2002.14.h - Information systems Flashcards
Information systems that process, store, or transmit CUI are of two different types: ______ ___________ ______ and ___-_______ ___________ ______
Federal information system and non-Federal information system
A Federal information system is an information system used or operated by an ______ or by a __________ of an ______ or other organization on behalf of an ______.
agency or by a contractor of an agency or other organization on behalf of an agency
A Federal information system operated on behalf of an agency provides information processing services to the agency that the Government might otherwise perform itself but has decided to _________.
outsource
Federal information systems includes systems operated exclusively for (a)__________ use and systems operated for (b)________ _______ ________ or __________ and ______ ______ users.
(a) Government
(b) multiple Federal agencies
(c) Government and private sector
An agency may require systems operated on its behalf by ___-_________ ______ entities to meet additional requirements the agency sets for its own internal systems.
non-executive branch
A ___-_______ ___________ ______ is any information system that does not meet the criteria for a Federal information system
non-Federal information system
Agencies (a)___ ___ treat non-Federal information systems as though they are agency systems, so agencies (b)______ require that non-executive branch entities protect these systems in the same manner that the agencies might protect their own information systems.
(a) may not
(b) cannot
When a non-executive branch entity receives Federal information only __________ to providing a service or product to the Government other than processing services, its information systems are not considered Federal information systems.
incidental
NIST SP 800–171 defines the requirements necessary to protect CUI Basic on ___-_______ information systems in accordance with the requirements of 32 CFR Part 2002.
non-Federal
Agencies must use NIST SP ___–___ when establishing security requirements to protect CUI’s confidentiality on non-Federal information systems.
800–171
Authorizing law, regulation, or policy listed in the CUI Registry for the CUI category or subcategory of the information involved prescribing specific safeguarding requirements for protecting the information’s confidentiality, or an agreement establishing requirements to protect CUI Basic at higher than moderate confidentiality overrides NIST SP 800-171 requirements.
T/F
True