
1. Which statement is NOT true about the NIACAP SSAA?

  1. The SSAA is used throughout the entire NIACAP process.
  2. The SSAA is a formal agreement among the DAA(S), certifier, user representative, and program manager.
  3. The SSAA is used only through Phase 3, Validation.
  4. The SSAA documents the conditions of the C&A for an IS.

Answer: C

Hint: The SSAA is used throughout the entire NIACAP process. After accreditation, the SSAA becomes the baseline security configuration document and is maintained during Phase 4.

2. Which choice BEST describes NIACAP Phase 1, Definition?

  1. The objective of Phase 1 is to ensure the fully integrated system will be ready for certification testing.
  2. The objective of Phase 1 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system (accreditation or Interim Approval to Operate [IATO]).
  3. The objective of Phase 1 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.
  4. The objective of Phase 1 is to ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk.

Answer: C

Hint: Phase 1, Definition, is focused on understanding the IS business case, environment, and architecture to determine the security requirements and level of effort necessary to achieve certification and accreditation. The objective of Phase 1 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required. Answer A describes the objectives of Phase 2. Answer B describes the objectives of Phase 3. Answer D describes the objectives of Phase 4.

3. Which choice BEST describes NIACAP Phase 3, Accreditation?

  1. The objective of Phase 3 is to ensure the fully integrated system will be ready for certification testing.
  2. The objective of Phase 3 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.
  3. The objective of Phase 3 is to ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk.
  4. The objective of Phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system (accreditation or Interim Approval to Operate [IATO]).

Answer: D

Hint: Phase 3, Validation, validates compliance of the fully integrated system with the security policy and requirements stated in the SSAA. The objective of Phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system. Answer A describes the objectives of Phase 2. Answer B describes the objectives of Phase 1. Answer C describes the objectives of Phase 4.

4. Which NIACAP role is also referred to as the accreditor?

  1. IS program manager
  2. Designated Approving Authority (DAA)
  3. Certification agent
  4. User representative

Answer: B

Hint: The Designated Approving Authority (DAA) is also referred to as the accreditor.

5. Which is NOT a NIACAP role?

  1. IS program manager
  2. Certifier
  3. Vendor representative
  4. User representative

Answer: C

Hint: Answer C is a distracter; the other answers are all NIACAP roles.

6. Which is NOT a NIACAP accreditation type?

  1. Site accreditation
  2. Process accreditation
  3. Type accreditation
  4. System accreditation

Answer: B

Hint: Answer B is a distracter; the NIACAP applies to each of the other three accreditation types and may be tailored to meet the specific needs of the organization and IS. Answer A, a site accreditation, evaluates the applications and systems at a specific, self-contained location. Answer C, a type accreditation, evaluates an application or system that is distributed to a number of different locations. Answer D, a system accreditation, evaluates a major application or general support system.

7. Which statement is NOT true about the Designated Approving Authority (DAA)?

  1. The DAA determines the existing level of residual risk and makes an accreditation recommendation.
  2. The DAA is the primary government official responsible for implementing system security.
  3. The DAA is an executive with the authority and ability to balance the needs of the system with the security risks.
  4. The DAA can grant an accreditation or an Interim Approval to Operate (IATO), or may determine that the system's risks are not at an acceptable level and it is not ready to be operational.

Answer: A

Hint: The certifier, not the DAA, determines the existing level of residual risk and makes the accreditation recommendation. The DAA determines the acceptable, not existing, level of risk for a system. The other answers about the DAA are true.

8. Which statement is NOT true about the certification agent?

  1. The certifier provides the technical expertise to conduct the certification throughout the system's life cycle based on the security requirements documented in the SSAA.
  2. The certifier determines the acceptable level of residual risk for a system.
  3. The certifier determines whether a system is ready for certification and conducts the certification process.
  4. The certifier should be independent from the organization responsible for the system development or operation.

Answer: B

Hint: The DAA, not the certifier, determines the acceptable level of residual risk for a system and must have the authority to oversee the budget and IS business operations of systems under his/her purview. The other statements about the certifier are true.

