Professional Fundamentals Certification (DCSA) Verified Questions with DoD Security Standards Alignment - 138 Questions
Section 1: General (Questions 1-138)
1 A defense contractor is initiating a new program requiring access to Top Secret information. Which of the
following foundational requirements, beyond basic personnel security clearances, is paramount for the facility to
be eligible to process and store such information, as stipulated by DCSA and DoD directives?
A) Establishment of an Insider Threat Program compliant with NISPOM Change 2 requirements, regardless of
classified contract value.
B) Implementation of a robust Physical Security Plan, including an alarm system certified to UL 2050 standards,
prior to facility clearance processing.
C) Designation of a Facility Security Officer (FSO) with at least five years of experience in industrial security.
D) Possession of a current Facility Clearance (FCL) at the Top Secret level, sponsored by the Government
Contracting Activity (GCA).
Answer: D
Rationale: To process and store classified information, especially at the Top Secret level, a facility must first possess
a Facility Clearance (FCL) commensurate with the highest level of classified information to be accessed. This FCL
is sponsored by the Government Contracting Activity (GCA) and is a prerequisite for all other security measures.
While other options are important, they are either subsequent requirements or not the foundational eligibility
criterion.
2 In the context of the National Industrial Security Program (NISP), a cleared defense contractor (CDC) discovers
a potential compromise of classified information. What immediate action is mandated by NISPOM, and to
which entity must this be reported first?
A) Conduct an internal investigation to determine the extent of the compromise, then report findings to the
Contracting Officer's Representative (COR).
B) Immediately notify the DCSA Industrial Security Representative (ISR) and initiate a comprehensive damage
assessment.
C) Secure the area of compromise, notify local law enforcement, and await instructions from the DCSA.
D) Report the incident to the appropriate Government Contracting Activity (GCA) Security Office within 24
hours, followed by DCSA notification.
Answer: B
Rationale: NISPOM mandates that any actual or suspected compromise of classified information must be
immediately reported to the DCSA Industrial Security Representative (ISR). The ISR will then provide guidance on
further actions, including damage assessment and investigation. Reporting to other entities first would be a
deviation from prescribed procedures.
3 A Cleared Defense Contractor (CDC) is preparing to host foreign national visitors for a classified discussion
under a valid Technology Control Plan (TCP). Which of the following is the most critical pre-visit security
requirement to ensure compliance with DoD and DCSA policies?
A) Verification that all foreign nationals possess valid visas and have undergone a background check by their
respective governments.
B) Confirmation that the visit has been approved by the Government Contracting Activity (GCA) and DCSA,
with a DCSA-approved Visitor Group Security Agreement (VGSA) in place if applicable.
C) Ensuring all discussion materials are clearly marked with appropriate classification levels and caveats, and
that a secure meeting space is prepared.
D) Briefing all participating U.S. personnel on foreign disclosure policies and potential counterintelligence
threats prior to the visit.
Answer: B
Rationale: For foreign national visits involving classified discussions, the paramount prerequisite is formal
approval from the GCA and DCSA. A DCSA-approved VGSA is often required, which sets out the specific
security protocols and limitations for the visit. The other options are important but are either subsequent steps or
general security practices that do not address the foreign national visit approval process itself.
4 An FSO is tasked with establishing an effective security education and awareness program for a workforce
handling Secret and Top Secret information. Which element is most indicative of a program that meets DCSA
standards for fostering a robust security culture, beyond mere compliance training?
A) Annual refresher training covering classification markings, insider threat indicators, and reporting procedures.
B) Integration of scenario-based exercises and interactive discussions on real-world security challenges,
emphasizing critical thinking and proactive threat identification.
C) Distribution of security posters and monthly newsletters highlighting recent security incidents and best
practices.
D) Mandatory sign-off by all employees acknowledging receipt and understanding of the company's security
policies.
Answer: B
Rationale: A robust security culture moves beyond passive compliance. Scenario-based exercises and interactive
discussions promote critical thinking, allow employees to apply security principles to novel situations, and
encourage proactive threat identification, which is a hallmark of an effective security education program that meets
DCSA expectations for fostering a true security culture.
5 A DCSA Industrial Security Representative (ISR) is conducting an annual security review at a cleared facility.
The ISR observes several discrepancies related to the handling of classified material. Which of the following
findings would most likely result in a 'Serious' or 'Critical' deficiency rating, requiring immediate corrective
action and potentially impacting the facility's FCL?
A) Several classified documents found in an unapproved container within a secure area, but still under
GSA-approved security container guidelines.
B) Failure to conduct monthly security checks on all security containers, as documented in the facility's Standard
Practice Procedures (SPP).
C) An unescorted uncleared cleaner observed briefly in a limited access area where classified processing occurs,
though no classified material was openly exposed.
D) A Top Secret document left unattended on a desk in an open office environment for a verifiable period,
accessible to uncleared personnel.
Answer: D
Rationale: Leaving a Top Secret document unattended in an open office accessible to uncleared personnel
constitutes a direct and egregious compromise of classified information, or a high probability thereof. This would
unequivocally be categorized as a 'Serious' or 'Critical' deficiency, demanding immediate and severe corrective
action, potentially impacting the FCL. The other options, while serious, represent lesser degrees of immediate
compromise or procedural non-compliance.
6 Regarding the secure transmission of classified information, a Cleared Defense Contractor (CDC) intends to
send Secret-level data to another cleared facility via an encrypted network. What is the primary
DCSA-mandated technical assurance required for this transmission method?
