SPeD SFPC (Security Fundamentals Professional Certification) Exam Test Bank 2025-2026. Questions & Correct Verified Answers. Graded A

Exams of Security Analysis

Typology: Exams

2024/2025

Available from 07/17/2025

wilfred-mburu

SPeD SFPC (Security Fundamentals Professional Certification) Exam Test Bank 2025-2026. Questions & Correct Verified Answers. Graded A

"Contained in" - ANS Applied when derivative classifiers incorporate classified information from an authorized source into a new document, and no additional interpretation or analysis is needed to determine the classification of that information

3 levels of classification - ANS
TS - grave damage to national security
S - serious damage to national security
C - damage to national security

32 CFR Parts 2001 & 2003, "Classified National Security Information; Final Rule" - ANS Information Security Oversight Office (ISOO) document that governs the DoD Information Security Program

4 Declassification Systems - ANS
Scheduled - instructions assigned by the OCA are followed by date or event
Automatic - set up through EO 13526; applies to records that have "historical value" under Title 44 of US Code; Dec 31st of year 25 years from original classification; 9 categories of exceptions
Mandatory - the declassification system where the public can ask for classified information to be reviewed for declassification and public release

Systematic - permanently valuable classified records are reviewed for declassification after they reach a specific age; information exempted from automatic declassification is reviewed for possible declassification

5 Requirements of Derivative Classification - ANS
  1. Observe and respect the OCA's original classification determination
  2. Apply the required markings
  3. Only use authorized sources
  4. Use caution when paraphrasing
  5. Take appropriate steps to resolve any doubts

6 steps to OCA decision process - ANS
Gov't Info - Determine if the information is official government information or whether it has already been classified by another OCA
Eligibility - determine if the information is eligible for classification (not a smokescreen)
Impact/harm - determine if there is potential for damage to national security if release occurs
Designation - assign a level of classification
Duration - determine duration of classification
Guidance - communicate decision via SCG or properly marked source document

A SAP can retain security cognizance, if necessary. - ANS True

ANACI - ANS Initial investigation for civilians: Noncritical-sensitive positions, Confidential and Secret clearance eligibility, IT-II duties

Briefly describe the purpose of the DD Form 254 - ANS Convey security requirements, security classification guidance, and provide handling procedures for classified materials received and/or generated on a classified contract.

Chapter 8 of the NISPOM - ANS If you are a government contractor working on a contractor-owned system at a contractor facility, you must follow the security provisions of this reference

Classification - ANS Determination that information requires protection in the interest of national security. Either original or derivative

Classified Information - ANS Requires protection from unauthorized disclosure. To be eligible - must be official government information that is owned by, produced by, produced for, or under the strict control of the US government

Closed Circuit Televisions (CCTV) - ANS This system has a camera that captures a visual image, converts the image to a video signal, and transmits the image to a remote location

Combination padlock - ANS Lock that complies with UL Standard 768 - Group 1

Communications Security (COMSEC) - ANS Protection resulting from the measures designed to deny unauthorized persons information of value that might be derived from the possession and study of telecommunications and to ensure the authenticity of such communications.

Compilation - ANS Combining elements of information that are individually unclassified may be classified if the compiled information reveals an additional association or relationship that qualifies for classification under DoD policy. OCAs designate when and what types of information are classified through compilation. Explain the basis for classification by compilation on the face of the document or in the text. Mark each portion individually according to its classified content

COMSEC - ANS Crypto, emission, transmission, physical security. Protect telecommunications. Deny unauthorized persons information of value. Ensure the authenticity of communication. National Security Telecommunication and Information Systems Security Instruction (NSTISSI) No. 4001

Construction requirements for vault doors - ANS
  1. Constructed of metal
  2. Hung on non-removable hinge pins or with interlocking leaves.
  3. Equipped with a GSA-approved combination lock.
  4. Emergency egress hardware (deadbolt or metal bar extending across width of door).

CPI (Critical Program Information) - ANS Includes both classified military information and controlled unclassified information. Needs to be protected from unauthorized or inadvertent destruction, transfer, alteration, or loss. Compromise of critical program information can significantly alter program direction, shorten combat effective life of the system, or require additional research, development, test, and evaluation resources to counter impact of its loss. DoD 5200.

