nerdexam
(ISC)2

CISSP-ISSEP · Question #78

Which of the following federal laws establishes roles and responsibilities for information security, risk management, testing, and training, and authorizes NIST and NSA to provide guidance for securit

The correct answer is B. Government Information Security Reform Act (GISRA). GISRA (2000) specifically established agency roles and responsibilities for information security programs - including risk management, periodic testing, and security awareness training - while explicitly authorizing both NIST and NSA to develop guidance and standards. The dual me

Governance and Training

Question

Which of the following federal laws establishes roles and responsibilities for information security, risk management, testing, and training, and authorizes NIST and NSA to provide guidance for security planning and implementation?

Options

  • AComputer Fraud and Abuse Act
  • BGovernment Information Security Reform Act (GISRA)
  • CFederal Information Security Management Act (FISMA)
  • DComputer Security Act

How the community answered

(28 responses)
  • A
    4% (1)
  • B
    93% (26)
  • C
    4% (1)

Explanation

GISRA (2000) specifically established agency roles and responsibilities for information security programs - including risk management, periodic testing, and security awareness training - while explicitly authorizing both NIST and NSA to develop guidance and standards. The dual mention of NIST and NSA is the key fingerprint of GISRA; NSA's role covered national security systems alongside NIST's civilian guidance.

Why the distractors are wrong:

  • C (FISMA) is the most tempting wrong answer - it superseded GISRA in 2002 and covers similar ground, but FISMA primarily delegates to NIST alone for civilian systems and does not give NSA the same co-equal role.
  • D (Computer Security Act) predates GISRA by over a decade (1987) and focused narrowly on establishing NIST/NSA roles for sensitive federal systems, but lacked the comprehensive program requirements (risk management, training, testing) described in the question.
  • A (CFAA) is about criminal liability for unauthorized computer access - entirely unrelated to security planning frameworks.

Memory tip: Think "GISRA = Guidance from both Agencies (NIST + NSA)." When you see a question mentioning both agencies together in a security program context, GISRA is the answer - FISMA dropped NSA from the civilian side when it replaced GISRA.

Topics

#Federal Legislation#Information Security Governance#Risk Management Frameworks#Agency Responsibilities

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice