
FITSP-M Exam Format 2026: Questions, Time and Scoring

TL;DR
  • The FITSP-M exam consists of approximately 100 multiple-choice questions with a 2-hour time limit and a ~70% passing score.
  • Information Security Program Management and Federal IT Security Policy and Compliance each carry 25% of the exam - together they make up half the test.
  • The exam fee is approximately $350, delivered online through FITSI's portal in a closed-book format.
  • Prerequisites typically include 3-5 years of IT security experience with at least 1 year in a management role, or equivalent education plus experience.

What the FITSP-M Exam Actually Looks Like

The Federal IT Security Professional - Manager (FITSP-M) certification is issued by the Federal IT Security Institute (FITSI) and is purpose-built for federal information security professionals operating in management roles. Unlike broad commercial certifications, every component of FITSP-M maps directly to the federal regulatory environment: NIST SP 800-37, NIST SP 800-53, FISMA 2014, and OMB Circular A-130.

The exam itself is delivered entirely online through FITSI's own portal. There is no Pearson VUE center, no Prometric scheduling - you register directly with FITSI and complete the exam through their system. This matters logistically: your test environment is your own workstation, but the format is strictly closed-book. No reference materials, no open browser tabs, no NIST publications on your second monitor.

Format at a Glance: Approximately 100 multiple-choice questions, 2-hour time limit, closed-book, online delivery through FITSI's portal. The exam is aligned with NIST SP 800-37, SP 800-53, FISMA 2014, and OMB A-130 - not generic cybersecurity frameworks.

At roughly 100 questions over 120 minutes, you have about 72 seconds per question on average. That sounds comfortable until you encounter scenario-based questions that require you to apply FISMA compliance logic or select the correct RMF step for a given federal system scenario. Pacing matters - and so does depth of knowledge in the two highest-weighted domains.

For candidates exploring where FITSP-M sits within the broader certification family, our overview of the FITSP Family Certifications: FITSP-A vs D vs M vs O explains how the Manager role compares to the Auditor, Designer, and Operator tracks and why each requires a distinct knowledge base.

The Five Exam Domains Broken Down

FITSP-M's content is organized across five domains. Understanding not just the topics but the weight of each domain is critical to allocating your preparation time effectively.

Domain 1: Information Security Governance (20%)

This domain covers the organizational structures, roles, and responsibilities that define how federal agencies manage information security from the top down.

  • Senior Agency Information Security Officer (SAISO) responsibilities
  • Authorizing Official (AO) roles under the RMF
  • Security program charter development and oversight frameworks
  • Aligning security governance with agency mission objectives

Domain 2: System Development Life Cycle (15%)

Security integration throughout the SDLC - not just at authorization - is a core federal requirement. This domain tests whether candidates understand where security controls enter the development process.

  • Security requirements in the initiation and design phases
  • Privacy impact assessments and security categorization (FIPS 199)
  • Configuration management and change control in federal systems
  • Disposition and media sanitization per NIST SP 800-88

Domain 3: Information Security Program Management (25%)

The single heaviest domain. This is where FITSP-M diverges sharply from general security certifications - it demands management-level fluency in building and running a compliant federal security program.

  • Developing and maintaining agency-wide security policies and procedures
  • Security awareness and training program requirements under FISMA
  • POA&M (Plan of Action and Milestones) development and tracking
  • Continuous monitoring strategies and automation under NIST SP 800-137
  • Budgeting and resource allocation for security program activities

Domain 4: Incident Management (15%)

Federal incident response is governed by specific reporting requirements, timelines, and coordination channels - this domain is not about generic IR frameworks.

  • US-CERT reporting requirements and federal incident categories
  • Incident response plan development under NIST SP 800-61
  • Coordination with CISA, Inspector General offices, and law enforcement
  • Post-incident lessons learned and program improvement processes

Domain 5: Federal IT Security Policy and Compliance (25%)

Tied with Domain 3 as the highest-weighted area. This domain tests direct knowledge of the federal policy landscape - the actual documents, not just the concepts.

  • FISMA 2014 requirements, definitions, and annual reporting obligations
  • OMB Circular A-130 and its Appendix III requirements
  • NIST SP 800-53 control families and selection process
  • NIST SP 800-37 Risk Management Framework steps and documentation
  • FIPS 140-2 cryptographic requirements for federal systems

Domains 3 and 5 together account for 50% of your exam score. A candidate who masters these two domains and performs adequately in the others has a structurally sound path to passing. That said, Domains 1 and 4 are not trivial - governance mistakes and incident mismanagement have real-world federal consequences, and exam questions reflect that weight.