Custodian - ANS Someone who is in possession of and charged with safeguarding classified information. Required to verify clearance eligibility, access level, NTK and SF- completed before providing to another person

Custodians - ANS People who are in possession of, or who are otherwise charged with, safeguarding classified information.

DCII - ANS System of record for fraud investigations

DD Form 2501 - ANS Courier Authorization Card

DD Form 254 - ANS Form that conveys security requirements, classification guidance, and provides handling procedures for classified material received and/or generated on a classified contract. Form a contractor could use to determine if classified storage is required and at what level

DD Form 441 - Security Agreement - ANS Documentation that establishes the government's authority to review the contractor's security program to ensure compliance

Declassification - ANS The authorized change in the status of information from classified to unclassified. Instructions are placed on the front of a document and usually appear as "declassify on" and the date or "declassify on" and the event. Instructions not applied to RD (determined by DOE) or FRD (determined by DOE and DoD)

Declassification Exceptions - ANS Information marked 25X, 50X, 75X + exemption category
50X HUM - no date of declassification - reveals human intelligence source
50X2 WMD - no date of declassification - reveals design of weapons of mass destruction

Defense Courier Service (DCS) - ANS International network of couriers and courier stations for the expeditious, cost-effective, and secure transmission of qualified classified documents and material (under DoD-I 5200.33, Defense Courier Operations).

Defense Information System for Security (DISS) - ANS Family of systems that will serve as the system of record for comprehensive personnel security, suitability, and credential management of all military, civilian, and DoD contractor personnel. Provides secure communications between

Develop and approve Security Assessment Plan. Assess security controls. SCA prepares Security Assessment Report (SAR). Conduct initial remediation actions.
Step 5: Authorize - Prepare the plan of action and milestones (POA&M). Submit Security Authorization Package (security plan, SAR and POA&M) to authorizing official (AO). AO conducts final risk determination. AO makes authorization decision.
Step 6: Monitor Security Controls - Determine impact of changes to the system and the environment. Assess selected controls annually. Conduct needed remediation. Update security plan, SAR and POA&M. Report security status to AO. AO reviews reported status. Implement system decommissioning strategy.

Define security control baselines - ANS A set of minimum security controls defined for a low, moderate, or high impact information system.

Define system categorization - ANS The process by which the Information Owner identifies the potential impact (low, moderate, or high) that would result from the loss of confidentiality, integrity, and availability should a security breach occur.

Define the difference between a security infraction and a security violation - ANS An infraction cannot reasonably be expected to and does not result in the loss, compromise, or suspected compromise of classified information; whereas a violation does result in or could be expected to result in the loss or compromise of classified information.

Define unauthorized disclosure - ANS Communication or physical transfer of classified or controlled unclassified information to an unauthorized recipient.

Derivative Classification - ANS The process of using existing classified information to create new material and marking that newly developed material consistent with the classification markings that apply to the source information. The incorporating, paraphrasing, restating, or generating in new form any information that is already classified. Not an authority, an assumed responsibility. Does not include duplication or reproduction of existing classified information. Must receive training at least once every 2 years

Describe the concept of security-in-depth. - ANS Layered and complementary security controls sufficient to deter, detect, and document unauthorized entry and movement within an installation or facility.

Describe the purpose of due process in the Personnel Security Program (PSP) - ANS Ensures fairness by providing the subject the opportunity to appeal an unfavorable adjudicative determination.

Describe two impacts of cyber-security lapses on non-repudiation - ANS Negative impacts: 1.) Sender could deny the message was sent. 2.) Recipient of an email could change the message and contest that the altered message was sent by the sender. Definition: Protection against an individual falsely denying having performed a particular action. Provides the capability to determine whether a given individual took a particular action such as creating information, sending a message, approving information, and receiving a message.

Describe two impacts of cybersecurity lapses on confidentiality. - ANS Negative impacts if no confidentiality: 1.) Persons could be granted access to information beyond their need-to-know. 2.) Sensitive or classified information could be disclosed to an unauthorized system. Definition: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

DISA, Joint Interoperability Test Command (JITC) - ANS This organization maintains a register of certified security digital facsimiles

DoD 5200-1.H - ANS Handbook for Writing Security Classification Guidance. Provides detailed information on how to develop security classification guidance

DoD 5200.02-R - ANS DoD Manual ##? Implements and maintains the DoD personnel security policies and procedures

