Free FITSP-M Practice Questions
10 free, exam-style Federal IT Security Professional - Manager (FITSP-M) practice questions with answers and explanations. No signup required. Work through them below, then take the full free FITSP-M practice test to study every exam domain.
Question 1
The NIST Cybersecurity Framework (CSF) v2.0 introduced a sixth core function that did not exist in version 1.1. This new function establishes the organization's cybersecurity risk management strategy and policy. Which function was added?
- A. Identify - understanding organizational assets and risk
- B. Detect - identifying cybersecurity events in real time
- C. Respond - containing and mitigating detected incidents
- D. Govern - establishing risk strategy, expectations, and policy
Correct answer: D - Govern - establishing risk strategy, expectations, and policy
Question 2
SP 800-37 Rev 2 defines the Risk Management Framework (RMF) as a seven-step process. Which of the following lists the steps in the correct sequence?
- A. Categorize, Select, Implement, Assess, Authorize, Monitor, Prepare
- B. Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
- C. Prepare, Select, Categorize, Implement, Assess, Monitor, Authorize
- D. Categorize, Prepare, Select, Implement, Assess, Authorize, Monitor
Correct answer: B - Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
Question 3
Executive Order 14028 (Improving the Nation's Cybersecurity) required software vendors selling to the federal government to provide a document listing all components and dependencies in their products. This requirement is known as:
- A. A Software Bill of Materials (SBOM)
- B. A Privacy Impact Assessment (PIA)
- C. A System of Records Notice (SORN)
- D. A Plan of Action and Milestones (POA&M)
Correct answer: A - A Software Bill of Materials (SBOM)
Question 4
A federal system processes three information types: Type A is categorized as (Moderate, Low, Low), Type B as (Low, Low, High), and Type C as (Low, Moderate, Low). Applying the FIPS 199 high water mark principle, the system's overall security categorization is:
- A. (Low, Low, Low) - using the lowest impact across all types
- B. (Moderate, Low, High) - selecting each objective's highest independently
- C. (Moderate, Moderate, High) - the high water mark yields an overall HIGH impact
- D. (High, High, High) - any HIGH value elevates all objectives
Correct answer: C - (Moderate, Moderate, High) - the high water mark yields an overall HIGH impact
Question 5
During a security control assessment, the assessor attempts to authenticate to a system using invalid credentials five consecutive times, then verifies that the account lockout mechanism activates as documented in the SSP. According to SP 800-53A, which assessment method is the assessor performing?
- A. Examine - reviewing documentation and specifications
- B. Interview - discussing procedures with system personnel
- C. Test - exercising mechanisms to compare actual versus expected behavior
- D. Audit - independently verifying compliance with policy
Correct answer: C - Test - exercising mechanisms to compare actual versus expected behavior
Question 6
FIPS 140-3 defines four security levels for cryptographic modules. Level 2 requires tamper-evident coatings and role-based authentication, while Level 3 increases protection significantly. What is the KEY distinction that separates Level 3 from Level 2?
- A. Level 3 adds software encryption; Level 2 uses only hardware encryption
- B. Level 3 requires tamper-detection and active response mechanisms with identity-based authentication
- C. Level 3 removes the physical security requirement and relies solely on logical controls
- D. Level 3 adds annual third-party audits; Level 2 requires only self-assessment
Correct answer: B - Level 3 requires tamper-detection and active response mechanisms with identity-based authentication
Question 7
An employee at a federal agency is terminated for cause. The IT security manager must ensure that all of the employee's system access is immediately revoked, credentials are retrieved, and agency property is returned. Which SP 800-53 control MOST directly addresses these requirements?
- A. PS-4 (Personnel Termination) - revoking access and retrieving credentials upon separation
- B. AC-2 (Account Management) - managing the lifecycle of user accounts on the system
- C. IR-4 (Incident Handling) - detecting, analyzing, and responding to security incidents
- D. AT-2 (Literacy Training and Awareness) - ensuring users understand security policies
Correct answer: A - PS-4 (Personnel Termination) - revoking access and retrieving credentials upon separation
Question 8
SP 800-37 Rev 2 and SP 800-39 both address risk management for federal information systems. A manager studying for the FITSP-M exam asks how these two publications differ. The BEST explanation is:
- A. SP 800-37 provides the system-level RMF process (7 steps from Prepare through Monitor); SP 800-39 provides the organization-wide risk management framework (3 tiers, 4 components)
- B. SP 800-39 defines the RMF steps for individual systems; SP 800-37 provides the overarching enterprise risk strategy across three organizational tiers
- C. SP 800-37 covers only the Authorize step; SP 800-39 covers the remaining six RMF steps and continuous monitoring activities
- D. SP 800-39 replaced SP 800-37 in 2020; only SP 800-39 is current and applicable to federal systems today
Correct answer: A - SP 800-37 provides the system-level RMF process (7 steps from Prepare through Monitor); SP 800-39 provides the organization-wide risk management framework (3 tiers, 4 components)
Question 9
An Authorizing Official (AO) reviews the authorization package for a MODERATE-impact system. The Security Assessment Report shows 5 of 200 controls as 'Other Than Satisfied,' all with LOW risk. The POA&M documents remediation within 60 days. The residual risk is within organizational tolerance. What is the MOST appropriate authorization decision?
- A. DATO - any controls rated 'Other Than Satisfied' require denial of authorization regardless of risk level
- B. Full ATO with no conditions - 5 out of 200 controls is a negligible finding rate that requires no further action
- C. Interim ATO for 30 days - the system should operate temporarily while a completely new assessment is conducted
- D. ATO with Conditions - authorizing operation with a requirement to remediate the 5 findings within the 60-day POA&M timeline
Correct answer: D - ATO with Conditions - authorizing operation with a requirement to remediate the 5 findings within the 60-day POA&M timeline
Question 10
NISTIR 8062 introduces three privacy engineering objectives that guide the integration of privacy into federal system design. These three objectives are:
- A. Confidentiality, integrity, and availability - the traditional CIA triad applied to privacy data
- B. Authentication, authorization, and accountability - ensuring proper access controls for personal data
- C. Predictability, manageability, and disassociability - enabling reliable expectations, granular control, and de-identification of PII
- D. Collection limitation, purpose specification, and use limitation - the OECD privacy principles for data handling
Correct answer: C - Predictability, manageability, and disassociability - enabling reliable expectations, granular control, and de-identification of PII