Question Format and What It Tests

All FITSP-M questions are multiple-choice, but the style varies considerably. Some questions test recall: "Which NIST publication governs continuous monitoring?" Others are scenario-driven: a federal agency has a new information system with a FIPS 199 categorization of Moderate - which RMF step must be completed before the Authorizing Official issues an ATO?

The scenario-based questions are where underprepared candidates lose points. They require you to apply knowledge, not just recognize it. FITSI designs these questions to reflect the actual decisions a federal IT security manager makes - prioritizing between remediation items on a POA&M, selecting the appropriate control baseline, determining FISMA reporting thresholds after an incident.

What "Closed-Book" Really Means Here: You will encounter questions that reference specific OMB Circular A-130 provisions, NIST SP 800-53 control identifiers, and FISMA reporting timelines. These cannot be looked up during the exam. Candidates must internalize specific regulatory content, not just conceptual frameworks.

Multiple-choice options are often deliberately close. A question on continuous monitoring might offer four plausible-sounding answers, with the distinction hinging on whether the answer references NIST SP 800-137 specifically or describes a process inconsistent with FISMA's annual review requirements. Precision in the source material is what separates correct from almost-correct.

You can work through representative question types and sharpen your federal policy application skills at our FITSP-M practice test platform, which mirrors the domain weighting and scenario format of the actual exam.

Registration, Fees, and Eligibility

The Cost Structure

The FITSP-M exam fee is approximately $350 for the exam itself. FITSI also offers preparatory training courses, which are priced separately and typically range from $800 to over $1,500 depending on format and duration. The training is not mandatory to sit for the exam, but candidates who self-study should budget their preparation time accordingly - the exam assumes familiarity with federal regulatory content that goes well beyond what commercial security certifications cover.

Prerequisites and Eligibility

FITSP-M is not an entry-level certification. FITSI requires candidates to demonstrate relevant professional experience in federal IT security management. The typical combination involves:

  • 3-5 years of IT security experience, with at least 1 year in a management role, or
  • Equivalent combination of relevant education and professional experience in federal information security

The "management role" requirement is meaningful - this certification targets individuals who are responsible for security programs, not just implementing controls. Federal civilian employees, contractors supporting federal agencies, and military personnel in information security oversight roles are the core audience.

Exam Detail             Specification
----------------------  ------------------------------------------------------
Administering Body      Federal IT Security Institute (FITSI)
Delivery Method         Online via FITSI portal (self-administered)
Exam Fee                ~$350 (exam only)
Number of Questions     ~100 multiple-choice
Time Limit              ~2 hours
Format                  Closed-book
Passing Score           ~70%
Regulatory Alignment    NIST SP 800-37, SP 800-53, FISMA 2014, OMB A-130
Certification Validity  3 years
Renewal Requirement     60 CPE credits per 3-year cycle

Scoring, Passing, and Certification Validity

The passing threshold for FITSP-M is approximately 70%. On a 100-question exam, that means correctly answering roughly 70 questions. FITSI does not publicly disclose pass rates, so there is no benchmarking data to contextualize how candidates perform on their first attempt.

What is publicly known is the domain structure - and that structure tells you where scoring decisions are made. A candidate who scores poorly in Domains 3 and 5 (50% combined weight) faces a steep recovery challenge from the remaining three domains. Conversely, strong performance in both high-weight domains creates a significant buffer.

Key Takeaway

You need roughly 70 correct answers out of 100. Domains 3 and 5 together represent approximately 50 of those questions. If you can score well in both, you enter the remaining 50 questions already close to the passing threshold.

Once certified, FITSP-M is valid for 3 years. Renewal requires 60 Continuing Professional Education (CPE) credits over that cycle - a meaningful ongoing commitment that encourages staying current with evolving federal policy. Given the pace of NIST framework updates and OMB policy revisions, this requirement reflects the practical reality of the federal IT security environment rather than a bureaucratic hurdle.

For a full side-by-side look at how renewal requirements compare across the FITSP certification family, see our article on the FITSP Family Certifications: FITSP-A vs D vs M vs O.

Who Hires FITSP-M Certified Professionals

FITSP-M was designed specifically for the federal information security workforce. The certification aligns with the NICE Cybersecurity Workforce Framework roles in the Oversee and Govern category - positions that carry agency-wide security responsibility rather than technical implementation duties.

The primary hiring contexts include:

  • Federal civilian agencies - particularly those with large IT portfolios subject to FISMA annual reporting, such as DoD components, civilian cabinet agencies, and independent regulatory commissions
  • Federal contractors and systems integrators - firms providing IT security program management services under government contracts where FITSP-M may be listed as a preferred or required qualification
  • Defense Information Systems Agency (DISA) contractors and other defense sector organizations operating under RMF-based authorization processes
  • Internal audit and IG offices that conduct FISMA compliance reviews and need managers who understand both the operational and compliance dimensions of federal security programs

The FITSP-M is particularly relevant for roles with titles such as Information System Security Manager (ISSM), IT Security Program Manager, FISMA Compliance Manager, and Cybersecurity Program Lead in federal contexts. It demonstrates specific competency in the regulatory framework these roles operate within - something a general CISSP or Security+ cannot provide.

