SAPPC Example Questions Please note: Cyber items are indicated with a ** at the end of the practice test questions. 1. The ability for your Information Technology (IT) personnel to rapidly broadcast any changes to the various security controls is advantageous to your organization because of the wide variety of systems it uses. What type of control provide them the ability to do this?** a. Common Control b. Hybrid Control c. Machine Specific Control d. System Specific Control NIST SP 800-53 r4 (April 2013) ////17 Info Sec & Cyber 2. Security controls can be categorized as,, or. ** a. Common; hybrid; machine-specific b. Common; machine-specific; blended c. Common; system-specific; blended d. Common; system-specific; hybrid NIST SP 800-53 r4 (April 2013) ////14 Info Sec & Cyber 3. After you complete and submit a security controls proposal, your organizational leadership notes one of the selected controls exceeds the available budget and cannot be purchased. They would like you to review other similar, cheaper security controls, also known as a security control.** a. Compensating b. Countering c. Neutralizing d. Replacement CNSSI No. 1253 (March 27, 2014) //// Info Sec & Cyber SAPPC CPT Page 1
4. According to the Authorized Classification and Control Markings Register, the marking title -Gamma may be used with what other US markings? a. Top Secret, Secret, Confidential, Restricted b. Top Secret, Secret, Confidential c. Top Secret, Secret d. Top Secret 5200.01, Volume 2, March 19, 2013, page 11-12 Info Sec 5. Which statement below most accurately compares goals of cybersecurity to the goals of information security?** a. The goal of cybersecurity is to prevent damage to, protect, and restore computers, electronic communications systems, etc., including the information therein to ensure the information s availability, integrity, authentication, confidentiality and nonrepudiation; whereas, the goal of information security is to protect classified information and controlled unclassified information. b. The goal of cybersecurity is to prevent damage to, protect, and restore computers, electronic communications systems, etc., including the information therein to ensure the information s availability, integrity, authentication, confidentiality and non-repudiation; whereas, the goal of information security is to protect unclassified information such as proprietary information and trade secrets. c. The goal of cybersecurity is to protect controlled unclassified information residing in information systems; whereas, the goal of information security is to protect classified information and controlled unclassified information. d. The goal of cybersecurity is to protect classified information residing in information systems; whereas, the goal of information security is specifically to protect controlled unclassified information. 5200.01- V3; DoD Instruction 8500.01 March 14, 2014; National Security Presidential Directive 54 / Homeland Security Presidential Directive 23 Info Sec & Cyber SAPPC CPT Page 2
6. Which of the following is TRUE regarding debriefing in cases of unauthorized access? a. Debriefing is unnecessary if the unauthorized access was by a person with the appropriate security clearance. b. If the person involved is neither a member of a U.S. Government organization nor an employee of a U.S. Government contractor, the decision is much more situational. The key question is whether the debriefing shall have a positive effect on the person s ability or willingness to protect the information. c. In any case where the person to be debriefed may be the subject of criminal prosecution or disciplinary action, the individual must be debriefed. d. Debriefing is only required in cases where a damage assessment reveals that weapons systems or capabilities have been thoroughly compromised. DoD 5200.01, Volume 3, February 24,2012, Incorporating Change 2, March 19,2013 Info Sec 7. What is the security professionals role in pursuing and meeting cybersecurity goals? (Select the best response).** a. Security professionals are in all of these roles. b. The security professional s role includes supporting the personnel security program which validates personnel who perform both classified and unclassified duties on information systems. c. The security professional s role includes providing oversight and expert guidance related to the physical security of information systems and equipment. d. The security professional s role includes oversight of and expert guidance related to protection of classified and controlled unclassified information. This includes supporting measures to ensure such information s availability, integrity, authentication, and confidentiality when that information resides in an information system. DoD Instruction 8500.01 Cybersecurity; DoD Manual 5200.01 Volume 3 Info Sec & Cyber SAPPC CPT Page 3
8. How would an Original Classification Authority (OCA) conduct a damage assessment? a. The damage assessment would be conducted following a classification review, and will consist of an extensive examination of the details regarding the compromise in order to determine the effects on DoD programs, operations, systems, materials and intelligence. b. The damage assessment would be conducted prior to the classification review in order to examine the details regarding the compromise to determine the effects on the DoD programs, operations, systems, materials and intelligence. c. The damage assessment would be conducted immediately upon the discovery of compromise to reduce risk, minimize damage, and hinder further compromise. d. The damage assessment. DoDM 5200.01-V3 Info Sec 9. Classified information has been leaked and published on public media. Which of the following is NOT involved in conducting a damage assessment? a. The Original Classification Authority b. Subject Matter Experts c. Security Officials d. Assistant Secretary of Defense for Public Affairs DoDM 5200.01-V3 Info Sec SAPPC CPT Page 4
