FITSP PRACTICE EXAM QUESTIONS AND
DETAILED SOLUTIONS 2026
▶ Who publishes Standards (if required) and Guidelines for OMB policies? Answer: NIST
▶ What agency is tasked with implementation, oversight and monitoring against established policies, standards, and guidelines? Answer: DHS
▶ What agency determines the FISMA metrics (as directed by OMB)? Answer: DHS
▶ What two types of documents does OMB publish? Answer:
-Circulars (A-###)
-Memoranda (M-FY-##)
▶ How long are OMB Circulars in effect? Answer: Two or more years (circulars have longer lives than memoranda).
▶ OMB Circular A-130, Managing Information as a Strategic Resource. Answer:
-Establishes policy for the management of Federal information resources
-Appendix III, Security of Federal Automated Information Resources
-Requires accreditation of Federal Information Systems to operate according to assessment of management, operational, and technical controls
▶ OMB Circular A-130 Section III. Answer: Applies government-wide and mandates security ASSESSMENTS & AUTHORIZATIONS every 3 years (unless continuous monitoring is in place)
▶ What metric-based reporting, which changes every year based on evolving threats and vulnerabilities, is required to be submitted to DHS, and at what frequency? Answer: CyberScope, which is submitted monthly
▶ Security Content Automation Protocol (SCAP). Answer: A suite of specifications used to standardize the communication of software flaws and security configurations.
▶ What are the main reference data sources for Security Content Automation Protocol (SCAP) (SP 800-126)? Answer:
-National Vulnerability Database
-Security Configuration Checklists
▶ Open Vulnerability and Assessment Language (OVAL). Answer: A language for specifying low-level testing procedures used by checklists.
▶ Open Checklist Interactive Language (OCIL). Answer: Language for expressing security checks that cannot be evaluated without some human interaction or feedback. (Think "Interactive": requires human intervention.)
▶ The Common Vulnerability Scoring System (CVSS), from NIST, is a. Answer: Specification for measuring the relative severity of software flaw vulnerabilities.
Scoring = Measuring
▶ The Common Vulnerabilities and Exposures (CVE) is a. Answer: Nomenclature and dictionary of security-related software flaws. (Acronym ends in E: it's a dictionary.)
▶ The Common Configuration Enumeration (CCE) is a. Answer: Nomenclature and dictionary of system security issues. (Acronym ends in E: it's a dictionary.)
▶ The Common Platform Enumeration (CPE) is a. Answer: Nomenclature and dictionary of product names and versions. (Acronym ends in E: it's a dictionary.)
▶ The Cryptographic Module Validation Program (CMVP). Answer: Promotes the use of validated cryptographic modules and provides Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules. It is a joint effort between the National Institute of Standards and Technology under the Department of Commerce and the Canadian Centre for Cyber Security.
▶ How do you know you can safely purchase a product from a vendor? Answer: By checking the Common Vulnerabilities and Exposures (CVE) and the Cryptographic Module Validation Program (CMVP), which utilize a common criteria certification process to provide product validation.
▶ The National Vulnerability Database (NVD) is. Answer: The U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
▶ M-02-01. Answer: Guidance for Preparing and Submitting Security Plans of Action and Milestones (POA&Ms)
▶ M-14-03, Enhancing the Security of Federal Information and Information Systems. Answer: Established continuous monitoring (REMOVED the 3-year authorization requirement IF CM is in place)
▶ M-11-11. Answer: Continued Implementation of Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors
▶ NIST Risk Management Framework (RMF). Answer: Prepare
Categorize
Select
Implement
Assess
Authorize
Monitor
Pretty cool system if anyone asks me
▶ What are the assessment methods defined by NIST? Answer: Test
Interview
Examine
▶ What are the Five Elements of the NIST Cybersecurity Framework?
Answer: Identify