SPSC Practice Questions and Answers
with Verified Solutions
The NISP applies to all of the following except:
- Department of Defense (DoD)
- Central Intelligence Agency (CIA)
- Government Accountability Office (GAO)
- Nuclear Regulatory Commission (NRC) ✔✔GAO - NISP applies only to the Exec Branch
GAO is an arm of Congress
The NISPOM applies to all the following except:
- Director of National Intelligence (DNI)
- Nuclear Regulatory Committee (NRC)
- Defense Agencies
- Non-Defense Contractors ✔✔Non-Defense Contractors
Heads of DoD Components are required to establish a program to evaluate and assess the
effectiveness and efficiency of the component's implementation of the DoD Information Security
Program. This program is called:
- Management controls
- Supervisory controls
- Self-inspection
- Management analysis ✔✔Management controls
An application for Facility Security Clearance (FCL) for a contractor may be made by:
- A contractor or prospective contractor
- A Government Contracting Agency (GCA)
- A currently cleared company ✔✔2 and 3
Section 1.4 of EO 13526 specified eight categories of information that may be considered for
classification. Which of the following is not one of those categories?
- Foreign government information
- Development, production, and use of weapons of mass destruction
- Scientific, technological, or economic matters in general
- Foreign relations or foreign activities of the US, including confidential sources ✔✔Scientific,
technological, or economic matters in general
May be classified if related to national security
True/False
Information may not be classified after a receipt of a request for the information under the
Freedom of Information Act or the Privacy Act. ✔✔False - EO 13526
True/False
DoD Regulation 5200.1-R requires that a copy of every SCG be forwarded to the Director of
Freedom of Information and Security Review, Office of the Assistant of the Secretary of Defense
for Public Affairs ✔✔False - SCI and SAP programs exempt
EO 13526 designates the Director of the Information Security Oversight Office (ISOO) as the
Executive Secretary of the:
- Information Security Oversight Panel
- Declassification Review Panel
- Interagency Security Classification Appeals Panel
- Archive Review Panel ✔✔Interagency Security Classification Appeals Panel
Upon receipt of a request for a review for declassification of information properly classified
under EO 13526, the responsible DoD organization shall conduct a review if the information has
not been reviewed for declassification within the preceding:
- 6 months
- 1 year
- 2 years
- 5 years ✔✔2 years
True/False
Information has been identified as properly classified under EO 13526. It also qualifies for
exemption from mandatory release to the public under the Freedom of Information Act (FOIA).
As a consequence of both being true, the information is required to be properly marked as
classified, and must also contain the FOUO designation. ✔✔False - must be unclassified to be
FOUO
Until Controlled Unclassified Information (CUI) markings are adopted by the DoD, which of the
regulations apply to Sensitive But Unclassified (SBU) information?
- DoD 5200.1-R
- DoDD 5205.07
- DoD 5220.22-M
- DoD 5200.2-R ✔✔DoD 5200.1-R
From a risk management perspective, assets are normally assigned to one of five categories.
Which of the following assets would you normally not include in one of the five asset
categories?
- Treaty inspectors
- Privacy Act Information
- Visitors
- Privately owned vehicles ✔✔POVs
In risk management, adversaries are typically grouped in all of the following categories except:
- Individuals
- Companies
- Organizations
- Governments ✔✔Companies
In risk management, all of the following criteria are used to determine an asset's vulnerabilities
except:
- Countermeasure efficacy
- Value
- Quality
- Quantity ✔✔Value
Which of the following are not considered in a cost versus benefit analysis?
- Efficacy and efficiency
- Asset value and protection cost
- Best protection at lowest cost
- Risk mitigation ✔✔Efficacy and efficiency
Why do you as an adjudicator need to know about court decisions that helped shape the
Personnel Security Program (PSP)?
