FITSP-M Flashcards
SP 800-30, rev 1
Conducting Risk Assessments
SP 800-34
Contingency Planning Guide for Federal IT Systems
SP 800-37, rev 2
Applying RMF
SP 800-39
Managing Information Security Risk
SP 800-40 rev 3
Patch and Vulnerability Management Program
SP 800-41 rev 1
Firewalls and Firewall Policy
SP 800-45 rev 2
Guidelines on e-mail security
SP 800-47
Interconnecting IT systems
SP 800-50
IT Security Awareness and Training Program
SP 800-53, rev 4
Security Controls for Federal IT Systems
SP 800-53A, rev 4
Assessing Security Controls
SP 800-55, rev 1
Performance Measurement Guide for Information Systems
SP 800-60
Mapping Information types to Security Categories
SP 800-61, rev 2
Computer Security Incident Handling Guide
SP 800-66, rev 1
HIPAA
SP 800-70, rev 2
National Checklist Program
SP 800-83
Malware Incident Prevention and Handling
SP 800-92
Computer Security Log Management
SP 800-94
IDS/IPS (IDPS)
SP 800-100
Information Security Handbook: Managers
SP 800-115
Technical Guide Information Security Testing and Assessments
SP 800-122
Guide to Protecting Confidentiality of PII
SP 800-128
Configuration Management
SP 800-137
Continuous Monitoring (ISCM)
SP 800-144
Security and Privacy in Public Cloud Computing
FIPS 140-2
Cryptography
FIPS 180-4
Secure Hash Standard
FIPS 181
Automated Password Generator
FIPS 186-4
Digital Signature Standard
FIPS 190
Advanced Authentication
FIPS 191
LAN Security (Confidentiality, Integrity and Availability of the data)
FIPS 197
AES
FIPS 198-1
HMAC (Keyed-Hash Message Authentication Code)
FIPS 199
Security Categorization based on impact levels (low, moderate, or high)
FIPS 200
Minimum Security Requirements (Baselines)
FIPS 201-2
Personal Identity Verification PIV (smart cards)
HSPD-1
Creates Homeland Security Council and functions
HSPD-3
Homeland Security Advisory Team
HSPD-5
Management of Domestic Incidents
HSPD-7
(Replaced with PDD-21) Critical Infrastructure Identification/Priority/Protection
HSPD-8
National Preparedness
HSPD-12
Common Identification Standard for Federal Employees
HSPD-20
NSPD-51 National Continuity Policy / Continuity of government/operation.
HSPD-24
Biometrics for Identification for National Security
BOD 20-01
Develop and Publish a Vulnerability Disclosure Policy
BOD 19-02
Vulnerability Remediation Requirements for Internet-Accessible Systems
BOD 18-02
Securing High Value Assets
BOD 18-01
Enhance Email and Web Security
BOD 17-01
Removal of Kaspersky-branded Products
BOD 16-03
2016 Agency Cybersecurity Reporting Requirements
BOD 16-02
Threat to Network Infrastructure Devices
When a message is input to a hash algorithm, the output result is called a ____
Message digest
FIPS 199 = Standards for security categorization of federal systems puts systems into what 3 categories?
Low - Limited damage
Moderate - Serious damage
High - Severe / Catastrophic damage
SP800-60 established security impact levels for loss of what 3 information types?
Confidentiality (encryption, Access control)
Integrity (unauthorized modification = Hashing)
Availability (add redundancy, power, weather)
SP800-____ is a dictionary of all controls to choose from for your system.
SP800-60 Mapping information types to security categories.
___ and ____ provide a disciplined and standard process that integrates information security and risk management activities into the system development life cycle.
Risk Management Framework (RMF)
NIST SP800-37
Who is responsible for the information system?
Information System Owner
Who is responsible for the data on the system?
Information Owner
Who is responsible for the overall procurement of the system?
Program Manager
What does FedRAMP stand for?
Federal Risk Authorization Management Program
What are the 2 control documents?
SP800-53, SP800-53A
PII - the confidentiality impact level generally falls into the _____ range.
Moderate
What does SDLC stand for?
System Development Life Cycle
Risk Management is a process that requires organizations to do what 4 things?
