ISC2 ISSEP practice test

Information Systems Security Engineering Professional Exam


Question 1

Which of the following organizations incorporates building secure audio and video communications
equipment, making tamper protection products, and providing trusted microelectronics solutions?

  • A. DTIC
  • B. NSA IAD
  • C. DIAP
  • D. DARPA
Answer:

B

Explanation:
Answer option A is incorrect. The Defense Technical Information Center (DTIC) is a repository of scientific and technical documents for the United States Department of Defense. DTIC serves the DoD community as the largest central resource for DoD and government-funded scientific, technical, engineering, and business related information available today. DTIC's documents are available to DoD personnel and defense contractors, with unclassified documents also available to the public. DTIC's aim is to serve as a vital link in the transfer of information among DoD personnel, DoD contractors, and potential contractors and other U.S. Government agency personnel and their contractors.

Answer option D is incorrect. The Defense Advanced Research Projects Agency (DARPA) is an agency of the United States Department of Defense responsible for the development of new technology for use by the military. DARPA has been responsible for funding the development of many technologies which have had a major effect on the world, including computer networking, as well as NLS, which was both the first hypertext system and an important precursor to the contemporary ubiquitous graphical user interface. DARPA supplies technological options for the entire Department, and is designed to be the "technological engine" for transforming DoD.

Answer option C is incorrect. The Defense-wide Information Assurance Program (DIAP) protects and supports DoD information, information systems, and information networks, which are important to the Department and the armed forces throughout day-to-day operations and in times of crisis. The DIAP uses the OSD method to plan, observe, organize, and incorporate IA activities. The role of DIAP is to act as a facilitator for program execution by the combatant commanders, Military Services, and Defense Agencies. The DIAP staff combines functional and programmatic skills for a comprehensive Defense-wide approach to IA. The DIAP's main objective is to ensure that the DoD's vital information resources are secured and protected by incorporating IA activities to achieve secure net-centric GIG operation enablement and information supremacy, by applying a Defense-in-Depth methodology that integrates the capabilities of people, operations, and technology to establish multi-layer, multidimensional protection.

Question 2

Continuous Monitoring is the fourth phase of the security certification and accreditation process.
What activities are performed in the Continuous Monitoring process?
Each correct answer represents a complete solution. Choose all that apply.

  • A. Status reporting and documentation
  • B. Security control monitoring and impact analyses of changes to the information system
  • C. Configuration management and control
  • D. Security accreditation documentation
  • E. Security accreditation decision
Answer:

C, B, and A

Explanation:
Continuous Monitoring is the fourth phase of the security certification and accreditation process.
The Continuous Monitoring process consists of the following three main activities:
1. Configuration management and control
2. Security control monitoring and impact analyses of changes to the information system
3. Status reporting and documentation
The objective of these tasks is to observe and evaluate the information system security controls during the system life cycle. These tasks determine whether the changes that have occurred will negatively impact the system security.
Answer options E and D are incorrect. Security accreditation decision and security accreditation documentation are the two tasks of the security accreditation phase.


Question 3

You are working as a project manager in your organization. You are nearing the final stages of project
execution and looking towards the final risk monitoring and controlling activities. For your project
archives, which one of the following is an output of risk monitoring and control?

  • A. Quantitative risk analysis
  • B. Risk audits
  • C. Requested changes
  • D. Qualitative risk analysis
Answer:

C

Explanation:
Of all the choices presented, only requested changes are an output of the monitor and control risks process. You might also have risk register updates, recommended corrective and preventive actions, organizational process assets, and updates to the project management plan.
Answer options D and A are incorrect. These belong to the risk management planning processes.
Answer option B is incorrect. Risk audit is a risk monitoring and control technique.


Question 4

Which of the following are the major tasks of risk management? Each correct answer represents a complete solution. Choose two.

  • A. Risk identification
  • B. Building risk-free systems
  • C. Assuring the integrity of organizational data
  • D. Risk control
Answer:

A and D

Explanation:
The following are the two major tasks of risk management:
1. Risk identification
2. Risk control
Risk identification is the task of examining and documenting the security posture of an organization's information technology and the risks it faces.
Risk control is the task of applying controls to reduce risks to an organization's data and information systems.
Answer options B and C are incorrect. Building risk-free systems and assuring the integrity of organizational data are tasks related to the implementation of security measures.


Question 5

Which of the following types of cryptography defined by FIPS 185 describes a cryptographic algorithm or a tool accepted by the National Security Agency for protecting classified information?

  • A. Type III cryptography
  • B. Type III (E) cryptography
  • C. Type II cryptography
  • D. Type I cryptography
Answer:

D

Explanation:
The types of cryptography defined by FIPS 185 are as follows:
Type I cryptography: It describes a cryptographic algorithm or a tool accepted by the National Security Agency for protecting classified information.
Type II cryptography: It describes a cryptographic algorithm or a tool accepted by the National Security Agency for protecting sensitive, unclassified information in the systems as stated in Section 2315 of Title 10, United States Code, or Section 3502(2) of Title 44, United States Code.
Type III cryptography: It describes a cryptographic algorithm or a tool accepted as a Federal Information Processing Standard.
Type III (E) cryptography: It describes a Type III algorithm or a tool that is accepted for export from the United States.