- You are responsible for a body of knowledge including the origin and source of the PSP such as
significant court decisions
- To impress upon you the potential consequences of your adjudicative determinations
- Court cases change key aspects of the PSP
- All of the above ✔✔To impress upon you the potential consequences of your adjudicative
determinations
Determines need-to-know
- SAPCAF
- PM
- TRO
- PSO ✔✔PM
Implements due process for candidates when SAP access was denied
- SAPCAF
- PM
- TRO
- PSO ✔✔SAPCAF
Ensures DCII and JPAS are conducted and potentially disqualifying factors are considered prior
to determining SAP access eligibility
- SAPCAF
- PM
- TRO
- PSO ✔✔PSO
Reviews investigative files and other potential access-related reports
- SAPCAF
- PM
- TRO
- PSO ✔✔SAPCAF
A major weakness of the Access National Agency Check and Inquiries (ANACI) is:
- Issue resolution
- Issue identification
- Limited field work
- Need to track vouchers ✔✔Issue resolution
Which items in the following list are "Personal Information" that require protection under the
Privacy Act?
- SSN
- Work telephone number
- Military qualifications
- DOB
- Marriage status
- Current federal position ✔✔1, 4, 5
The Tier Review process is all of the following except:
- A rigid three-tiered examination
- A reasonable assurance mechanism
- An access eligibility determination
- An enhanced risk assessment ✔✔A rigid three-tiered examination
If an individual has a "waivered" SAP access, the individual may not:
- Continue access beyond the initial period of access
- Have adverse eligibility information mitigated
- Be granted reciprocity with another program
- All of the above ✔✔Be granted reciprocity with another program
True/False
The JAFAN 6/4 Tier Review process seeks to guarantee that persons granted access to SAP
information are candidates whose personal and professional history indicates loyalty to the US,
strength of character, trustworthiness, honesty, reliability, discretion, and sound judgement.
✔✔False
Use of a polygraph examination as an access determination factor must be a condition
specifically approved during:
- Initial establishment of the SAP
- Program reviews by designated authority
- Risk mitigation determinations following an unauthorized disclosure
- Development of the PSAP ✔✔Initial establishment of the SAP
True/False
During the access eligibility review process on a candidate, one issue remains, which has not
been mitigated by the 2nd Tier Review Official. To have access granted, a waiver request is
submitted to the SAPCO. ✔✔False
All of the following are conditions that are of a security concern except:
- Candidate was charged, arrested, or convicted of a felony
- Candidate is alleged to be engaged in criminal conduct
- Candidate was discharged from the Armed Forces under General Conditions
- Candidate committed a single serious crime or multiple lesser offenses ✔✔Candidate was
discharged from the Armed Forces under General Conditions
A candidate is given a Letter of Denial from the SAPCAF and the candidate's appeal to the SAP
Personnel Security Appeal Board (PSAB) is denied. The candidate may not be resubmitted for
access until ___ months have passed.
- 6
- 12
- 24
- 60 ✔✔12
SAP access eligibility determination officials may determine a candidate eligible for SAP access
in all cases below except when the candidate:
- Has a three year old investigation with no derogatory information
- Has a five year old investigation with no derogatory information and the periodic
reinvestigation was submitted prior to the expiration of the previous investigation
- Has a five year old investigation with no derogatory information since the last periodic
reinvestigation and the periodic reinvestigation was submitted at the time access was requested
- Has an investigation older than five years and an approved waiver by the SAPCO designated
official ✔✔Has a five year old investigation with no derogatory information since the last
periodic reinvestigation and the periodic reinvestigation was submitted at the time access was
requested
Which of the following is responsible as the Federal Executive Agent for interagency OPSEC
training?
- Dir, Defense Intelligence Agency (DIA)
- UnSecDef for Intelligence (USD(I))
- Dir, National Security Agency (NSA)
- Dir, Office of Personnel Management (OPM) ✔✔Dir, National Security Agency (NSA)
What is the primary difference between an OPSEC Survey and an OPSEC Assessment?
- Purpose
- Periodicity
- Scale
- Techniques used ✔✔Scale
According to DoDD 5205.02, DoD OPSEC Program, OPSEC is a core capability of Information
Operations (IO). All of the following are also core capabilities of IO, except:
- Electronic Warfare (EW)
- Computer Network Defense (CND)
- Military Deception (MD)
- Psychological Operations (PSYOPS) ✔✔Computer Network Defense (CND)
DoDM 5205.02-M, DoD OPSEC Program Manual, specifies various subcomponent levels of
OPSEC programs. Which level is considered a full-time managed and resourced OPSEC
program?
