CCP Lesson 2 Flashcards

1
Q

Sensitive Information

A

Information where the loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act).

2
Q

Federal Contract Information (FCI)

A

Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

3
Q

Controlled Unclassified Information (CUI)

A

Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

4
Q

Controlled Technical Information (CTI)

A

Technical Information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.

5
Q

Export-Controlled Information (ECI)

A

Any information or material that cannot be released to foreign nationals or representatives of a foreign entity, without first obtaining approval or license from the Dept. of State for items controlled by ITAR or the Dept. of Commerce for items controlled by the Export Administration Regulations (EAR).

6
Q

Covered Defense Information (CDI)

A

Term used to identify information that requires protection under DFARS Clause 252.204-7012. Unclassified CTI or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations, and government-wide policies.

7
Q

Lawful government purpose

A

Any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement).

8
Q

Data Integrity

A

Property that data has not been altered in an unauthorized manner

9
Q

Confidentiality

A

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

10
Q

Personally Identifiable Information (PII)

A

Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual

11
Q

Multifactor Authentication (MFA)

A

A mechanism that provides for added protection of data through electronic methods

12
Q

Awareness

A

A learning process that sets the stage for training by changing individual and organizational attitudes to realize the importance of security and the adverse consequences of its failure.

13
Q

Awareness and Training Program

A

Explains proper rules of behavior for the use of agency information systems and information. The program communicates the information technology (IT) security policies and procedures that need to be followed (e.g., NSTISSD 501, NIST SP 800-50).

14
Q

Configuration Management

A

A collection of activities focused on establishing and maintaining the integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.

15
Q

Encryption

A

The process of changing plaintext into ciphertext

16
Q

Network Segmentation

A

The use of physical devices such as firewalls or logical separation such as subnetting to create distinct segments in your internal network

17
Q

Demilitarized Zone (DMZ)

A

A small section of a private network that is located between two firewalls and made available for public access

18
Q

Dissemination control

A

Method of managing sensitive information distribution so that it doesn’t spread more widely than allowed by law, regulation, or government-wide policy

19
Q

Decontrolling CUI

A

Decontrolling occurs when an authorized holder, consistent with CUI regulations and the CUI Registry, removes safeguarding and dissemination controls from CUI that no longer requires such controls.

20
Q

Record

A

Agency records and Presidential papers or Presidential records (or Vice-Presidential), as those terms are defined in 44 U.S.C. 3301 and 44 U.S.C. 2201 and 2207. Records are also items created or maintained by a Government contractor, licensee, certificate holder, or grantee that are subject to the sponsoring agency’s control under the terms of the entity’s agreement with the agency.

21
Q

Media sanitization

A

The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.

22
Q

Federal Contract Information (FCI)

A

Broadest definition of government information requiring protection. Not intended for public release.

Characteristics include private information and contract information

23
Q

What is Federal Contract Information (FCI)?

A

Information useful only to the Defense Contractor and DoD. Not intended for public release

Cybersecurity Maturity Model Certification (CMMC) Level 1

Defined by Federal Acquisition Regulation (FAR) 52

24
Q

What is Controlled Unclassified Information (CUI)?

A

Always considered Federal Contract Information (FCI)

Not Classified

Information that the government creates or possesses, an entity creates or possesses on behalf of the government, and information requiring safeguarding

Defined in Part 2002 of Title 32 Code of Federal Regulations (CFR)

Cybersecurity Maturity Model Certification (CMMC) Levels 2 and 3

25
Q

Federal Contract Information (FCI) - Examples

A

Delivery dates

Schedules

26
Q

Controlled Unclassified Information (CUI) - Examples

A

Blueprints

Water assessments

Health information

Personnel records

Base civil engineering maps

27
Q

Types of Controlled Unclassified Information (CUI)

A

Controlled Unclassified Information (CUI) Basic

Controlled Unclassified Information (CUI) Specified

28
Q

Controlled Unclassified Information (CUI) Basic

A

Broadest sense of Controlled Unclassified Information (CUI)

No specific handling instructions

Any CUI that is not Specified

29
Q

Controlled Unclassified Information (CUI) Specified

A

Specific handling instructions in the contract

Not more important than Controlled Unclassified Information (CUI) Basic

Requires enhanced controls for handling, storing, processing, and transmitting

30
Q

Controlled Unclassified Information (CUI) Registries

A

Provides the official list of Controlled Unclassified Information (CUI) types and categories

31
Q

The Controlled Unclassified Information (CUI) registry contains what information?

A

Categories, Controlled Unclassified Information (CUI) markings, dissemination controls, registry change log, policy and guidance

32
Q

Controlled Technical Information (CTI)

A

Specified category of Controlled Unclassified Information (CUI)

Includes technical information

Collected, developed, received, transmitted, used, or stored by, or on behalf of the government in support of the performance of a contract

33
Q

Controlled Technical Information (CTI) examples

A

Research and engineering data

Technical reports

Technical orders

Data sets

Software executable and source code

Process sheets

34
Q

Export-Controlled Information (ECI)

A

Specified category of Controlled Unclassified Information (CUI)

Includes physical assets and encryption technologies, and assets falling within the scope of the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR)

Subject to additional requirements above those for Controlled Unclassified Information (CUI)

Can’t be released to non-U.S. citizens

35
Q

Guidelines for protecting Federal Contract Information (FCI) - Information Security Requirements

A

Follow Cybersecurity Maturity Model Certification (CMMC) level 1

36
Q

Guidelines for protecting Federal Contract Information (FCI) - Marking

A

None

37
Q

Guidelines for protecting Federal Contract Information (FCI) - National Archives and Records Administration (NARA)

A

None

38
Q

Guidelines for protecting Federal Contract Information (FCI) - DoD Specific

A

None

39
Q

Guidelines for protecting Federal Contract Information (FCI) - Other Federal Agencies

A

None

40
Q

Guidelines for protecting Controlled Unclassified Information (CUI) - Information Security Requirements

A

Follow Cybersecurity Maturity Model Certification (CMMC) level 2/NIST SP 800-171

41
Q

Guidelines for protecting Controlled Unclassified Information (CUI) - Marking

A

National Archives Controlled Unclassified Information (CUI) Markings, National Archives and Records Administration (NARA) CUI Marking Handbook

42
Q

Guidelines for protecting Controlled Unclassified Information (CUI) - National Archives and Records Administration (NARA)

A

NARA Information Security Oversight Office (ISOO) CUI notices

43
Q

Guidelines for protecting Controlled Unclassified Information (CUI) - DoD Specific

A

DoD Instruction 5200.48, Controlled Unclassified Information (CUI)

DoD CUI Program

DoD Mandatory (CUI) Training

DoD CUI Marking Aid

44
Q

Guidelines for protecting Controlled Unclassified Information (CUI) - Other Federal Agencies

A

State Department for International Traffic in Arms Regulations (ITAR) related information

45
Q

Covered Defense Information (CDI)

A

General term in the Defense Community for Controlled Unclassified Information (CUI) under the authority of the DoD

Any regulated information

46
Q

Cybersecurity Maturity Model Certification (CMMC) Assessments

A

Verify whether an organization is following the pertinent regulations to ensure that sensitive information is managed at the points below:

  • Identification
  • Sharing
  • Marking
  • Safeguarding
  • Storage
  • Dissemination
  • Destruction

47
Q

DoD Instruction 5200.48 “Controlled Unclassified Information”

A

Establishes policy

Assigns responsibilities

Prescribes procedures to identify, handle, and store Controlled Unclassified Information throughout DoD

48
Q

DoD Controlled Unclassified Information (CUI) Marking Requirements

A

The acronym “CUI” at the top and bottom of each page

CUI designation indicator

49
Q

Controlled Unclassified Information (CUI) Basic Category Marking

A

CUI//BASIC

50
Q

Controlled Unclassified Information (CUI) Specified Category Marking

A

CUI//SP-SPECIFIED

51
Q

Portion Marking

A

Not required

Used when there is a mix of Controlled Unclassified Information (CUI) and unclassified/uncontrolled information

