Effective CISSP Questions

You are evaluating and selecting software vendors to customize the transportation management system in a procurement project. Which of the following is least likely to be part of the evaluation criteria for the vendor qualification?
A. FOCI (Foreign Ownership, Control, and Influence)
B. Capability Maturity Model Integration (CMMI)
C. Software Assurance Maturity Model (SAMM)
D. Common Criteria (ISO 15408)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Common Criteria (ISO 15408).

The Common Criteria (ISO 15408) specifies criteria for evaluating the security of IT products, not for qualifying the vendors that build them.

Common Criteria Evaluation

FOCI as Regulatory Requirements

FOCI (Foreign Ownership, Control, and Influence) is a common regulatory requirement, e.g., 32 CFR § 2004.34 in the US and section 4.30.30, Foreign ownership, control or influence, in Canada. CFR is an acronym for the Code of Federal Regulations in the US.


You, as an acquirer, can benefit from a vendor’s use of CMMI-DEV and avoid the pitfalls associated with unrealistic expectations by effectively using information obtained from the vendor’s CMMI-DEV efforts on development programs. (Osiecki)

“CMMI can be appraised using two different approaches: staged and continuous. The staged approach yields appraisal results as one of five maturity levels. The continuous approach yields one of four capability levels.” (Wikipedia)

CMM and CMMI Maturity Levels Comparison


Given that ISACA acquired the CMMI Institute and the CMMI materials are copyrighted, OWASP’s SAMM (Software Assurance Maturity Model) is, by contrast, an open project.

SAMM Model Structure



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

In a procurement project, you are evaluating and selecting software vendors to customize a transportation management system. Which of the following is least likely to be part of the evaluation criteria for vendor qualification?
A. FOCI (Foreign Ownership, Control, and Influence)
B. Capability Maturity Model Integration (CMMI)
C. Software Assurance Maturity Model (SAMM)
D. Common Criteria

1 thought on “CISSP PRACTICE QUESTIONS – 20210218”