- Level III
- Baseline
- Level II
- Midlevel ✔✔Level III
OPSEC seeks to limit the adversary's ability to:
- Track
- Infer
- Observe
- Plan ✔✔Infer
The OPSEC risk analysis equation consists of all the following except:
- Threat
- Vulnerability
- Cost
- Impact ✔✔Cost
True/False
Critical information is critical regardless of the adversary. ✔✔False
True/False
Unlike security programs that seek to protect classified information, OPSEC identifies, controls,
and seeks to protect generally unclassified evidence that can be associated with sensitive
operations and activities. ✔✔True
Analysis of foreign intelligence collection threat for use in OPSEC measures is provided by:
- Dir, NSA
- Dir, DIA
- Dir, DSS
- USD(I) ✔✔Dir, DIA
Who operates the Interagency OPSEC Support Staff (IOSS)?
- Dir, OPM
- USD(P)
- Dir, DIA
- Dir, NSA ✔✔Dir, NSA
For service component SAPs, JAFAN 6/0 implements:
- Federal statutes
- Executive orders
- National directives
- NISPOM
- NISPOM Supplement ✔✔1, 2, 3
Which one of the following words best describes commensurate levels of protection?
- Similar
- Equal
- Adequate
- Equivocal ✔✔Equal
Which of the following resolves JAFAN 6/0 manual interpretation?
- Dirs, SAPCOs
- GPSOs
- CPSOs
- PMs ✔✔GPSOs
Title 10, Section 119 specifies dates for SecDef to submit reports to the defense committees of
Congress. When are new SAPs reported?
- Jan
- Feb
- Mar
- Apr ✔✔Feb
JAFAN 6/0 prescribes requirements, restrictions, and other safeguards that are necessary to
prevent unauthorized disclosure of SAP information and to control authorized disclosure of
classified information. The NISPOMSUP provides the enhanced security requirements,
procedures, and options for which of the following?
- Critical Restricted Data classified as TS and S
- All Critical Restricted Data
- Executive Branch approved SAPs and SAP-type compartmented efforts
- SCI or other DNI SAP-type compartmented programs under DNI which protect intelligence
sources and methods ✔✔1, 3, 4
The best form of entry control is:
- Personnel picture board
- Personal introduction and identification
- Picture badge
- Electronic turnstile ✔✔Personal introduction and identification
A contractor may not retain any SAP information beyond the end of the contract performance
period without being specifically authorized to do so, in writing, by the:
- PSO
- PM
- CO
- SAPCO ✔✔CO
According to JAFAN 6/0, the Contract Security Classification Specification (DD 254) is used to
transmit which of the following to the contractor:
- RFP
- Contract
- SCG
- Qualifications required of the CPSO ✔✔SCG
During the Compliance Inspection, SEIs are validated in addition to the Core Compliance Items.
Which of the following service component SAP officials determines the annual SEIs?
- GSSOs
- PSOs
- PMs
- SAPCOs ✔✔SAPCOs
What is the primary difference between a "waiver" and applying "commensurate levels of
protection"?
- Commensurate levels of protection either increase or decrease security requirements; waivers
do not
- Waivers either increase or decrease security requirements; commensurate levels do not
- The reporting timelines for waivers are stricter
- The reporting timelines for commensurate levels are stricter ✔✔Waivers either increase or
decrease security requirements; commensurate levels do not
When are existing SAPs reported to Congress?
- Jan
- Feb
- Mar
- Apr ✔✔Mar
There are three categories of SAPs (acquisition, intelligence, and ops and support). Further, there
are two types of SAPs (acknowledged and unacknowledged). Title 10, Section 119 only directly
and specifically addresses:
- Acquisition and intelligence
- Unacknowledged
- Operations and support
- Acknowledged ✔✔Unacknowledged
Title 10, Section 119 provides that a SAP may not be initiated until the Defense Committees are
notified of the program and a period of time elapses. What period of time must elapse?
