To Think Strategically and Critically

This post responds to the inquiry about why I mentioned FISMA in the CISSP PRACTICE QUESTIONS – 20210302.

Strategic and critical thinking are essential skills for security professionals. In my opinion, strategic thinking means thinking from a long-term and high-level perspective; critical thinking aims to render effectiveness by exercising analytical and logical reasoning to determine necessity and sufficiency.

I have been writing CISSP questions of the day (QOTDs) for around two years to promote strategic and critical thinking and in-depth learning. It’s not my intention to simulate the actual exam or encourage shortcuts, cramming, or rote memorization. That’s why I write one and only one question a day and postpone sharing my suggested answer and justification. I hope it’s a time for my readers to research, think, analyze, reason, discuss, debate, conclude, and learn from the process. It’s also a time for me to learn from their feedback.

Laws and regulations drive the cybersecurity market. Organizational policies, standards, procedures, and guidelines shall comply or align with them. NIST develops Federal Information Processing Standards (FIPS) and publications aligned with laws and regulations; for example, the Federal Information Security Management Act (FISMA) and many others. Even though CISSP is a neutral certification, CISSP aspirants should still be “aware of” well-known statutes, acts, laws, or regulations; for example, the EU GDPR, the US HIPAA, the US Constitution, etc. Besides, the US is the cybersecurity industry leader. Given that ISC2 is a US-based organization, and CISSP is a US-based certification listed in the DoD 8570.1 baseline certifications, I believe CISSP will be positioned to meet the local market as a priority, e.g., the DoD, federal government departments and agencies, and US enterprises. That’s why we have to read NIST guidelines, FIPS, and laws and regulations.

I learn by reading, practicing, and sharing, so I spend much time writing my QOTDs and developing my justification. Readers may also learn from my explanation and references. As security professionals, we should try our best to communicate as precisely as possible. Without quoting sources, terminologies are inconsistent and subject to becoming jargon or buzzwords. For example, how do you define threat modeling, threat, threat scenario, threat landscape, risk, risk tolerance, risk assessment, attack vector, attack surface, security posture, etc.?

Finally, I hope my QOTDs are shared with a proper citation. On the one hand, it shows respect to the author and copyright; on the other hand, the real value of my QOTDs comes from the explanation and references instead of my suggested answer.

I hope you enjoy the breeze on your CISSP journey and pass the exam per your plan!