10.You just reviewed several classified documents related to the new initiative you are supporting. Kevin, a new employee, tells you that he is trying to get up to speed on relevant projects that he might be working on and asks that you provide him the documents. What do you do? a. Provide him copies of the documents so that you can keep your own copies. Make sure that he knows not to leave them out and to secure them at the end of the day. b. Check with your supervisor to ensure that Kevin s clearance have passed and that he is allowed access to documents classified at this level. c. Verify Kevin s need to know and his roles with his supervisor before allowing him access to the information. d. Give Kevin your copies since there should not be extra copies of the materials in the office. 5200.01, Volume 1, February 24, 2012, page 76,80 Info Sec SAPPC CPT Page 5
11. Who has overall responsibility for addressing incidents involving compromise of classified information resident on computers or in Information Technology (IT) systems?** a. Inquiries into and resolution of incidents involving compromising of classified information resident on computers or IT systems requires coordination with and assistance from the local cybersecurity officials, but the overall responsibility relies on the activity security manager. b. Inquiries into and resolution of incidents involving compromising of classified information resident on computers or in IT systems requires coordination with and assistance from the local cybersecurity officials Overall responsibility relies on the activity cybersecurity officials. c. Inquiries into and resolution of incidents involving compromising of classified information resident on computers or in IT systems requires coordination with and assistance from the local cybersecurity officials Overall responsibility relies on the system administrator. d. Inquiries into and resolution of incidents involving compromising of classified information resident on computers or in IT systems are the responsibility of the activity security manager and should never require coordination with or assistance from the local cybersecurity officials. DoDI 8500.01, March 14, 2014 DoD M 5200.01, V3 Info Sec & Cyber 12. Indicate in which of the following examples the security professional used the appropriate procedures for handling a potential compromise. a. The security officer reported a security incident when he realized that the security container s combination had been changed when required. b. The security officer conducted an in-depth investigation of the security infraction involving the inadvertent loss of classified materials. c. The security officer conducted an inquiry to determine whether or not unauthorized individuals got access to the missing classified materials. d. The security officer filed a copy of the reported security incident and worked with training to develop an awareness program about the incident. 5200.01, Volume 3, March 19, 2013, page 86 Info Sec SAPPC CPT Page 6
13. Indicate which of the following examples best describes when or why inquiries versus investigations are conducted. a. An in-depth investigation is always conducted when a security violation is reported. b. All security incidents involving classified information require a security inquiry, a security investigation, or both. c. When a security infraction is not believed to have resulted in a loss, an inquiry is not conducted. d. A security investigation is conducted at the lowest echelon possible in the DoD Component. 5200.01, Volume 3, March 19, 2013, page 86-87. Info Sec SAPPC CPT Page 7
14. Which of the following statements is correct? a. The Freedom of Information Act (FOIA) (5 U.S.C. 552, as amended), generally provides any person with the statutory right, enforceable in court, to obtain access to Government information in executive branch agency records. This right to access is limited when such information is protected from disclosure by one of FOIA s nine (9) statutory exemptions. It is essential that the public be informed concerning the activities of its Government, but the interests of the United States and its citizens require that certain information concerning the national defense and foreign relations be protected against unauthorized disclosure. b. The Freedom of Information Act, (FOIA) (5 U.S.C. 552, as amended), generally provides any U.S. Citizen with the statutory right, enforceable in court, to obtain access to Government information in any U.S. Government records. This right to access is limited when such information is protected from disclosure by one of FOIA s nine statutory exemptions. It is essential that the public be informed concerning the activities of its Government, so an individual may be granted a Limited Access Authorization to obtain access to classified information related to a FOIA request. c. The Freedom of Information Act (FOIA) (5 U.S.C. 552, as amended), generally provides any U.S. Citizen with the statutory right, enforceable in court, to obtain access to Government information in executive branch agency records. This right to access is unlimited. When classified information is included in a FOIA request the request must be processed by a U.S. District Court which releases the information only to the individual requester who is required to sign a nondisclosure agreement. d. The Freedom of Information Act (FOIA) (5 U.S.C. 552, as amended), generally provides any person with the statutory right, enforceable in court, to obtain access to Government information in executive branch agency records. It is essential that the public be informed concerning the activities of its Government, but the interests of the United States and its citizens require that certain information concerning the national defense and foreign relations be protected against unauthorized disclosure. Executive Order 13526 Classified National Security Information specifically exempts classified information from the provisions of the FOIA. 5200.01, Volume 1, February 24, 2012, page 46 Info Sec SAPPC CPT Page 8