Question 6

Which of the following types of CNSS issuances establishes criteria and assigns responsibilities?

  • A. Advisory memoranda
  • B. Directives
  • C. Instructions
  • D. Policies
Answer:

D

Explanation:
The various CNSS issuances are as follows:
Policies: They assign responsibilities and establish criteria (NSTISSP or CNSSP).
Directives: They establish or describe policy and programs, provide authority, or assign responsibilities (NSTISSD).
Instructions: They describe how to implement the policy or prescribe the manner of a policy (NSTISSI).
Advisory memoranda: They provide guidance on policy and may cover a variety of topics involving information assurance, telecommunications security, and network security (NSTISSAM).


Question 7

Which of the following security controls will you use for the deployment phase of the SDLC to build
secure software? Each correct answer represents a complete solution. Choose all that apply.

  • A. Risk Adjustments
  • B. Security Certification and Accreditation (C&A)
  • C. Vulnerability Assessment and Penetration Testing
  • D. Change and Configuration Control
Answer:

C, B, and A

Explanation:
The various security controls in the SDLC deployment phase are as follows:
Secure Installation: While performing any software installation, it should be kept in mind that the security configuration of the environment should never be reduced. If it is reduced, security issues and overall risks can affect the environment.
Vulnerability Assessment and Penetration Testing: Vulnerability assessments (VA) and penetration testing (PT) are used to determine the risk and attest to the strength of the software after it has been deployed.
Security Certification and Accreditation (C&A): Security certification is the process used to ensure that controls are effectively implemented through established verification techniques and procedures, giving organization officials confidence that the appropriate safeguards and countermeasures are in place as a means of protection. Accreditation is the provisioning of the necessary security authorization by a senior organization official to process, store, or transmit information.
Risk Adjustments: Contingency plans and exceptions should be generated so that the residual risk is above the acceptable threshold.


Question 8

Registration Task 5 identifies the system security requirements. Which of the following elements of
Registration Task 5 defines the type of data processed by the system?

  • A. Data security requirement
  • B. Network connection rule
  • C. Applicable instruction or directive
  • D. Security concept of operation
Answer:

A

Explanation:
Data security requirement defines the type of data processed by the system.
Answer option C is incorrect. Applicable instruction or directive defines the security instructions or
directives applicable to the system.
Answer option D is incorrect. Security concept of operation defines the following elements:
Security CONOPS
System input
System processing
Final outputs
Security controls and interactions
Connections with external systems
Answer option B is incorrect. Network connection rule is used to find the additional requirements incurred if the system is to be connected to any other network or system.


Question 9

John works as a security engineer for BlueWell Inc. He wants to identify the different functions that
the system will need to perform to meet the documented mission/business needs. Which of the
following processes will John use to achieve the task?

  • A. Modes of operation
  • B. Performance requirement
  • C. Functional requirement
  • D. Technical performance measures
Answer:

C

Explanation:
The Functional requirements are used to classify the different functions that the system will need to perform to meet the documented mission/business needs.
Answer option B is incorrect. The Performance requirements are the agreed-upon terms of how well the system functions.
Answer option A is incorrect. The modes of operation define the mode, such as training mode, pre-production mode, etc.
Answer option D is incorrect. The Technical performance measures are key indicators of system performance, such as key critical measures of effectiveness that will put the project at risk.


Question 10

Which of the following requires all general support systems and major applications to be fully
certified and accredited before these systems and applications are put into production? Each correct
answer represents a part of the solution. Choose all that apply.

  • A. Office of Management and Budget (OMB)
  • B. NIST
  • C. FISMA
  • D. FIPS
Answer:

C and A

Explanation:
FISMA and the Office of Management and Budget (OMB) require all general support systems and major applications to be fully certified and accredited before they are put into production. General support systems and major applications are also referred to as information systems and are required to be reaccredited every three years.
Answer option B is incorrect. The National Institute of Standards and Technology (NIST), known between 1901 and 1988 as the National Bureau of Standards (NBS), is a measurement standards laboratory which is a non-regulatory agency of the United States Department of Commerce. The institute's official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.
Answer option D is incorrect. The Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States federal government for use by all non-military government agencies and by government contractors. Many FIPS standards are modified versions of standards used in the wider community (ANSI, IEEE, ISO, etc.). Some FIPS standards were originally developed by the U.S. government, for instance standards for encoding data (e.g., country codes) and, more significantly, some encryption standards, such as the Data Encryption Standard (FIPS 46-3) and the Advanced Encryption Standard (FIPS 197). In 1994, NOAA began broadcasting coded signals called FIPS (Federal Information Processing System) codes along with their standard weather broadcasts from local stations. These codes identify the type of emergency and the specific geographic area (such as a county) affected by the emergency.
