SPeD SFPC SECURITY FUNDAMENTALS PROFESSIONAL
CERTIFICATION 2023 ACTUAL EXAM 200 QUESTIONS AND
CORRECT DETAILED ANSWERS (VERIFIED ANSWERS)
|ALREADY GRADED A
Describe the purpose of a Statement of Reason (SOR) – ANSWER- Provide a
comprehensive and detailed written explanation of why a preliminary unfavorable
adjudicative determination was made.
List the primary authorities governing foreign disclosure of classified military
information. – ANSWER- Arms Export Control Act
National Security Decision Memorandum 119
National Disclosure Policy – 1
International Traffic in Arms Regulation (ITAR)
E.O.s 12829, 13526
Bilateral Security Agreements
DoD 5220.22-M, “NISPOM.”
List the key procedures for initiating Personnel Security Investigations (PSIs). –
ANSWER- Validate the need for an investigation.
Initiate e-QIP.
Review Personnel Security Questionnaire (PSQ) for completeness.
Submit electronically to Office of Personnel Management (OPM).
List three categories of Special Access Programs. – ANSWER- Acquisition
Intelligence
Operations and support
List three authorized sources of security classification guidance that could be used
in the derivative classification process – ANSWER- Security Classification Guide
Properly Marked source document
Contract Security Classification Specification (DD Form 254)
List three elements that should be considered in identifying critical program
information. – ANSWER- Element which if compromised could:
Cause significant degradation in mission effectiveness.
Shorten the expected combat-effective life of the system.
Reduce technological advantage.
Significantly alter program direction.
Enable an adversary to defeat, counter, copy, or reverse-engineer the technology or
capability.
List three different physical means for approved classified storage – ANSWERGeneral Services Administration (GSA)-approved storage containers.
Vaults (including modular vaults).
Open storage area (secure rooms, to include sensitive compartmented information
facility (SCIFs) and bulk storage areas).
What is the relationship between security control baselines and system
categorization? – ANSWER- Security controls are implemented based on the
system’s categorization. Specifically, once the security category of the information
system is determined, organizations begin the security control selection process,
selecting the baseline security controls corresponding to the security category of
the system.
List three construction requirements for vault doors. – ANSWER- General Services
Administration (GSA)-approved
Class 5 door.
Steel Door with tamper resistant hinge pins.
Constructed of metal.
Hung on non-removable hinge pins or with interlocking leaves.
Equipped with a GSA-approved combination lock.
Emergency egress hardware (deadbolt or metal bar extending across width of
door).
List three main policies that govern the DoD Information Security Program. –
ANSWER- E.O. 13526
Information Security Oversight Office (ISOO) 32 CFR Parts 2001 & 2003,
Classified National Security Information; Final Rule”
DoD Manual 5200.01, Volumes 1-4
List three duration/length/declassification options for originally classified
information. – ANSWER- Date or event that is:
Less than 10 years
At 10 years
Up to 25 years
50X1-HUM (with no date or event)
50X2-WMD (with no date or event)
25X (with a date or event)
List five responsibilities of the Government Special Access Program (SAP)
Security Officer/Contractor Program Security Officer (GSSO/CPSO). – ANSWEREnsure personnel processed for access to a SAP meet the prerequisite personnel
clearance and/or investigative requirements specified.
Ensure adequate secure storage and work spaces.
Ensure strict adherence to provisions of the National Industrial Security Program
Operating Manual (NISPOM), its supplement, and the Overprint
.When required, establish and oversee a classified materials control program for
each SAP.
When required, conduct an annual inventory of accountable classified materials.
When required, establish a Special Access Program Facility (SAPF).Establish and
oversee a visitor control program.
Monitor reproduction and/or duplication and destruction capability of SAP
information.
Ensure adherence to special communications capabilities within the SAPF.
Provide for initial program indoctrination of employees after their access is
approved; rebrief and debrief personnel as required.
Establish and oversee specialized procedures for the transmission of SAP materials
to and from Program elements
When required, ensure contractual specific security requirements such as
TEMPEST Automated information system (AIS), and operation security (OPSEC)
are accomplished.
Establish security training and briefings specifically tailored to the unique
requirements of the SAP.
List three DoD position sensitivity types and their investigative requirements. –
ANSWER- Critical Sensitive: Tier 5, Tier 5R
Non-critical sensitive: Tier 3, Tier 3R
Nonsensitive: Tier 1
List three different types of threats to classified information – ANSWER- Insider
threat
Foreign Intelligence entities
Cyber-security Threat
Define each step of the Risk Management Framework (RMF) – ANSWER- Step 1:
Categorize Information System (IS)Categorize the system in accordance with the
CNSSI 1253.Initiate the Security Plan.
Register system with DoD Component Cybersecurity Program.
Assign qualified personnel to RMF roles.
Step 2: Select Security Controls
Common Control Identification.
Select security controls.
Develop system-level continuous monitoring strategy.
Review and approve the security plan and continuous monitoring strategy.
Apply overlays and tailor.
Step 3: Implement Security Controls
Implement control solutions consistent with DoD Component Cybersecurity
architectures.
Document security control implementation in the security plan.
Step 4: Assess Security Controls
Develop and approve Security Assessment Plan.
Assess security controls.
SCA prepares Security Assessment Report (SAR).Conduct initial remediation
actions.
Step 5: Authorize
Prepare the plan of action and milestones (POA&M).Submit Security
Authorization Package (security plan, SAR and POA&M) to authorizing official
(AO).AO conducts final risk determination.AO makes authorization decision.
Step 6: Monitor Security Controls
Determine impact of changes to the system and the environment.
Assess selected controls annually.
Conduct needed remediation.
Update security plan, SAR and POA&M.
Report security status to AO.AO reviews reported status.
Implement system decommissioning strategy.
List three types of initial personnel security investigations and to whom they apply.
- ANSWER- Tier 5: Military, Civilian, Contractor
Tier 3: Military, Civilian, Contractor
Tier 1: Civilian and Contractor