SFPC Cheat Sheet 2026
The 30 highest-yield SFPC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
50 questions
120 min time limit
80% to pass
- A Business Continuity Plan (BCP) is primarily designed to: → Ensure critical functions continue during and after a disaster
- During an emergency, who typically has primary authority over evacuation decisions? → The incident commander
- What is the highest level of national security classification used in the United States? → Top Secret
- Which of the following are the two universal prerequisites for an individual to be considered for access to any Special Access Program? → A validated need-to-know and the appropriate level of security clearance.
- In classified information handling, 'commingling' refers to: → Mixing classified materials from different classification levels without proper controls
- Who is typically responsible for approving access to a Special Access Program? → Designated Accrediting Authority (DAA)
- Which of the following activities is the primary focus of the 'Monitor' step in the Risk Management Framework? → Continuously tracking changes to the system and assessing control effectiveness over time.
- A security manager is determining the appropriate level of investigation for a new federal position. What is the most critical factor in this determination? → The designation of the position's sensitivity.
- A security manager uses this system to communicate with the DoD CAF? → JCAVS
- Bollards are a type of physical security barrier primarily designed to protect against which of the following threats? → Vehicular impact and ram-raiding
- According to Executive Order 13556, which of the following is considered a type of controlled unclassified information (CUI)? → Law Enforcement Sensitive (LES) Information
- Which type of physical intrusion detection system (PIDS) sensor is specifically designed to detect an unauthorized entry through a door or window? → A magnetic contact switch
- If someone accidentally gave a foreign entity access to classified information, which guideline would it fall under? → Use of Information Technology Systems
- What is the purpose of 'crime prevention through environmental design' (CPTED)? → Using security cameras in all areas
- What is 'data exfiltration' in the context of insider threats? → The unauthorized transfer of sensitive data from an organization by an insider
- What is the purpose of the Personnel Security Investigation (PSI) process? → To determine whether an individual is eligible for a security clearance
- What is a classified 'working paper' as defined in information security handling guidelines? → A document generated during preparation of a classified product, such as notes or drafts
- In the context of SAPs, what does the term "carve-out" refer to? → The segregation of program information from general classified information systems
- Which of the following best describes 'mutual aid agreements'? → Pre-arranged agreements between jurisdictions to provide assistance
- What is a primary goal of a post-incident analysis or after-action review? → Document lessons learned to improve future responses
- What is a 'critical information list' (CIL) in OPSEC? → A prioritized compilation of information that must be protected from adversary collection
- What does the 'MICE' acronym represent in the context of insider threat motivations? → Money, Ideology, Coercion/Compromise, Ego
- What is a Program Access Request (PAR) in the context of SAPs? → A formal request to grant an individual access to a specific SAP
- What is 'opsec' as it applies to personal behavior? → Being mindful of what personal information you reveal that could be used against you
- When a cleared employee must hand-carry Secret documents outside a controlled facility, what is required? → A courier authorization letter and appropriate protective packaging or container
- What is the primary goal of personal security measures for a security professional? → To identify and reduce personal vulnerabilities while enabling professional effectiveness
- Which of the following best defines the concept of 'need-to-know' for accessing classified information? → A person requires access to perform their official duties
- What is included in the markings of classified information? → Document holder as the sole authority to make transfer and dissemination determinations.
- What is a 'zero-day vulnerability'? → A software vulnerability that is unknown to the vendor and for which no patch exists yet
- What is 'identity theft' and why is it a personal security concern? → The fraudulent acquisition and use of another person's private identifying information
Turn these facts into recall: