Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CMMC original Slides > CCP Lesson 1 > Flashcards

CCP Lesson 1 Flashcards

1
Q

Defense Industrial Base (DIB) includes.

A

DoD Components, companies providing materials and services, government-owned facilities operated by the government or contractors

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Does Defense Supply Chain extend beyond DIB? Give examples.

A

Yes. office equipment, janitors, food

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What certification makes cybersecurity foundational for all acquisitions?

A

Cybersecurity Maturity Model Certification (CMMC)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Who receives contracts from the government?

A

Prime contractors

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Who helps prime contractors fulfill portions of the contracts?

A

Subcontractors

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

As information is moved between government, prime contractors, and subcontractors it is __ ____.

A

At risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What represents a philosophical change to securing the nation’s data?

A

CMMC program

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is the DoD’s initiative to verify defense contractors’ cybersecurity preparedness and effectiveness?

A

CMMC

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

CMMC standardized cybersecurity implementation across what?

A

Defense Industrial Base (DIB)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What year did the CMMC program kick off?

A

2019

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What year was CMMC Model 1.0 released?

A

2020

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What year was CMMC Model 2.0 released?

A

2021

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is considered the company’s own methods, techniques and inventions?

A

Internal Intellectual Property (IP)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Information from partners outside the government that is generally protected by contracts between parties such as license agreements and NDA’sis what tpe of Intellectual Property (IP)?

A

External Intellectual Property (IP)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

As it pertains to Legal, Regulatory, and Policy (LRP) Drivers, what ensures proper actions?

A

Laws

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

As it pertains to Legal, Regulatory, and Policy (LRP) Drivers, what are laws interpreted and implemented throug?

A

Regulations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

As it pertains to Legal, Regulatory, and Policy (LRP) Drivers, regulations are detailed thorugh?

A

Policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What provides policies and procedures that apply to all Executive Branch departments and agencies regarding acquisitions?

A

Federal Acquisition Regulation (FAR)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

48 CFR is also known as?

A

Federal Acquisition Regulation (FAR)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What regulation documents rules that government contractors are subject to, takes priority over Defense Federal Aquisition Regulation Supplement (DFARS), and provides a consistent set of baselines that apply to all solicitations?

A

Federal Acquisition Regulation (FAR)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What regulation is a supplement of the Federal Aquisition regulation?

A

Defense Federal Aquisition Regulation Supplement (DFARS)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Defense Federal Aquisition Regulation Supplement (DFARS) includes policies and procedures that apply to who and administered by who?

A

Department of Defense (DoD)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What does Defense Federal Acquisition Regulation Supplement (DFARS) cover?

A

Department of Defense acquisitions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

The Federal Information Security Modernization Act is the Legal Authority for what type of information?

A

Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What law requires government to protect sensitive information?

A

Federal Information Security Modernization Act

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

What is the Regulatory Authority for Federal Contract Information?

A

48 CFR Section 52

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

What regulations explain how to adhere to the law, as applied to a contractor’s information systems?

A

48 CFR Section 52

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

What is section 52 of the Federal Acquisition Regulation (FAR) is also called?

A

FAR 52

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

What is the primary source of information on handling requirements for FCI?

A

FAR 52

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

As defined in FAR 52, what is an information system that is owned or operated by a contractor that processes, stores, or transmits Federal Contract Information (FCI)?

A

Covered Contractor information System

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

As defined in FAR 52, What is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public or simple transactional information?

A

Federal Contract Information (FCI)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

As defined in FAR 52, what is any communication or representation of knowledge?

A

Information

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

As defined in FAR 52, what is a discrete set of information resources organized for collection, processing, maintenance, use, sharing, dissemination, or disposition of information?

A

Information System

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

As defined in FAR 52, what are measures or controls that are prescribed to protect information systems?

A

Safeguards

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

2002 Federal Information Security Management Act (FISMA) Amended in 2014 and Executive Order 13556, Controlled Unclassified Information is the legal Authority for what type of information?

A

Controlled Unclassified Information (CUI)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

32 CFR Part 2002 is the regulatory authority for what type of information?

A

Controlled Unclassified Information (CUI)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

Who oversees CUI Policy?