9. What is the task of the certifier at the completion of the certification effort?

  1. Recommends to the DAA whether or not to accredit the system based on documented residual risk.
  2. Provides details of the system and its life cycle management to the DAA.
  3. Ensures that the security requirements are integrated in a way that will result in an acceptable level of risk.
  4. Keeps all NIACAP participants informed of life cycle actions, security requirements, and documented user needs.

Answer: A

Hint: At the completion of the certification effort the certifier reports the status of certification and makes a recommendation to the DAA. The other answers are tasks assigned to the program manager.

10. Why does NIACAP have a user representative?

  1. The user representative is an executive with the authority and ability to balance the needs of the system with the security risks.
  2. The user representative is concerned with system availability, access, integrity, functionality, performance, and confidentiality as they relate to the mission environment.
  3. The user representative determines the acceptable level of residual risk for a system.
  4. The user representative is the primary government official responsible for implementing system security.

Answer: B

Hint: The operational interests of system users are vested in the user representative. In the NIACAP process, the user representative is concerned with system availability, access, integrity, functionality, performance, and confidentiality as they relate to the mission environment. Users and their representative are found at all levels of an agency. The other answers are qualities of the DAA.

11. Which is NOT a responsibility of the NIACAP user representative?

  1. The user representative is responsible for the secure operation of a certified and accredited IS.
  2. The user representative determines whether a system is ready for certification and conducts the certification process.
  3. The user representative represents the user community.
  4. The user representative functions as the liaison for the user community throughout the life cycle of the system.

Answer: C

Hint: Answer C is a task for the certifier. As noted in the SSAA, the user representative:
- Is responsible for the identification of operational requirements
- Is responsible for the secure operation of a certified and accredited IS
- Represents the user community
- Assists in the C&A process
- Functions as the liaison for the user community throughout the life cycle of the system
- Defines the system's operations and functional requirements
- Is responsible for ensuring that the user's operational interests are maintained throughout system development, modification, integration, acquisition, and deployment

12. Which is NOT an activity in NIACAP Phase 2?

  1. System Development and Integration
  2. Initial Certification Analysis
  3. Refine the SSAA
  4. Negotiation

Answer: D

Hint: Negotiation is a Phase 1 activity. The other three are the Phase 2 activities.

13. Which statement about certification and accreditation (C&A) is NOT correct?

  1. Certification is the comprehensive evaluation of the technical and non-technical security features of an information system.
  2. C&A is optional for most federal agencies' security systems.
  3. Accreditation is the formal declaration by a DAA approving an information system to operate.
  4. C&A consists of formal methods applied to ensure that the appropriate information system security safeguards are in place and that they are functioning per the specifications.

Answer: B

Hint: NSTISSP No. 6 establishes the requirement for federal departments and agencies to implement a C&A process for national security systems. The requirements of NSTISSI No. 6 apply to all U.S. government executive branch departments, agencies, and their contractors and consultants. The other three answers are correct statements about C&A.

14. Which is NOT an activity in NIACAP Phase 1?

  1. Preparation
  2. Initial Certification Analysis
  3. Registration
  4. Negotiation

Answer: B

Hint: Initial Certification Analysis is a Phase 2 activity. The other three are the Phase 1 activities.

15. During which NIACAP phase does the Security Test and Evaluation (ST&E) occur?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

Answer: C

Hint: The Security Test and Evaluation (ST&E) is a major activity in Phase 3.

16. Which choice below BEST describes the objective of the Security Test and Evaluation (ST&E)?

  1. The objective of the ST&E is to update the SSAA to include changes made during system development and the results of the certification analysis.
  2. The objective of the ST&E is to evaluate the integration of COTS software, hardware, and firmware.
  3. The objective of the ST&E is to verify that change control and configuration management practices are in place.
  4. The objective of the ST&E is to assess the technical implementation of the security design.

Answer: D

Hint: The objective of the ST&E is to assess the technical implementation of the security design; to ascertain that security software, hardware, and firmware features affecting confidentiality, integrity, availability, and accountability have been implemented as documented in the SSAA; and that the features perform properly. ST&E validates the correct implementation of identification and authentication, audit capabilities, access controls, object reuse, trusted recovery, and network connection rule compliance. The other answers are distracters.