If used, must be throughout the entire document

52
Q

Standard Form (SF) 902 Label

A

Used on computers, servers, mobile devices, file cabinets, external hard drives

53
Q

Standard Form (SF) 903 Label

A

Used on small electronic media, such as USB devices

54
Q

Controlled Unclassified Information (CUI) Mailing Requirements

A

Use First Class, Express, Certified, or Registered mail

55
Q

Controlled Unclassified Information (CUI) Mailing Requirements - External Transmissions

A

Document must have recipient’s address, return address, and the words “TO BE OPENED BY ADDRESSEE ONLY” on the front

56
Q

Controlled Unclassified Information (CUI) Mailing Requirements - Internal transmissions

A

Document must have recipient’s address, and the words “TO BE OPENED BY ADDRESSEE ONLY” on the front, but only the recipient’s address is required.

57
Q

Controlled Unclassified Information (CUI) - Fax marking considerations

A

Use Transmittal coversheet Standard Form (SF) 901

Make sure person is present to receive fax

Do not send to unattended fax machine

58
Q

Controlled Unclassified Information (CUI) - Package marking considerations

A

Package in a non-transparent envelope or box

Include authorized person in address block

Do mark the outside of the envelope or box with Controlled Unclassified Information (CUI) markings

59
Q

Restrict Physical Access to:

A

Facilities, rooms, devices, media

60
Q

Restrict Logical Access to:

A

Data, Digital resources, Networks

61
Q

Authentication

A

Process by which a system verifies the identity of a user

Examples: passwords, thumbprints, tokens

62
Q

Authorization

A

Determines what an identity can access within a system once authenticated

Example: OAuth

63
Q

Access Control Mechanisms

A

Determines what operations a user may or may not engage in by comparing the user identity to the access credentials

Example: Role Based Access Control (RBAC)

64
Q

Encryption

A

Provides additional protection in cases where a user or a system may be sharing sensitive protected information

Examples: Secure Shell (SSH), Secure Sockets Layer / Transport Layer Security (SSL, TLS)

65
Q

Multifactor Authentication (MFA)

A

Users are required to present at least two of the following:

  • Something you know
  • Something you have
  • Something you are

66
Q

Cybersecurity Awareness Training

A

Identifies common risks and cybersecurity threats

Reduces human error

Provides best practices

Helps employees understand the security risks of their actions

Mitigates security risks to sensitive information

Recognizes and responds to external and internal threats

Enhances organizational resilience against cybersecurity threats

Embeds a culture of security compliance

67
Q

Controlled Unclassified Information (CUI) Storage in Controlled Environments - Logical

A

Backup Systems

Classification of emails and their sources

Network diagrams, segmentation, and Access Control Lists (ACLs)

Data classifications

68
Q

Controlled Unclassified Information (CUI) Storage in Controlled Environments - Physical

A

Hard storage devices kept in locked and safe locations

Authorized workstations or mobile devices to store data

Storage room designed for data security

69
Q

Controlled Unclassified Information (CUI) Storage in Controlled Environments - Policies and Procedures

A

Everyone in the Organization Seeking Certification (OSC) must have knowledge of the policies and procedures

70
Q

Federal Information Processing Standard (FIPS) Validated Cryptography

A

Used to protect Confidentiality of Controlled Unclassified Information (CUI)

71
Q

Isolation

A

Separating assets that process, store, and transmit sensitive information from assets that do not handle sensitive information

72
Q

Types of Isolation

A

Physical

Logical

73
Q

Controlled Access

A

Restricting communications based on specific configurations or parameters

74
Q

Limited Dissemination Controls

A

No Foreign Nationals (NOFORN or NF)

Releasable To (REL TO)

75
Q

Media Sanitization - Clear

A

Logical techniques to sanitize data

76
Q

Media Sanitization - Purge

A

Applies physical and logical techniques that render data recovery infeasible

77
Q

Media Sanitization - Destroy

A

Renders target data recovery infeasible