Completing this exam is mandatory as part of your overall course completion and receiving your certificate. Completing this exam is what is important, even if you do not pass. However, 80% is considered a passing grade. Remember, you can only retake this Exam once. Upon completion, please remember to take a screenshot of your results page and upload it in the final section: COURSE COMPLETION CONFIRMATION UPLOAD. Good luck!
0 of 127 questions completed
You have already completed the quiz before. Hence you can not start it again.
Quiz is loading…
You must sign in or sign up to start the quiz.
You must first complete the following:
0 of 127 questions answered correctly
Time has elapsed
You have reached 0 of 0 point(s), (0)
Earned Point(s): 0 of 0, (0)
0 Essay(s) Pending (Possible Point(s): 0)
Thank you for Completing this sample Exam. Please remember to take a screenshot of your results page and upload it in the final section: COURSE COMPLETION CONFIRMATION UPLOAD.
Q16. In order to receive an Authorization to Operate (ATO), the Plan of Action and Milestones (POA&M) MUST
Q32. If the protection offered by a common control proves to be unacceptable or insufficient, how would the problem be corrected?
Q66. Common security controls are those that apply to one or more of which of the following?
Q82. The Chief Information Officer (CIO) is establishing a policy of monthly assessment for access controls. What is the BEST corresponding action the system security officer should complete?
Q99. The security category of information 1 is determined to be:
Security Category Information type = (Confidentiality, NOT APPLICABLE), (integrity, MODERATE), (availability, LOW)
And the security category of information 2 is determined to be:
Security Category Information type = (Confidentiality, LOW), (integrity, LOW), (availability, HIGH)
What is the security category for the Information System (IS)
Q116. Which of the following BEST determines the level of details required when describing the Information System (IS)?
Q134. FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?
Q17. Which of the following documents is updated when a vulnerability is discovered during continuous monitoring?
Q33. Which of the following phases is identified as one of the four Incident Response (IR) phases?
Q50. What is the MOST important reason for developing a continuous monitoring strategy?
A. To maintain an up-to-date Configuration Management Plan
B. To conduct a point-in-time assessment to demonstrate due diligence and compliance
C. To determine if the deployed security controls continue to be effective over time
D. To validate an Interconnection Service Agreement (ISA)
Q67. At which point in the Risk Management Framework (RMF) process is a system analyzed for changes that impact the security and privacy posture of the system?
Q83. When a system contains Personally Identifiable Information (PII) what additional action MUST be performed related to the specific system?
Q100. Which of the following BEST defines the purpose of the security assessment?
Q117. What is a key component of the initial security and privacy assessment reports?
Q136. System Authorization is the risk management process. System Authorization Plan (SAP) is a comprehensive and uniform approach to the System Authorization Process.
What are the different phases of the System Authorization Plan?
Each correct answer represents a part of the solution. Choose all that apply.
Q127. The Information System Security Officer (ISSO) and Information System Security Engineer (ISSE) play the role of a supporter and advisor, respectively. Which of the following statements are true about ISSO and ISSE?
Each correct answer represents a complete solution. Choose all that apply.
Q18. The process of uniquely assigning information resources to an Information System (IS) defines the
Q34. What document is based on the findings and recommendations of the assessment report?
Q51. The determination of risk for a particular threat/vulnerability pair include assessment of the
Q68. Security controls that are shared throughout an organization’s enterprise require
Q84. Which role has the PRIMARY responsibility for the documentation of control implementation?
Q101. Which role does an System Owner (SO) coordinate inherited controls implemented with?
Q118. An organization should consider which elements when selecting an assessment team?
Q1. What is included in the Plan of Action and Milestones (POA&M) that is presented in the Authorizing Official (AO) as part of the initial authorization package?
Q19. The PRIMARY benefit of documenting the control implementation is that it
Q35. Which of the following is the BEST approach to authorizing operations of complex systems?
Q52. Organizations consider which of the following factors when selecting security or privacy control assessors?
Q70. Determining the level of acceptable risk associated with the operation of an Information System (IS), organization shall give
Q86. An organization-wide approach to identifying common controls early in the Risk Management Framework (RMF) process does which of the following?
Q102. A Security Control Assessment (SCA) was completed over two years ago, but the surrounding environment has changed. What, if anything, should the assessment team do with the previous results?
Q119. What is a consequence of an authorization boundary that is too expensive?
Q2. What are the steps of a risk assessment?
Q20. What is used by System Owners (SO) to establish a disciplined and structured process to monitor the residual risk in the Information System (IS)?
Q36. What should be included in a functional description of security control implementation?
Q53. Overlays can be implemented as part of control tailoring after the completion of what process?
Q71. What factor MUST be analyzed during risk determination activities?
Q87. From an organizational viewpoint, what effect does the designation of some security controls as common controls have?
Q103. The Authorizing Official (AO) issues an Authorization decision for an information system after
Q120. Which of the following are acceptable assessment methods for a control assessment?
Q3. Which of the following cannot be delegated by the Authorizing Official (AO)?
Q21. In the security and privacy assessment reports, the control assessor identified some weaknesses and proposed initial remediation actions. Based on the identified weaknesses, it is determined that certain findings are inconsequential and present no threat to the organization. Who is PRIMARILY responsible for determining the initial risk response?
Q38. What can an organization choose to eliminate the authorization termination data?
Q54. Security controls are designed to be technology and implementation
Q72. The Least Privilege security control is a member of which control family?
Q88. What does a finding of “other than satisfied” reflect in an assessment report?
Q104. When documenting how system-specific and hybrid security controls are implemented, an organization takes into account
Q121. Which security control baseline does not require an independent assessment of security controls, as part of continuous monitoring?
Q4. Configuring an Information System (IS) to prohibit the use of unused ports and protocols
Q22. When addressing Configuration Management (CM), why is it MOST important to document the proposed changes?
Q39. Which of the following is the principal vehicle used to verify that Information Systems (IS) are meeting their stated security goals and objectives?
Q55. When monitoring controls, changes to the system should be
Q73. Which process guides the selection of security controls to ensure adequate security commensurate with the risk of the organization?
Q89. What is considered when establishing a system authorization boundary?
Q105. Which process must be conducted during security categorization?
Q122. Which process follows the selection of the initial baseline security controls?
Q5. The Authorization boundary of a system undergoing assessment includes
Q23. What is a KEY consideration when selecting a media sanitization method of destruction tool when decommissioning an Information System (IS)?
Q40. When should a Plan of Action and Milestones (POA&M) be updated?
Q56. Which of the following is a key step in the overall Contingency planning process?
Q74. Which of the following is an essential element when an organization updates its authorization package documents?
Q90. Which organizational reference can an Information Systems Security Officer (ISSO) use to help prioritize the remediation of a vulnerability found during a weekly vulnerability scan?
Q106. When determining the likelihood of a threat-source exploiting a system vulnerability, one MUST consider which of the following?
Q123. A minor application is being added to an existing accredited distributed system. This application does not require any additional security functionality other than that provided by the distributed system. Which of the following actions is taken?
Q6. Which of the following BEST describes a government-wide standard for security Assessment and Authorization (A&A) and continuous monitoring for cloud products, which is mandatory for federal agencies and Cloud Service Providers (CSP)?
Q24. The potential impact value “not applicable” applies to which of the following security objectives
Q41. In determining residual risk, an organization considers impact on which of the following?
Q57. Subsystems are considered part of a larger system provided that they are
Q75. When implementing a control on wireless access, the organization MUST do which of the following?
Q91. What consideration leads to a less frequent assessment and monitoring activity?
Q107. Security Content Automation Protocol (SCAP) is a method for which of the following?
Q124. Which of the following documents tracks an Information System’s (IS) remediation actions?
Q7. All Federal agencies are required by law to conduct which of the following activities?
Q25. The new Authorizing Official (AO) is reviewing all moderate and high systems to determine formal authorization action is needed for any of the systems. Which of the following documents BEST facilities this process?
Q42. Which of the following MUST be done when a federal Information System (IS) is removed from service?
Q58. Residual risk can be categorized as risk
Q77. Which of the following is an example of the test assessment method?
Q92. Which of the following is the mutual agreement among participating organizations to accept one another’s security assessments in order to reuse system resources or to accept each other’s assessed security posture in order to share information?
Q108. Common controls protecting multiple organizational Information Systems (IS) of different levels are implemented at the which impact level?
Q125. Which of the following professionals plays the role of a monitor and takes part in the organization’s configuration management process?
Q8. What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy?
Q26. The baseline configuration of an information system should be consistent with the
Q43. Which will an Authorizing Official (AO) find implementation details for a control?
Q60. The Authorizing Official may accept authorization recommendations based on
Q78. Which of the following is TRUE when applying the Risk Management Framework (RMF) steps and associated tasks to existing systems?
Q93. What is essential when documenting the implementation of security controls?
Q109. What are the classifications of the system level security controls?
Q126. The Chief Information Officer (CIO), or Information Technology (IT) director, is a job title commonly given to the most senior executive in an enterprise. What are the responsibilities of a Chief Information Officer?
Each correct answer represents a complete solution. Choose all that apply.
Q9. An organization is developing a risk assessment for a newly installed Information System (IS) to determine the best configuration or a supporting Information Technology (IT) product. Which of the following specific factors is often overlooked in this analysis?
Q27. When implementing the organizational disposal process, what factors are considered when making a final decision about sanitization of media?
Q44. The compliance schedules for National Institutes of Standards and Technology (NIST) security standards and guidelines are established by the
Q61. The final Security Assessment Report (SAR) should contain which of the following
Q79. The organizational and system monitoring strategies identifies
Q94. What activity MUST be completed before the System Owner (SO) considers the minimum security requirement of the system?
Q110. An Information System (IS) has the following Security Categories (SC) for each information type:
SC public information = (confidentiality, NA), (integrity, HIGH), (availability, LOW)
SC investigation information = (confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)
SC administrative = (confidentiality, NA), (integrity, LOW), (availability, LOW
What is the overall IS security category for confidentiality?
Q128. Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?
Q10. If an assessment of a common control determines that it is not effective, what documentation is required?
Q28. In establishing the rules of behavior for a system, which of the following is necessary?
Q45. An organization’s Information System (IS) is categorized as a high-impact system.
The organization’s architecture does NOT support wireless connectivity. The initial
security control baseline requires the organization to implement AC-18: wireless access.
What process can the organization implement to eliminate this unnecessary control?
Q62. Which of the following triggers a Security Plan (SP) update?
Q80. An effective continuous monitoring strategy includes which of the following?
Q95. During the assessment of a new system, the System Owner (SO) mentioned that if unauthorized modification or destruction of medical information in the system occurred, it could result in potential loss of life because the system is the authoritative source of information about patient healthcare records including current and previous medications and ongoing medical procedures. Which of the following is the BEST Security categorization (SC) for the information type?
Q111. The functional description of the control implementation includes
Q129. Which of the following assessment methodologies defines a six-step technical security evaluation?
Q11. As part of an annual Federal Information Security Management Act (FISMA) compliance audit the inspector general security program review has identified vulnerabilities to an Information System (IS) in an operational division, which of the following activities is the MOST likely to occur?
Q 29. Which of the following BEST describes the objective of the Security Assessment Plan (SAP)?
Q46. Which of the following roles within the organization is responsible for clearly defining the impact level of the information the system processes?
Q63. When a security control selected for a system cannot be applied,
Q69. A key part of the risk decision process is the recognition that, regardless of the risk response there typically remains a degree of residual risk. On what basis does an organization determine the acceptable degrees of residual risk?
Q96. One of the primary goals in conducting analysis of the test results from a scan during Security Control Assessment (SCA) is to
Q112. During which phase of the System Development Life Cycle (SDLC) of an existing system does the system owner conduct remediation action based on the results of ongoing monitoring activities, assessment of risk, and outstanding items in the Plan of Action and Milestones (POA&M)?
Q130. DIACAP applies to the acquisition, operation, and sustainment of an DoD system that collects, stores, transmits, or processes unclassified or classified information since December 1997. What phases are identified by DIACAP?
Each answer represents a complete solution. Choose all that apply.
Q12. Which of the following documents provides a function description of the Information System (IS) control implementation?
Q30. An Information System (IS) is registered with appropriate program/management offices in order to
Q47. Who has the authority to divide a complex system in order to establish realistic security authorization boundaries?
Q64. What is the MOST appropriate action to take after weaknesses or deficiencies in controls are corrected?
Q76. Organization A has merged with another similar organization, organization B, and has expanded the data center operations to include Information Technology (IT) assets from both locations. What is the BEST reason for requiring an updated risk assessments?
Q97. Regardless of the task ordering, what is the last step before an Information System (IS) is placed into operation?
Q113. While conducting an internal control review of a high impact system’s technical controls, the information System Security Officer (ISSO) notes that system’s audit logs are collecting only user login time. This is a violation of which of the following?
Q131. Mark works as a Network Administrator for NetTech Inc. He wants users to access only those resources that are required for them. Which of the following access control
models will he use?
Q13: Which is the likelihood that security controls with a low level of volatility will change?
Q31. For a new system, the controls are selected and the security and privacy plans are written during which System Development Life Cycle (SDLC) phase?
Q48. Which document in support of the authorization package defines the well-defined set of security and privacy controls?
Q65. The assessment effort for effective incident handling MUST include the determination that an organization
Q81. Which of the following includes the resource required for mitigation?
Q98. Who is responsible for accepting the risk when a system undergoes a significant change?
Q114. What is the PRIMARY goal for establishing Information System (IS) boundaries?
Q133. James works as an IT systems personnel in SoftTech Inc. He performs the following tasks: Runs regular backups and routine tests of the validity of the backup data. Performs data restoration from the backups whenever required. Maintains the retained records in accordance with the established information classification policy.
What is the role played by James in the organization?