Engineering
Audit
FISMA
Security
Agile
100

An open-source software platform used to build, run, and manage applications inside standardized units called containers.

What is Docker?

100

Standard scheduled CJIS technical audits occur on this recurring cycle for criminal justice agencies.

What is every three (3) years?

100

When a security control fails an audit, you must document the mitigation strategy, required resources, and scheduled completion dates in this official, living compliance document.

What is POA&M (Plan of Action and Milestones)?

100

A platform used to perform security testing of web applications ranging from initial mapping and analysis to finding and exploiting security vulnerabilities.

What is Burp Suite Professional?

100

A service provided by the system that fulfills stakeholder needs and can be delivered by a single Agile Release Train (ART).

What is a feature?

200

An open-source tool used for automating the deployment, scaling, and management of containerized applications.

What is Kubernetes?

200

An automated security auditing tool that parses source code into an Abstract Syntax Tree (AST) to identify security vulnerabilities without executing the program.

What is SAST (Static Application Security Testing)?

200

Under the modern Open Security Controls Assessment Language (OSCAL) framework, this specific machine-readable artifact is generated to programmatically document how a system satisfies its defined security requirements.

What is an SSP (System Security Plan)?

200

A vulnerability scanner used to proactively identify and fix security flaws and misconfigurations before attackers can exploit them.

What is Tenable Nessus?

200

A servant leader and coach who operates at the program level to ensure multiple teams work together harmoniously to deliver value.

Who is the Agile Release Train Engineer (RTE)?

300

Overlapping layers of security put in place so that if one defensive mechanism fails, subsequent layers still protect the asset are known as this.

What is Defense in Depth?

300

Following an audit failure, this is the exact number of calendar days an agency is given to correct non-compliant issues or submit a corrective action plan.

What is 30 days?

300

This systematic process evaluates the operational and financial consequences of a business disruption, identifying which critical systems must be restored first.

What is a Business Impact Analysis (BIA)?

300

This strict architecture strategy dictates that no user or device is trusted by default, requiring continuous verification regardless of whether they are inside or outside the agency network perimeter.

What is Zero Trust Architecture?

300

A critical, regular event where integrated work of an entire ART is showcased to stakeholders.

What is System Demo?

400

Used in PKI, this specific service identifies which digital certificates should no longer be honored even if they are still within their standard validity period.

What is a CRL (Certificate Revocation List)?

400

This group is responsible for officially approving updates and changes to the CJIS Security Policy.

What is the CJIS Advisory Policy Board (APB)?

400

This document outlines how an organization will recover its systems following a severe disruption or cyberattack.

What is ISCP (Information System Contingency Plan)?

400

This type of network segment restricts external public traffic from touching internal federal databases by placing public-facing servers in an isolated zone.

What is a DMZ (Demilitarized Zone)?

400

Owner of the Team Backlog and single voice to the Team on what, when and why backlog items are required.

Who is the Product Owner?

500

A method defined by NIST SP 800-126 used to automate how organizations manage vulnerabilities and evaluate compliance with security policies.

What is SCAP (Security Content Automation Protocol)?

500

A U.S. government cybersecurity standard that defines minimum security requirements for cryptographic modules to reinforce any transmission of CJI over public or wireless networks.

What is FIPS 140-2?

500

This memorandum directs agencies to employ a risk-based, prioritized logging approach to address inefficiencies and the evolving cyber threat environment.

What is M-26-14?

500

A key exchange mechanism used to negotiate a shared encryption key over an insecure connection while relying on an RSA digital signature to verify the server's identity.

What is DHE-RSA (Diffie-Hellman Ephemeral with RSA)?

500

An agile technique used when multiple teams need to coordinate their work by discussing dependencies, tracking progress, and removing cross-team impediments.

What is a Scrum of Scrums?