
FEMA IS-921.A: Implementing Critical Infrastructure Security and Resilience Answers

What step is needed after information is collected?

A. Establish information analysis centers

B. Determine information resources

C. Form public-private partnerships

D. Validate information

Complete the Statement: One of the key benefits of Protected Critical Infrastructure Information (PCII) is that it:

A. Permits discovery under Federal, State, and local disclosure laws.

B. Cannot be used for regulatory purposes.

C. Includes threat awareness materials tailored to a particular sector’s needs.

D. Makes classified threat information available to owners and operators.

Complete the Statement: Implementation plans provide the following benefits, EXCEPT FOR:

A. They identify specific actions that must be taken.

B. They identify areas for improvement.

C. They identify expected outcomes from corrective actions.

D. They provide a schedule for the completion of actions.

The following are examples of protective measures, EXCEPT FOR:

A. Installing security systems.

B. Building system redundancies.

C. Hardening facilities.

D. Automating inventory functions.

Complete the Statement: Exercises conducted with major stakeholders strengthen security and resilience capabilities by helping to:

A. Improve communications and promote consistency.

B. Exploit vulnerabilities and weaknesses in protective measures.

C. Identify best practices through benchmarking.

D. Provide outreach and training resources to major stakeholders.

Complete the Statement: The most effective protective programs have the following characteristics, EXCEPT FOR:

A. Risk-informed.

Delegated.


Which of the following is a benefit of critical infrastructure partnerships for owners and operators?

A. Partners are eligible for subsidies under the National Infrastructure Protection Act.

B. Information provided by partners can satisfy regulatory reporting requirements.

C. Partners receive timely and useful information about threats to critical infrastructure.

D. Partners automatically receive access to sensitive and classified threat information.

Complete the Statement: The responsibility for developing business continuity and emergency management plans to address the direct effects of incidents lies with:

A. The DHS Office of Infrastructure Protection.

B. Critical infrastructure owners and operators.

C. Sector Specific Agencies.

D. The Federal Emergency Management Agency.

Complete the Statement: Critical infrastructure partners focus their information collection efforts and lay the foundation for a common operating picture by:

A. Participating in industry partnerships

B. Implementing the Critical Information Protection program

C. Registering in warning and alert programs

D. Identifying information needs up front

What document provides the unifying structure for the integration of critical infrastructure security efforts and resilience strategies into a single national program?

A. The Critical Infrastructure Response Plan

B. The Homeland Security Response Plan

C. The National Infrastructure Protection Plan

D. The Sector-Specific Protection Plan

Complete the Statement: Critical infrastructure security and resilience plans should explicitly address the following topics, EXCEPT FOR:

A. Corrective actions.

B. Risk management.

C. Roles and responsibilities.

D. Partnership building and information sharing.

Owner/operator concerns about sharing sensitive or proprietary information can be moderated by the following, EXCEPT FOR:

A. Identifying classified information networks to protect proprietary information.

B. Leveraging existing public-private partnerships.

C. Building confidence and trust over time.

D. Developing and establishing agreements in advance about the use of shared information.

The following statements are applicable to establishing partnership goals, EXCEPT FOR:

A. Goals should help partners maintain a common vision of desired security and resilience criteria.

B. Goals should duplicate those met under existing emergency operations programs.

C. Goals should reflect the broad security and resilience goals of the full range of partners.

D. Goals should help partners to identify specific risk-reduction strategies that will most significantly enhance security and resilience.

Select the correct answer to complete the statement. The following are resources for identifying effective critical infrastructure security and resilience practices, EXCEPT FOR:

A. Lessons-Learned Information Sharing (LLIS).

B. Cyber Security and Communications Industry Engagement and Resilience (IER) program.

C. Training offered by DHS and the sectors.

D. National Critical Infrastructure Security and Resilience Advisory System (CPAS).

What are the two factors used to evaluate reported information?

A. The reliability of the information and whether it is actionable

B. The currency of the information and the evaluation of the source

C. The reliability of the source and the validity of the information

D. The relevance of the information to terrorism or to other threats

What is government’s role when engaging owners and operators to form partnerships?

A. Creating partnerships that rely on civic engagement for critical infrastructure protection

B. Working with owners and operators to enforce compliance with widely-held protective measures and practices

C. Developing relationships with government regulatory partners that include mechanisms for sharing mandatory data

D. Encouraging and providing incentives to owners and operators to take action to make critical infrastructure secure and resilient

Complete the Statement: Continuous improvement activities provide the following benefits, EXCEPT FOR:

A. They better prepare personnel to protect against potential threats.

B. They help to identify best practices from other industries.

C. They enable participants to apply policies, plans, and procedures in a safe environment.

D. They help to identify gaps in policies, plans, and procedures.

Complete the Statement: Critical infrastructure threat assessments should evaluate the following threats, EXCEPT FOR:

A. Drought.

B. Domestic terrorist attacks.

C. Cyber/database failures.

D. Qualified workforce shortages.

Which of the following threats should we prioritize the highest when managing risk?

A. Threats with the lowest probability of occurring

B. Threats that are limited to publicly-owned infrastructure

C. Threats that are confined to residential neighborhoods

D. Threats with the greatest consequences should they occur

Complete the Statement: Risk management identifies how threats will be deterred:

A. Vulnerabilities mitigated, and consequences minimized.

B. Vulnerabilities mitigated, and consequences exploited.

C. Vulnerabilities eliminated, and consequences minimized.

D. Vulnerabilities eliminated, and consequences exploited.