Which of the following organizations incorporates building secure audio and video communications
equipment, making tamper protection products, and providing trusted microelectronics solutions?
B
Explanation:
Answer option A is incorrect. The Defense Technical Information Center (DTIC) is a repository of
scientific and technical documents for the United States Department of Defense. DTIC serves the
DoD community as the largest central resource for DoD and government-funded scientific, technical,
engineering, and business related information available today. DTIC's documents are available to
DoD personnel and defense contractors, with unclassified documents also available to the public.
DTIC's aim is to serve a vital link in the transfer of information among DoD personnel, DoD
contractors, and potential contractors and other U.S. Government agency personnel and their
contractors. Answer option D is incorrect. The Defense Advanced Research Projects Agency (DARPA)
is an agency of the United States Department of Defense responsible for the development of new
technology for use by the military. DARPA has been responsible for funding the development of
many technologies which have had a major effect on the world, including computer networking, as
well as NLS, which was both the first hypertext system, and an important precursor to the
contemporary ubiquitous graphical user interface. DARPA supplies technological options for the
entire Department, and is designed to be the "technological engine" for transforming DoD. Answer
option C is incorrect. The Defense-wide Information Assurance Program (DIAP) protects and
supports DoD information, information systems, and information networks, which is important to
the Department and the armed forces throughout the day-to-day operations, and in the time of
crisis.The DIAP uses the OSD method to plan, observe, organize, and incorporate IA activities. The
role of DIAP is to act as a facilitator for program execution by the combatant commanders, Military
Services, and Defense Agencies. The DIAP staff combines functional and programmatic skills for a
comprehensive Defense-wide approach to IA. The DIAP's main objective is to ensure that the DoD's
vital information resources are secured and protected by incorporating IA activities to get a secure
net-centric GIG operation enablement and information supremacy by applying a Defense-in-Depth
methodology that integrates the capabilities of people, operations, and technology to establish a
multi-layer, multidimensional protection.
Continuous Monitoring is the fourth phase of the security certification and accreditation process.
What activities are performed in the Continuous Monitoring process?
Each correct answer represents a complete solution. Choose all that apply.
C, B, and A
Explanation:
Continuous Monitoring is the fourth phase of the security certification and accreditation process.
The Continuous Monitoring process consists of the following three main activities:
Configuration management and control Security control monitoring and impact analyses of changes
to the information system Status reporting and documentation The objective of these tasks is to
observe and evaluate the information system security controls during the system life cycle. These
tasks determine whether the changes that have occurred will negatively impact the system security.
Answer options E and D are incorrect. Security accreditation decision and security accreditation
documentation are the two tasks of the security accreditation phase.
You are working as a project manager in your organization. You are nearing the final stages of project
execution and looking towards the final risk monitoring and controlling activities. For your project
archives, which one of the following is an output of risk monitoring and control?
C
Explanation:
Of all the choices presented, only requested changes is an output of the monitor and control risks
process. You might also have risk register
updates, recommended corrective and preventive actions, organizational process assets, and
updates to the project management plan.
Answer options D and A are incorrect. These are the plan risk management processes.
Answer option B is incorrect. Risk audit is a risk monitoring and control technique.
Which of the following are the major tasks of riskmanagement? Each correct answer represents
acomplete solution. Choose two.
A and D
Explanation:
The following are the two major tasks of risk management:
1.Risk identification
2.Risk control
Risk identification is the task of examining and documenting the security posture of an organization's
information technology and the risks it
faces.
Risk control is the task of applying controls to reduce risks to an organization's data and information
systems.
Answer options B and C are incorrect. Building risk free systems and assuring the integrity of
organizational data are the tasks related to the
implementation of security measures.
Which of the following types of cryptography defined by FIPS 185 describes a cryptographicalgorithm
or a tool accepted by the National Security Agency for protecting classified information?
D
Explanation:
The types ofcryptography defined by FIPS 185 are as follows:
Type I cryptography: It describes a cryptographic algorithm or a tool accepted bythe NationalSecurity
Agency for protecting classifiedinformation.
Type II cryptography: It describes a cryptographic algorithm or a tool accepted by
theNationalSecurity Agency for protectingsensitive, unclassifiedinformation in the systems as stated
in Section 2315 ofTitle 10, United StatesCode, or Section3502(2) ofTitle44, United States Code.
Type III cryptography: It describes a cryptographic algorithm or a tool accepted as a
FederalInformation Processing Standard.
Type III (E) cryptography: It describes a Type III algorithm or a tool that is accepted for export fromthe
United States.
Which of the following types of CNSS issuances establishes criteria, and assigns responsibilities?
D
Explanation:
The various CNSS issuances are as follows:
Policies: It assigns responsibilities and establishes criteria (NSTISSP) or (CNSSP).
Directives: It establishes or describes policy and programs, provides authority,or assigns
responsibilities (NSTISSD).
Instructions: It describes howto implement the policy or prescribes the manner of a policy (NSTISSI).