15. A new piece of equipment that will protect personnel from improvised explosive devices (IEDs) while riding in vehicles has been provided to your organization. The fact that this equipment exists is classified CONFIDENTIAL. Certain aspects of the internal design of this equipment are classified SECRET. Mechanics from your organization who have SECRET personnel clearances will install and repair the new equipment in all vehicles used by your organization. Which of the following is the most appropriate application of need-to-know? a. The mechanics need to know the fact that the equipment exists and design information that is relevant to how the equipment is installed. b. The mechanics only need to know the fact that the new equipment exists and they must not have access to design information. c. The mechanics need to know all design and technical information about the equipment. d. Mechanics from your organization may not be used to install the new equipment because they do not have a need-toknow designation. E.O. 12968 DoD 5200.2R Info Sec SAPPC CPT Page 9
16. When a spillage of classified information onto an unclassified information system has occurred, who should be included on a team formed to conduct a formal inquiry?** a. The team should include the Information Assurance Manager/Information System Security Manager/ Information equivalent, Activity Security Manager, information owner, responsible Incident Response Center (IRC), and others as appropriate. b. The formal inquiry should be conducted exclusively by the responsible IRC. c. The team should include the Information System Security Manager, Activity Security Manager, and cleared employees who were involved in the incident. d. The information owner determines who should be included on the team. CNSS Instruction 1001 Info Sec & Cyber 17. Which of the following best describes the roles of the International Program office and the Foreign Disclosure Officer (FDO)? a. An International Programs office manages and implements International Security Assistance programs, Cooperative Development programs, and Technology Security policy. A FDO categorizes and is the approval authority for the release of military information to foreign government representatives. b. A FDO is always an official within an International Programs office. c. An International Programs office is the approval authority for the release of military information to foreign government representatives and a FDO manages International Security Assistance programs. d. An International Program office is typically within a deployed military unit and a FDO is typically located within headquarters of a Major Command. International Programs Security Handbook found at http://www.iscs.dsca. mil/documents/ips/ HandbookCover_04152010. pdf Understanding Foreign Disclosure found at https:// www.army.mil/article/28810/ Security_awareness Understanding_foreign_ disclosure/ Info Sec SAPPC CPT Page 10
18. Senior and executive-level subject matter experts within your organization have identified specific information related to vulnerabilities of your installation which they say must remain classified beyond the declassify on date. Disclosure of this information would lead to mission failure, causing serious damage to national security. As the security professional for the organization, what steps should you take? a. Challenge the classification guidance, with the support of the Original Classification Authority. b. Inform your superiors that the information must be declassified as indicated on the declassify on line and there is nothing they can legally do to prevent this. c. Change the declassify on line on all documents containing this information to Original Agency Determination Required (OADR). d. Advise the subject matter experts that they must develop different methods of operation that are not dependent upon protection of this particular information. CDSE Course: Derivative Classification Info Sec 19. In the process of derivative classification individuals should only use authorized sources of classification guidance. Which of the following is NOT an authorized source of classification guidance: a. Advice from a subject-matter expert based on prior experience. b. Security Classification Guides (SCG) c. Properly marked source documents d. Department of Defense (DD) Form 254 (for Contractors) CDSE Derivative Classification Training Job aid Info Sec SAPPC CPT Page 11
20. What is the difference between classification markings of national security information and control markings specified by the Controlled Access Program Coordination Office (CAPCO)? a. Classified national security information is marked Confidential (C), Secret (S), or Top Secret (TS) to identify the level of damage to national security which would be caused by unauthorized disclosure of the information; while control markings specified by CAPCO consist of nine categories of markings including the overall classification level plus guidance on dissemination controls, sensitive compartmented information (SCI) control systems, other controls and declassification. b. Classification markings include Confidential (C), Secret (S), and Top Secret (TS) to identify the level of damage to national security which would be caused by unauthorized disclosure of the information; while control markings specified by CAPCO specify protection required for controlled unclassified information (CUI). c. Classification markings use only upper case letters; while CAPCO control markings use a combination of upper and lower case letters. d. Classified national security information is marked Confidential (C), Secret (S), or Top Secret (TS) to identify the level of damage to national security which would be caused by unauthorized disclosure of the information; while control markings specified by CAPCO apply only to foreign government information. CDSE course Derivative Classification DoD Manual NUMBER 5105.21, Volume 1 October 19, 2012 Intell commun authorized class vol. 5 addition 1 2011 updated March 2012 (capco DC office) Info Sec SAPPC CPT Page 12
