CAP Review Questions & Verified Solutions for 2024.
1. During which Risk Management Framework (RMF) step is the system security plan
initially approved?
A. RMF Step 1 Categorize Information System
B. RMF Step 2 Select Security Controls
C. RMF Step 3 Implement Security Controls
D. RMF Step 5 Authorize Information System - Correct answer B. RMF Step 2 Select
Security Controls
The system security plan is first approved by the authorizing official or the AO's designated
representative during execution of RMF Step 2, Task 2-4, Security Plan Approval. See: CAP® CBK®
Chapter 2, Task 2-4: Approval Security Plan; NIST SP 800-37, Revision 1, RMF Step 2, Task 2-4:
Security Plan Approval.
2. Which organizational official is responsible for the procurement, development,
integration, modification, operation, maintenance, and disposal of an information
system?
A. Information system security engineer (ISSE)
B. Chief information officer (CIO)
C. Information system owner (ISO)
D. Information security architect - Correct answer C. Information system owner (ISO)
According to National Institute of Standards and Technology Special Publication (NIST
SP) 800-37, Revision 1, Appendix D.9 Information System Owner, the information
system owner is an organizational official responsible for the procurement,
development, integration, modification, operation, maintenance, and disposal of an
information system. The information system owner serves as the focal point for the
information system. In that capacity, the information system owner (ISO) serves both as
an owner and as the central point of contact between the authorization process and the
owners of components of the system. See also CAP® CBK® Chapter 1, System
Authorization Roles and Responsibilities, Primary Roles and Responsibilities.
3. Which authorization approach considers the time elapsed since the authorization results
were produced, the environment of operation, the criticality/sensitivity of the information,
and the risk tolerance of the leveraging organization?
A. Leveraged
B. Single
C. Joint
D. Site specific - Correct answer A. Leveraged
With this approach, the leveraging organization considers risk factors such as the time
elapsed since the authorization results were originally produced; the current
environment of operation (if different from the environment of operation reflected in the
authorization package); the criticality/sensitivity of the information to be processed,
stored, or transmitted (if different from the state of the original authorization); as well as
the overall risk tolerance of the leveraging organization (in the event that the risk
tolerance posture has changed over time).
See NIST SP 800-37, Revision 1, Appendix F.9 Authorization Approaches.
4. System authorization programs are marked by frequent failure due to, among other
things, poor planning, poor systems inventory, failure to fix responsibility at the system
level, and
A. inability to work with remote teams.
B. lack of a program management office.
C. insufficient system rights.
D. lack of management support. - Correct answer D. lack of management support.
Lack of management support often stems from a failure to connect system authorization to
budgeting for resources. Other causes of failure include excessive paperwork, lack of
enforcement, and poor timing, among others.
See CAP® CBK® Chapter 1, Why System Authorization Programs Fail.
5. In what phases of the Risk Management Framework (RMF) and system development
life cycle (SDLC), respectively, does documentation of control implementation start?
A. Categorization and initiation
B. Implement security controls and development/acquisition
C. Authorization and operations/maintenance
D. Monitor and sunset - Correct answer B. Implement security controls and
development/acquisition
Security control documentation that describes how system-specific, hybrid, and common
controls are implemented is part of RMF Step 3 (Implement Security Controls) and of the
SDLC development/acquisition and implementation phases. The
documentation formalizes plans and expectations regarding the overall functionality of
the information system. The functional description of the security control implementation
includes planned inputs, expected behavior, and expected outputs where appropriate,
typically for those technical controls that are employed in the hardware, software, or
firmware components of the information system. See CAP® CBK® Chapter 4,
Application of Security Controls, Task 3-1: Implement Security Controls; NIST SP 800-
37, Revision 1, Step 3, Task 3-1: Security Control Implementation.
6. The tiers of the National Institute of Standards and Technology (NIST) risk
management framework are
A. operational, management, system.
B. confidentiality, integrity, availability.
C. organization, mission/business process, information system.
D. prevention, detection, recovery. - Correct answer C. organization, mission/business
process, and information system.
According to NIST SP 800-39, 2.2 Multitier Risk Management, the three tiers of the
RMF are organization, mission/business process, and information system. Answer A
("operational, management, system") is a distracter. Answer B ("confidentiality, integrity,
availability") refers to the security impact levels of information and systems determined
during categorization. Answer D relates to a common typology for security controls.
See also CAP® CBK® Chapter 1, Fundamentals of Information Systems Risk
Management, and Guidance on Organization-Wide Risk Management.
7. National Institute of Standards and Technology (NIST) guidance classifies security
controls as
A. production, development, and test.
B. people, process, and technology.
C. system-specific, common and hybrid.
D. technical, administrative, and program. - Correct answer C. system-specific, common
and hybrid.
According to NIST SP 800-37, Revision 1, Chapter Two—The Fundamentals, 2.4
Security Control Allocation, security control allocation classifies each control as
system-specific, common, or hybrid (having qualities of both). Answer A relates
to operating environments. Answer B is a common taxonomy for security components.
Answer D is a common taxonomy for types of security controls but is not used in NIST
guidance. See also CAP® CBK® Chapter 1, Fundamentals of Information Systems
Risk Management.
8. Which of the following specifies security requirements for federal information and
information systems in 17 security-related areas that represent a broad-based,
balanced information security program?
A. Federal Information Processing Standard (FIPS) 199, Standards for Security
Categorization of Federal Information and Information Systems
B. FIPS 200, Minimum Security Requirements for Federal Information and Information
Systems
C. Committee on National Security Systems (CNSS) Instruction No. 1253, Security
Categorization and Control Selection for National Security Systems