CCP Lesson 2 Flashcards
Sensitive Information
Information where the loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act).
Federal Contract Information (FCI)
Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Controlled Unclassified Information (CUI)
Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Controlled Technical Information (CTI)
Technical Information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Export-Controlled Information (ECI)
Any information or material that cannot be released to foreign nationals or representatives of a foreign entity, without first obtaining approval or license from the Dept. of State for items controlled by ITAR or the Dept. of Commerce for items controlled by the Export Administration Regulations (EAR).
Covered Defense Information (CDI)
Terms used to identify information that requires protection under DFARS Clause 252.204-7012. Unclassified CTI or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations, and government-wide policies.
Lawful government purpose
Any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement).
Data Integrity
Property that data has not been altered in an unauthorized manner
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Personally Identifiable Information (PII)
Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual
Multifactor Authentication (MFA)
A mechanism that provides for added protection of data through electronic methods
Awareness
A learning process that sets the stage for training by changing individual and organizational attitudes to realize the importance of security and the adverse consequences of its failure.
Awareness and Training Program
Explains proper rules of behavior for the use of agency information systems and information. The program communicates information technology (IT) security policies and procedures that need to be followed. (i.e., NSTISSD 501, NIST SP 800-50)
Configuration Management
A collection of activities focused on establishing and maintaining the integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
Encryption
The process of changing plaintext into cipher text
Network Segmentation
The use of physical devices such as firewalls or logical separation such as subnetting to create distinct segments in your internal network
Demilitarized Zone (DMZ)
A small section of a private network that is located between two firewalls and made available for public access
Dissemination control
Method of managing sensitive information distribution so that it doesn’t spread more widely than allowed by law, regulation, or government-wide policy
Decontrolling CUI
Decontrolling occurs when an authorized holder, consistent with CUI regulations and the CUI Registry, removes safeguarding and dissemination controls from CUI that no longer requires such controls.
Record
Agency records and Presidential papers or Presidential records (or Vice-Presidential), as those terms are defined in 44 U.S.C. 3301 and 44 U.S.C. 2201 and 2207. Records are also items created or maintained by a Government contractor, licensee, certificate holder, or grantee that are subject to the sponsoring agency’s control under the terms of the entity’s agreement with the agency.
Media sanitization
The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Federal Contract Information (FCI)
Broadest definition of government information requiring protection. Not intended for public release.
Characteristics include private information and contract information
What is Federal Contract Information (FCI)?
Information useful only to the Defense Contractor and DoD. Not intended for public release
Cybersecurity Maturity Model Certification (CMMC) Level 1
Defined by Federal Acquisition Regulation (FAR) 52
What is Controlled Unclassified Information (CUI)?
Always considered Federal Contract Information (FCI)
Not Classified
Information that the government creates or possesses, an entity creates or possesses on behalf of the government, and information requiring safeguarding
Defined in Part 2002 of Title 32 Code of Federal Regulations (CFR)
Cybersecurity Maturity Model Certification (CMMC) Levels 2 and 3
Federal Contract Information (FCI) - Examples
Delivery dates
Schedules
Controlled Unclassified Information (CUI) - Examples
Blueprints
Water assessments
Health information
Personnel records
Base civil engineering maps
Types of Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) Basic
Controlled Unclassified Information (CUI) Specified
Controlled Unclassified Information (CUI) Basic
Most broad sense of Controlled Unclassified Information (CUI)
No specific handling instructions
Any CUI that is not Specified
Controlled Unclassified Information (CUI) Specified
Specific handling instructions in the contract
Not more important than Controlled Unclassified Information (CUI) Basic
Requires enhanced controls for handling, storing, processing, and transmitting
Controlled Unclassified Information (CUI) Registries
Provides the official list of Controlled Unclassified Information (CUI) types and categories