17. Penetration Testing is part of which NIACAP phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

Answer: C

Hint: Penetration testing assesses the system's ability to withstand intentional attempts to circumvent system security features by exploiting technical security vulnerabilities. Penetration testing may include insider and outsider penetration attempts based on common vulnerabilities for the technology being used.

18. The DAA accreditation decision is made at the last step of which phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

Answer: C

Hint: After receipt of the certifier's recommendation, the DAA reviews the SSAA and makes an accreditation determination. This determination is added to the SSAA. The final SSAA accreditation package includes the certifier's recommendation, the DAA authorization to operate, and supporting documentation. The SSAA must contain all information necessary to support the certifier's recommended decision, including security findings, deficiencies, risks to operation, and actions to resolve any deficiencies.

19. If the DAA does not accredit the system, what happens?

  1. The NIACAP process reverts to Phase 1.
  2. The NIACAP process moves on to Phase 4.
  3. The NIACAP project is ended.
  4. The NIACAP stays in Phase 3 until the system is accredited.

Answer: A

Hint: If the decision is made to not authorize the system to operate, the NIACAP process reverts to Phase 1, and the DAA, certifier, program manager, and user representative must agree to proposed solutions to meet an acceptable level of risk. The decision must state the specific reasons for denial and, if possible, provide suggested solutions.

20. What is the main purpose of the post-accreditation phase?

  1. To initiate the risk management agreement process among the four principals: the DAA, certifier, program manager, and user representative
  2. To continue to operate and manage the system so that it will maintain an acceptable level of residual risk
  3. To ensure that the SSAA properly and clearly defines the approach and level of effort
  4. To collect information and documentation about the system, such as capabilities and functions the system will perform

Answer: B

Hint: Phase 4 contains activities required to continue to operate and manage the system so that it will maintain an acceptable level of residual risk. Post-accreditation activities must include ongoing maintenance of the SSAA, system operations, security operations, change management, and compliance validation. The other answers relate to Phase 1.

21. How long does Phase 4 last?

  1. Until the initial certification analysis determines whether the IS is ready to be evaluated and tested
  2. Until the DAA reviews the SSAA and makes an accreditation determination
  3. Until the information system is removed from service, a major change is planned for the system, or a periodic compliance validation is required
  4. Until the responsible organizations adopt the SSAA and concur that those objectives have been reached

Answer: C

Hint: Phase 4 must continue until the information system is removed from service, a major change is planned for the system, or a periodic compliance validation is required. The other answers are distracters.

22. SSAA maintenance continues under which phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

Answer: D

Hint: Phase 4 involves ongoing review of the SSAA to ensure it remains current. The user representative, DAA, certifier, and program manager must approve revisions to the SSAA. On approval, the necessary changes to the mission, environment, and architecture are documented in the SSAA.

23. Change management is initiated under which phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

Answer: D

Hint: After an IS is approved for operation in a specific computing environment, changes to the IS and the computing environment must be controlled. While changes may adversely affect the overall security posture of the infrastructure and the IS, change is ongoing as it responds to the needs of the user and new technology developments. As the threats become more sophisticated or focused on a particular asset, countermeasures must be strengthened or added to provide adequate protection. Therefore, change management is required to maintain an acceptable level of residual risk.

24. How many levels of certification does NIACAP specify to ensure that the appropriate C&A is performed for varying schedule and budget limitations?

  1. Two
  2. Three
  3. Four
  4. Five

Answer: C

Hint: NIACAP has four levels of certification to ensure that the appropriate C&A is performed for varying schedule and budget limitations. To determine the appropriate level of certification, the certifier must analyze the system's business functions; national, departmental, and agency security requirements; criticality of the system to the organizational mission; software products; computer infrastructure; the types of data processed by the system; and types of users. The levels are as follows:

- Level 1 -- Basic Security Review
- Level 2 -- Minimum Analysis
- Level 3 -- Detailed Analysis
- Level 4 -- Comprehensive Analysis

25. What happens to the SSAA after the NIACAP accreditation?

  1. The SSAA becomes the baseline security configuration document.
  2. The SSAA is discarded as the project is finished.
  3. The SSAA cannot be reviewed or changed.
  4. The ISSO can revise the SSAA independently.