A

National Archives and Records Administration (NARA)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

What regulatory Authority appointed the National Archives and Administration (NARA) to oversee CUI policy?

A

32 CFR Part 2002

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

What regulation stood up Information Security Oversight Office (ISOO), which publishes CUI notices?

A

32 CFR Part 2002

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

What are the policy drivers for Controlled Unclassified Information?

A

National Archives and Records Administration (NARA); Information Security Oversight Office (ISOO)

41
Q

What office publishes Controlled Unclassified Information (CUI) notices)?

A

Information Security Oversight Office (ISOO)

42
Q

Policies stipulate that CUI must be protected in accordance with what National Institute of Standards and Technology (NIST) Special Publications (SP)?

A

NIST SP 800-171, NIST SP 800-171A, NIST SP 800-172

43
Q

Defense Industrial Base (DIB)

A

Worldwide industrial complex, enables research and development + design/production of military weapons and systems to meet US military requirements

44
Q

Prime Contractors

A

These contractors receive contracts from the government

45
Q

Effects of loss of Intellectual Property

A
  • Puts warfighter lives at danger
  • Diminishes global competitive advantage
46
Q

Philosophical change to securing the Nation’s Data

A

-“protect the information” not “protect the system”

47
Q

Cybersecurity Maturity Matrix Certification (CMMC) program

A
  • DoD initiative to verify defense contractors’ cybersecurity preparedness and effectiveness
  • Standardizes cybersecurity implementation
48
Q

Internal Intellectual Property (IP)

A
  • The company’s own methods, techniques, inventions
49
Q

External Intellectual Property

A
  • Partners outside the government; protected by documents such as license agreements and Nondisclosure Agreements (NDAs)
  • Federal government; commonly covers Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)
50
Q

Legal, Regulatory, Policy (LRP) drivers

A

Laws, regulation, and policies are behind the compliance requirements that government contractors must adhere to

51
Q

Federal Aquisition Regulation (FAR)

A

Chapter 1 of Title 48 of the Code of Federal Regulations (CFR); 48 CFR

Provides uniform policies and procedures regarding acquisitions

Documents rules that government contractors are subject to

52
Q

Defense Federal Acquisitions Regulations (DFARs)

A

Apply only DoD acquisition activities

53
Q

Federal Contract Information (FCI) Legal driver

A

Federal Information Security Modernization Act

54
Q

Federal Contract Information (FCI) Regulatory driver

A

Federal Acquisitions Regulation 52 (FAR 52)

55
Q

What Federal Acquisitions Regulation 52 (FAR 52) covers

A

Regulation Definitions

Requirements and procedures to safeguard Federal Contract Information (FCI)

Responsibilities when delegating contract work to subcontractors

56
Q

Federal Acquisition Regulation (FAR) definitions - Covered Contractor Information

A

Information system that is owned or operated by a contractor that processes, stores, or transmits Federal Contract Information (FCI)

57
Q

Federal Acquisition Regulation (FAR) definition - Federal Contract Information (FCI)

A

Information not intended for public release, that is provided or generated for the Government under contract to develop or deliver a product or service to the Government

58
Q

Federal Acquisition Regulation (FAR) definition - Information

A

Any communication or representation of knowledge

59
Q

Federal Acquisition Regulation (FAR) definition - Information System

A

Set of information resources organized for collection, processing, maintenance, use, sharing, dissemination, or disposition of information

60
Q

Federal Acquisition Regulation (FAR) definition - Safeguarding

A

measures or controls prescribed to protect information systems

61
Q

Federal Acquisition Regulation 52 (FAR 52) safeguarding requirements and procedures 1-6

A
  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute
  3. Verify and control/limit connections to and use of external information systems
  4. Control information posted or processed on publicly accessible information systems
  5. Identify information system users, processes acting on behalf of users, or devices
  6. Authenticate the identities of those users, processes, or devices, before allowing access to organizational information systems
62
Q

Federal Acquisition Regulation 52 (FAR 52) safeguarding requirements and procedures 7-15