Advisory memoranda: It providesguidance on policy and may cover avariety of topics
involvinginformation assurance,
telecommunications security, and network security (NSTISSAM).
Which of the following security controls will you use for the deployment phase of the SDLC to build
secure software? Each correct answer represents a complete solution. Choose all that apply.
C, B, and A
Explanation:
The various security controls in the SDLC deployment phase are as follows:
Secure Installation: While performing any software installation, it should kept in mind that the
security configuration of the
environment should never be reduced. If it is reduced then security issues and overall risks can affect
the environment.
Vulnerability Assessment and Penetration Testing: Vulnerability assessments (VA) and penetration
testing (PT) is used to determine
the risk and attest to the strength of the software after it has been deployed.
Security Certification and Accreditation (C&A): Security certification is the process used to ensure
controls which are effectively
implemented through established verification techniques and procedures, giving organization
officials confidence that the appropriate
safeguards and countermeasures are in place as means of protection. Accreditation is the
provisioning of the necessary security
authorization by a senior organization official to process, store, or transmit information.
Risk Adjustments: Contingency plans and exceptions should be generated so that the residual risk be
above the acceptable threshold.
Registration Task 5 identifies the system security requirements. Which of the following elements of
Registration Task 5 defines the type of data processed by the system?
A
Explanation:
Data security requirement defines the type of data processed by the system.
Answer option C is incorrect. Applicable instruction or directive defines the security instructions or
directives applicable to the system.
Answer option D is incorrect. Security concept of operation defines the following elements:
Security CONOPS
System input
System processing
Final outputs
Security controls and interactions
Connections with external systems
Answer option B is incorrect. Network connection rule is used to find the additional requirements
incurred if the system is to be connected to
any other network or system.
John works as a security engineer for BlueWell Inc. He wants to identify the different functions that
the system will need to perform to meet the documented mission/business needs. Which of the
following processes will John use to achieve the task?
C
Explanation:
The Functional requirements are used to classify the different functions that the system will need to
perform to meet the documented
mission/business needs.
Answer option B is incorrect. The Performance requirements are the agreed-upon terms of how well
the system functions.
Answer option A is incorrect. The modes of operation defines the mode, such as training mode, pre-
production mode, etc.
Answer option D is incorrect. The Technical performance measures are key indicators of system
performance such as key critical measures of
effectiveness that will put the project at risk.
Which of the following requires all general support systems and major applications to be fully
certified and accredited before these systems and applications are put into production? Each correct
answer represents a part of the solution. Choose all that apply.
C and A
Explanation:
FISMA and Office of Management and Budget (OMB) require all general support systems and major
applications to be fully certified and
accredited before they are put into production. General support systems and major applications are
also referred to as information systems
and are required to be reaccredited every three years.
Answer option B is incorrect. The National Institute of Standards and Technology (NIST), known
between 1901 and 1988 as the National
Bureau of Standards (NBS), is a measurement standards laboratory which is a non-regulatory agency
of the United States Department of
Commerce. The institute's official mission is to promote U.S. innovation and industrial
competitiveness by advancing measurement science,
standards, and technology in ways that enhance economic security and improve quality of life.
Answer option D is incorrect. The Federal Information Processing Standards (FIPS) are publicly
announced standards developed by the United
States federal government for use by all non-military government agencies and by government
contractors. Many FIPS standards are modified
versions of standards used in the wider community (ANSI, IEEE, ISO, etc.).
Some FIPS standards were originally developed by the U.S. government. For instance, standards for
encoding data (e.g., country codes), but
more significantly some encryption standards, such as the Data Encryption Standard (FIPS 46-3) and
the Advanced Encryption Standard (FIPS
197). In 1994, NOAA (Noaa) began broadcasting coded signals called FIPS (Federal Information
Processing System) codes along with their
standard weather broadcasts from local stations. These codes identify the type of emergency and
the specific geographic area (such as a
county) affected by the emergency.
Which of the following are the benefits of SE as stated by MIL-STD-499B? Each correct answer
represents a complete solution. Choose all that apply.
C, B, and A
Explanation:
The benefits of SE as stated by MIL-STD-499B are as follows :
It encompasses the scientific and engineering efforts related to the development, manufacturing,
verification, deployment, operations,
support, and disposal of system products and processes.
It develops needed user training equipment, procedures, and data.
It establishes and maintains configuration management of the system.
It develops work breakdown structures and statements of work.
It provides information for management decision-making.
Answer option D is incorrect. This is the objective of SE as defined by IEEE 1220.
Which of the following types of cryptography defined by FIPS 185 describes a cryptographic
algorithm or a tool accepted as a Federal Information Processing Standard?
B
Explanation:
The types of cryptography defined by FIPS 185 are as follows:
Type I cryptography: It describes a cryptographic algorithm or a tool accepted by the National
Security Agency for protecting classified
information.
