(ISC)2 CAP EXAM 2025 WITH 100%
CORRECT ANSWERS
What is included in the Plan of Action and Milestones (POA&M) that is presented to the
Authorizing Official (AO) as part of the initial authorization package?
A. All items identified throughout the Risk Management Framework (RMF) process
B. Only volatile findings that require prioritization in remediation
C. Deficiencies that have not yet been remediated and verified throughout the Risk
Management Framework (RMF) process
D. Only findings that have been evaluated as moderate or high - CORRECT
ANSWER✔✔Deficiencies that have not yet been remediated and verified throughout the Risk
Management Framework (RMF) process
What are the steps of a risk assessment?
A. Prepare, Conduct, Communicate, Maintain
B. Prepare, Conduct , Communicate
C. Prepare ,Communicate, Conduct
D. Prepare, Communicate ,Maintain, Conduct - CORRECT ANSWER✔✔Prepare, Conduct,
Communicate, Maintain
Which of the following cannot be delegated by the Authorizing Official (AO)?
A. Certificate resources
B. Authorization decision
C. Acceptance of Security Plan (SP)
D. Determination of risk to agency operations - CORRECT ANSWER✔✔Authorization decision
,Configuring an Information System (IS) to prohibit the use of unused ports and protocols
A. Helps provide least privilege
B. Helps provide least functionality
C. Streamlines the functionality of the system
D. Violates configuration management best practices - CORRECT ANSWER✔✔Helps provide
least functionality
The Authorization boundary of a system undergoing assessment includes
A. The information System (IS) components to be authorized for operation.
B. The information (IS) components to be authorized for operation and any outside system it
connects to.
C. Any components or systems the Information Owner (IO) states should be included in the
assessment
D. Any components found within the given Internet Protocol (IP) range - CORRECT
ANSWER✔✔A. The information System (IS) components to be authorized for operation.
Which of the following BEST describes a government -wide standard for security Assessment
and Authorization (A&A), and continuous monitoring for cloud products and services, which is
mandatory for federal agencies and Cloud Services Providers (CSP)?
A. Federal Risk and Authorization Management Program ( FedRAMP)
B. National Institute of Standards and Technology (NIST)
C. Federal Information Technology Acquisition Reform ACT (FITARA)
D. National Cyber Security Program (NCSP) - CORRECT ANSWER✔✔A. Federal Risk and
Authorization Management Program ( FedRAMP)
All Federal agencies are required by federal law to conduct which of the following activities?
,A. Protect Information Systems (IS) used or operated by a contractor of an agency or other
organization on behalf of an agency.
B. Coordinate with the National Institutes of Standards and Technologies (NIST) to develop
binding operational directives.
C. Report the effectiveness of information security policies and practices to the Office of
Personnel Management ( OPM)
D. Monitor the implementation of information security policies and practices of other agencies
to ensure compliance. - CORRECT ANSWER✔✔A. Protect Information Systems (IS) used or
operated by a contractor of an agency or other organization on behalf of an agency.
What is the PRIMWhat is the PRIMARY goal of an Information Security Continuous Monitoring
(ISCM) strategy?ARY goal of an Information Security Continuous Monitoring (ISCM) strategy?
A. Create expedited assessment process for cost savings.
B. Maintain visibility of an organization's high-cost controls.
C. Support organization risk management decisions.
D. Assess the organizational tiers - CORRECT ANSWER✔✔C. Support organization risk
management decisions.
An organization is developing a risk assessment for a newly installed Information System (IS) to
determine the best configuration or a supporting Information Technology (IT) product. Which of
the following specific factors is often overlooked in this analysis?
A. Exposure of interconnections to organizational core mission functions
B. Effectiveness of inherited security controls
C. Cost benefits that can be gained from a broad-based security implementation
D. Implementation of stove-piped activities that enhance security solutions - CORRECT
ANSWER✔✔B. Effectiveness of inherited security controls
, If an assessment of a common control determines that it is not effective, what documentation is
required?
A. Letter describing findings sent to system owners using the common control
B. Security Plan (SP) addendum for each system using the common control
C. Plan of Action and Milestones (POA&M)
D. Continuous monitoring plan - CORRECT ANSWER✔✔C. Plan of Action and Milestones
(POA&M)
As part of an annual Federal Information Security Management Act (FISMA) compliance audit,
the inspector general security program review has identified vulnerabilities to an Information
System (IS) in an operational division, which of the following activities is the MOST likely to
occur?
A. Update the Plan of Action and Milestones (POA&M)
B. Perform additional security scans of systems
C. Update the Security Plan (SP) immediately
D. D. Revoke the Authorization to Operate (ATO) - CORRECT ANSWER✔✔A. Update the Plan of
Action and Milestones (POA&M)
Which of the following documents provides a functional description of the Information System's
(IS) control implementation?
A. Security and Privacy assessment reports
B. Security and Privacy Plans
C. Plans of Action and Milestones (POA&M)
D. Risk Assessment Report ( RAR) - CORRECT ANSWER✔✔Security and Privacy Plans
CORRECT ANSWERS
What is included in the Plan of Action and Milestones (POA&M) that is presented to the
Authorizing Official (AO) as part of the initial authorization package?
