive" requires human intervention)
▶ The Common Vulnerability Scoring System (CVSS), from NIST, is a.
Answer: Specification for measuring the relative severity of software flaw
vulnerabilities.
Scoring = Measuring
▶ The Common Vulnerabilities and Exposures (CVE) is a. Answer:
Nomenclature and dictionary of security related software flaws. (acronym
ends in e, it's a dictionary)
AND VERIFIED ANSWERS 2026
▶ The Paperwork Reduction Act of 1980 granted.... Answer: OMB
responsibility for creating Policies, helping other agencies comply with
federal mandates. (think: Paper / Policies)
▶ Computer Fraud and Abuse Act of 1986 is..... Answer: Intended to
reduce cracking of computer systems and to address Federal computer
related offenses
▶ Computer Security Act of 1987. Answer: -Assigned NIST to create
security standards/guidelines
-Required security policies and security plans
-Mandated security training
-Superseded by FISMA (OMB (creates policies) and
DHS(enforces/implements)).
▶ The Clinger-Cohen Act (Information Technology Reform Act of 1996).....
Answer: -Implemented The Capital Planning Investment Control (CPIC) IT
budget planning process
-Granted the Director of OMB oversight of acquisitions
-Established CIO positions in every Federal department and agency
-Defined Federal Enterprise Architecture
-Requires annual reporting to Congress
(Think C's)
▶ The Cybersecurity Protection Act of 2014. Answer: Amends the
Homeland Security Act of 2002 to establish a national cybersecurity and
communications integration center in the Department of Homeland Security
(DHS) to carry out the responsibilities of the DHS Under Secretary
responsible for overseeing critical infrastructure protection, cybersecurity,
and related DHS programs.
,▶ The USA PATRIOT Act of 2001.... Answer: "Uniting and Strengthening
America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act"
-Amended the definition of electronic surveillance
-Created law enforcement initiatives to forestall and respond to threats
against the US
▶ The USA PATRIOT Act redefined money laundering to include. Answer:
-Making a financial transaction in the US to commit a crime
-Bribery of public officials and fraudulent use of public funds
-Smuggling or illegal export of controlled munitions
-Smuggling of any item controlled under export regulations
▶ Cyber Security Workforce Act requires agencies to.... Answer: -
Classify/identify cybersecurity positions
-Identify employees with cybersecurity training/certifications
▶ The NICE (National Initiative for Cyber Security Education) is.... Answer:
-Operated by NIST
-A partnership between government, academia, and the private sector
-Focused on cybersecurity education, training, and workforce development.
▶ Who sets policy and determines reporting frequency?. Answer: OMB
▶ Who publishes Standards(if required) and Guidelines for OMB policies?.
Answer: NIST
▶ What agency is tasked with implementation, oversight and monitoring
against established policies, standards, and guidelines?. Answer: DHS
▶ What agency determines the FISMA metrics (as directed by OMB)?.
Answer: DHS
▶ What two types of documents does OMB publish?. Answer: -Circulars
(A-###)
-Memorandum (M-FY-##)
▶ How long are OMB Circulars in effect?. Answer: Two or more years
(circulars have longer lives than memoranda).
, ▶ OMB Circular A-130, Managing Information as a Strategic Resource.
Answer: -Establishes policy for the management of Federal information
resources
-Appendix III, Security of Federal Automated Information Resources
-Requires accreditation of Federal Information Systems to operate
according to assessment of management, operational, and technical
controls
▶ OMB Circular A-130 Section III. Answer: Applies Government Wide and
mandates security ASSESSMENTS & AUTHORIZATIONS every 3 years
(unless continuous monitoring is in place)
▶ What metric based reporting, which changes every year based on
evolving threats and vulnerabilities, is required to be submitted to DHS and
at what frequency?. Answer: Cyberscope, which is submitted monthly
▶ Security Content Automation Protocol (SCAP). Answer: Is a suite of
specifications used to standardize the communication of software flaws and
security configurations.
▶ What are the main reference data sources for Security Content
Automation Protocol (SCAP) (SP 800-126)?. Answer: -National
Vulnerability Database
-Security Configuration Checklists
▶ Open Vulnerability and Assessment Language (OVAL). Answer: A
language for specifying low-level testing procedures used by checklists
▶ Open Checklist Interactive Language (OCIL). Answer: Language for
expressing security checks that cannot be evaluated without some human
interaction or feedback. (Think "Interactive" requires human intervention)
▶ The Common Vulnerability Scoring System (CVSS), from NIST, is a.
Answer: Specification for measuring the relative severity of software flaw
vulnerabilities.
Scoring = Measuring
▶ The Common Vulnerabilities and Exposures (CVE) is a. Answer:
Nomenclature and dictionary of security related software flaws. (acronym
ends in e, it's a dictionary)
