CCP Lesson 2 Flashcards
Sensitive Information
Information where the loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act).
Federal Contract Information (FCI)
Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Controlled Unclassified Information (CUI)
Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Controlled Technical Information (CTI)
Technical Information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Export-Controlled Information (ECI)
Any information or material that cannot be released to foreign nationals or representatives of a foreign entity, without first obtaining approval or license from the Dept. of State for items controlled by ITAR or the Dept. of Commerce for items controlled by the Export Administration Regulations (EAR).
Covered Defense Information (CDI)
Term used to identify information that requires protection under DFARS Clause 252.204-7012. Unclassified CTI or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations, and government-wide policies.
Lawful government purpose
Any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement).
Data Integrity
Property that data has not been altered in an unauthorized manner
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Personally Identifiable Information (PII)
Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual
Multifactor Authentication (MFA)
A mechanism that provides for added protection of data through electronic methods
Awareness
A learning process that sets the stage for training by changing individual and organizational attitudes to realize the importance of security and the adverse consequences of its failure.
Awareness and Training Program
Explains proper rules of behavior for the use of agency information systems and information. The program communicates the information technology (IT) security policies and procedures that need to be followed (e.g., NSTISSD 501, NIST SP 800-50).
Configuration Management
A collection of activities focused on establishing and maintaining the integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
Encryption
The process of changing plaintext into cipher text
Network Segmentation
The use of physical devices such as firewalls or logical separation such as subnetting to create distinct segments in your internal network
Demilitarized Zone (DMZ)
A small section of a private network that is located between two firewalls and made available for public access
Dissemination control
Method of managing sensitive information distribution so that it doesn’t spread more widely than allowed by law, regulation, or government-wide policy
Decontrolling CUI
Decontrolling occurs when an authorized holder, consistent with CUI regulations and the CUI Registry, removes safeguarding and dissemination controls from CUI that no longer requires such controls.
Record
Agency records and Presidential papers or Presidential records (or Vice-Presidential), as those terms are defined in 44 U.S.C. 3301 and 44 U.S.C. 2201 and 2207. Records are also items created or maintained by a Government contractor, licensee, certificate holder, or grantee that are subject to the sponsoring agency’s control under the terms of the entity’s agreement with the agency.
Media sanitization
The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Federal Contract Information (FCI)
Broadest definition of government information requiring protection. Not intended for public release.
Characteristics include private information and contract information
What is Federal Contract Information (FCI)?
Information useful only to the Defense Contractor and DoD. Not intended for public release
Cybersecurity Maturity Model Certification (CMMC) Level 1
Defined by Federal Acquisition Regulation (FAR) 52
What is Controlled Unclassified information (CUI)?
Always considered Federal Contract Information (FCI)
Not Classified
Information that the government creates or possesses, an entity creates or possesses on behalf of the government, and information requiring safeguarding
Defined in Part 2002 of Title 32 Code of Federal Regulations (CFR)
Cybersecurity Maturity Model Certification (CMMC) Levels 2 and 3
Federal Contract Information (FCI) - Examples
Delivery dates
Schedules
Controlled Unclassified Information (CUI) - Examples
Blueprints
Water assessments
Health information
Personnel records
Base civil engineering maps
Types of Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) Basic
Controlled Unclassified Information (CUI) Specified
Controlled Unclassified Information (CUI) Basic
Most broad sense of Controlled Unclassified Information (CUI)
No specific handling instructions
Any CUI that is not Specified
Controlled Unclassified Information (CUI) Specified
Specific handling instructions in the contract
Not more important than Controlled Unclassified Information (CUI) Basic
Requires enhanced controls for handling, storing, processing, and transmitting
Controlled Unclassified information (CUI) Registries
Provides the official list of Controlled Unclassified Information (CUI) types and categories
What information does the Controlled Unclassified Information (CUI) registry contain?
Categories, Controlled Unclassified Information (CUI) markings, dissemination controls, registry change log, policy and guidance
Controlled Technical Information (CTI)
Specified category of Controlled Unclassified Information (CUI)
Includes technical information
Collected, developed, received, transmitted, used, or stored by, or on behalf of the government in support of the performance of a contract
Controlled Technical Information (CTI) examples
Research and engineering data
Technical reports
Technical orders
Data sets
Software executable and source code
Process sheets
Export-Controlled Information (ECI)
Specified category of Controlled Unclassified Information (CUI)
Includes physical assets and encryption technologies, and assets falling in the scope of the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR)
Subject to additional requirements above Controlled Unclassified Information (CUI)
Can’t be released to non-U.S. citizens
Guidelines for protecting Federal Contract Information (FCI) - Information Security Requirements
Follow Cybersecurity Maturity Model Certification (CMMC) level 1
Guidelines for protecting Federal Contract Information (FCI) - Marking
None
Guidelines for protecting Federal Contract Information (FCI) - National Archives and Records Administration (NARA)
None
Guidelines for protecting Federal Contract Information (FCI) - DoD Specific
None
Guidelines for protecting Federal Contract Information (FCI) - Other Federal Agencies
None
Guidelines for protecting Controlled Unclassified Information (CUI) - Information Security Requirements
Follow Cybersecurity Maturity Model Certification (CMMC) level 2/NIST SP 800-171
Guidelines for protecting Controlled Unclassified Information (CUI) - Marking
National Archives Controlled Unclassified Information (CUI) Markings, National Archives and Records Administration (NARA) CUI Marking Handbook
Guidelines for protecting Controlled Unclassified Information (CUI) - National Archives and Records Administration (NARA)
NARA Information Security Oversight Office (ISOO) CUI notices
Guidelines for protecting Controlled Unclassified Information (CUI) - DoD Specific
DoD Instruction 5200.48, Controlled Unclassified Information (CUI)
DoD CUI Program
DoD Mandatory (CUI) Training
DoD CUI Marking Aid
Guidelines for protecting Controlled Unclassified Information (CUI) - Other Federal Agencies
State Department for International Traffic in Arms Regulations (ITAR) related information
Covered Defense Information (CDI)
General term in the Defense Community for Controlled Unclassified Information (CUI) under the authority of the DoD
Any regulated information
Cybersecurity Maturity Model Certification (CMMC) Assessments
Verify whether an organization is following the pertinent regulations to ensure that sensitive information is managed at the following points:
- Identification
- Sharing
- Marking
- Safeguarding
- Storage
- Dissemination
- Destruction
DoD Instruction 5200.48 “Controlled Unclassified Information”
Establishes policy
Assigns responsibilities
Prescribes procedures to identify, handle, and store Controlled Unclassified Information throughout DoD
DoD Controlled Unclassified Information (CUI) Marking Requirements
The acronym “CUI” at the top and bottom of each page
CUI designation indicator
Controlled Unclassified Information (CUI) Basic Category Marking
CUI//BASIC
Controlled Unclassified Information (CUI) Specified Category Marking
CUI//SP-SPECIFIED
Portion Marking
Not required
Used when there is a mix of Controlled Unclassified Information (CUI) and unclassified/uncontrolled information
If used, must be throughout the entire document
Standard Form (SF) 902 Label
Used on computers, servers, mobile devices, file cabinets, external hard drives
Standard Form (SF) 903 Label
Used on small electronic media, such as USB devices
Controlled Unclassified Information (CUI) Mailing Requirements
Use First Class, Express, Certified, or Registered mail
Controlled Unclassified Information (CUI) Mailing Requirements - External Transmissions
Document must have recipient’s address, return address, and the words “TO BE OPENED BY ADDRESSEE ONLY” on the front
Controlled Unclassified Information (CUI) Mailing Requirements - Internal transmissions
Document must have recipient’s address, and the words “TO BE OPENED BY ADDRESSEE ONLY” on the front, but only the recipient’s address is required.
Controlled Unclassified Information (CUI) - Fax marking considerations
Use Transmittal coversheet Standard Form (SF) 901
Make sure person is present to receive fax
Do not send to unattended fax machine
Controlled Unclassified Information (CUI) - Package marking considerations
Package in a non-transparent envelope or box
Include authorized person in address block
Do mark the outside of the envelope or box with Controlled Unclassified Information (CUI) markings
Restrict Physical Access to:
Facilities, rooms, devices, media
Restrict Logical Access to:
Data, Digital resources, Networks
Authentication
Process by which a system verifies the identity of a user
Examples: passwords, thumbprints, tokens
Authorization
Determines what an identity can access within a system once authenticated
Example: OAuth
Access Control Mechanisms
Determines what operations a user may or may not engage in by comparing the user identity to the access credentials
Example: Role Based Access Control (RBAC)
Encryption
Provides additional protection in cases where a user or a system may be sharing sensitive protected information
Example: Secure Shell (SSH), Secure Sockets Layer / Transport Layer Security (SSL/TLS)
Multifactor Authentication (MFA)
Users are required to present at least two of the following:
- Something you know
- Something you have
- Something you are
Cybersecurity Awareness Training
Identifies common risks and cybersecurity threats
Reduces human error
Provides best practices
Helps employees understand the security risks of their actions
Mitigates security risks to sensitive information
Recognizes and responds to external and internal threats
Enhances organizational resilience against cybersecurity threats
Embeds a culture of security compliance
Controlled Unclassified Information (CUI) Storage in Controlled Environments - Logical
Backup Systems
Classification of emails and their sources
Network diagrams, segmentation, and Access Control Lists (ACLs)
Data classifications
Controlled Unclassified Information (CUI) Storage in Controlled Environments - Physical
Hard storage devices positioned in locked and safe locations
Authorized workstations or mobile devices to store data
Storage room designed for data security
Controlled Unclassified Information (CUI) Storage in Controlled Environments - Policies and Procedures
Everyone in the Organization Seeking Certification (OSC) must have knowledge of the policies and procedures
Federal Information Processing Standard (FIPS) Validated Cryptography
Used to protect Confidentiality of Controlled Unclassified Information (CUI)
Isolation
Separating assets that process, store, and transmit sensitive information from assets that do not handle sensitive information
Types of Isolation
Physical
Logical
Controlled Access
Restricting communications based on specific configurations or parameters
Limited Dissemination Controls
No Foreign Nationals (NOFORN or NF)
Releasable To (REL TO)
Media Sanitization - Clear
Logical techniques to sanitize data
Media Sanitization - Purge
Applies physical and logical techniques that render data recovery infeasible
Media Sanitization - Destroy
Renders target data recovery infeasible