- 20 days
- 25 days
- 30 days
- 14 days ✔✔30 days
While JAFAN 6/0 applies to everyone involved in SAP protection, the guidance contained
therein is directed primarily towards:
- GPSOs
- CSAs/SAPCOs
- CPSOs
- SAPCAF ✔✔GPSOs
JAFAN 6/0 specifies that contractors are required to develop SOPs for their SAPFs when a
contractual relationship exists. Which of the following indicates a contractual relationship?
- RFI
- RFP
- Broad Area Announcement (BAA)
- IR&D authority letter ✔✔IR&D authority letter (for IR&D efforts)
Per JAFAN 6/0, which of the following officials authorizes TPI?
- SecDef
- PMs
- Dir, SAPCO
- PSOs ✔✔Dir, SAPCO
All of the following statements are true about CUAs except:
- A CUA is required when two or more SAPs use the same SAPF
- The Host SAP is normally the initial SAP in the SAPF
- Tenant SAPs must pay for additional security measures
- Service Component SAPCOs formally execute CUAs ✔✔Service Component SAPCOs
formally execute CUAs
SAPCOs may authorize a PSAP. Upon authorization, enhanced security measures may be
applied to a PSAP for up to ___ days.
- 90 days
- 120 days
- 180 days
- 210 days ✔✔210 days
Which of the following words best describes the primary difference between a security violation
and a security infraction?
- Inadvertent
- Compromise
- Intent
- Negligence ✔✔Compromise
SAPFs not located on a declared inspection site may be inspected during an on-site ___
inspection.
- Oversight
- Preview
- Challenge
- No notice ✔✔Challenge
Contact with a foreign born wife of a family member
- Foreign contact reporting
- Social contact reporting
- Not reportable ✔✔Foreign contact reporting
Contact with an in-law who persistently asks questions about your occupation
- Foreign contact reporting
- Social contact reporting
- Not reportable ✔✔Social contact reporting
Recurring contact with a neighbor who is a foreigner with a green card who loaned you money to
fix your car
- Foreign contact reporting
- Social contact reporting
- Not reportable ✔✔Foreign contact reporting
Contact with foreign diplomatic personnel at a US hosted Armed Forces Day reception at the
State Department
- Foreign contact reporting
- Social contact reporting
- Not reportable ✔✔Foreign contact reporting
Integral to good arms control inspection readiness planning is:
- Development of a cover story
- Risk assessment
- Countermeasures development
- Identification of vulnerabilities ✔✔Risk assessment
DoDD 2060.1 provides that the Arms Control implementation and compliance responsibilities
for SAPs must be accomplished under the cognizance of:
- DoD SAPOC
- USD(AT&L)
- USD(I)
- USD(P) ✔✔DoD SAPOC
Which of the following is not directly involved with the decompartmentation of SAP materials?
- GPM
- CPSO
- CPM
- SAPCO ✔✔CPM
Under which of the following categories would you find the self-inspection item, "Has the PSO
promptly advised the service component SAPCO in all instances where national security
concerns would impact on collateral security programs or clearances of program accessed
individuals?"
- Security planning
- Security management
- Personnel security
- Accountability ✔✔Security management
Control of TS SAP materials is required under what conditions?
- The electronic materials are retained in a shared access folder within an approved information
system and available for access by all users
- The electronic materials are transmitted between users within the same unified network
- The electronic materials are transmitted between users on different networks
- The electronic materials are printed ✔✔3, 4
SAP classified material will only be transmitted outside the SAPF using one of the methods
identified below in what order of precedence?
- Defense Courier Service
- Authorized Courier
- Cryptographic communications systems
- USPS ✔✔3, 2, 1, 4
According to JAFAN 6/9, what special construction is required for a TSWA?
- None
- Alarms
- Sound
- Access control ✔✔None
All vents, ducts, and similar openings that enter or pass through a SAPF must be protected with
steel bars or grills unless the opening is what?
- Protected with a modern detection alarm
- 98 square inches or less
- Less than 6 inches in one dimension
- Less than 96 linear inches ✔✔Less than 6 inches in one dimension
In situations where conditions or unforeseen factors render full compliance with the JAFAN 6/9
standards unreasonable, security officers in the grade of ___ may apply commensurate levels of
protection to specific requirements with JAFAN 6/9.
- O-3 and GS-12 and above
- O-4 and GS-13 and above
- O-5 and GS-14 and above
- O-6 and GS-15 ✔✔O-5 and GS-14 and above
JAFAN 6/9 provides for entrance door sensors to have an initial time delay of no more than ___
seconds.
- 45
- 30
- 60
- 15 ✔✔30
JAFAN 6/9 requires in most circumstances how many perimeter doors?
- One
- Two
- Three
- Four ✔✔Two
Open storage includes all the situations below except:
- Storage inside locked desks or file cabinets
- Storage inside locked offices
- Storage inside the records area of the SAPF in electrically operated storage units
- Storage inside GSA approved containers in an open bay configuration ✔✔Storage inside GSA
approved containers in an open bay configuration
Combination locks used on or in a SAPF shall be changed immediately, whenever:
- A combination lock is first installed or used
- A combination has been subjected, or believed to have been subjected, to compromise
- Whenever an individual knowing the combination no longer requires access (other sufficient
controls to prevent access do not exist)
- Whenever a new individual is required to be given access ✔✔1, 2, 3
Outside the US, a SAPF operating continuously may use Permanent Dry Wall Construction
under which of the following circumstances?
- The SAPF has GSA approved security containers to store all SAP materials
- The SAPF, which is located within a US Government compound, has an immediate response
force
- The SAPF has an alert system and duress alarm
- The SAPF has layered security or security in-depth ✔✔The SAPF, which is located within a US
Government compound, has an immediate response force
The following requirements have been levied on a SAPF being planned for construction.
Meet the specifications of permanent dry wall construction
Be alarmed in accordance with Annex B JAFAN 6/9
SAP information must be stored in GSA approved security containers
Must be a response force capable of responding within 15 minutes and a reserve force available
to assist
When these requirements are met, the SAPF may be approved for:
- Closed storage outside the US
- Closed storage inside the US
- Open storage outside the US
- Open storage inside the US ✔✔Closed storage inside the US
For Secure Working Areas, JAFAN 6/9 differentiates between Inside US and Outside US in
several major areas. These include all of the following except:
- Alarms
- Response force response time
- Perimeter wall construction
- Reserve response force ✔✔Perimeter wall construction
Under the Defense Acquisition Workforce Improvement Act (DAWIA), the categories of
personnel comprising the "Acquisition Workforce" are:
- Permanent status civilian and military personnel who occupy designated acquisition positions
- Personnel serving in positions within designated acquisition programs
- Personnel in acquisition career development programs ✔✔1, 3
The PM, in coordination with the user, prepares the Acquisition Program Baseline (APB). The
Program Exec Officer (PEO) and the Component Acquisition Exec (CAE), as appropriate,
concur in the APB. The PM then revises the APB subsequent to:
- Milestone Reviews
- Program Restructuring
- Unrecoverable Program Deviations ✔✔1, 2, 3
The source authority for appropriations is the:
- Constitution
- Appropriation Act
- Authorization Act
- None of the above ✔✔Constitution
Compared with supply and service contracts, construction requirements contain a unique
disclosure. Federal Acquisition Requirements (FAR) 36.204 requires that advance notices and
solicitations indicate:
- The Performance Bond Requirement
- The required Past Performance Evaluation Ratings
- The magnitude of the physical characteristics and estimated price range
- All the above ✔✔The magnitude of the physical characteristics and estimated price range
Develops and applies quality assurance procedures.
- Procuring Contracting Officer
- Administrative Contracting Officer
- Contractor ✔✔ACO
Controls the quality of supplies and/or services.