FARM
Frame Risk, Assess Risk, Respond to Risk, Monitor Risk
NIST Control Families
There are how many control families?
What are the 3 categories the control families are put in?
18
4 Technical, 9 Operational, 5 Managerial
NIST SP
FIPS 200 mandates the use of SP800-_____
SP800-53
Organizations must employ all security controls in the respective security control baselines unless specific exceptions are allowed based on the tailoring guidance provided in NIST Special Publication
800-53.
A Security Control Assessment can only be _____ or ______.
satisfactory or other
_______ is a suite of specifications for organizing and expressing security-related information in standard ways, as well as related reference data, such as identifiers for software flaws and security configuration issues.
SCAP Security Control Automation Protocol
FedRAMP is the automation tool for bringing ______ and ____ into the accreditation process.
Cloud and Virtualization
RMF Step 1 Categorize Information System
The security categorization process is carried out by the _____ and ____.
Information System Owner and Information Owner/steward
What are the 3 levels of impact on organizations, operations, assets, or individuals?
Low - Limited
Moderate - Serious
High - Severe / Catastrophic
Continuous Monitoring Vocabulary
What does CAESARS stand for?
Continuous Asset Evaluation, Situational Awareness, and Risk Scoring = CAESARS
What is a dictionary of weaknesses that can lead to exploitable vulnerabilities?
Common Weakness Enumeration (CWE)
What complies with the National Vulnerability Database (NVD) and is the basis for automating all FISMA reporting?
SCAP - Security Control Automation Protocol
What are the 3 ways monitoring activities are recorded and reported?
Event driven
Time driven
Both
What are the five basic areas of the NIST Cybersecurity Framework?
Identify Protect Detect Respond Recover
The Security Assessment Report (SAR) contains a list of _____.
Vulnerability findings
Name the 3 types of authorizations.
Authority to Operate (ATO)
Denial of Authorization to Operate (DATO)
Interim Authorization to Test (IATT)
RMF Assess Security Controls
What are the 3 methods of assessment?
Testing
Interviewing
Examination
Name 3 roles that are assigned to government personnel only.
CIO
Risk Executive
Senior Information Security Officer
What are the 3 risk documents?
SP800-30
SP800-37
SP800-39
What are the 3 documents in a Security Authorization Package?
System Security Plan (SSP)
Security Assessment Report (SAR)
Plan of Action Milestones (POAM)
Security Categorization
{(Confidentiality), (Integrity), (Availability)}
What are the 7 RMF steps?
1 Prepare 2 Categorize 3 Select 4 Implement 5 Assess 6 Authorize 7 Monitor
Cyberscope = FISMA Compliance reporting
Agencies must send security data about their system how often?
Monthly
DHS operates ____ for computer-related incidents.
DHS oversees the implementation of the ____ initiative.
US-CERT - US Computer Emergency Readiness Team
Trusted Internet Connection (TIC)
OMB is the ____ agency and
DHS is the ____ agency for Cybersecurity Data and events.
OMB = reporting agency; DHS = gathering agency
3 steps to address security at a higher level.
Prevention
Reaction
Correction
The Information Technology Management Reform Act of ____ is also called __________.
What are the 4 requirements?
1996, Clinger-Cohen Act
CIO
OMB oversight
Enterprise Architecture
CPIC (Capital Planning and Investment Control)
What is FEA
Federal Enterprise Architecture
What is FISMA? When/how enacted?
Federal Information Security Management Act
enacted 2002 as Title 3 of E-Government Act of 2002
What are FIPS?
Federal Information Processing Standard
FISMA requires federal agencies to comply with the standards
What are SPs?
Special Publications
recommendations and guidance documents
What is NIST? and what does NIST issue?
National Institute of Standards and Technology
FIPS and SPs
OMB issues what 2 types of documents?
Circulars - good for 2 years
Memorandums - provide further explanations and guidance.
How long does OMB give you to report a PII breach? and who do you report it to?
1 hour
CERT (Computer Emergency Readiness Team)
What type of encryption is AES?
Symmetric
SP800-64
Security in SDLC
SP800-18
Developing System Security Plan
SP800-65
Integration of IT Security into the Capital Planning and Investment Control Process / Asset Management