Answers with Certified Solutions
Describe the purpose, intent, and security professional's role in each step of the Command Cyber
Readiness Inspections (CCRI) process ✔✔Defining the scope, the inspection phase,
documentation of observations, and reporting findings. A security professional would have
responsibilities in defining the scope of the inspection, overseeing the self-inspection and
remediation efforts, and coordinating with the CCRI team throughout the remainder of the
process
List two factors that should be considered when determining position sensitivity ✔✔(1) Level of
access to classified information (2) IT level needed (3) Duties associated with position
Explain the process for responding to a "spillage" ✔✔1. Detection (implied)
2. Notification and preliminary inquiry
3. Containment and continuity of operations
4. Formal inquiry
5. Resolution
6. Reporting
Explain how the adjudication process contributes to effective risk management of DoD assets
✔✔Determines whether an individual's loyalty, reliability, and trustworthiness are in the best interest of
national security
Explain why access control measures are contingent on Force Protection Conditions ✔✔The
Force Protection Conditions determine the amount of control measures needed to be taken in
response to various levels of threats against military facilities or installations.
Define the purpose and function of the militarily critical technologies list (MCTL) ✔✔Serves as
a technical reference for the development and implementation of DoD technology, security
policies on international transfers of defense-related goods, services, and technologies as
administered by the Director, Defense Technology Security Administration (DTSA).
Describe how authorization of Limited Access Authority impacts risk to DoD assets
✔✔Increases risk by allowing a foreign national access to classified information. Reduces risk
by ensuring Foreign Nationals with a unique or unusual skill set have been properly
investigated, adjudicated or vetted before being granted access to specific pieces of classified
information only.
List three different types of threats to classified information ✔✔(1) Insider threat
(2) Foreign Intelligence entities
(3) Cybersecurity Threat
What is the security professionals' role in pursuing and meeting cyber security goals? ✔✔The
role of the cyberspace workforce is to "secure, defend, and preserve data, networks, net-centric
capabilities, and other designated systems by ensuring appropriate security controls and
measures are in place, and taking internal defense actions" (DoDD 8140.01). Per DoDI 8500.01,
Cybersecurity (March 14, 2014), personnel occupying cybersecurity positions must be assigned
in writing and trained / qualified in accordance with their role.
Identify specific baseline administrative and/or physical security controls applicable to each
system categorization ✔✔Controls are identified by enumerating the common controls,
identifying those relevant to the categorization level as defined in NIST SP 800-53, potentially
tailored by the Authorizing Official, and overlays are applied based on the nature of the system.
List three (3) factors for determining whether US companies are under Foreign Ownership,
Control, or Influence (FOCI) ✔✔1. Record of economic and government espionage against the
US targets.
2. Record of enforcement/engagement in unauthorized technology transfer.
3. Type and sensitivity of the information that shall be accessed.