CC Reviews Questions

The Federal Information Security Modernization Act (FISMA) requires federal agencies to implement comprehensive information security programs, including continuous monitoring and vulnerability scanning.

FISMA mandates risk-based security controls aligned with NIST standards, such as NIST SP 800-53 and NIST SP 800-137.

HIPAA applies to healthcare data, GLBA applies to financial institutions, and FERPA protects student education records. None of these broadly mandate vulnerability scanning across federal systems.

FISMA is foundational to federal cybersecurity governance and compliance.

The primary purpose of multi-factor authentication (MFA) is to add additional layers of security to user authentication by requiring more than one authentication factor. These factors typically include something you know, something you have, and something you are.

MFA significantly reduces the risk of unauthorized access, even if one factor—such as a password—is compromised. Attackers would still need access to the additional factors to authenticate successfully.

While MFA can help reduce the likelihood of breaches, it does not directly prevent malware or ensure data integrity. Its focus is on strengthening identity verification.

NIST, CIS, and other security frameworks strongly recommend MFA, particularly for remote access, privileged accounts, and cloud environments, due to its proven effectiveness in preventing account compromise.

Standards define mandatory technical or operational requirements that must be followed to comply with policy. Guidelines are optional, and procedures provide step-by-step instructions.

The principle of least privilege ensures users have only the minimum permissions necessary to perform their tasks. This limits damage from compromised accounts and insider threats.

It is foundational to access control, IAM, and zero trust architectures and is recommended by all major security frameworks.