CCP Lesson 5 Flashcards
Scope
The scale or extent of what will be evaluated for conformity, which includes those assets (people, facilities, technology) within the OSC’s environment that are targeted for CMMC Assessment because they interact with sensitive information - for example, by containing it, touching it in transit, or operating on the same network as it.
Scoping
The process of setting or determining the scope.
Headquarters (HQ) Organization
The legal entity that will be delivering services or products under the terms of a DoD contract.
Host Unit
The specific people, procedures, and technology within an HQ Organization that would be applied to the DoD contract and that are to be considered as the OSC for CMMC Assessment purposes.
Supporting Organization/Units
The people, procedures, and technology external to the HQ Organization that support the Host Unit. The affiliated asset may need to be included as part of the CMMC Assessment Scope.
Out-of-Scope Assets
Assets that cannot process, store or transmit FCI or CUI because they are physically or logically separated from CUI assets or are inherently unable to do so.
System
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Shared Responsibility Matrix
A mechanism that identifies the person(s) or team(s) in the OSC or the ESP responsible for the implementation and sustainment of the technical controls, as reflected in the terms of service between the ESP as provider and the OSC as customer.
Security Control Inheritance
A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; either internal or external to the organization where the system or application resides.
CMMC Certification Boundary
Defines the assets to which an assessor will evaluate conformity with applicable CMMC practices. This is the boundary to which a CMMC Certificate will be applied.
Assessment Boundary
Identifies all assets in the contractor’s environment for the Assessment engagement. Assets within the Assessment Boundary can be part of the CMMC Certification Boundary or Enabling Assets.
System Security Plan
The formal document prepared by the information system owner (or common security controls owner for inherited controls) that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. The plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configuration management plan, and incident response plan.
Enclave
A segmentation of an organization’s network or data that is intended to “wall off” that network or database from all other networks or systems. A CMMC Assessment scope can be within the Assessment scope of an enclave.
Cybersecurity Maturity Model Certification (CMMC) Level 1 Scoping Guidance
Cybersecurity Maturity Model Certification (CMMC) Self-Assessment scoping must be done before the Level 1 Cybersecurity Maturity Model Certification (CMMC) Self-Assessment
Informs which assets will be assessed
Informs the details of the Self-Assessment
Cybersecurity Maturity Model Certification (CMMC) Level 2 Scoping Guidance
Prior to an assessment, contractor assets must be categorized
Data at use
Processing
When Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) is actively being used by a system component
Data at rest
Storage
When Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) is inactive
Data in Motion
When Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) is transferred from one information system or one location to another
Level 1 scoping considerations
People
Technology
Facilities
External Service providers
Cloud-based External Service Providers
Virtualized
Save on capital and operational expenses
Security Protection Assets
Cybersecurity Maturity Model Certification (CMMC) Level 2
Provide security functions or capabilities to the Organization Seeking Certification (OSC)
Contractor Risk Managed Assets
Managed using contractor’s risk-based information security policy, procedures, and practices
Specialized Assets
Part of Cybersecurity Maturity Model Certification (CMMC) Level 2
- Government Property
- Internet of Things (IoT) or Industrial Internet of Things (IIoT)
- Operational Technology
- Restricted Information Systems
- Test Equipment
Specialized Assets - Government Property
All property owned or leased by the government
Specialized Assets - Internet of Things (IoT) or Industrial Internet of Things (IIoT)
Interconnected devices having physical or virtual representation in the digital world
Specialized Assets - Operational Technology (OT)
Used in manufacturing systems, Industrial Control Systems (ICS), or Supervisory Control and Data Acquisition (SCADA) Systems
Specialized Assets - Restricted Information Systems
Systems that are configured based entirely on government requirements and used to support the contract
Specialized Assets - Test Equipment
Used in testing of products, system components, and contract deliverables
Controlled Unclassified Information (CUI) Asset Contractor Requirements
Document asset inventory
Document System Security Plan (SSP)
Document Network Diagram
Prepare to be assessed against Level 2 Practices
Security Protection Assets Contractor Requirements
Document asset inventory
Document System Security Plan (SSP)
Document Network Diagram
Prepare to be assessed against Level 2 Practices
Contractor Risk Managed Assets Contractor Requirements
Document asset inventory
Document System Security Plan (SSP)
Document Network Diagram
Prepare to be assessed against CA.L2-3.12.4
Specialized Assets Contractor Requirements
Document asset inventory
Document System Security Plan (SSP)
Document Network Diagram
Prepare to be assessed against CA.L2-3.12.4
Follow the Information Strategy
Used to determine scope
Scoping Methodology
Identify Sensitive Information
Identify business processes that use that information
Identify systems that directly support those processes
Identify enabling systems
Categories of Cloud Services
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Shared Responsibility Matrix
Identifies who is responsible for each Assessment Objective
Responsible, Accountable, Consulted, Informed (RACI) Chart
A way to document a shared responsibility matrix
Establishing Scope
Inventory all systems
Catalog Sensitive Information
Determine how sensitive information moves
Identify Systems and enabling systems in scope