21. A Senior Executive in your organization who is designated as an Original Classification Authority has asked you for guidance regarding what level of classification should be applied to a particular item of information about a new piece of military equipment. The equipment would be ineffective if an adversary had knowledge of this item of information. The Senior Executive states that this would cause serious damage to national security possibly including loss of life of U.S. military service members. What level of classification should be applied to this information? a. Secret b. Top Secret c. Confidential d. Controlled Unclassified Information Executive Order 13526 Info Sec SAPPC CPT Page 13
22. Secret information may NOT be stored by which of the following methods? a. In an open storage area without supplemental controls, provided the senior agency official determines in writing that security-in-depth exists. b. In the same manner as prescribed for Top Secret information c. In a General Services Administration (GSA)-approved security container or vault built to FED-STD 832 specifications, without supplementary controls. d. In an open storage area meeting the requirements of the Appendix to Enclosure 3 of DoD Manual 5200.01, provided the senior agency official determines in writing that security-in-depth exists, and an IDS with the personnel responding to the alarm arriving within 30 minutes of the alarm annunciation. DoD Manual 5200.01 Volume 3 Info Sec 23. When providing classification assistance and when reviewing proposed Internet postings, how should a security professional regard unclassified information that is related to a classified system or operation?** a. The security manager should consider the potential for creation of classified compilations. b. The security manager should recognize and respect a clear delineation between the classified and unclassified information and never impose restrictions on dissemination of unclassified information. c. When compilation of unclassified items of information has the potential to reveal classified information, those items should be classified and protected at the level of the classified information. d. A security manager should focus on classified information as identified in a classification guide and avoid being distracted by unclassified information related to the system or operation. Enclosure 5 of DoD M 5200.01 Vol 3 Info Sec & Cyber SAPPC CPT Page 14
24. Which of the following statements accurately compares and contrasts a preliminary inquiry related to unauthorized disclosure of classified information to/from a counterintelligence (CI) inquiry? a. A preliminary inquiry focuses on addressing key questions such as when, where and how did an incident occur, who was involved and was classified information inappropriately disclosed; while the goal of the CI inquiry is to establish or refute a reasonable belief that a particular person is acting for or on behalf of, or an event is related to, a foreign power engaged in spying or committing espionage, sabotage, treason, sedition, subversion, assassinations, or international terrorist activities. b. A preliminary inquiry is the first step in conducting a CI inquiry. c. A preliminary inquiry is to establish or refute a reasonable belief that a particular person is acting for or on behalf of a foreign power engaged in spying or committing espionage, sabotage, treason, sedition, subversion, assassinations, or international terrorist activities; while the goal of a CI inquiry is to determine if the information involved in the incident was classified. d. Any cleared employee or supervisor may conduct a preliminary inquiry; however, only a certified security specialist or CI agent is authorized to conduct a CI inquiry. DoD Directive 5210.50 July 22, 2005 DoD Directive 5210.50 October 14,2014 Info Sec 25. Continuous evaluation assesses an individual s continuous reliability and trustworthiness by all of the following requirements, EXCEPT: a. Conducting performance assessments of cleared personnel. b. Reporting all change conditions about cleared personnel. c. Conducting periodic reinvestigations. d. Discovering incidents that may impact continued clearances. 5200.2-R, February 23, 1996 Pers Sec SAPPC CPT Page 15
26. Which of the following adjudication processes refers to a person s identifiable character traits and conduct sufficient to decide whether employment or continued employment would or would not protect the integrity or promote the efficiency of the Federal service? a. HSPD 12 credentialing b. National security adjudication c. Suitability adjudication d. Continuous evaluation 5200.2-R, February 23, 1996 Pers Sec 27. Under what circumstances can a non-u.s. citizen be granted Limited Access Authorization (LAA), allowing him or her to have access to U.S. Secret classified information while employed by a cleared DoD contractor? a. If the government contracting activity (GCA) concurs, a LAA may be granted in those rare circumstances where the non- U.S. citizen possesses unique or unusual skill or expertise that is urgently needed to support a specific U.S. Government contract involving access to specified classified information and a cleared or clearable U.S. citizen is not readily available. b. Non-U.S. citizen contractor employees may never be granted authorization to have access to U.S. classified information. c. A LAA may only be granted when the contractor is supporting a U.S. contractor working in the individual s country of origin. d. Non-U.S. citizens may be granted access to U.S. classified information in exactly the same way that cleared U.S. citizens are granted access as long as they have a need to know the classified information. NISPOM 2-209 and 2-210 DOD5200. Pers Sec SAPPC CPT Page 16