A
  1. Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse
  2. Limit physical access to organizational information systems, equipment, and the operating environment to authorized individuals
  3. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices
  4. Monitor, control, and protect organizational communications at the external boundary and key internal boundaries of the information systems
  5. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
  6. Identify, report, and correct information and information system flaws in a timely manner
  7. Provide protection from malicious code
  8. Update malicious code protection mechanisms
  9. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
63
Q

Controlled Unclassified Information (CUI) Legal drivers

A

2002 Federal Information Security Management Act amended 2014

Executive order 13556, Controlled Unclassified Information

64
Q

Controlled Unclassifed Information (CUI) Regulatory driver

A

32 Code of Federal Regulation (CFR) Part 2002, Controlled Unclassified Information

65
Q

Controlled Unclassifed Information (CUI) Policy drivers

A

National Archive and Records Administration (NARA)

Information Security Oversight Office (ISOO) Controlled Unclassified Information (CUI) notices

66
Q

2002 Federal Information Security Management Act (FISMA) states

A

Government must protect its sensitive information:

-Federal Contract Information (FCI)
-Controlled unclassified Information (CUI)

67
Q

Executive Order 13556, Controlled unclassified Information (4 November 2010)

A

Standardized handling of protected information that is unclassified

68
Q

32 Code of Federal Regulations (CFR) Part 2002, Controlled Unclassified Information (CUI)

A

Explain how to adhere to Executive Order 13556

Stipulate and create overall requirements, governance, and management of Controlled Unclassified Information (CUI)

Appointed National Archives and Record Administration (NARA) to oversee Conrtolled Unclassified Information (CUI) Policy

Stood up Information Security Oversight Office (ISOO), which published Controlled Unclassified Information (CUI) notices

69
Q

Controlled Unclassified information (CUI) should be protected in accordance with:

A

National Institute of Standards and Technology (NIST) 800-171

National Institute of Standards and Technology (NIST) 800-171A

National Institute of Standards and Technology (NIST) 800-172

70
Q

National Archive and Records Administration’s (NARA) Information Security Oversight Office (ISOO)

A

Authority on the protection of Controlled Unclassified Information (CUI)

71
Q

Information Security Oversight Office (ISOO)

A

Contained within National Archive and Records Administration’s (NARA)

Responsible to the President for policy and oversight of the U.S. government’s security classification system and the National Industrial Security Program

Receives policy and program guidance from Nation Security Council (NSC)

Serves as the authority on protection of Controlled Unclassified Information (CUI)

72
Q

Information Security Oversight Office (ISOO) - Classification Management Staff

A

Develop security classification policies for classifying, declassifying, and safeguarding national security information generated in Government and industry

73
Q

Information Security Oversight Office (ISOO) - Operations Staff

A

Evaluate the effectiveness of the security classification programs established by Government

74
Q

Information Security Oversight Office (ISOO) - Controlled Unclassified Information (CUI) Staff

A

Develop standardized CUI policies and procedures

75
Q

National Institute of Standards and Technology (NIST)

A

Put forth publications covering policies on managing cybersecurity on federal systems, specifically covering Controlled Unclassified Information (CUI)

76
Q

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171

A

Focuses on Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations

Focuses primarily on protecting the confidentiality of Controlled Unclassified Information (CUI)

77
Q

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53

A

Security controls recommended for federal information systems

78
Q

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171A

A

Provides procedures for assessing the Controlled Unclassified Information (CUI)

The primary and authoritative guidance on assessing compliance with NIST SP 800-171

79
Q

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172

A

Enhanced Security Protection for Protecting Controlled Unclassified Information (CUI)

Provides federal agencies with enhanced security policies

Aims to protect the Confidentiality, Integrity, and Availability (CIA) of CUI

80
Q

Cybersecurity Maturity Model Certification (CMMC) Legal Drivers

A

Federal Information Security Modernization Act (FISMA)

Executive Order 13556

Subordinate Regulatory Authorities in addition to 32 Code of Federal Regulation (CFR) Part 2002 are Defense Federal Acquisition Regulations Supplement (DFARS):
Clause 252.204-7012
Clause 252.204-7019
Clause 252.204-7020
Clause 252.204-7021

