[26 Test Answers] Cyber Awareness Challenge 2023

Here are the test answers to the Cyber Awareness Challenge (CAC) 2023.

Overview: The Cyber Awareness Challenge serves as an annual refresher of security requirements, security best practices, and your security responsibilities.

The answers here are current and are contained within three (3) incidents: spillage, Controlled Unclassified Information (CUI), and malicious code. Whether you have successfully completed the previous version or are starting from scratch, these test answers are for you.

Spillage

Which of the following does NOT constitute spillage?
A. Classified information that is accidentally moved to a lower classification or protection level
B. Classified information that should be unclassified and is downgraded.✅
C. Classified information that is intentionally moved to a lower protection level without authorization.

NOTE: Spillage occurs when information is “spilled” from a higher classification or protection level to a lower classification or protection level. Spillage can be either inadvertent or intentional.

Which of the following is NOT an appropriate way to protect against inadvertent spillage?
A. Label all files, removable media, and subject headers.
B. Use the classified network for all work, including unclassified work.✅
C. Be aware of classified markings and all handling caveats.

NOTE: Being cognizant of classification markings and labeling practices is a good strategy for avoiding inadvertent spillage. While it may seem safer, you should NOT use a classified network for unclassified work.

Which of the following should you NOT do if you find classified information on the internet?
A. Note the website’s URL.
B. Download the information.✅
C. Report it to security.

NOTE: Remember that leaked classified or controlled information is still classified or controlled even if it has already been compromised. Do NOT download it or you may create a new case of spillage.

Classified data

[Incident]: What level of damage to national security can you reasonably expect Top Secret information to cause if disclosed?
A. Damage
B. Serious damage
C. Exceptionally grave damage✅

NOTE: Top Secret information could be expected to cause exceptionally grave damage to national security if disclosed.

[Scene]: Which of the following is true about telework?
A. You may use your personal computer as long as it is in a secure area in your home.
B. You must have your organization’s permission to telework.✅
C. You may use unauthorized software as long as your computer’s antivirus software is up-to-date.

NOTE: You must have permission from your organization to telework. When teleworking, you should always use authorized equipment and software.

Insider threat

[Alex’s statement]: In addition to avoiding the temptation of greed to betray his country, what should Alex do differently?
A. Avoid attending professional conferences.
B. Ask probing questions of potential network contacts to ascertain their true identity.
C. Avoid talking about work outside of the workplace or with people without a need to know.✅

NOTE: Don’t talk about work outside of your workspace unless it is a specifically designated public meeting environment and is controlled by the event planners. Be careful not to discuss details of your work with people who do not have a need-to-know.

[Ellen’s statement]: How many insider threat indicators does Alex demonstrate?
A. None
B. One
C. Two
D. Three or more✅

NOTE: Alex demonstrates a lot of potential insider threat indicators, including difficult life circumstances, unexplained affluence, and unusual interest in classified information.

[Mark’s statement]: What should Alex’s colleagues do?
A. Report suspicious behavior in accordance with their organization’s insider threat policy.✅
B. Keep an eye on his behavior to see if it escalates.
C. Set up a situation to establish concrete proof that Alex is taking classified information.

NOTE: By reporting Alex’s potential risk indicators, Alex’s colleagues can protect their organization and potentially get Alex the help he needs to navigate his personal problems.

Controlled Unclassified Information (CUI)

Which of the following is NOT an example of CUI?
A. Proprietary data
B. Press release data✅
C. Financial information

NOTE: CUI includes, but is not limited to, Controlled Technical Information (CTI), Personally Identifiable Information (PII), Protected Health Information (PHI), financial information, personal or payroll information, proprietary data, and operational information.

Which of the following is NOT a correct way to protect CUI?
A. CUI may be stored on any password-protected system.✅
B. CUI may be stored in a locked desk after working hours.
C. CUI may be emailed if encrypted.

NOTE: CUI may be stored only on authorized systems or approved devices.

Physical security

[Incident #1]: What should the employee do differently?
A. Nothing. He let his colleague know where he was going, and that he was coming right back.
B. Skip the coffee break and remain at his workstation. He’s on the clock after all.
C. Remove his CAC and lock his workstation.✅

NOTE: Always remove your CAC and lock your computer before leaving your workstation.

[Incident #2]: What should the employee do differently?
A. Nothing. The person looked familiar, and anyone can forget their badge from time to time.
B. Decline to let the person in and redirect her to security.✅
C. Let the person in but escort her back to her workstation and verify her badge.

