← All answer keys
IT CertificationsAnswer Key

Nist 800 60 System Categorization

18 community-sourced questions and answers. Free — no login.

Community-sourced. Answers may be wrong or out of date. Always verify with your official training portal before submitting. Not affiliated with any branch, agency, or vendor. Details.
QUESTION 1

Why was NIST 800-60 developed for?

ANSWER

To assist Federal government agencies to categorize information and information systems

QUESTION 2

What two potential security impacts does NIST 800-60 help by developing guidelines?

ANSWER

Information: Privacy, Proprietary, Financial, Sensitive Information Systems: Mission Critical, Support, Administrative

QUESTION 3

What system does NIST 800-60 not apply to?

ANSWER

All Federal Information Systems except "National Security Systems".

QUESTION 4

How does FISMA define a "National Security System"?

ANSWER

As any information system used or operated for the function of intelligence activities, and processing classified information.

QUESTION 5

How many documents were developed to contribute to the Federal Information Security Management Act (FISMA) of 2002?

ANSWER

A series of nine documents. They are structured, but flexible. Address selecting, specifying, employing, evaluating, and monitoring security controls.

QUESTION 6

What does the Federal Enterprise Architecture (FEA) define?

ANSWER

It defines Security Categorization starts with the identification of what information supports which government lines of business.

QUESTION 7

What does FIPS 199 help assist within an organization?

ANSWER

Helps ensure that each information system receives the appropriate management oversight and reflects the needs of the organization as a whole. Proper security resources are given and not under/over allocated.

QUESTION 8

What results of an incorrect information system impact analysis? (FIPS 199)

ANSWER

Can result in the agency either over protection the information system; thus wasting resources OR under protecting and placing important operations at risk.

QUESTION 9

How often should the categorization of the information or information system be revisited?

ANSWER

At least every three years or when a significant change occurs to the system or supporting lines of business.

QUESTION 10

For Step 1 (Categorize Information Systems) of the RMF process, what two documents assist with guiding?

ANSWER

FIPS 199 NIST SP 800-60

QUESTION 11

For Step 2 (Select Security Controls) of the RMF Process, what two documents assist with guiding?

ANSWER

FIPS 200 NIST SP 800-53

QUESTION 12

What is the output from Step 2 of the RMF Process (Select Security Controls)?

ANSWER

The System Security Plan (SSP) or Just SP

QUESTION 13

For Step 3 (Implement Security Controls) of the RMF process, what document assists with guiding?

ANSWER

NIST SP 800-70

QUESTION 14

For Step 4 (Assess Security Controls), of the RMF process, what document assists with guiding?

ANSWER

NIST SP 800-53A

QUESTION 15

What is the output for Step 4 - Assess Security Controls?

ANSWER

A Security Assessment Report

QUESTION 16

For Step 5 (Authorize Information Systems), of the RMF process, what document assists with guiding?

ANSWER

NIST SP 800-37

QUESTION 17

What is the output for Step 5 - Authorize Information Systems?

ANSWER

A Plan of Actions & Milestones (POA&M)

QUESTION 18

For Step 6 (Monitor Security State), of the RMF process, what two documents assist with guiding?

ANSWER

NIST SP 800-37 NIST SP 800-53A

Looking for a different version?

CBTs get updated every year. Search for the exact version you're taking (e.g. "cyber awareness 2025").

Search all study materials