Subordinate Policies - Cybersecurity Maturity Model Certification (CMMC) and DoD Instruction 5200.48, Controlled Unclassified Information

81
Q

Cybersecurity Maturity Model Certification (CMMC) Regulatory Drivers

A

32 Code of Federal Regulation (CFR) Part 2002

Subordinate Regulatory Authorities Defense Federal Acquisition Regulations Supplement (DFARS):
- Clause 252.204-7012
- Clause 252.204-7019
- Clause 252.204-7020
- Clause 252.204-7021

82
Q

Cybersecurity Maturity Model Certification (CMMC) Policy Drivers

A

National Archives and Records Administration (NARA) Information Security Oversight Office
(ISOO) Controlled Unclassified Information (CUI) notices
- National Institute of Standards and Technology (NIST) Special Publications 800-171, 800-172, 800-171A

Subordinate Policies
- Cybersecuruty Maturity Model Certification (CMMC
- DoD Instructions 5200.48

83
Q

Defense Federal Acquisition Regulations Supplement (DFARS)

A

DoD’s counterpart to Federal Acquisition Regulation (FAR) 52

Represent a significant philosophical change in how the nation’s data is secured, including the creation of the CMMC ecosystem

84
Q

Cybersecurity Maturity Model Certification (CMMC)

A

DOD initiative to verify contracting cyber security preparedness.

An enhancement and set of constraints upon the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171/2

85
Q

DoD Instruction 5200.48, Controlled Unclassified Information

A

Policies to improve how Controlled Unclassified Information (CUI) is marked, handled, and managed within DoD

86
Q

Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7012
(Safeguarding Covered Defense Information and Cyber Incident Reporting)

A

Identifies requirements for protecting Cyber Defense Information (CDI) and reporting cyber incidents

Requires compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171

Global self-attestation by contract signature

Self-attest only

87
Q

Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7019
(Notice of NIST SP 800-171 DoD Assessment Requirements)

A

Identifies the DoD’s cybersecurity assessment requirements

Detailed self-attestation

Defense Industry Base (DIB) contractors must formally report to DoD a summary score of their NIST SP 800-171 compliance

Subject to Defense Contract Management Agency (DCMA) audits

88
Q

Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7020
(NIST SP 800-171 DoD Assessment Requirements)

A

Defines how DoD will conduct different types of assessments

89
Q

Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7021
(Contractor Compliance with the Cybersecurity Maturity Model Certification (CMMC) Level Requirement)

A

Covers the Cybersecurity Maturity Model Certification (CMMC) Model Requirement

Enacts Cybersecurity Maturity Model Certification (CMMC)

90
Q

Cybersecurity Maturity Model Certification (CMMC) background Regulations and Standards

A

2002 Federal Information Security Management (FISMA) Act

2005 Risk Management Framework (RMF)

2011 Federal Risk and Authorization Management Program (FedRAMP)

2020 Cybersecurity Maturity Model Certification (CMMC)

91
Q

Risk Management Framework (RMF)

A

Designed to help Federal agencies meet Federal Information Security Management Act (FISMA) requirements

92
Q

Risk Management Framework (RMF) Process (7 Steps)

A

Prepare

Categorize

Select Controls

Implement Controls

Assess Controls

Authorize Systems

Monitor Systems

93
Q

Risk Management Framework (RMF) Process - Prepare

A

Establish context and priorities

94
Q

Risk Management Framework (RMF) Process - Categorize

A

Categorize information systems

95
Q

Risk Management Framework (RMF) Process - Select Controls

A

Tailor controls to reduce risk to an acceptable level based on risk assessment

96
Q

Risk Management Framework (RMF) Process - Implement Controls

A

Implement security controls

97
Q

Risk Management Framework (RMF) Process - Assess Controls

A

Assess controls to see if they were implemented properly and have desired outcomes

98
Q

Risk Management Framework (RMF) Process - Authorize Systems

A

Authorize Information Systems

99
Q

Risk Management Framework (RMF) Process - Monitor Security Controls

A

Ensure ongoing effectiveness

CMMC original Slides (18 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions