Candidates of all four certification roles (Auditor, Designer, Manager, and Operator) are tested on a comprehensive Federal Body of Knowledge (FBK) which consists of a library of federal statutes, regulations, standards, and guidelines. The FBK consists of 6 domains and 18 IT security topic areas.
Domain 1 – NIST Special Publications (SPs)
Domain 2 – NIST Federal Information Processing Standards (FIPS)
Domain 3 – NIST Control Families (CFs)
Domain 4 – Governmental Laws and Regulations
Domain 5 – NIST Risk Management Framework (RMF)
Domain 6 – NIST Interagency Reports (NISTIRs)
IT security topic areas
Topic 1 - Access Control
Topic 2 - Audit and Accountability
Topic 3 - Awareness and Training
Topic 4 - Configuration Management
Topic 5 - Contingency Planning
Topic 6 - Identification and Authentication
Topic 7 - Incident Response
Topic 8 - Maintenance
Topic 9 - Media Protection
Topic 10 - Personnel Security
Topic 11 - Physical and Environmental Protection
Topic 12 - Planning
Topic 13 - Program Management
Topic 14 - Risk Assessment
Topic 15 - Security Assessment and Authorization
Topic 16 - System and Communications Protection
Topic 17 - System and Information Integrity
Topic 18 - System and Services Acquisition
The domains are the boundaries of knowledge that are applicable within the federal government. The IT security topics include themes and skills that IT security professionals are expected to understand. The FITSP certification exams include questions that cover the intersection between the six domains and the 18 IT security topic areas.
Seventeen of the 18 IT security topic areas are derived directly from the minimum control requirements defined in FIPS 200, and one is defined in NIST SP 800-53, Appendix G (Program Management).
The FITSP Certification Program is represented by the FITSI FBK. The FBK contains six domains, and a domain is considered an area of knowledge.