Answer: A

Hint: After accreditation, the SSAA becomes the baseline security configuration document. Phase 4 involves ongoing review of the SSAA to ensure it remains current. The user representative, DAA, and program manager must approve revisions to the SSAA. On approval, the necessary changes to the mission, environment, and architecture are documented in the SSAA.

26. Which policy document determines that all federal government departments and agencies establish and implement programs mandating the certification and accreditation (C&A) of national security systems under their operational control?

  1. DoD 8510.1-M, "Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual," July 31, 2000
  2. FIPS PUB 102, "Guidelines for Computer Security Certification and Accreditation," September 27, 1983
  3. NSTISS Instruction (NSTISSI) No. 1000, "National Information Assurance Certification and Accreditation Process (NIACAP)," April 2000
  4. NSTISS Policy (NSTISSP) No. 6, "National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems," 8 April 1994

Answer: D

Hint: NSTISSP No. 6 determines that all federal government departments and agencies establish and implement programs mandating the certification and accreditation (C&A) of national security systems under their operational control. These C&A programs must ensure that information processed, stored, or transmitted by national security systems is adequately protected for confidentiality, integrity, and availability.

27. Which assessment methodology below is a self-guided assessment implemented in a series of short workshops focusing on key organizational areas and conducted in three phases?

  1. Federal Information Technology Security Assessment Framework (FITSAF)
  2. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  3. Office of Management and Budget (OMB) Circular A-130
  4. INFOSEC Assessment Methodology (IAM)

Answer: B

Hint: Carnegie Mellon University's Software Engineering Institute (SEI) created the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). OCTAVE is a self-guided assessment implemented in a series of short workshops focusing on key organizational areas.

It is conducted in three phases:
1. Identify critical assets and the threats to those assets
2. Identify the vulnerabilities that expose threats
3. Develop an appropriate protection strategy for the organization's mission and priorities.

28. Which assessment methodology below is a 6-step comprehensive C&A guide?

  1. Federal Information Processing Standard (FIPS) 102
  2. Operationally Critical Threat, Asset, and Vulnerability Evaluation
  3. Federal Information Technology Security Assessment Framework
  4. INFOSEC Assessment Methodology (IAM)

Answer: A

Hint: The Federal Information Processing Standard (FIPS) 102, the Guideline for Computer Security Certification and Accreditation, is a comprehensive guide explaining how to establish a C&A program and execute a complete C&A.

FIPS 102 details a 6-step approach:
1. Planning
2. Data Collection
3. Basic Evaluation
4. Detailed Evaluation
5. Report of Findings
6. Accreditation

29. Which assessment methodology below was developed by the National Security Agency to assist both assessment suppliers and consumers?

  1. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  2. Federal Information Processing Standard (FIPS) 102
  3. Federal Information Technology Security Assessment Framework (FITSAF)
  4. INFOSEC Assessment Methodology (IAM)

Answer: D

Hint: The INFOSEC Assessment Methodology (IAM) is a detailed and systematic way of examining cyber vulnerabilities that was developed by the National Security Agency to assist both INFOSEC assessment suppliers and consumers requiring assessments. The IAM examines the mission, organization, security policies and programs, and information systems and the threat to these systems.

30. What is the order of phases in a DITSCAP assessment?

  1. Verification, Definition, Validation, and Post Accreditation
  2. Definition, Verification, Validation, and Post Accreditation
  3. Definition, Validation, Verification, and Post Accreditation
  4. Validation, Definition, Verification, and Post Accreditation

Answer: B

Hint: The DITSCAP phases are identical to the NIACAP phases:
- Phase 1, Definition
- Phase 2, Verification
- Phase 3, Validation
- Phase 4, Post Accreditation