A) The use of a commercial encryption solution certified to FIPS 140-2 Level 1 or higher.
B) Employment of a DCSA-approved and accredited classified information system (CIS) operating within an
authorized network environment.
C) Verification that both sender and receiver possess valid Secret clearances and appropriate need-to-know.
D) Implementation of a Virtual Private Network (VPN) with multi-factor authentication for all users.
Answer: B
Rationale: For the electronic transmission of classified information, DCSA mandates the use of an approved and
accredited classified information system (CIS) operating within an authorized network environment. This ensures
that the system meets stringent DoD security requirements for confidentiality, integrity, and availability, going
beyond mere FIPS 140-2 certification or general VPN usage.
7 A Cleared Defense Contractor (CDC) is developing a new classified program. During the initial planning phase,
it is determined that a specific component will be developed by a subcontractor who currently only holds a
Secret FCL, but the component itself will require access to Top Secret information. What is the most appropriate
DCSA-compliant action for the prime contractor to take?
A) Proceed with the subcontract, but ensure all Top Secret information is downgraded to Secret before being
provided to the subcontractor.
B) Require the subcontractor to obtain a Top Secret FCL, initiating the sponsorship process through the prime
contractor's GCA.
C) Establish a secure compartmented information facility (SCIF) at the subcontractor's location, managed by the
prime contractor's FSO.
D) Implement a 'build-to-print' arrangement where the subcontractor manufactures the component without direct
access to the Top Secret design details.
Answer: B
Rationale: If a subcontractor requires access to Top Secret information, they must possess a Top Secret Facility
Clearance (FCL). The prime contractor, in conjunction with the GCA, would need to sponsor the subcontractor for
the upgrade of their FCL. Downgrading information is not always feasible or appropriate, and establishing a SCIF
does not negate the need for the appropriate FCL. 'Build-to-print' might be an option in some cases, but direct
access requires the appropriate clearance.
8 In the context of the NISPOM, what is the fundamental purpose of the Reporting Requirements for Cleared
Contractors, particularly concerning changes in company ownership or control?
A) To ensure continuous financial viability of the contractor to perform classified contracts.
B) To allow DCSA to re-evaluate the company's eligibility for continued access to classified information based
on foreign ownership, control, or influence (FOCI).
C) To update the contractor's profile in the DCSA's industrial security database for administrative purposes.
D) To facilitate the transfer of classified contracts from the previous entity to the new ownership without
interruption.
Answer: B
Rationale: Reporting changes in company ownership or control is critical for DCSA to assess potential Foreign
Ownership, Control, or Influence (FOCI). FOCI can pose a significant risk to national security by providing foreign
entities unauthorized access to classified information. DCSA must re-evaluate the FCL under new ownership to
ensure continued eligibility and mitigate FOCI risks.
9 A Cleared Defense Contractor (CDC) is performing a classified contract at a Government facility. Which entity
retains ultimate responsibility for safeguarding classified information, even when the CDC personnel are
operating under the direct supervision of Government personnel?
A) The Government Contracting Activity (GCA) Security Office.
B) The DCSA Industrial Security Representative (ISR) assigned to the Government facility.
C) The Facility Security Officer (FSO) of the prime contractor.
D) The individual Government security officer overseeing the CDC personnel.
Answer: A
Rationale: When classified work is performed at a Government facility, the Government Contracting Activity
(GCA) Security Office retains ultimate responsibility for the safeguarding of classified information. While the FSO
and individual security officers have responsibilities, the GCA bears the overarching accountability for security
within its domain, as per DoD and DCSA directives.
10 Consider a scenario where a Cleared Defense Contractor (CDC) is operating under a Special Security
Agreement (SSA) to mitigate Foreign Ownership, Control, or Influence (FOCI). Which of the following
committees or positions is explicitly required by DCSA for the SSA and plays a critical role in ensuring
compliance and safeguarding classified information?
A) A Corporate Governance Committee composed solely of independent directors.
B) A Government Security Committee (GSC) with a majority of U.S. citizen, FOCI-free members.
C) An Internal Audit Board responsible for reviewing classified program expenditures.
D) A Chief Compliance Officer reporting directly to the CEO and DCSA.
Answer: B
Rationale: For companies operating under an SSA to mitigate FOCI, the establishment of a Government Security
Committee (GSC) is a mandatory and critical requirement. The GSC, composed primarily of U.S. citizen,
FOCI-free members, oversees the company's compliance with the SSA and ensures the protection of classified
information, acting as a crucial interface with DCSA.
11 A Security Professional is reviewing an incident involving classified information disclosure. The investigation
indicates that a cleared individual, while authorized access, inadvertently discussed details of a Special Access
Program (SAP) in a public setting, believing the information to be unclassified due to its age and prior limited
dissemination. Which foundational security principle was primarily violated, and what is the most appropriate
initial administrative action?
A) Need-to-Know; Immediate suspension of all security clearances.
B) Compartmentation; Re-education on classification markings and SAP procedures.
C) Safeguarding; Revocation of SAP access and mandatory security refresher training.
D) Original Classification Authority (OCA) delegation; Formal reprimand and re-evaluation of clearance
eligibility.
Answer: B
Rationale: The violation centers on compartmentation: SAP information requires specific, formally granted access
and may be discussed only in approved settings, regardless of its age or the individual's perception of its general
classification. The individual failed to recognize the distinct protection level that SAP status imposes. Re-education
on classification markings and SAP procedures is the appropriate initial administrative action to correct this
misunderstanding.