A Domain-Driven Preparation Schedule

Generic study advice - "study 2 hours a day," "use flashcards," "take practice tests" - doesn't account for the specific knowledge distribution FITSP-M demands. The schedule below maps preparation weeks to domain weight and complexity, not to arbitrary time blocks.

Week 1

Domain 5: Federal IT Security Policy and Compliance (25%)

  • Read FISMA 2014 in full - focus on definitions, agency responsibilities, and reporting requirements
  • Review OMB Circular A-130, particularly the information security and privacy provisions
  • Map NIST SP 800-53 control families to FISMA requirements - understand why controls exist, not just what they are

Week 2

Domain 3: Information Security Program Management (25%)

  • Study POA&M development and the federal tracking process - practice constructing sample POA&M entries
  • Review NIST SP 800-137 continuous monitoring guidance and how it integrates with FISMA annual reporting
  • Understand security awareness and training requirements - what FISMA mandates vs. what agencies implement

Week 3

Domain 1: Information Security Governance (20%) + Domain 2: SDLC (15%)

  • Map AO, ISSM, ISSO, and SAISO roles within the RMF - know who is accountable for what
  • Review the FIPS 199 categorization process and NIST SP 800-60 for system categorization guidance
  • Trace a federal system through all six RMF steps - understand the documentation requirements at each phase

Week 4

Domain 4: Incident Management (15%) + Full Practice Testing

  • Review US-CERT federal incident categories, reporting timelines, and notification requirements
  • Study NIST SP 800-61 Rev. 2 - federal agencies must align IR plans to this guidance
  • Complete timed practice exams under closed-book conditions using the FITSP-M practice test platform
  • Identify weak domains from practice results and revisit corresponding source materials

The rationale for starting with Domain 5 rather than Domain 1 is strategic: the policy and compliance domain provides context that makes every other domain more coherent. When you understand FISMA's requirements and OMB A-130's provisions, the governance structures in Domain 1 and the program management requirements in Domain 3 make functional sense rather than appearing as isolated facts to memorize.

If you want a detailed breakdown of how the FITSP-M exam format compares to other years and what has changed in alignment with updated NIST guidance, the full reference article is the FITSP-M Exam Format 2026: Questions, Time and Scoring.

Spaced Repetition Applied to FITSP-M: Use spaced repetition specifically for regulatory specifics - FISMA reporting thresholds, RMF step names and outputs, NIST SP 800-53 control family identifiers. These are the details scenario questions test. Review them in 1-day, 3-day, and 7-day intervals during Weeks 1 and 2 so they consolidate before your full practice exams in Week 4.

Frequently Asked Questions

How many questions are on the FITSP-M exam and how long do I have?

The FITSP-M exam contains approximately 100 multiple-choice questions with a 2-hour time limit. That averages out to roughly 72 seconds per question, though scenario-based questions will require more time and straightforward recall questions will require less. Practicing under timed conditions is essential.

What score do I need to pass the FITSP-M exam?

The passing score is approximately 70%. FITSI does not publicly disclose pass rate data, so there is no official benchmark for first-attempt performance. Given the closed-book, policy-specific nature of the exam, candidates who have internalized the source regulatory documents - not just studied summaries - are best positioned to clear the threshold.

Can I use notes or reference materials during the FITSP-M exam?

No. The FITSP-M is a closed-book exam administered through FITSI's online portal. No reference materials are permitted during the exam. This includes NIST publications, OMB circulars, or personal notes. Candidates must know specific regulatory content, control identifiers, and framework steps from memory.

What are the experience requirements to sit for the FITSP-M?

FITSI typically requires a combination of education and professional experience. The standard expectation is 3-5 years of IT security experience with at least 1 year in a management role, or an equivalent mix of relevant education and professional experience in federal information security. Specific requirements should be confirmed directly with FITSI before registering, as they may be updated.

How do I renew my FITSP-M certification once I pass?

FITSP-M certification is valid for 3 years. Renewal requires earning 60 Continuing Professional Education (CPE) credits over that 3-year cycle. This is designed to ensure certified managers remain current with evolving federal IT security policy, including NIST framework revisions and new OMB guidance. Begin tracking CPEs from your certification date.

Ready to Start Practicing?

Test your knowledge across all five FITSP-M domains with practice questions designed to mirror the closed-book, scenario-based format of the actual exam - including Federal IT Security Policy and Compliance and Information Security Program Management, the two domains that make up half your score.
