US Navy Cyber Awareness Challenge 2025
*Malicious Code Which of the following may indicate a malicious code attack? Select all that apply. Then select submit. -The device re-starts following a system update. -A new app suddenly appears on the device. -The device slows down. -A new tab appears in the Web browser.
-A new app suddenly appears on the device. -The device slows down. -A new tab appears in the Web browser.
*Malicious Code How can malicious code spread? Select all that apply. Then select submit. -E-mail attachments -Downloading files -Visiting infected websites -Virus scans
-E-mail attachments -Downloading files -Visiting infected websites
*Unclassified Information When e-mailing this personnel roster, which of the following should you do? -Encrypt the PII -Digitally sign the e-mail -Use your Government e-mail account
-Encrypt the PII -Digitally sign the e-mail -Use your Government e-mail account
*Physical Facilities Sensitive Compartmented Information Facility (SCIF) Which of the following must you do when working in a SCIF? -Verify that all personnel in listening distance have a need-to-know -Ensure that monitors do not provide unobstructed views -Escort uncleared personnel and warn others in the SCIF
-Verify that all personnel in listening distance have a need-to-know -Ensure that monitors do not provide unobstructed views -Escort uncleared personnel and warn others in the SCIF
*Social Engineering DoD Software. DoD Software share "Approved Software List" with you. How many social engineering indicators are present in this e-mail? -0 -1 -2 -3+
3+
Which of these is NOT a potential indicator that your device may be under a malicious code attack? -The device slows down -Loss of control of the mouse or keyboard -A strange pop-up during system startup -An operating system update
An operating system update
*Mobile Devices Which method of getting online poses the least risk? -Approved mobile hotspot -Coffee shop Wi-Fi
Approved mobile hotspot
Which of the following is a best practice to protect your identity? -Throw credit card and bank statements in the trash -Carry your passport with you at all times -Enable data aggregation on sites when possible -Ask how information will be used before giving it out
Ask how information will be used before giving it out
What is a best practice for creating user accounts for your home computer? -Do not share your home computer with any other user -Create separate accounts for each user and tailor each password to what will be easy for the individual user to remember -Set up a generic user account with no password for general user functions -Create separate accounts for each user and have each user create their own password
Create separate accounts for each user and have each user create their own password
*Identity Management True or false? The best way to keep your passport safe is to carry it with you? -True -False
False
Which of the following uses of removable media is allowed? -Alex uses personally owned removable media on an Unclassified government laptop to transfer personal music files. -Nicky uses Unclassified government owned removable media to transfer work files to a personal laptop. -Cameron connects a personal phone to an Unclassified government laptop to charge. -Sam uses approved Government owned removable media to transfer files between government systems as authorized.
Sam uses approved Government owned removable media to transfer files between government systems as authorized.
*Telework What step should be taken next to securely telework? -Connect peripherals -Secure the area so others cannot view your monitor
Secure the area so others cannot view your monitor
Which of the following is true of removable media and portable electronic devices (PEDs)? -The risk associated with them may lead to loss of life. -They cannot be adequately secured, so they are prohibited by the DoD. -Removable media pose more risk than PEDs and are not permitted in government facilities. -Their utility outweighs any risk associated with them.
The risk associated with them may lead to loss of life.
Which of the following is true of compressed URLs (e.g., Tiny URL, goo.gl)? -You must open the link to find out where it leads. -You can hover your cursor over it to preview where it actually leads. -They pose no risk. -They may be used to mask malicious intent
They may be used to mask malicious intent
How can you protect your home computer? -Use the administration account for all users -Disable the password feature -Decline security updates -Use legitimate, known antivirus software
Use legitimate, known antivirus software
How can you protect data on a mobile device? -Use two-factor authentication -Store your data on a commercial cloud application -Disable automatic screen locking after a period of inactivity -Turn over your device as requested by authority figures
Use two-factor authentication
*Home Computer Security Firewall Protection Enable? -Yes -No
Yes
*Home Computer Security User Accounts Create user profile? -Yes -No
Yes
*Home Computer Security Virus and Threat Protection Install? -Yes -No
Yes
*Identity Authentication Alex How do you secure your account? I receive a text message code when logging in with a password. -Yes -Maybe -No
Yes
*Insider Threat Does Bob demonstrate potential insider threat indicators? -Yes -No
Yes
When is the safest time to post on social media about your work-related travel? -During the trip -Before the trip -After the trip
After the trip
How can you protect a mobile device while traveling? -Only use public Wi-Fi offered by established businesses -Only make voice calls, as they are more secure than data transmissions -Connect with a Government VPN -Store the device in a hotel safe when sightseeing
Connect with a Government VPN
*Government Resources Is this an appropriate use of government-furnished equipment (GFE)? -Yes -No
No
You receive an e-mail with a link to run an anti-virus scan. Your IT department has not sent links like this in the past. The e-mail is not digitally signed. What action should you take? -Select the link to run the anti-virus scan. -Look for a phone number in the e-mail to call for more information. -Report the e-mail to your security POC or help desk. -Reply to the e-mail to request more information.
Report the e-mail to your security POC or help desk.
Which of the following is a way to protect classified data? -Remove classification markings when transporting it -Store it in a GSA-approved container -Use a classified network for unclassified work -Destroy inappropriately marked material
Store it in a GSA-approved container
What are the requirements for access to Sensitive Compartmented Information (SCI)? -The access caveats specified by the Director of National Intelligence -The appropriate level of security clearance eligibility and a need-to-know -Top Secret clearance and indoctrination into the SCI program -Secret clearance and a signed nondisclosure agreement (NDA)
Top Secret clearance and indoctrination into the SCI program
As you scroll through your social media feed, a news headline catches your eye. What should you consider before sharing it with your connections? -How many times you have already posted today -Whether your connection would find the information valuable -There is nothing for you to consider before sharing -Whether the source is credible and reliable
Whether the source is credible and reliable
*Social Networking Important info for everyone! I had no idea. -Keep Scrolling -Re-post
Keep Scrolling
Based on the description provided, how many insider threat indicators are present? Edward has worked for a DoD agency for 2 years. He is an analyst who takes a great deal of interest in his work. He occasionally takes a somewhat aggressive interest in others' work as well, including asking for classified detail of their projects. He otherwise gets along well with his colleagues. -0 -1 -2 -3+
1
*Social Engineering DoD IT. Alert: E-mail Storage Quota Exceeded How many social engineering indicators are present in this e-mail? -0 -1 -2 -3+
3+
Which of the following personally owned peripherals can you use with government furnished equipment (GFE)? -A wired keyboard connected via USB -A wired webcam that requires installed drivers -A Bluetooth headset -A monitor connected via USB
A wired keyboard connected via USB
How can malicious code do damage? -Corrupt files -Encrypting or erasing your hard drive -Allowing hackers access -All of these
All of these
Under which Cyberspace Protection Condition (CPCON) is the priority focus limited to critical functions? -CPCON 1 -CPCON 2 -CPCON 3 -CPCON 4
CPCON 1
*Sensitive Compartmented Information Select an action to take in response to compromised Sensitive Compartmented Information (SCI). -Gather more information -Call your security point of contact (POC) -Do nothing
Call your security point of contact (POC)
*Mobile Devices Which payment method poses the least risk? -Cash -Digital credit card on smartphone
Cash
*Sensitive Compartmented Information Which of these individuals demonstrated behavior that could lead to the compromise of SCI? -Dr. Dove -Col. Cockatiel -Mr. Macaw
Col. Cockatiel
Which of the following is an example of removable media? -Smartphone -Laptop -Compact disc -Fitness band
Compact disc
Which type of data could reasonably be expected to cause damage to national security? -Secret -Confidential -Controlled Unclassified Information (CUI) -Top Secret
Confidential
Adam sees a coworker who does not have the required clearance with a printed document marked as Sensitive Compartmented Information (SCI). What should he do? -Contact his security POC to report the incident. -E-mail his security POC with detailed information about the information and person involved. -Nothing. It is not his responsibility. -Retrieve the document and verify that the coworker did not read it.
Contact his security POC to report the incident.
*Unclassified Information What type of information does this personnel roster represent? -Unclassified Information -Controlled Unclassified Information (CUI) -For Official Use Only (FOUO) information
Controlled Unclassified Information (CUI)
Which of the following is a potential insider threat indicator? -Authorized handling of classified information -Work-related foreign travel -Financial windfall from an inheritance -Death of a spouse
Death of a spouse
*Social Networking Everyone should see the new superhero movie! The special effects are fantastic on the big screen! -Delete -Post
Delete
You receive a text message from a vendor notifying you that your order is on hold due to needing updated payment information from you. It provides a shortened link for you to provide the needed information. What is the best course of action? -Open the link to provide information -Reply to the message and ask for more information -Delete the message -Open the link to inspect the website
Delete the message
*Social Networking Shaun S. 2 shared connections -Deny -Accept
Deny
*Classified Information Select an area in which to edit an electronic report that is classified. -Your Office -Common Area -Conference Room -Designated Secure Area
Designated Secure Area
*Unclassified Information Your meeting notes are unclassified. This means that your notes: -May be released to the public. -Do not have the potential to damage national security. -Do not have the potential to affect the safety of personnel, missions, or systems. -Do not require any markings
Do not have the potential to damage national security.
