Test your knowledge of NIST Special Publication 800-53
Posted on
February 22, 2022
by
The NIST maintains Special Publication 800-53 to document federal cybersecurity processes, terms, and guidelines.

A large number of security-related certification exams require knowledge of NIST Special Publication 800-53 and its subsequent revisions and updates. This tome — formally titled Security and Privacy Controls for Federal Information Systems and Organizations — is managed by the U.S. National Institute of Standards and Technology (NIST)

Special Publication 800-53 can be considered a key foundation upon which a strong portfolio of professional cybersecurity skills and knowledge can be built. While written specifically for federal agencies, as well as state agencies that do business with and/or interact with federal agencies, it can be adopted by any public or private sector organization.

As of this writing, Revision 5 is the most current update and is available online. The following 25 questions are based on NIST SP 800-53, Revision 5. In all cases, pick the best answer(s) to each question. The answers appear at the end of the questions. Good luck!

1. Which of the following is a trusted process explicitly authorized to reclassify and relabel data in accordance with a defined policy exception?
A. Overseer
B. Teacher
C. Mentor
D. Regrader

2. While previous revisions of SP 800-53 had different numbers, how many security and privacy control families does Revision 5 divide controls into?
A. 25
B. 20
C. 18
D. 12

3. Which of the following is defined as an exercise reflecting real-world conditions that is conducted as a simulated adversarial attempt to compromise organizational missions or business processes and to provide a comprehensive assessment of the security capabilities of an organization and its systems?
A. Red team exercise
B. Black pocket exercise
C. Gray cloak exercise
D. Worst enemy exercise

4. Which of the following is the process by which security and privacy control baselines are modified (usually by identifying and designating common controls, applying scoping considerations, and so forth)?
A. Fashioning
B. Crafting
C. Tailoring
D. Affecting

5. Which of the following is defined as being an intentional — but unauthorized — act resulting in the modification of a system, components of systems, its intended behavior, or data?
A. Meddling
B. Damaging
C. Tampering
D. Interfering

6. Any actions, devices, procedures, techniques, or other measures that are taken to reduce the vulnerability of a system are known as which of the following?
A. Supports
B. Succors
C. Hurdles
D. Countermeasures

7. Which of the following are controls whose implementation results in a capability that is inheritable by multiple systems or programs?
A. System-specific controls
B. Universal controls
C. Common controls
D. Hybrid controls

8. Federal agencies are required to implement which of the following sets of controls for federal information systems?
A. NIST Risk Management Framework
B. NIST Framework for Cybersecurity
C. NIST Cloud Control Framework
D. NIST Framework for Defense Protection

9. Federal control baselines are not included in SP 800-53 now, but instead provided in which complementing document?
A. SP 800-37
B. SP 800-54
C. SP 800-53B
D. SP 800-60-1

10. According to the publication, which of the following are “descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders”?
A. Controls
B. Labels
C. Safeguards
D. Schemas

11. When a system processes PII, which of the following have the responsibility for managing the security risks for the PII in the system?
A. The operator
B. The information security program
C. The privacy program
D. Both the information security program and the privacy program share the responsibility.

12. Which of the following identifiers describes the security and privacy control family associated with employee security?
A. IR
B. SR
C. MA
D. PS

13. The chronology of the origin, development, ownership, location, and changes to a system or system component and associated data is known as which of the following?
A. Derivation
B. Attribution
C. Provenance
D. Foundation

14. According to NIST, which concept recognizes that satisfying security or privacy requirements seldom derives from a single control, but rather from a set of mutually reinforcing controls?
A. wherewithal
B. capability
C. proficiency
D. facility

15. Which of the following refers to the process of rendering access to target data on a given media infeasible for a given level of effort?
A. Redaction
B. Sanitization
C. Darkening
D. Obfuscating

Please visit GoCertify to attempt the remaining 10 questions of this quiz.

ANSWERS

The NIST maintains Special Publication 800-53 to document federal cybersecurity processes, terms, and guidelines.

1. D — A regrader is defined in SP 800-53 as a trusted process explicitly authorized to reclassify and relabel data in accordance with a defined policy exception.
2. B — SP 800-53 Revision 5 divides controls into 20 families.
3. A — A red team exercise is one reflecting real-world conditions that is conducted as a simulated adversarial attempt to compromise organizational missions or business processes.
4. C — Tailoring is the process by which security control baselines are modified.
5. C — Tampering is defined as an intentional — but unauthorized — act resulting in the modification of a system, components of systems, its intended behavior, or data.
6. D — Countermeasures are any actions, devices, procedures, techniques, or other measures that are taken to reduce the vulnerability of a system.
7. A — Common controls implement results that are inheritable by multiple systems or programs.
8. A — Federal agencies are required to implement the NIST Risk Management Framework sets of controls for federal information systems.
9. C — SP 800-53B provides federal control baselines.
10. A — Controls are defined as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders.
11. D — Both the information security program and the privacy program share the responsibility when a system processes personally identifiable information (PII).
12. D — Employee security falls under the Personnel Security control family and the identifier is PS.
13. C — Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data.
14. B — The concept of capability recognizes that satisfying security or privacy requirements seldom derives from a single control but rather from a set of mutually reinforcing controls.
15. B — Sanitization refers to the process of rendering access to target data on a given media infeasible for a given level of effort.

About the Author

Emmett Dulaney is a professor at Anderson University and the author of several books including Linux All-in-One For Dummies and the CompTIA Network+ N10-008 Exam Cram, Seventh Edition.

Posted to topic:
Certification