A. All items identified throughout the Risk Management Framework (RMF) process
B. Only volatile findings that require prioritization in remediation
C. Deficiencies that have not yet been remediated and verified throughout the Risk
Management Framework (RMF) process
D. Only findings that have been evaluated as moderate or high - CORRECT
ANSWER✔✔Deficiencies that have not yet been remediated and verified throughout the Risk
Management Framework (RMF) process
What are the steps of a risk assessment?
A. Prepare, Conduct, Communicate, Maintain
B. Prepare, Conduct , Communicate
C. Prepare ,Communicate, Conduct
D. Prepare, Communicate ,Maintain, Conduct - CORRECT ANSWER✔✔Prepare, Conduct,
Communicate, Maintain
Which of the following cannot be delegated by the Authorizing Official (AO)?
A. Certificate resources
B. Authorization decision
C. Acceptance of Security Plan (SP)
D. Determination of risk to agency operations - CORRECT ANSWER✔✔Authorization decision
,Configuring an Information System (IS) to prohibit the use of unused ports and protocols
A. Helps provide least privilege
B. Helps provide least functionality
C. Streamlines the functionality of the system
D. Violates configuration management best practices - CORRECT ANSWER✔✔Helps provide
least functionality
The Authorization boundary of a system undergoing assessment includes
A. The information System (IS) components to be authorized for operation.
B. The information (IS) components to be authorized for operation and any outside system it
connects to.
C. Any components or systems the Information Owner (IO) states should be included in the
assessment
D. Any components found within the given Internet Protocol (IP) range - CORRECT
ANSWER✔✔A. The information System (IS) components to be authorized for operation.
Which of the following BEST describes a government -wide standard for security Assessment
and Authorization (A&A), and continuous monitoring for cloud products and services, which is
mandatory for federal agencies and Cloud Services Providers (CSP)?
A. Federal Risk and Authorization Management Program ( FedRAMP)
B. National Institute of Standards and Technology (NIST)
C. Federal Information Technology Acquisition Reform ACT (FITARA)
D. National Cyber Security Program (NCSP) - CORRECT ANSWER✔✔A. Federal Risk and
Authorization Management Program ( FedRAMP)
All Federal agencies are required by federal law to conduct which of the following activities?
,A. Protect Information Systems (IS) used or operated by a contractor of an agency or other
organization on behalf of an agency.
B. Coordinate with the National Institutes of Standards and Technologies (NIST) to develop
binding operational directives.
C. Report the effectiveness of information security policies and practices to the Office of
Personnel Management ( OPM)
D. Monitor the implementation of information security policies and practices of other agencies
to ensure compliance. - CORRECT ANSWER✔✔A. Protect Information Systems (IS) used or
operated by a contractor of an agency or other organization on behalf of an agency.
What is the PRIMWhat is the PRIMARY goal of an Information Security Continuous Monitoring
(ISCM) strategy?ARY goal of an Information Security Continuous Monitoring (ISCM) strategy?
A. Create expedited assessment process for cost savings.
B. Maintain visibility of an organization's high-cost controls.
C. Support organization risk management decisions.
D. Assess the organizational tiers - CORRECT ANSWER✔✔C. Support organization risk
management decisions.
An organization is developing a risk assessment for a newly installed Information System (IS) to
determine the best configuration or a supporting Information Technology (IT) product. Which of
the following specific factors is often overlooked in this analysis?
A. Exposure of interconnections to organizational core mission functions
B. Effectiveness of inherited security controls
C. Cost benefits that can be gained from a broad-based security implementation
D. Implementation of stove-piped activities that enhance security solutions - CORRECT
ANSWER✔✔B. Effectiveness of inherited security controls
, If an assessment of a common control determines that it is not effective, what documentation is
required?
A. Letter describing findings sent to system owners using the common control
B. Security Plan (SP) addendum for each system using the common control
C. Plan of Action and Milestones (POA&M)
D. Continuous monitoring plan - CORRECT ANSWER✔✔C. Plan of Action and Milestones
(POA&M)
As part of an annual Federal Information Security Management Act (FISMA) compliance audit,
the inspector general security program review has identified vulnerabilities to an Information
System (IS) in an operational division, which of the following activities is the MOST likely to
occur?
A. Update the Plan of Action and Milestones (POA&M)
B. Perform additional security scans of systems
C. Update the Security Plan (SP) immediately
D. D. Revoke the Authorization to Operate (ATO) - CORRECT ANSWER✔✔A. Update the Plan of
Action and Milestones (POA&M)
Which of the following documents provides a functional description of the Information System's
(IS) control implementation?
A. Security and Privacy assessment reports
B. Security and Privacy Plans
C. Plans of Action and Milestones (POA&M)
D. Risk Assessment Report ( RAR) - CORRECT ANSWER✔✔Security and Privacy Plans