Which of the following is NOT an appropriate use of your Common Access Card (CAC)? -Reporting it immediately if lost or misplaced -Exchanging it for a visitor pass in another building -Using it on systems with up-to-date security -Storing it in a shielded sleeve
Exchanging it for a visitor pass in another building
How can you protect your home computer? -Turn off antivirus software scans -Install spyware protection software -Disable firewall protection -Accept all mobile code
Install spyware protection software
Which of the following is true for Controlled Unclassified Information (CUI)? -It is another term for any Unclassified information that has not been cleared for public release. -It is marked as CUI at the discretion of the information owner. -It poses no risk to Government missions or interests. -It belongs to a defined category established in the DoD CUI Registry.
It belongs to a defined category established in the DoD CUI Registry.
As you browse a social media site, you come across photos of information with classification markings. What should you do? -You are authorized to respond to inquiries about it. -Notify your security point of contact. -You may forward the URL to the information to interested parties. -Download the information to your computer.
Notify your security point of contact.
Which of the following is an appropriate use of a DoD Public Key Infrastructure (PKI) token? -Use a SIPRNet token for NIPRNet access as well -Only leave it in a system while actively using it for a PKI-required task -Use a NIPRNet token for SIPRNet access as well -Only use it on a publicly accessible computer with up-to-date antivirus software
Only leave it in a system while actively using it for a PKI-required task
Who designates whether information is classified and its classification level? -Your organization or agency head -National Security Agency (NSA) -Original classification authority -Your security point of contact
Original classification authority
*Physical Facilities Open Office Area Which of the following poses a physical security risk? -Posting an access roster in public view -Using your Common Access Card (CAC) for facility access -Challenging people without proper badges
Posting an access roster in public view
*Insider Threat How should Bob's colleagues respond? -Confront Bob -Report Bob -Avoid Bob
Report Bob
You received an e-mail marked important from your agency head asking you to call them using a number you do not recognize. The e-mail was sent from a personal e-mail address that you do not recognize, but it addresses you by name. What action should you take? -This may be a spear phishing attempt. Report it to your security POC or help desk. -This is an important request that requires your immediate attention. You should call immediately. -As it does not contain any hyperlinks or attachments, you should simply delete the e-mail. -As the e-mail addresses you by name, you should test the number by sending a text message to it.
This may be a spear phishing attempt. Report it to your security POC or help desk.
*Telework Does this pose a potential security risk? -Yes -No
Yes
*Identity Authentication Select the individual who securely authenticates their identity. -Alex -Bailey -Charlie
Alex
*Sensitive Compartmented Information Workstation Col. Cockatiel stores an unmarked document on the classified network. Does this behavior represent a security concern? -Yes -No
Yes
Which of the following is true of transmitting or transporting Sensitive Compartmented Information (SCI)? -You must be courier-briefed for SCI to transport it. -SCI does not require a coversheet in an open storage environment. -You may only transmit SCI via certified mail. -You must never print SCI.
You must be courier-briefed for SCI to transport it.
*Physical Facilities Collateral Classified Space Which of the following must you do when using an unclassified laptop in a collateral classified environment? -Use a wireless headset -Disable the embedded camera, microphone, and Wi-Fi -Use government-issued wired peripherals
-Disable the embedded camera, microphone, and Wi-Fi -Use government-issued wired peripherals
*Telework Which of these personally-owned computer peripherals may be used with government-furnished equipment? -HDMI monitor -USB keyboard -Wireless mouse
-HDMI monitor -USB keyboard
*Malicious Code How can you prevent the download of malicious code? Select all that apply. Then select submit. -Scan external files before uploading to your device -Research apps and their vulnerabilities before downloading -Use the Preview Pane to view e-mails -Disable automatic security patches
-Scan external files before uploading to your device -Research apps and their vulnerabilities before downloading
*Government Resources This is not an appropriate use of GFE. Why? -You should not use government e-mail to sell anything. -You should use a digital signature when sending hyperlinks. -You should not use unauthorized services, such as fileshare services, on GFE.
-You should not use government e-mail to sell anything. -You should use a digital signature when sending hyperlinks. -You should not use unauthorized services, such as fileshare services, on GFE.