28. Which phrase most accurately completes this statement? Discretionary judgements used to determine eligibility for national security positions. a. Are an inherently governmental function and shall be performed by appropriately trained and favorably adjudicated Federal Government personnel and appropriate automated procedures. b. May be performed by appropriately trained and favorably adjudicated Federal Government personnel or employees of contractors in the National Industrial Security Program. c. Are made only by local commanders or management officials d. Are made only by use of automated procedures. DoD Instruction 5200.2 (para 3 c) Pers Sec 29. Which of the following statements is NOT correct? a. An individual who has received mental health counseling is not eligible to have access to national security information. b. Mental health counseling may be a positive factor that, by itself, shall not jeopardize the rendering of eligibility determinations or temporary eligibility for access to national security information. c. Mental health counseling, where relevant to adjudication for a national security position, may justify further inquiry to assess risk factors that may be relevant to the DoD Personnel Security Program. d. No negative inference may be raised solely on the basis of mental health counseling. DoD Instruction 5200.2 (para 3 d) Pers Sec 30. Which factors may be considered in an adjudication in the DoD Personnel Security Program? a. Personnel security criteria and adjudicative standards described in Executive Order 12968, Access to Classified Information, August 2, 1995, as amended. b. The applicant, who is a U.S citizen, was born in Iran. c. The applicant s sex (gender) and sexual orientation. d. Time in grade as a Federal government employee. DoD Instruction 5200.2 (para 3 e) Pers Sec SAPPC CPT Page 17
31. Identify if temporary eligibility for access to classified information (collateral) can be granted prior to completion of the investigative and adjudicative process. a. Based on exceptional circumstances where official functions must be performed prior to completion of the investigative and adjudicative process, temporary eligibility for access to classified information may be granted while the investigation is underway. b. Temporary eligibility for access to classified information may not be granted under any circumstances. c. Temporary eligibility for access to classified information is always granted prior to completion of the investigative and adjudicative process. d. Temporary eligibility for access to classified information is granted whenever issues are present which may lead to denial of access because these issues may prolong the investigative and adjudicative process. DoD Instruction 5200.2 (para 3 i) Pers Sec 32. When taking electronic fingerprints of the applicant for a personnel security investigation, what should you avoid doing? a. Using a hand lotion or moisturizing substance. b. Checking that the electronic fingerprint machine is properly calibrated. c. Correctly entering all required data. d. Making rolling prints from nail to nail. How to Take Successful Electronic Fingerprints video from CDSE website Pers Sec SAPPC CPT Page 18
33. When completing a Questionnaire for National Security Positions, Standard Form 86 (SF 86), detailed information requested may be difficult for an applicant to provide. Which of the following will result in timely and accurate processing of the SF 86? a. Gaps in employment and / or residence should be explained in the remarks section. b. Include dashes and parenthesis when entering telephone numbers. c. If information is not available or not applicable, leave the field blank. d. List current spouse only and never provide information about a former spouse. Job aid from CDSE website How to Complete Standard Form 86 (SF86) Questionnaire for National Security Positions Pers Sec SAPPC CPT Page 19
34. Joint Clearance and Access Verification System (JCAVS) indicates that an employee is eligible to have access to TOP SECRET (TS) information based on the investigation and favorable adjudication that was completed one year ago while she was employed by the U.S. Army. She now works for your organization in a position where she will routinely need access to SECRET information to do her job. She does not need access to TS for her current position. What level of access should be entered in JCAVS based on her position in your organization? a. SECRET, because this is the highest level of access that she is expected to need to do her current job. b. TOP SECRET, because she still has TS eligibility and this will allow her to be considered for other positions that may become available within your organization. c. Access must not be granted in her new position until a new personnel security investigation is completed. d. JACAVS records should continue to show the TS access granted during her former period of employment and local security records should reflect that her access has been temporarily downgraded based on her current duties. DoD Instruction 5200.02 March 2014 Pers Sec SAPPC CPT Page 20
35. Identify if a non-u.s. citizen can be granted access to classified information in support of a DoD program. a. A non-u.s. citizen who possesses expertise that cannot be filled by a cleared or clearable U.S. citizen may hold a sensitive position or be granted a limited access authorization to classified information in support of a specific DoD program, project, or contract following a favorable security determination by an authorized adjudication facility. b. A non-u.s. citizen is entitled access to classified information following a favorable security determination just as a U.S. citizen would be to allow fair competition in the DoD workforce. c. A non-u.s. citizen may not be granted access to classified information in support of a DoD program under any circumstances. d. A non-u.s. citizen can hold a sensitive position or be granted a limited access authorization to classified information in support of a DoD program only if there is a cleared U.S. citizen with expertise who can backfill the position if the non-u.s. citizen returns to his country of origin. DoD Instruction 5200.2 (para 3 j) Pers Sec 36. Under what circumstances may a person be appointed or assigned to a national security position when an unfavorable personnel security determination has been rendered? a. No person shall be appointed or assigned to a national security position when an unfavorable personnel security determination has been rendered. b. When the person is appointed to the position by the President, Secretary of Defense, or their designee. c. When the person has unique knowledge or skills that are needed to perform tasks required for success of a mission and no other qualified person is available to perform those tasks. d. When the person has formally requested to appeal the unfavorable personnel security determination. DoD Instruction 5200.2 (para 3 h) Pers Sec SAPPC CPT Page 21
