Which one of the following roles is responsible for testing the non-technical controls in an information system? - correct answers Security Control Assessor
Which reference provides detailed guidance on risk mitigation for the State Department? - correct answers SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
Which of the following roles has the responsibility to ensure that the enterprise architecture supports the mission and business processes? - correct answers Information Security Architect
During which step of the Risk Management Framework (RMF) does the Information System Owner register the information system? - correct answers Categorize Information System
Who signs the authorization decision letter? - correct answers Authorizing Official
Who develops and maintains information security policies, procedures, and control techniques to address all applicable requirements? - correct answers Chief Information Officer
A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source is the definition of which key term? - correct answers Vulnerability
Who procures, develops, integrates, or modifies an information system? - correct answers Information System Owner
Who has the responsibility to prepare the plan of action and milestones based on the findings and recommendations of the security assessment report? - correct answers Common Control Provider
You have just completed the Risk Assessment defined by NIST SP 800-30. What reference identifies the risk management strategy alternatives that can be applied to the information system? - correct answers NIST SP 800-53
In which phase of the NIST SP 800-30 process does one produce the first full Risk Assessment Report (RAR)? - correct answers Step 2
Which step of the NIST SP 800-30 process would most likely identify the CVE database as a risk assessment information source? - correct answers Step 2
Organizations should view assessments as an information gathering activity, not as a security producing activity. In accordance with NIST SP 800-53A, security control assessments create the following benefits: identify potential problems or shortfalls in the organization's implementation of the NIST Risk Management Framework; support budgetary decisions and capital investment processes; and: - correct answers Support information system authorization decisions.
What is the last step in the Risk Assessment process model called? - correct answers Maintain
When using NIST SP 800-53A, during which SDLC phases are security assessments used to increase confidence or assurance that the security controls are working correctly for a system? - correct answers Development, Implementation, and Operations and Maintenance
Which of these is a valid response to address risk? - correct answers Accept the risk to the system