FITSI Manager Federal IT Security
Institute Exam Questions and Answers
Graded A+
Primary NIST RMF Documents - Correct answer-800-30, 800-37, 800-39, 800-53, 800-53A
RMF Tier 1 Risks - Correct answer-(Organizational) Strategic, Governance, Methodologies, Risk Tolerance
RMF Tier 2 Risks - Correct answer-(Mission/Business Perspective) Enterprise Architecture, Defining Core Missions, Subordinate Organization limits
RMF Tier 3 Risks - Correct answer-(Information System) Security Controls
CISO - Correct answer-Chief Information Security Officer
CCE - Correct answer-Common Configuration Enumeration
CPE - Correct answer-Common Platform Enumeration
CWE - Correct answer-Common Weakness Enumeration
CVSS - Correct answer-Common Vulnerability Scoring System
©COPYRIGHT 2025, ALL RIGHTS RESERVED 1
XCCDF - Correct answer-Extensible Configuration Checklist Description Format
OVAL - Correct answer-Open Vulnerability Assessment Language
OCIL - Correct answer-Open Checklist Interactive Language
NVD - Correct answer-National Vulnerability Database
CVE - Correct answer-Common Vulnerabilities and Exposures
E-Authentication Levels - Correct answer-Level 1: no identity proofing requirement
Level 2: single factor remote authentication
Level 3: multi-factor remote authentication
Level 4: multi-factor remote authentication; hard crypto tokens
FISMA - Correct answer-FISMA 2002 - Federal Information Security Management Act; FISMA 2014 - Federal Information Security Modernization Act
CNSS - Correct answer-Committee on National Security Systems: guides, assesses, approves and oversees mitigating actions for national security systems
NISTIR - Correct answer-NIST Interagency/Internal Report - Irregularly published on special topics, transitory or limited interest items
Information System Boundaries - Correct answer-- Establish scope of protection for systems
- Established in coordination w/ security categorization process, before developing security plans
CCA - Correct answer-Clinger Cohen Act of 1996 aka Information Technology Management Reform Act
- CIOs for all agencies
- CPIC/Capital Planning Investment Controls for IT $
- OMB oversight of IT $
- Enterprise Architecture
SP 800-37 Rev 2 - Correct answer-NIST SP 800-37 Rev 2 Risk Management Framework for Information Systems and Organizations
- Common information security framework
- Shift from A&A to Risk Management Framework
PPD-21 - Correct answer-PPD-21 - Critical Infrastructure Security & Resilience
- Supersedes HSPD-7
HSPD-20 - Correct answer-HSPD-20