37. Under what circumstance may a person be deemed to be eligible for a national security position? a. Eligibility for national security positions shall be granted only to persons who are U.S. citizens for whom the investigative and adjudicative process has been favorably adjudicated. b. Merely by reason of Federal service or contracting, licensee, certificate holder, or grantee status. c. Merely as a matter of right or privilege. d. Merely by reason of the person holding a particular title, rank, position, or affiliation. DoD Instruction 5200.2 (para 3 g) Pers Sec 38. Eligibility determinations and employee clearance records can be found in which of the following? a. Industrial Security Facility Database (ISFD) b. Defense Information System for Security (DISS) c. Electronic Questionnaires for Investigations Processing (e-qip) system d. Joint Worldwide Intelligence Communications System (JWICS) DoDM 5200.02, April 3, 2017 Pers Sec 39. What controls are required for keys and combinations protecting arms, ammunition and explosives (AA&E)? a. Keys and combinations to AA&E storage areas shall be retained separately from other keys and combinations. b. Keys and combinations to AA&E storage areas shall be retained with other keys and combinations used on the installation. c. Locks with keys are never authorized to secure AA&E storage areas. d. Keys and combinations to AA&E storage areas must be controlled at a level equivalent to Top Secret material. A Physical Security Technology Newsletter, Issue 29 (DoD Lock Program) DoDM5100.76 Phys Sec SAPPC CPT Page 22
40. Which of the following statements does NOT accurately reflect DoD and national policy on locks? a. Locks which are used to protect classified information may also be used to protect conventional arms, ammunition and explosives (AA&E). b. Combination locks that meet requirements of DoDM 5200.01, Volumes 1-4, DoD Information Security Program or DoD 5220.22-M, National Industrial Security Program Operating Manual may be used to protect classified information. c. Security containers used to store and protect classified information must be approved by GSA (General Services Administration). d. The Director of National Intelligence (DNI) is responsible for setting security standards for sensitive compartmented information facilities (SCIF). DoDM 5200.01, Volumes 1-4, DoD Information Security Program DoD 5220.22-M, National Industrial Security Program Operating Manual A Physical Security Technology Newsletter, Issue 29 (DoD Lock Program) DoDM5100.76 Phys Sec 41. Which of the following best defines critical information as used in Operations Security (OPSEC)? a. An adversary with intentions and capability to obtain your organization s critical information and use that information to cause harm to your organization or to prevent your organization from mission success. b. Information (usually unclassified) about your organization or operations that could be used by an adversary to cause harm to your organization or prevent your organization from mission success. c. A weakness that may lead to loss or compromise of critical information. d. Information about your program that is classified. JP-3-13.3, January 24, 2012, III-3-III-6 Phys Sec SAPPC CPT Page 23
42. Which of the following accurately describes the difference between Point and Area security? a. Point security countermeasures protect areas requiring a lower level of security; Area security countermeasures protect areas requiring a high level of security. b. Point security countermeasures protect people, information, and activities and operations; Area security countermeasures protect equipment and facilities. c. Point security countermeasures protect small areas or specific assets; Area security countermeasures protect large areas or multiple assets. d. Point security countermeasures include active measures such as manned visitor entries and electronically operated gates at entry checkpoints; Area security countermeasures include passive measures such as intrusion detection systems (IDS) and lighting. 5200.08-R, May 27, 2009 Phys Sec SAPPC CPT Page 24
43. Two Security Professionals, Chris and Jo, are discussing the use of identification systems to control access to facilities. Chris says that once DoD Civilian Personnel, DoD Civilian Contractors and DoD Military Personnel possessing a DoDissued common access card (CAC) are vetted through DoD Personnel Security Standards they are considered identity proofed. a. Chris is correct b. Jo is correct c. Both Chris and Jo are correct d. Both Chris and Jo are incorrect DTM 09-012, December 8, 2009 Phys Sec Jo says DoD-issued card holders are identity proofed at card issuance sites based on federally authorized identity documents. Who is correct? SAPPC CPT Page 25
Scenario 1 (Items 44 and 45 are based on this scenario). Jo, an architectural engineer, has developed a blueprint for a new four-story government building with a Special Access Program Facility (SAPF) on the first floor. The blueprint Jo sent over for review is for the first floor of the building. The blueprint includes the following qualities: Floor-to-ceiling windows on the first floor for the lobby that are covered with material to protect from forced entry; blinds on those windows can be closed from the inside, The ceilings in the SAPF are made of plaster, Front open swinging doors are covered with material to protect the SAPF from forced entry with a deadbolt; vault that includes a General Services Administration (GSA)-approved combination lock, An alarm control unit, A parking lot containing handicap-accessible ramps and sidewalks. 44. Please determine if the following statement is True or False. Since the windows are covered with material to protect from forced entry, the blinds are not necessary. a. True b. False DoDM 5200.01-V3, February 21, 2012 Phys Sec 45. Please determine whether the following statement complies with policy, does not comply with policy, or there is not enough information to make a determination. Since access to the SAPF is from inside the building, the doors are constructed of heavy glass. a. This is according to policy b. Does not comply with policy c. There is not enough information DoDM 5200.01-V3, February 21, 2012 Phys Sec SAPPC CPT Page 26