Type II cryptography: It describes a cryptographic algorithm or a tool accepted by the National
Security Agency for protecting
sensitive, unclassified information in the systems as stated in Section 2315 of Title 10, United States
Code, or Section 3502(2) of Title
44, United States Code.
Type III cryptography: It describes a cryptographic algorithm or a tool accepted as a Federal
Information Processing Standard.
Type III (E) cryptography: It describes a Type III algorithm or a tool that is accepted for export from
the United States.
Which of the following are the functional analysis and allocation tools? Each correct answer
represents a complete solution. Choose all that apply.
D, A, and C
Explanation:
The various functional analysis and allocation tools are as follows:
Functional hierarchy diagram: It models the hierarchy of functions that the system is in charge for
performing, the sub-functions that
are required by those functions, and any business processes that are used to invoke those sub
functions. The objective of functional
hierarchy diagram is to show all of the function requirements and their groupings in one diagram.
Functional flow block diagram (FFBD): The objective of FFBDs is to construct the system
requirements into functional terms. The FFBD
classifies the major system-level (or top-level) functions that must be performed by the system to
accomplish its mission.
Timeline analysis diagram: It presents a graphical view of whether the functions are to be
accomplished in series or in parallel.
Answer option B is incorrect. The activity diagram is not a part of the functional analysis and
allocation tools.
Which of the following DoD policies establishes policies and assigns responsibilities to achieve DoD
IA through a defense-in-depth approach that integrates the capabilities of personnel, operations, and
technology, and supports the evolution to network-centric warfare?
D
Explanation:
DoD 8500.1 Information Assurance (IA) sets up policies and allots responsibilities to achieve DoD IA
through a defense-in-depth approach that
integrates the capabilities of personnel, operations, and technology, and supports the evolution to
network-centric warfare.
DoD 8500.1 also summarizes the roles and responsibilities for the persons responsible for carrying
out the IA policies.
Answer option A is incorrect. The DoD 8500.2 Information Assurance Implementation pursues
8500.1. It provides assistance on how to
implement policy, assigns responsibilities, and prescribes procedures for applying integrated, layered
protection of the DoD information
systems and networks.
DoD Instruction 8500.2 allots tasks and sets procedures for applying integrated layered protection of
the DOD information systems and
networks in accordance with the DoD 8500.1 policy. It also provides some important guidelines on
how to implement an IA program.
Answer option C is incorrect. DoDI 5200.40 executes the policy, assigns responsibilities, and
recommends procedures under reference for
Certification and Accreditation(C&A) of information technology (IT).
Answer option B is incorrect. DoD 8510.1-M DITSCAP provides standardized activities leading to
accreditation, and establishes a process and
management baseline.
Which of the following laws is the first to implement penalties for the creator of viruses, worms, and
other types of malicious code that causes harm to the computer systems?
A
Explanation:
The Computer Fraud and Abuse Act as amended, provides civil penalties for the creator of viruses,
worms, and other types of malicious code
that causes harm to the computer systems.
The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1984 intended
to reduce cracking of computer systems
and to address federal computer-related offenses. The Computer Fraud and Abuse Act (codified as
18 U.S.C. 1030) governs cases with a
compelling federal interest, where computers of the federal government or certain financial
institutions are involved, where the crime itself is
interstate in nature, or computers used in interstate and foreign commerce. It was amended in
1986, 1994, 1996, in 2001 by the USA PATRIOT
Act, and in 2008 by the Identity Theft Enforcement and Restitution Act. Section (b) of the act
punishes anyone who not just commits or
attempts to commit an offense under the Computer Fraud and Abuse Act but also those who
conspire to do so.
Answer option B is incorrect. The Computer Security Act was passed by the United States Congress.
It was passed to improve the security
and privacy of sensitive information in Federal computer systems and to establish a minimum
acceptable security practices for such systems. It
requires the creation of computer security plans, and the appropriate training of system users or
owners where the systems house sensitive
information.
Answer option C is incorrect. The Gramm-Leach-Bliley Act (GLBA) is also known as the Financial
Services Modernization Act of 1999. It is an act
of the 106th United States Congress (1999-2001) signed into law by President Bill Clinton which
repealed part of the Glass-Steagall Act of
1933, opening up the market among banking companies, securities companies and insurance
companies.
The Gramm-Leach-Bliley Act allowed commercial banks, investment banks, securities firms, and
insurance companies to consolidate. This law
also provides regulations regarding the way financial institutions handle private information
belongings to their clients.
Answer option D is incorrect. The Digital Millennium Copyright Act (DMCA) is a United States
copyright law that implements two 1996 treaties of
the World Intellectual Property Organization (WIPO). It criminalizes production and dissemination of
technology, devices, or services intended
to circumvent measures (commonly known as digital rights management or DRM) that control
access to copyrighted works.
It also criminalizes the act of circumventing an access control, whether or not there is actual
infringement of copyright itself. In addition, the
DMCA heightens the penalties for copyright infringement on the Internet.