*Mobile Devices Which action will keep DoD data the safest? -Change seats -Leave the coffee shop
Leave the coffee shop
*Identity Authentication Charlie How do you protect your Common Access Card (CAC) or Personal Identity Verification (PIV) Card? I use my CAC occasionally as a secondary photo identification. -Yes -Maybe -No
Maybe
How can you protect yourself from social networking sites? -Assume that people are who they say they are on social networking sites -Establish privacy settings and assume the available options will remain consistent -Validate connection requests through another source if possible -Turn on Global Positioning System (GPS) location geotagging
Validate connection requests through another source if possible
How can you protect yourself on social networking sites? -Turn on Global Positioning System (GPS) location geotagging -Assume that people are who they say they are on social networking sites -Validate connection requests through another source if possible -Establish privacy settings and assume the available options will remain consistent
Validate connection requests through another source if possible
Does it pose a security risk to tap your smartwatch to pay for a purchase at a store? -Only if you do not have the data on your linked phone encrypted. -No, there is no security risk associated with this. -Only if you do not have two-factor authentication enabled on your linked phone. -Yes, there is a risk that the signal could be intercepted and altered.
Yes, there is a risk that the signal could be intercepted and altered.
Steve occasionally runs errands during virtual meetings. He joins the meetings using his approved government device. Does this pose a security concern? -Maybe. It depends on whether Steve uses headphones and how loudly he talks. -Yes. Eavesdroppers may be listening to Steve's conversation. -No. No one else is going to be paying attention to what Steve is doing, as phone calls in public places are common. -No, because Steve is using a government-approved device.
Yes. Eavesdroppers may be listening to Steve's conversation.
Which of the following is the safest to share on a social media networking site? -Your birthdate -Your mother's maiden name -Your favorite movie -Your current location
Your favorite movie
Which of the following is an example of a strong password? -bRobr@79I*P -Fluffy&Spot -Password12345 -1965May31!
bRobr@79I*P
Which of the following is permitted when using an unclassified laptop within a collateral classified space? -A Government-issued wireless headset with a microphone -A microphone embedded in the laptop -A personally-owned wired headset without a microphone -A Government-issued wireless headset without a microphone
A personally-owned wired headset without a microphone
Which of the following can be used to catalogue information about you? -Social networking sites -Audio-enabled digital assistants (e.g., Siri, Alexa) -Fitness trackers -All of these
All of these
Which of the following poses a security risk while teleworking in an environment where Internet of Things (IoT) devices are present? -Voice-enabled listening and recording -Default IoT device passwords -Unknown devices connected via Bluetooth -All of these
All of these
Which of the following is an example of behavior that you should report? -Planning an overseas vacation -Drinking alcohol socially -Expressing dislike of a recent Presidential action -Bringing a phone into a prohibited area
Bringing a phone into a prohibited area
Which of the following is a best practice for telework and remote work? -Ensure others do not have access to your work area when processing classified information. -Connect to your Government Virtual Private Network (VPN). -Use personal equipment to avoid the risks associated with non-Government internet. -Rotate the location in your home where you perform telework or remote work.
Connect to your Government Virtual Private Network (VPN).
You receive a phone call from an unknown person asking for a directory name on your government furnished laptop so that a software update can be made. Which course of action should you take? -Document the interaction and contact your security POC or help desk -Provide the information but decline to update the software -Provide the information and follow instructions -End the call with no further action
Document the interaction and contact your security POC or help desk
Which of the following is an allowed use of government furnished equipment (GFE)? -Conducting transactions on your side business -Viewing family photos from your shared DropBox -Lending it to your spouse to watch a movie -E-mailing your supervisor
E-mailing your supervisor
Matt is a government employee who needs to share a document containing source selection data with his supervisor. Which of the following describes the most appropriate way for Matt to do this? -Send it via chat in a collaboration app. -Leave a printed copy on his supervisor's desk after working hours. -Encrypt it and send it via digitally signed Government e-mail. -Save it to a shared folder accessible to their team.
Encrypt it and send it via digitally signed Government e-mail.