DoD 5200.08-R - ANS Physical Security Program regulation

DoD 5200.2-R - ANS Implements and maintains the DoD personnel security policies and procedures

DoD CAF responsibilities - ANS
  1. Making adjudicative decisions
  2. The DoD CAF is a repository for investigative records
  3. Initiating special investigations
  4. The DoD CAF adjudicates by applying the whole person concept

DoD Component Requirements - ANS Agencies add their own requirements to ensure security measures are effective for their unique missions. Designate a Senior Agency Official to oversee the program. Appoint a Security Manager for education and training

DoD Instruction 5200.01 - ANS Information Security Program and Protection of Sensitive Compartmented Information. Establishes the basic information security policies for the DoD and provides a high-level

E.O. 12968 - ANS Executive Order that establishes a uniform Personnel Security Program

E.O. 13526 - ANS Current executive order on information security. Prescribes a uniform system for classifying, safeguarding, and declassifying national security information. Promotes declassification and public access to information as soon as national security considerations permit. Established National Declassification Center. Greater openness and transparency. Stronger OCA and derivative classifier training requirements. Derivative classifiers identified by name. Self-inspection programs to review samples of original and derivatively classified documents. Declassification exemptions of 50 and 75 years

Effective Protective Barriers - ANS
  1. Steel barriers
  2. Chain link fence
  3. Barbed wire

Electromechanical combination lock - ANS Lock that complies with FF-L-2740 series lock specification

EO 12968 - ANS The Executive Order (E.O.) that establishes a uniform Personnel Security Program

EO 8381 - ANS 1st information security executive order

Extracting - ANS When information is taken directly from an authorized classification guidance source and is stated verbatim in a new or different document

Factors for determining whether U.S. companies are under Foreign Ownership, Control or Influence (FOCI) - ANS
  1. Record of economic and government espionage against U.S. targets
  2. Record of enforcement/engagement in unauthorized technology transfer
  3. Type and sensitivity of the information that shall be accessed
  4. The source, nature and extent of FOCI
  5. Record of compliance with pertinent U.S. laws, regulations and contracts
  6. Nature of bilateral & multilateral security & information exchange agreements
  7. Ownership or control, in whole or part, by a foreign government

False - ANS True or False: Standby lighting is used when regular lighting is not available

FOIA (Freedom of Information Act) - ANS To be exempt from mandatory release, it must fit into one of the qualifying categories and there must be a legitimate gov't purpose to withhold it. FOUO is a designation that applies to Unclassified information that may be exempt from mandatory release

Force Protection Condition levels - ANS Normal, Alpha, Bravo, Charlie, Delta

FSO responsibilities - ANS
  1. Ensure compliance with the NISP
  2. Follow NISPOM guidelines
  3. Provide training for cleared individuals

Generating - ANS When information is taken from an authorized source and generated into another form or medium, such as a video, DVD, or CD

Give examples of data spills - ANS Classified email sent to an unclassified network. Classified document reproduced on an unclassified printer. Classified document uploaded to an unclassified system. Controlled unclassified information (CUI) transmitted without the required CUI protection and access controls.

Handcarrying - ANS Must be done by an appropriately cleared gov't or contractor employee. Written authorization always required. Letter of authorization if traveling on commercial airline. Written statement (DD Form 2501) if another mode of transportation. Material should be double wrapped - briefcase is outer layer if locked. Items may be opened en route as a last resort if required by customs or police but must be opened out of sight of the general public

Homeland Security Presidential Directive-12 (HSPD-12) - ANS Policy for common identification standard for federal employees and contractors. Requires government-wide development and implementation of a standard for secure and reliable forms of identification for federal employees and contractors

Identify and describe the DoD position sensitivity types and their investigative requirements. - ANS
Critical Sensitive: SSBI, SSBI-PR, PPR
Non-Critical Sensitive: ANACI or NACLC
Non-Sensitive: NACI

Identify practices to follow when handling classified information. - ANS
Properly destroy preliminary drafts, worksheets, and other material after they have served their purpose
Use approved secure communications circuits for telephone conversations to discuss classified information
Follow procedures when copying classified information
Use security forms such as SF 701 and SF 702

Identify the 13 Adjudicative Guidelines - ANS
  1. Allegiance to the United States
  2. Foreign Influence
  3. Foreign Preference
  4. Sexual Behavior
  5. Personal Conduct
  6. Financial Considerations
  7. Alcohol Consumption