- Procuring Contracting Officer
- Administrative Contracting Officer
- Contractor ✔✔CON
Receives specifications for inspection, testing, etc, from the PM
- Procuring Contracting Officer
- Administrative Contracting Officer
- Contractor ✔✔PCO
Cost As an Independent Variable (CAIV) requires trading between cost, schedule, and
performance criteria. This process is conducted in the "trade space" between the objective and
threshold levels, while focusing on the:
- Total Ownership Cost (TOC)
- Life Cycle Cost (LCC)
- Total Investment Cost (TIC)
- Budget At Completion (BAC) ✔✔TOC
Which of the following is usually reserved for work efforts considered to be relatively high-risk,
and which is required for cost and incentive contracts (ie Non Firm-Fixed Price), subcontracts,
intra-government work agreements, and other agreements valued at or greater than $20 million in
then-year dollars
- Earned Value Reporting
- Funds Status Reporting
- Contracts Deliverables List
- Contract Performance Report ✔✔Contract Performance Report
What are the two types of Nunn-McCurdy breaches?
- Significant and serious
- Continuous and critical
- Serious and continuous
- Significant and critical ✔✔Significant and critical
Acquisition logistics management begins with the initial establishment of an acquisition program
and continues through which phase of the acquisition life cycle?
- System and Development and Demonstration
- Production and Deployment
- Operations and Support
- Demilitarization and Disposal ✔✔Operations and Support - Demilitarization and Disposal is a
component piece of Operations and Support
Who is responsible for implementation of, and compliance with, Arms Control Agreements for
DoD?
- USD(P)
- USD(AT&L)
- USD(I)
- Defense Threat Reduction Agency (DTRA) ✔✔USD(AT&L)
JAFAN 6/3 recognizes the contributions to security made by:
- Technical Surveillance Countermeasures (TSCM)
- Operating Environments
- Constant monitoring
- Encryption ✔✔Operating Environments
How often are accredited information systems re-evaluated even if no security-relevant changes
occur?
- Annually
- Biennially
- Every three years
- None of the above ✔✔Every three years
True/False
For any system that operates with Protection Level (PL) 4 and below functionality, media that is
placed into that system must be classified and controlled at the highest level of information on
the system until reviewed and validated or PSO approved procedures otherwise dictate. ✔✔False
When receiving media into an organization, which of the following must occur and in what
order?
- Virus scan the media
- Report receipt to the Information Assurance Manager or Information Assurance Officer
- Conduct a reliable human review
- Write protect media
- Account for the materials ✔✔2, 1, 4, 3, 5
JAFAN 6/3 describes eight roles pertaining to IS security and assigns responsibilities to each.
JAFAN 6/3 also states that the eight roles can be collapsed into four or five depending on
whether the Principal Accrediting Authority (PAA) is also that:
- Data owner
- Designated Accrediting Authority (DAA)
- ISSM
- ISSO ✔✔Data owner
The Levels-of-Concern rating for an information system is:
- Used to determine which of the technical security requirements are appropriate to that
information system
- Applicable to both multi-user and non-multi-user systems
- The mean of the types of information being processed
- Dependent on the protection levels being applied ✔✔Used to determine which of the technical
security requirements are appropriate to that information system
Individuals holding all of the following positions must be US citizens. Which of the following is
required to be a US Government employee?
- ISSO
- DAA
- DAA Rep
- ISSM ✔✔DAA
JAFAN 6/3 lists six safeguards that information systems should incorporate. These include all of
the following except:
- Information is accessed only by authorized individuals and processes
- Information retains its context identity
- Information is available to satisfy mission requirements
- Information is appropriately marked and labeled ✔✔Information retains its context identity
JAFAN 6/3 discusses information system security in terms of three attributes. These are:
- Protection, discrimination, restoration
- Confidentiality, limitation, registration
- Integrity, availability, confidentiality
- Hardware, software, firmware ✔✔Integrity, availability, confidentiality
JAFAN 6/3 designates all of the following as Special Categories of Information Systems except:
- Dedicated systems
- Non-networked systems
- Deployable systems
- Embedded systems ✔✔Non-networked systems