✔✔Which of the following describes how audit logs support continuous monitoring? -
✔✔Security auditing is a fundamental activity in continuous monitoring in order to
determine what activities occurred and which user or process was responsible for them
on an information system.
✔✔Which of the following identifies how the Risk Management Framework (RMF)
supports risk management? - ✔✔The RMF process emphasizes continuous monitoring
and timely correction of deficiencies.
✔✔Select ALL the correct responses. Which of the following are key information
provided in a security audit trail analysis? - ✔✔A.) Unsuccessful accesses to
security-relevant objects and directories B.) Successful and unsuccessful logons/logoffs C.)
Denial of access for excessive logon attempts
✔✔Which of the following fundamental concepts does continuous monitoring support
that means DoD information technology is managed to minimize shared risk by ensuring
the security posture of one system is not undermined by vulnerabilities of
interconnected systems? - ✔✔Interoperability and operational reciprocity
✔✔Which of the following ensures that a process is in place for authorized users to
report all cybersecurity-related events and potential threats and vulnerabilities and
initiates protective or corrective measures when a cybersecurity incident or vulnerability
is discovered? - ✔✔Information System Security Officer
✔✔Which of the following are the initial steps for finding the Security Event Log on a
computer running Windows 7? - ✔✔Select Control Panel from the Windows Start menu
and then select the System and Security link
✔✔During which of the following Risk Management Framework steps does continuous
monitoring take place? - ✔✔Step 6, monitor the security controls
✔✔Which of the following describes the role of counterintelligence and cybersecurity in
identifying threats to DoD information systems? - ✔✔Counterintelligence and
cybersecurity personnel share and report unauthorized access attempts, denial of
service attacks, exfiltrated data, and other threats/vulnerabilities.
✔✔Given the information system continuous monitoring (ISCM) process, in which step
is security-related information required for metrics, assessments, and reporting
collected and, where possible, the collection, analysis, and reporting of data is
automated? - ✔✔Step 3: Implement an ISCM program
✔✔Which of the following configuration management controls supporting continuous
monitoring activities focuses on configuring the IS to provide only essential capabilities
to limit risk and to prevent unauthorized connection of devices, unauthorized transfer of
information, or unauthorized tunneling? - ✔✔Least Functionality
✔✔Select ALL the correct responses. Which of the following are requirements for audits
as outlined in the National Industrial Security Program Operating Manual (NISPOM)? -
✔✔A.) Audit trail contents must be protected against unauthorized access, modification,
or deletion. B.) Audit trail analysis and reporting of security events must be performed at
least weekly.
✔✔Which of the following describes how the patch management process integrates
with security-focused configuration management (SecCM)? - ✔✔The patch
management process integrates with SecCM when performing a Security Impact
Analysis to determine whether unanticipated effects from a patch resulted in a change
to existing security controls.
✔✔The patch management process integrates with SecCM when performing a Security
Impact Analysis to determine whether unanticipated effects from a patch resulted in a
change to existing security controls. - ✔✔Phase 4: Monitoring
✔✔Select ALL the correct responses. Which of the following are sources of information
system change that security-focused configuration management (SecCM) addresses to
mitigate risk? - ✔✔A.) New, enhanced, corrected, or updated hardware and software
capabilities. B.) Patches for correcting software flaws and other errors to existing
components.
✔✔Which of the following requires that an individual's actions on an information system be
auditable? - ✔✔National Industrial Security Program Operating Manual (NISPOM),
Chapter 8.
✔✔At what tier of the Risk Management Framework does continuous monitoring take
place? - ✔✔Tier 3 - the Information System level
✔✔Select ALL the correct responses. Which of the following describe how audit logs
support continuous monitoring? - ✔✔A.) Audit logs are essential in continuous
monitoring because they record system activity, application processes, and user
activity. B.) Audit logs are essential in continuous monitoring because they can be used
to detect security violations, performance problems, and flaws in applications.
✔✔Which of the following configuration management controls supporting continuous
monitoring activities focuses on physical and logical access controls, workflow
automation, media libraries, abstract layers, and change windows and supports auditing
of the enforcement actions? - ✔✔Access Restrictions for Change
✔✔Which of the following describes how the Information System Continuous Monitoring
(ISCM) strategy supports the Tier 1 ORGANIZATION approach to risk management? -
✔✔Tier 1 ISCM strategies focus on how the organization plans to assess, respond to,
and monitor risk as well as the oversight required to ensure that the risk management
strategy is effective.
✔✔Select ALL the correct responses. Which of the following are requirements for audits
as outlined in the National Industrial Security Program Operating Manual (NISPOM)? -
✔✔A.) Audit trail contents must be protected against unauthorized access, modification,
or deletion. B.) Audit records must address individual accountability with unique
identification and periodic testing of the security posture by the ISSO or ISSM.
✔✔Which of the following identifies how the Risk Management Framework (RMF)
supports risk management? - ✔✔The RMF process ensures traceability and
transparency across all levels of the organization.
✔✔Which of the following is a risk management role in continuous monitoring (CM)? -
✔✔Addressing risks from an information system and platform information technology
system perspective to ensure a process for analyzing threats and vulnerabilities is in
place, defining the impact, and identifying countermeasures.
✔✔Which of the following Event Viewer Logs provides an audit of a user's log-on events
and are classified as successful or failed attempts? - ✔✔Security event log
✔✔Which of the following describes how the patch management process integrates
with security-focused configuration management (SecCM)? - ✔✔The patch
management process integrates with SecCM when updating the baseline configuration
to the current patch level and then testing and approving patches as part of the
configuration change control process.
✔✔Which of the following describes the relationship between configuration
management controls and continuous monitoring? - ✔✔A well-defined configuration
management process that integrates continuous monitoring ensures that the required
adjustments to the system configuration do not adversely affect the security of the
information system.
✔✔Which of the following describes continuous monitoring capabilities for detecting
threats and mitigating vulnerabilities? - ✔✔Investigation into events of unauthorized
downloads or uploads of sensitive data; unexplained storage of encrypted data; and
unauthorized use of removable media or other transfer devices.
✔✔Which of the following describes how continuous monitoring supports interoperability,
operational resilience, and operational reciprocity? - ✔✔Continuous monitoring