RIMS · CRMP-FED
The RIMS-CRMP-FED validates risk management competencies specifically within the United States Federal Government environment, covering enterprise risk management implementation, reporting, and alignment with OMB, GAO, and NIST standards. It is developed in cooperation with the Association for Federal Enterprise Risk Management (AFERM) and builds upon the core RIMS-CRMP credential.
Questions
850
Duration
180 minutes
Passing Score
Pass/Fail
Difficulty
SpecialtyLast Updated
Feb 2026
Use this CRMP-FED practice exam to prepare for RIMS-Certified Risk Management Professional—Federal (CRMP-FED) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 850 questions for RIMS CRMP-FED, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Understanding the Federal Government ERM Environment, ERM Implementation in the Federal Government, ERM Reporting in the Federal Government, OMB, GAO, and NIST Standards Alignment, and Federal Stakeholder Engagement and Communication. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The RIMS-Certified Risk Management Professional—Federal (CRMP-FED) is a specialized credential developed by RIMS in cooperation with the Association for Federal Enterprise Risk Management (AFERM) that validates risk management competencies specifically within the United States Federal Government environment. It is the only credential of its kind designed to confirm expertise in enterprise risk management (ERM) as practiced under federal frameworks, including alignment with OMB Circular A-123, OMB Circular A-11 Part 6, GAO standards, and NIST guidance. The RIMS-CRMP holds ANSI National Accreditation Board (ANAB) accreditation under ISO/IEC 17024:2012, making it the only risk management certification in the world with this accredited status.
The CRMP-FED is structured as an add-on to the core RIMS-CRMP credential and cannot be earned independently. Candidates take a single three-hour combined exam that tests both core risk management competencies and federal-government-specific knowledge—covering areas such as ERM implementation within federal agencies, internal controls integration, stakeholder engagement, and ERM reporting requirements. The credential is valid for two years and requires ongoing recertification to maintain.
This certification is designed for risk management professionals working within or directly supporting United States Federal Government agencies who wish to validate their specialized knowledge of federal ERM frameworks and practices. Typical candidates include agency risk officers, enterprise risk managers, internal auditors, compliance officers, and program managers embedded in civilian or defense federal organizations.
The credential is also well-suited for contractors, consultants, and advisors who regularly support federal agencies on ERM implementation, reporting, and governance. RIMS membership is not required to pursue the CRMP-FED, and RIMS-CRMP holders seeking to differentiate themselves in a government-focused career path will find it a natural and recognized next step.
Candidates must first earn or simultaneously qualify for the core RIMS-CRMP credential before sitting for the FED portion of the exam. This means satisfying one of three eligibility pathways: (1) a bachelor's degree or global equivalent in risk management plus one year of full-time risk management work experience; (2) a bachelor's degree or global equivalent in any non-risk management field plus three years of full-time risk management work experience; or (3) six years of full-time risk management experience with no degree requirement. All degrees must be from accredited institutions.
Applicants must submit a formal application with supporting documentation (official transcripts or registrar letters, employment verification), pay the applicable fee, and receive an authorization-to-test email from the RIMS-CRMP Certification Department before scheduling the exam. If a candidate has already passed the core RIMS-CRMP, they need only demonstrate eligibility for and pass the FED portion. The six-month testing window must be honored, or the examination fee is forfeited.
The CRMP-FED is delivered as a single combined, computer-based exam totaling three hours. The full exam consists of 170 items: 100 scored RIMS-CRMP core questions, 20 unscored pretest (pilot) questions embedded in the core section, and 50 scored FED-specific questions answered in a dedicated one-hour block. The exam is available year-round and administered either at a Pearson VUE testing center (in the US, Canada, and internationally) or via remote proctoring through Pearson VUE's OnVUE platform from a candidate's home or office. Candidates choosing remote proctoring must check in 30 minutes before their scheduled start time.
A passing score requires achieving 71% or higher on the overall exam. Results are provided as pass/fail. Candidates who do not pass must reapply within the guidelines set by the RIMS-CRMP Certification Department. The CRMP-FED credential, once earned, is valid for two years, after which recertification is required.
Earning the CRMP-FED signals to federal hiring managers, Inspector General offices, and agency leadership that a professional has validated expertise in the specific risk management frameworks, regulations, and reporting obligations unique to the federal government. It is recognized by the Navy, Army, and Marine Corps COOL programs, making it eligible for military tuition assistance funding and a valued credential for transitioning service members entering federal civilian risk roles. According to RIMS data, full-time risk professionals holding the RIMS-CRMP credential earn approximately $16,000 more annually than non-certified peers—a premium that the specialized CRMP-FED designation is positioned to reinforce within the federal pay and hiring ecosystem.
The credential is relevant to positions such as Agency Risk Officer, Senior Advisor for Enterprise Risk, ERM Program Manager, Internal Controls Officer, and strategic planning roles across civilian and defense agencies. As OMB continues to enforce ERM requirements under Circular A-123 and federal agencies mature their risk programs, demand for credentialed professionals who can demonstrate knowledge of federal-specific standards—rather than general private-sector ERM—continues to grow. The ANAB accreditation under ISO/IEC 17024:2012 adds a layer of independent validation that supports portability and credibility of the credential across agencies.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 850 questions.