46. What is the role of the government contracting activity (GCA), or cleared prime, when a contractor that does not have a Facility Clearance (FCL) wants to bid on a Request for Proposal (RFP) that requires access to classified information? a. The GCA must issue a formal letter rejecting the contractor s bid due to the fact that the contractor does not have the requisite FCL b. The contractor must submit a sponsorship letter to GCA, which will then decide whether to allow the contractor to bid on the contract. c. The GCA or cleared prime contractor must sponsor the contractor for a facility security clearance by submitting a sponsorship letter to DSS, which will then allow the contractor to bid on the contract. d. The GCA must ensure that the owners and upper management of the contractor s facility first take the Industrial Security Facilities Database (ISFD) user course before the contractor can be permitted to bid on the contract. DOD 5220.22- R, December 4, 1985 5220.22-M, February 28, 2006 Indus Sec 47. The Defense Acquisition System is governed according to which of the following policies? a. Supervision; control; care; and management b. Confidentiality; integrity; availability; authentication; and nonrepudiation c. Flexibility; responsiveness; innovation; discipline; and streamlined and effective management d. Maturity; discretion; and trustworthiness DoDD 5000.01 ori. 2003 Nov 2007 Ch4.3 Policy Indus Sec SAPPC CPT Page 27
48. All of the following are vulnerabilities that motivate the need to include security as a requirement for contracts involving sensitive information, EXCEPT: a. Failure to report security incidents. b. Lack of adherence to marking, handling, storage, transmission, and destruction requirements. c. Desire of foreign actors to commit economic espionage and steal classified information under the contract. d. Failure to properly train employees working on the contract. 5220.22-M February 28, 2006, page #7-1-1 Indus Sec 49. Which of the following documents the agreement between the U.S. government and a cleared contractor in which the contactor agrees to maintain a security program in compliance with the National Industrial Security Program Operating Manual (NISPOM) and the government agrees to security guidance and program oversight? a. DD Form 254 b. Security Classification Guide (SCG) c. DD Form 441 d. Request for Proposal (RFP) 5220.22-M, February 28, 2006 DOD 5220.22- R, December 4, 1985 Indus Sec SAPPC CPT Page 28
50. According to clause 252.204-7009 of the Defense Federal Acquisition Regulation Supplement (DFARS), which of the following must be included in solicitations and contracts for the purpose of protecting controlled unclassified information (CUI)? a. A derivative marking identifying the contract as one which will require access to CUI. b. A paragraph or clause prohibiting the contracting activity from using CUI in the performance of future contracts. c. A statement emphasizing that such information remains unclassified and therefore is required to be declassified under any Freedom of Information Act (FOIA) request. d. A non-disclosure of information clause that prohibits release of unclassified information to the public without approval of the contracting activity. Contract clauses ACQ OSD.mil Indus Sec 51. When a Cognizant Security Agency (CSA)- designated database is not available, what must a visit authorization letter include? a. The visitor s social security number b. The individual s nationality c. The individual s name, date and place of birth and citizenship d. A professional reference for the individual DOD 5220.22- R, December 4, 1985 5200.2-R, February 23, 1996, Indus Sec 52. Which of the following personnel is not required to have a personnel security clearance cleared to the level of the facility clearance? a. The senior management official b. The Facility Security Officer c. The Contracting Officer d. The Insider Threat Program Senior Official DOD 5220.22- R, December 4, 1985 Indus Sec SAPPC CPT Page 29
53. During fiscal year 2015, foreign collectors continued to work to erode U.S. economic and military advantages through the theft of cleared industry s investment in expensive research and development efforts. These collectors applied the complete spectrum of collection methods in order to identify and exploit vulnerabilities in cleared industry s security measures. Top methods of operation reported to Defense Security Service by cleared contractors in 2015 were: a. Academic solicitation, foreign persons seeking employment, attempted illegal acquisition of technology, requests for information, and suspicious computer network activity. b. Seduction, sexual solicitation and blackmail. c. Solicitation based on ethnic background or national origin. d. Surveillance using technical means such as cameras with long-range lens, powerful microphones, hidden cameras and microphones, etc. DSS 2016 edition Technology Collection Trends Indus Sec 54. Security professionals can play a role in the counterintelligence community landscape by helping to do which of the following? a. Eliminate the targeting of DoD assets by Foreign Intelligence Entities (FIEs). b. Increase budgetary allocation for specific agencies. c. Enhance the commercial advantage of U.S. security-related technology. d. Deter foreign intelligence collection by increasing, risk, cost, and delay. DoDD 5240.02 March 17, 2015 Gen Sec SAPPC CPT Page 30