NOTE: Don’t allow others access or piggyback into secure areas. Always challenge people without proper badges and report suspicious activity.

Identity Management

✅ Always take your Common Access Card (CAC) when you leave your workstation.
✅ Never write down the PIN for your CAC.
❌ The telephone does not necessarily represent a security violation.
❌ The notepad does not necessarily represent a security violation.

Sensitive Compartmented Information (SCI)

[Incident #1]: When is it appropriate to have your security badge visible?
A. Only when badging in
B. At all times when in the facility.✅
C. At any time during the workday, including when leaving the facility.

NOTE: Badges must be visible and displayed above the waist at all times when in the facility. Badges must be removed when leaving the facility.

[Incident #2]: What should the owner of this printed SCI do differently?
A. Never print classified documents.
B. Label the printout UNCLASSIFIED to avoid drawing attention to it.
C. Retrieve classified documents promptly from printers.✅

NOTE: Always mark classified information appropriately and retrieve classified documents promptly from the printer.

[Incident #3]: What should the participants in this conversation involving SCI do differently?
A. Physically assess that everyone within listening distance is cleared and has a need-to-know for the information being discussed.✅
B. Hold the conversation over email or instant messenger to avoid being overheard.
C. Nothing. It is fair to assume that everyone in the SCIF is properly cleared.

NOTE: Even within a SCIF, you cannot assume that everyone present is cleared and has a need-to-know. Assess your surroundings to be sure no one overhears anything they shouldn’t.

Removable Media in a SCIF

[Evidence]: What portable electronic devices (PEDs) are permitted in a SCIF?
A. All PEDs, including personal devices
B. All government-owned PEDs
C. Only expressly authorized government-owned PEDs.✅

NOTE: No personal PEDs are allowed in a SCIF. Government-owned PEDs must be expressly authorized by your agency.

[Incident]: What is the response to an incident such as opening an uncontrolled DVD on a computer in a SCIF?
A. Notify your security POC
B. Analyze the media for viruses or malicious code
C. Analyze the other workstations in the SCIF for viruses or malicious code
D. All of these.✅

NOTE: Classified DVD distribution should be controlled just like any other classified media. If an incident occurs, you must notify your security POC immediately.

Malicious code

[Prevalence]: Which of the following is an example of malicious code?
A. A system reminder to install security updates.
B. Software that installs itself without the user’s knowledge.✅
C. A firewall that monitors and controls network traffic.

NOTE: Malicious code can mask itself as a harmless email attachment, downloadable file, or website. In reality, once you select one of these, it typically installs itself without your knowledge.

[Damage]: How can malicious code cause damage?
A. Corrupting files
B. Erasing your hard drive
C. Allowing hackers access
D. All of these✅

NOTE: Malicious code can cause damage by corrupting files, erasing your hard drive, and/or allowing hackers access.

[Spread]: How can you avoid downloading malicious code?
A. Turn on automatic downloading.
B. Only use a government-issued thumb drive to transfer files between systems.
C. Do not access website links in email messages.✅

NOTE: To avoid downloading malicious code, you should avoid accessing website links, buttons, or graphics in email messages or popups.

Website use

✅ Cookies may pose a security threat, particularly when they save unencrypted personal information.
✅ Look for “https” in the URL name to confirm that the site uses an encrypted link.

Travel

[Incident]: What should Sara do when using publicly available Internet, such as hotel Wi-Fi?
A. Only connect with the Government VPN✅
B. Only connect via an Ethernet cable
C. Only connect to known networks

NOTE: Use caution when connecting laptops to hotel Internet connections. Use public or free Wi-Fi only with the Government VPN.

[Incident]: What is the danger of using public Wi-Fi connections?
A. Compromise of data
B. Exposure to malware
C. Both of these.✅

NOTE: If you are directed to a login page before you can connect by VPN, the risk of malware loading or data compromise is substantially increased.

Mobile devices

[Incident]: When is it okay to charge a personal mobile device using government-furnished equipment (GFE)?
A. This is always okay
B. Only when there is no other charger available.
C. This is never okay.✅

NOTE: Never charge personal mobile devices using GFE nor connect any other USB devices (like a coffee warmer) to GFE.

[Incident]: Which of the following demonstrates proper protection of mobile devices?
A. Sally stored her government-furnished laptop in her checked luggage using a TSA-approved luggage lock.
B. Linda encrypts all of the sensitive data on her government-issued mobile devices.✅
C. Alan uses password protection as required on his government-issued smartphone but prefers the ease of no password on his personal smartphone.