FITSP-M

Question 1

SP 800-30, rev 1

Answer 1

Conducting Risk Assessments

Question 2

SP 800-34

Answer 2

Contingency Planning Guide for Federal IT Systems

Question 3

SP 800-37, rev 2

Answer 3

Applying RMF

Question 4

SP 800-39

Answer 4

Managing Information Security Risk

Question 5

SP 800-40 rev 3

Answer 5

Patch and Vulnerability Management Program

Question 6

SP 800-41 rev 1

Answer 6

Firewalls and Firewall Policy

Question 7

SP 800-45 rev 2

Answer 7

Guidelines on e-mail security

Question 8

SP 800-47

Answer 8

Interconnecting IT systems

Question 9

SP 800-50

Answer 9

IT Security Awareness and Training Program

Question 10

SP 800-53, rev 4

Answer 10

Security Controls for Federal IT Systems

Question 11

SP 800-53A, rev 4

Answer 11

Assessing Security Controls

Question 12

SP 800-55, rev 1

Answer 12

Performance Measurement Guide for Information Systems

Question 13

SP 800-60

Answer 13

Mapping Information types to Security Categories

Question 14

SP 800-61, rev 2

Answer 14

Computer Security Incident Handling Guide

Question 15

SP 800-66, rev 1

Answer 15

HIPAA

Question 16

SP 800-70, rev 2

Answer 16

National Checklist Program

Question 17

SP 800-83

Answer 17

Malware Incident Prevention and Handling

Question 18

SP 800-92

Answer 18

Computer Security Log Management

Question 19

SP 800-94

Answer 19

IDS/IPS (IDPS)

Question 20

SP 800-100

Answer 20

Information Security Handbook: Managers

Question 21

SP 800-115

Answer 21

Technical Guide Information Security Testing and Assessments

Question 22

SP 800-122

Answer 22

Guide to Protecting Confidentiality of PII

Question 23

SP 800-128

Answer 23

Configuration Management

Question 24

SP 800-137

Answer 24

Continuous Monitoring (ISCM)

Question 25

SP 800-144

Answer 25

Security and Privacy in Public Cloud Computing

Question 26

FIPS 140-2

Answer 26

Cryptography

Question 27

FIPS 180-4

Answer 27

Secure Hash Standard

Question 28

FIPS 181

Answer 28

Automated Password Generator

Question 29

FIPS 186-4

Answer 29

Digital Signature Standard

Question 30

FIPS 190

Answer 30

Advanced Authentication

Question 31

FIPS 191

Answer 31

LAN Security (Confidentiality, Integrity and Availability of the data)

Question 32

FIPS 197

Answer 32

AES

Question 33

FIPS 198-1

Answer 33

HMAC (Keyed-Hash Message Authentication Code)

Question 34

FIPS 199

Answer 34

Security Categorization based on impact levels (low, moderate, or high)

Question 35

FIPS 200

Answer 35

Minimum Security Requirements (Baselines)

Question 36

FIPS 201-2

Answer 36

Personal Identity Verification PIV (smart cards)

Question 37

HSPD-1

Answer 37

Creates Homeland Security Council and functions

Question 38

HSPD-3

Answer 38

Homeland Security Advisory Team

Question 39

HSPD-5

Answer 39

Management of Domestic Incidents

Question 40

HSPD-7

Answer 40

(Replaced with PDD-21) Critical Infrastructure Identification/Priority/Protection

Question 41

HSPD-8

Answer 41

National Preparedness

Question 42

HSPD-12

Answer 42

Common Identification Standard for Federal Employees

Question 43

HSPD-20

Answer 43

NSPD-51 National Continuity Policy / Continuity of government/operation.

Question 44

HSPD 24

Answer 44

Biometrics for Identification for National Security

Question 45

BOD 20-01

Answer 45

Develop and Publish a Vulnerability Disclosure Policy

Question 46

BOD 19-02

Answer 46

Vulnerability Remediation Requirements for Internet-Accessible Systems

Question 47

BOD 18-02

Answer 47

Securing High Value Assets

Question 48

BOD 18-01

Answer 48

Enhance Email and Web Security

Question 49

BOD 17-01

Answer 49

Removal of Kaspersky-branded Products

Question 50

BOD 16-03

Answer 50

2016 Agency Cybersecurity Reporting Requirements

Question 51

BOD 16-02

Answer 51

Threat to Network Infrastructure Devices

Question 52

When a message is input to a hash algorithm, the output result is called a ____

Answer 52

Massage digest

Question 53

FIPS 199 = Standards for security categorization of federal systems puts systems into what 3 categories?

Answer 53

Low- Limited damage Moderate- Serious damage High- Severe / Catastrophic damage

Question 54

SP800-60 established security impact levels for loss of what 3 information types?

Answer 54

Confidentiality (encryption, Access control) Integrity (unauthorized modification = Hashing) Availability (add redundancy, power, weather)

Question 55

SP800-____ is a dictionary of all controls to choose from for your system.

Answer 55

SP800-60 Mapping information types to security categories.

Question 56

___ and ____ provide a disciplined and standard process that integrates information security and risk management activities into the system development life cycle.

Answer 56

Risk Management Framework (RMF) | NIST SP800-37

Question 57

Who is responsible for the information system?

Answer 57

Information System Owner

Question 58

Who is responsible for the data on the system?

Answer 58

Information Owner

Question 59

Who is responsible for the overall procurement of the system?

Answer 59

Program Manager

Question 60

What does FedRAMP stand for?

Answer 60

Federal Risk Authorization Management Program

Question 61

What are the 2 control documents?

Answer 61

SP800-53, SP800-53A

Question 62

PII - the confidentiality impact level generally falls into the _____ range.

Answer 62

Moderate

Question 63

What does SDLC stand for?

Answer 63

System Development Life Cycle

Question 64

Risk Management is a process that requires organizations to do what 4 things?

Answer 64

FARM | Frame Risk, Assess Risk, Respond to Risk, Monitor Risk

Question 65

NIST Control Families There are how many control families? What are the 3 categories the control families are put in?

Answer 65

18 | 4 Technical, 9 Operational, 5 Managerial

Question 66

NIST SP | FIPS 200 mandates the use of SP800-_____

Answer 66

SP800-53 Organizations must employ all security controls in the respective security control baselines unless specific exceptions are allowed based on the tailoring guidance provided in NIST Special Publication 800-53.

Question 67

A Security Control Assessment can only be _____ or ______.

Answer 67

satisfactory or other

Question 68

_______ is a suite of specifications for organizing and expressing security-related in standard ways as well as related reference data, such as identifiers for software laws and security configuration issues.

Answer 68

SCAP Security Control Automation Protocol

Question 69

FedRAMP is the automation tool for bringing ______ and ____ into the accreditation process.

Answer 69

Cloud and Virtualization

Question 70

RMF Step 1 Categorize Information System | The security categorization process is carried out by the _____ and ____.

Answer 70

Information System Owner and Information Owner/steward

Question 71

What are the 3 levels of impact on organizations, operations, assets, or individuals?

Answer 71

Low- Limited Moderate- Serious High- Severe/Catastrophic

Question 72

Continuous Monitoring Vocabulary | What does CAESARS stand for?

Answer 72

Continous asset Evaluation, Situational awareness, and Risk Scoring = CAESARS

Question 73

What is a dictionary of weaknesses that can lead to exploitable vulnerabilities?

Answer 73

Common Weakness Enumeration (CWE)

Question 74

What complies with the National Vulnerability Database (NVD) and is the basis for automating all FISMA reporting?

Answer 74

SCAP - Security Control Automation Protocol

Question 75

What are the 3 ways monitoring activities are recorded and reported?

Answer 75

Event driven Time driven Both

Question 76

What are the five basic areas of the NIST Cybersecurity Framework?

Answer 76

``` Identify Protect Detect Respond Recover ```

Question 77

The Security Assessment Report (SAR) contains a list of _____.

Answer 77

Vulnerability findings

Question 78

Name the 3 types of authorizations.

Answer 78

Authority to Operate (ATO) Denial of Authority of Operate (DATO) Interim Authorization to Test (IATT)

Question 79

RMF Assess Security Controls | What are the 3 methods of assessment?

Answer 79

Testing Interviewing Examination

Question 80

Name 3 roles that are assigned to government personal only.

Answer 80

CIO Risk Executive Senior Informational Security Officer

Question 81

What are the 3 risk documents?

Answer 81

SP800-30 SP800-37 SP800-39

Question 82

What are the 3 documents in a Security Authorization Package?

Answer 82

System Security Plan (SSP) Security Assessment Report (SAR) Plan of Action Milestones (POAM)

Question 83

Security Categorization | {(Confidentiality), (Integrity), (Availability)}

Answer 83

Security Categorization | {(Confidentiality), (Integrity), (Availability)}

Question 84

What are the 7 RMF steps?

Answer 84

``` 1 Prepare 2 Categorize 3 Select 4 Implement 5 Assess 6 Authorize 7 Monitor ```

Question 85

Cyberscope = FISMA Compliance reporting Agencies must send security data about their system how often?

Answer 85

Monthy

Question 86

DHS operates ____ for computer-related incidents. DHS oversees the implementation of the ____ initiative.

Answer 86

US-CERT - US Computer Emergency Readiness Team Trusted Internet Connection (TIC)

Question 87

OMB is the ____ agency and | DHS is the ____ agency for Cybersecurity Data and events.

Answer 87

``` OMB= reporting agency DHS= Gathering agency ```

Question 88

3 steps to address security at a higher level.

Answer 88

Prevention Reaction Correction

Question 89

The Information Technology Management Reform Act of ____ is also called __________. What are the 4 requirements?

Answer 89

1996, Clinger-Cohen Act CIO OMB oversite Enterprise Archetecture CPIC (Capital Planning and Investment Control)

Question 90

What is FEA

Answer 90

Federal Enterprise Architecture

Question 91

What is FISMA? When/how enacted?

Answer 91

Federal Information Security Management Act | enacted 2002 as Title 3 of E-Government Act of 2002

Question 92

What are FIPS?

Answer 92

Federal Information Processing Standard FISMA requires federal agencies to comply with the standards

Question 93

What are SPs?

Answer 93

Special Publications | recommendations and guidance documents

Question 94

What is NIST? and what does NIST issue?

Answer 94

National Institute of Standards and Technology | FIPS and SPs

Question 95

OMB issues what 2 types of documents?

Answer 95

Circulars - good for 2 years | Memorandums - provide further explanations and guidance.

Question 96

How long does OMB give you to report a PII breach? and who do you report it to?

Answer 96

1 hour | CERT (Computer Emergency Readiness Team)

Question 97

What type of encryption is EAS?

Answer 97

Symetric

Question 98

SP800-64

Answer 98

Security in SDLC

Question 99

SP800-18

Answer 99

Developing System Security Plan

Question 100

SP800-65

Answer 100

Integration of IT Security into the Capital Planning and Investment Control Process / Asset Management