Preview — answers shown1. Contoso Federal Agency is developing its supply chain risk management program for IT acquisitions. The agency needs to comply with federal requirements that restrict certain telecommunications equipment. Which two FAR provisions specifically prohibit certain foreign-manufactured products and equipment in federal acquisitions? (Select two!)
Multiple correct answersExplanation
FAR 52.204-23 specifically prohibits the use of Kaspersky Lab products and services in federal acquisitions due to national security concerns. FAR 52.204-24 establishes telecommunications equipment prohibitions, restricting the acquisition of covered telecommunications equipment and services from certain foreign manufacturers. Together, these provisions form a critical part of the federal supply chain risk management framework. FAR 52.212-4 addresses standard contract terms for commercial items and does not relate to supply chain security prohibitions. FAR 52.219-8 deals with small business utilization requirements in federal contracting. FAR 52.225-1 addresses Buy American Act compliance for domestic sourcing preferences, which is a trade policy rather than a cybersecurity supply chain restriction.
2. Litware Agency's risk analyst is preparing a presentation on the differences between Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for the Risk Management Council. Which statement correctly distinguishes KRIs from KPIs in the context of federal risk management? (Select one!)
Explanation
Key Risk Indicators are forward-looking leading indicators that provide early warning signals about increasing risk exposure, enabling organizations to take proactive action before risks materialize. Characteristics of effective KRIs include being quantifiable, predictable, trackable over time, benchmarkable, timely, and cost-effective. They function as an early warning system that alerts management when risk exposure exceeds tolerable levels. Key Performance Indicators, by contrast, are typically backward-looking lagging metrics that measure how well the organization has performed against established targets and objectives, showing deviations from expected outcomes. Assigning leading indicator characteristics to KPIs and lagging characteristics to KRIs reverses the fundamental distinction between these two metric types. KRIs and KPIs are distinct concepts with different purposes and temporal orientations, making them unsuitable for interchangeable use. KRIs are applicable across all risk categories including operational, strategic, compliance, and cybersecurity risks within federal agencies, not limited exclusively to financial or budgetary risks.
3. Contoso Federal Agency is a CFO Act agency undergoing its annual compliance assessment under OMB Circular A-123 Appendix D (M-23-06). The agency's financial management systems must meet specific requirements under the Federal Financial Management Improvement Act (FFMIA). Which three requirements must the agency demonstrate compliance with under Section 803(a) of FFMIA? (Select three!)
Multiple correct answersExplanation
FFMIA Section 803(a) requires CFO Act agencies to demonstrate compliance with three specific requirements: federal financial management system requirements, federal accounting standards as established by the Federal Accounting Standards Advisory Board (FASAB), and the United States Standard General Ledger (USSGL) at the transaction level. Agency-specific performance measurement standards fall under GPRAMA, not FFMIA. GAO audit standards and procurement integrity requirements are governed by separate statutory authorities and are not part of the FFMIA Section 803(a) compliance requirements.
4. Contoso Federal Agency is a CFO Act agency undergoing its annual assessment under OMB Circular A-123 Appendix D (M-23-06). The agency's financial management systems are being evaluated for compliance with the Federal Financial Management Improvement Act (FFMIA). Which three requirements must the agency demonstrate compliance with under Section 803(a) of FFMIA? (Select three!)
Multiple correct answersExplanation
FFMIA Section 803(a) establishes three specific compliance requirements for CFO Act agencies: federal financial management system requirements, federal accounting standards as established by the Federal Accounting Standards Advisory Board (FASAB), and the United States Standard General Ledger (USSGL) at the transaction level. Appendix D of OMB A-123 (M-23-06) applies specifically to these 24 CFO Act agencies. DATA Act reporting requirements are addressed under Appendix A. Payment integrity requirements fall under Appendix C. GPRAMA performance metrics are separate from FFMIA financial management system compliance.
5. Fabrikam Federal Agency has recently experienced a data breach in its financial reporting system. The Chief Information Security Officer is mapping the agency's cybersecurity risk management approach to the NIST three-tier risk management model described in SP 800-39. The CISO needs to identify at which tier the agency should establish its risk framing, define organizational risk tolerances, and set investment priorities for cybersecurity. At which tier of the NIST SP 800-39 model should these strategic governance decisions be made? (Select one!)
Explanation
NIST SP 800-39 defines a three-tier risk management model. Tier 1 (Organization) is the strategic and governance level where risk framing, organizational risk tolerances, and investment priorities are established. This tier addresses enterprise-wide risk decisions that guide all subordinate risk management activities. Tier 2 (Mission/Business Process) focuses on defining security architecture and allocating resources at the business process level. Tier 3 (Information Systems) addresses specific system-level controls, categorization, and continuous monitoring. There is no Tier 4 in the NIST SP 800-39 model; it uses only three tiers for its risk management hierarchy.
$17.99
One-time access to this exam