55. Which of the following is NOT a responsibility of the compliance inspector within the DoD Security Program? a. Prepare and provide an inspection report. b. Educate the activity about policy and policy changes. c. Conduct Staff Assistance Visits (SAVs). d. Evaluate individual DoD Component activities and the DoD Component as a whole with respect to the implementation of the information security program established in accordance with the Manual requirements. 5220.22-M, February 28, 2006 Gen Sec 56. What is an Operations Security (OPSEC) indicator? a. An OPSEC indicator is any detectable activity and/or information that, when looked at by itself or in conjunction with something else, allows an adversary to obtain critical or sensitive information. b. An OPSEC indicator is any detectable activity and / or information that, when looked at by itself or in conjunction with something else, allows an adversary to obtain unauthorized access to classified information. c. An OPSEC indicator is evidence that an installation or organization has a sound and effective OPSEC program. d. An OPSEC indicator is any information that allows an OPSEC officer to identify the intentions and capabilities of an adversary. OPSEC Professional s Association training material found at: https://www.slideshare. net/departmentofdefense/ opsec-vulnerabilities-andindicators IOSS training material, DoD 5205.02 M OPSEC Manual SAPPC CPT Page 31
57. What is the purpose of the Foreign Visitor Program? a. To provide adjudication for granting non-u.s. citizens access eligibility to classified information, provided access remains limited to only the approved program or project. b. To track and approve access by a foreign entity to information that is classified; and to approve access by a foreign entity to information that is unclassified, related to a U.S. Government contract, or plant visits covered by International Traffic in Arms Regulations (ITAR). c. To ensure that cleared facilities (FCL) have the appropriate physical security measures in place to prevent unauthorized access during facility visits by foreign delegations. d. To identify and mitigate unauthorized network intrusion by foreign intelligence entities (FIEs) and terrorist groups. 5240.26 May 4, 2012 Gen Sec 58. As part of Operations Security (OPSEC), a program coordinator should use which of the following tools to assess assets as part of the risk management process for critical information? a. Critical Information List b. Threat vulnerability matrix c. Risk Rating Table d. Security Classification Guide 5200.39, December 28, 2010 Gen Sec 59. What tool can a security professional use to identify the types of DoD assets requiring protection as part of a physical security program? a. People, Information, Equipment Facilities, Activities Operations (PIE-FAO) acronym b. Threat-assessment rating scale c. Risk assessment formula d. Security-in-depth model 5200.08-R, May 27, 2009 UFC 4-010-01 February 9, 2012 Gen Sec SAPPC CPT Page 32
60. Which of the following accurately describes the relationship between threats and vulnerabilities as it relates to the protection of DoD Assets? a. If an Asset has a Vulnerability that is mitigated by countermeasures, a Threat is more likely to be able to compromise the Asset. b. The likelihood that the Asset will be compromised is determined by the ability of the Vulnerability to exploit the Threat. c. Threats are weaknesses that a Vulnerability can exploit to compromise an Asset. d. Vulnerabilities are weaknesses that a Threat can exploit to compromise an Asset. 5200.08-R, May 27, 2009 Gen Sec 61. In order to conduct a thorough Operations Security (OPSEC) threat analysis, all of the following questions must be answered EXCEPT: a. Who is the adversary, and what is their intent and capability? b. What are the adversary s goals? c. Who is the adversary targeting and how? d. What tactics does the adversary use? e. What does the adversary already know about the unit s mission; what critical information has already been exposed and is known by the adversary? JP-3-13.3, January 24, 2012 5205.02-M, November 3, 2008 Gen Sec 62. Procedural controls which are baseline requirements for DoD information systems include which of the following?** a. Information System (IS) user agreements b. Wireless access c. Removable media d. Printers are required to be capable of producing hardcopy of all classified information DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 12, 2014 Committee on National Security Systems Instruction 1253, Security Categorization and Control Selection for National Security Systems, March 15, 2012, as amended Gen Sec SAPPC CPT Page 33
63. Organizational leadership recently stated their desire to include Security Awareness training into their employees annual training plans. You propose the idea of a single training for all employees and additional practical exercises for specific identified personnel. What security control would include the practical exercise portion of the training?** a. Practical Application Training b. Role-based Security Training c. Scenario-based Security Training d. Situation-based Security Training NIST SP 800-53 r4 (April 2013) ////F-38 Gen Sec & Cyber 64. Which of the following is NOT a security discipline that supports risk management by providing programs to deter, detect, and delay threats to DoD assets? a. Public security b. Operational security c. International security d. Industrial security DoD 5200.08- R, May 27, 2009 Gen Sec 65. Two Security Professionals, Chris and Jo, are discussing mission assurance roles and responsibilities. Chris says the Director, Defense Intelligence Mission Assurance Office (DIMAO) conducts assessments to validate the completeness, readiness, and effectiveness of mission assurance programs, plans, and capabilities. a. Chris is correct b. Jo is correct c. Both Chris and Jo are correct d. Both Chris and Jo are incorrect DoDI 3020.39, March 2, 2015 Gen Sec & Cyber Jo says the DIMAO leads the office of primary responsibility (OPR) for the development and coordination of mission assurance policies and guidance for the Defense Intelligence Enterprise (DIE) and interagency, departmental, and intelligence community (IC) counterparts. Who is correct?** SAPPC CPT Page 34