John receives an e-mail about a potential shutdown of a major social service unless a petition receives enough signatures. Which of the following actions should John NOT take with the e-mail? -Research the claim -Delete it -Forward it -Mark it as junk
Forward it
Which of the following is a best practice for physical security? -Only hold the door for coworkers that you know work in the facility -Post access rosters in a visible area outside the facility -Lock your security badge away and avoid wearing it while in the facility -Report suspicious activity
Report suspicious activity
*Website Use Did you hear about this? They are trying to move Thanksgiving to March instead of November! Sign the petition and make a donation to stop this. -Research Claim -Research Link -Open Link
Research Claim
How can you protect yourself from identity theft? -Share passwords and PINs in your household -Review your credit report annually -Scan personal documents before discarding them -Segregate the data collected by your apps and devices
Review your credit report annually
Tessa is processing payroll data that includes employees' names, home addresses, and salary. Which of the following is Tessa prohibited from doing with the data? -Using her home computer to print the data while working remotely -Storing it in her locked desk drawer after working hours -Securely e-mailing it to a colleague who needs to provide missing data -Encrypting it
Using her home computer to print the data while working remotely
When linked to a specific individual, which of the following is NOT an example of Personally Identifiable Information (PII)? -Smartphone brand and model -Fingerprint records -Mother's maiden name -Payment for the provisions of healthcare
Smartphone brand and model
*Identity Management True or false? Voice-activated smart devices can collect and share your personal information. -True -False
True
*Removable Media Choose an action! You find an unlabeled thumb drive in the parking area outside your workplace. What should you do? -Plug it into your work computer to find out more about it -Leave it alone -Turn it in to your security officer
Turn it in to your security officer
Which of the following is true of spillage? -It occurs when authorization to transfer information is granted and then later revoked. -It describes information that is "spilled" to either a lower or higher protection level. -It refers specifically to classified information that becomes publicly available. -It can be either inadvertent or intentional.
It can be either inadvertent or intentional.
*Identity Authentication Bailey What kind of passwords do you use? I use Password1 as one of my passwords. -Yes -Maybe -No
No
*Sensitive Compartmented Information Conversation Area Mr. Macaw and a colleague had a conversation about a shared project in the SCIF after verifying no one was nearby. Does this behavior represent a security concern? -Yes -No
No
*Sensitive Compartmented Information Printer Dr. Dove printed a classified document and retrieved it promptly from the printer. Does this behavior represent a security concern? -Yes -No
No
*Identity Management True or false? You should monitor your credit card statements for unauthorized purchases? -True -False
True
Which of the following is a best practice for using government e-mail? -Do not solicit sales -Use "Reply All" when responding to e-mails -Copy your personal e-mail on your outgoing e-mails -Do not use a digital signature when sending attachments
Do not solicit sales
Which of the following statements is true of DoD Unclassified data? -It does not require access or distribution controls. -It must be cleared before being released to the public. -It poses no risk to the safety of government personnel, mission, or systems. -It does not require classification markings.
It must be cleared before being released to the public.
When allowed, which of the following is an appropriate use of removable media? -Labeling media that contains personally identifiable information (PII) -Destroying removable media with a refrigerator magnet -Downloading data from classified networks -Discarding unneeded removable media in the trash
Labeling media that contains personally identifiable information (PII)
Which of the following is a best practice when browsing the Internet? -Set your browser to accept all cookies -Look for the h-t-t-p-s in the URL name -Confirm that the site uses an unencrypted link -Save your credit card information on e-commerce sites
Look for the h-t-t-p-s in the URL name
Which of the following describes Sensitive Compartmented Information (SCI)? -The requirements for access to SCI material are security clearance eligibility and need-to-know -SCI introduces an overlay of security to Top Secret, Secret, and Confidential information. -The determination that a piece of information is SCI is made at the organizational level. -SCI is a type of Controlled Unclassified Information (CUI).
SCI introduces an overlay of security to Top Secret, Secret, and Confidential information.
How can you prevent viruses and malicious code? -Email infected files to your security POC -View e-mail using the Preview Pane rather than opening it -Allow mobile code to run on all websites -Scan all e-mail attachments
Scan all e-mail attachments
Which of the following provides precise, comprehensive guidance regarding specific program, system, operation, or weapon system elements of information to be classified? -Classification Management Tool -Local Security Official -Security Classification Guide -Classification Registry
Security Classification Guide
What is an insider threat? -The risk that information systems and networks will fail due to inadequate internal maintenance. -Someone who proactively identifies persons with authorized access to explain to gain access to U.S. government data. -The risk posed by the loss of organizational knowledge when trusted personnel resign or retire. -Someone who uses authorized access, either wittingly or unwittingly, to harm national security.
Someone who uses authorized access, either wittingly or unwittingly, to harm national security.
Which of the following is a best practice for protecting your home wireless network for telework or remote work? -Implement, as a minimum, Wi-Fi Protected Access 2 (WPA2) Personal encryption -Use your router's pre-set Service Set Identifier (SSID) and password -Turn off all other devices that connect to your router while working -Open access to your network to all devices
Turn off all other devices that connect to your router while working