Latest Version: 6.0
Question: 1
Information developed from Federal Information Processing Standard (FIPS) 199 may be used as an input to which authorization package document?
Response:
A. Security assessment report (SAR)
B. System security plan (SSP)
C. Plan of actions and milestones (POA&M)
D. Authorization decision document
Answer: B
Question: 2
An effective continuous monitoring program can be used to
Response:
A. meet the Federal Information Processing Standard (FIPS) Publication 200 requirement for monthly risk assessments.
B. meet an organization’s requirement for periodic information assurance training of all computer users.
C. replace information system security audit logs.
D. support the Federal Information Security Management Act (FISMA) requirement for annual assessment of the security controls in information systems.
Answer: D
Question: 3
Which role has the supporting responsibility to coordinate changes to the system, assess the security impact and update the system security plan?
Response:
A. Information system security officer (ISSO)
B. Information system owner (ISO)
C. Common control provider
D. Senior agency information security officer
Answer: A
Question: 4
Why is security control volatility an important consideration in the development of a security control monitoring strategy?
Response:
A. It identifies needed security control monitoring exceptions.
B. It indicates a need for compensating controls.
C. It establishes priority for security control monitoring.
D. It provides justification for revisions to the configuration management and control plan.
Answer: C
Question: 5
When should the information system owner document the information system and authorization boundary description in the security plan?
Response:
A. After security controls are implemented
B. While assembling the authorization package
C. After security categorization
D. When reviewing the security control assessment plan
Answer: C
Question: 6
An organization’s information systems are a mix of Windows and UNIX systems located in a single computer room. Access to the computer room is restricted by the use of door locks that require proximity cards and personal identification numbers (PINs). Only a small percentage of the organization’s employees have access to the computer room. The computer room access restriction is an example of what type of security control relative to the hardware in the computer room?
Response:
A. Managerial
B. System specific
C. Technical
D. Inherited
Answer: D
Question: 7
When attempting to categorize a system, which two Risk Management Framework (RMF) starting point inputs should be accounted for?
Response:
A. Federal laws and organizational policies
B. Federal laws and Office of Management and Budget (OMB) policies
C. Federal Information Security Management Act (FISMA) and the Privacy Act
D. Architectural descriptions and organizational inputs
Answer: D
Question: 8
An information system's boundary definition resides with whom?
Response:
A. The Information System Owner, who must be careful to consult with authorizing officials (AO), the CIO, CISO, and the risk executive (function).
B. The Information System Owner, who must be careless to consult with authorizing officials (AO), the CIO, CISO, and the risk executive (function).
C. The Information System Owner, who must be careful to consult with authorizing officials (AO), the CIO, CISO, and the risk executive (function).
D. The Information System Owner, who must be careful to consult with authorizing officials (AO), the CIO, CISO, and the safe executive (function).
Answer: A
Question: 9
Which of the following statements correctly describes DIACAP residual risk?
Response:
A. It is the remaining risk to the information system after risk palliation has occurred.
B. It is a process of security authorization.
C. It is the technical implementation of the security design.
D. It is used to validate the information system.
Answer: A
Question: 10
According to the Risk Management Framework (RMF), which role has a primary responsibility to report the security status of the information system to the authorizing official (AO) and other appropriate organizational officials on an ongoing basis in accordance with the monitoring strategy?
Response:
A. Information system security officer (ISSO)
B. Common control provider
C. Independent assessor
D. Senior information assurance officer (SIAO)
Answer: B
