SFPC Cheat Sheet 2026

The 30 highest-yield SFPC facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

50 questions
120 min time limit
80% to pass
  1. A Business Continuity Plan (BCP) is primarily designed to: Ensure critical functions continue during and after a disaster
  2. During an emergency, who typically has primary authority over evacuation decisions? The incident commander
  3. What is the highest level of national security classification used in the United States? Top Secret
  4. Which of the following are the two universal prerequisites for an individual to be considered for access to any Special Access Program? A validated need-to-know and the appropriate level of security clearance.
  5. In classified information handling, 'commingling' refers to: Mixing classified materials from different classification levels without proper controls
  6. Who is typically responsible for approving access to a Special Access Program? Designated Accrediting Authority (DAA)
  7. Which of the following activities is the primary focus of the 'Monitor' step in the Risk Management Framework? Continuously tracking changes to the system and assessing control effectiveness over time.
  8. A security manager is determining the appropriate level of investigation for a new federal position. What is the most critical factor in this determination? The designation of the position's sensitivity.
  9. A security manager uses this system to communicate with the DoD CAF? JCAVS
  10. Bollards are a type of physical security barrier primarily designed to protect against which of the following threats? Vehicular impact and ram-raiding
  11. According to Executive Order 13556, which of the following is considered a type of controlled unclassified information (CUI)? Law Enforcement Sensitive (LES) Information
  12. Which type of physical intrusion detection system (PIDS) sensor is specifically designed to detect an unauthorized entry through a door or window? A magnetic contact switch
  13. If someone accidentally gave a foreign entity access to classified information, which guideline would it fall under? Use of Information Technology Systems
  14. What is the purpose of 'crime prevention through environmental design' (CPTED)? Using security cameras in all areas
  15. What is 'data exfiltration' in the context of insider threats? The unauthorized transfer of sensitive data from an organization by an insider
  16. What is the purpose of the Personnel Security Investigation (PSI) process? To determine whether an individual is eligible for a security clearance
  17. What is a classified 'working paper' as defined in information security handling guidelines? A document generated during preparation of a classified product, such as notes or drafts
  18. In the context of SAPs, what does the term "carve-out" refer to? The segregation of program information from general classified information systems
  19. Which of the following best describes 'mutual aid agreements'? Pre-arranged agreements between jurisdictions to provide assistance
  20. What is a primary goal of a post-incident analysis or after-action review? Document lessons learned to improve future responses
  21. What is a 'critical information list' (CIL) in OPSEC? A prioritized compilation of information that must be protected from adversary collection
  22. What does the 'MICE' acronym represent in the context of insider threat motivations? Money, Ideology, Coercion/Compromise, Ego
  23. What is a Program Access Request (PAR) in the context of SAPs? A formal request to grant an individual access to a specific SAP
  24. What is 'opsec' as it applies to personal behavior? Being mindful of what personal information you reveal that could be used against you
  25. When a cleared employee must hand-carry Secret documents outside a controlled facility, what is required? A courier authorization letter and appropriate protective packaging or container
  26. What is the primary goal of personal security measures for a security professional? To identify and reduce personal vulnerabilities while enabling professional effectiveness
  27. Which of the following best defines the concept of 'need-to-know' for accessing classified information? A person requires access to perform their official duties
  28. What is included in the markings of classified information? Document holder as the sole authority to make transfer and dissemination determinations.
  29. What is a 'zero-day vulnerability'? A software vulnerability that is unknown to the vendor and for which no patch exists yet
  30. What is 'identity theft' and why is it a personal security concern? The fraudulent acquisition and use of another person's private identifying information
Turn these facts into recall: