Lesson 1 Definition Flashcards

1
Q

Defense Industrial Base (DIB)

A

Worldwide industrial complex that enables the research, development, design, and production of military weapons and systems to meet US military requirements

2
Q

Prime Contractors

A

These contractors receive contracts from the government

3
Q

Effects of loss of Intellectual Property

A
  • Puts warfighter lives in danger
  • Diminishes global competitive advantage
4
Q

Philosophical change to securing the Nation’s Data

A

-“protect the information” not “protect the system”

5
Q

Cybersecurity Maturity Model Certification (CMMC) program

A
  • DoD initiative to verify defense contractors’ cybersecurity preparedness and effectiveness
  • Standardizes cybersecurity implementation
6
Q

Internal Intellectual Property (IP)

A
  • The company’s own methods, techniques, inventions
7
Q

External Intellectual Property

A
  • Partners outside the government; protected by documents such as license agreements and Nondisclosure Agreements (NDAs)
  • Federal government; commonly covers Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)
8
Q

Legal, Regulatory, Policy (LRP) drivers

A

Laws, regulations, and policies are behind the compliance requirements that government contractors must adhere to

9
Q

Federal Acquisition Regulation (FAR)

A

Chapter 1 of Title 48 of the Code of Federal Regulations (CFR); 48 CFR

Provides uniform policies and procedures regarding acquisitions

Documents rules that government contractors are subject to

10
Q

Defense Federal Acquisition Regulations Supplement (DFARS)

A

Apply only to DoD acquisition activities

11
Q

Federal Contract Information (FCI) Legal driver

A

Federal Information Security Modernization Act

12
Q

Federal Contract Information (FCI) Regulatory driver

A

Federal Acquisitions Regulation 52 (FAR 52)

13
Q

What Federal Acquisitions Regulation 52 (FAR 52) covers

A

Regulation Definitions

Requirements and procedures to safeguard Federal Contract Information (FCI)

Responsibilities when delegating contract work to subcontractors

14
Q

Federal Acquisition Regulation (FAR) definition - Covered Contractor Information System

A

Information system that is owned or operated by a contractor that processes, stores, or transmits Federal Contract Information (FCI)

15
Q

Federal Acquisition Regulation (FAR) definition - Federal Contract Information (FCI)

A

Information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government

16
Q

Federal Acquisition Regulation (FAR) definition - Information

A

Any communication or representation of knowledge

17
Q

Federal Acquisition Regulation (FAR) definition - Information System

A

Set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information

18
Q

Federal Acquisition Regulation (FAR) definition - Safeguarding

A

Measures or controls prescribed to protect information systems

19
Q

Federal Acquisition Regulation 52 (FAR 52) safeguarding requirements and procedures 1-6

A
  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute
  3. Verify and control/limit connections to and use of external information systems
  4. Control information posted or processed on publicly accessible information systems
  5. Identify information system users, processes acting on behalf of users, or devices
  6. Authenticate the identities of those users, processes, or devices, before allowing access to organizational information systems
20
Q

Federal Acquisition Regulation 52 (FAR 52) safeguarding requirements and procedures 7-15

A
  7. Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse
  8. Limit physical access to organizational information systems, equipment, and the operating environment to authorized individuals
  9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices
  10. Monitor, control, and protect organizational communications at the external boundary and key internal boundaries of the information systems
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
  12. Identify, report, and correct information and information system flaws in a timely manner
  13. Provide protection from malicious code
  14. Update malicious code protection mechanisms
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
21
Q

Controlled Unclassified Information (CUI) Legal drivers

A

2002 Federal Information Security Management Act, amended 2014

Executive order 13556, Controlled Unclassified Information

22
Q

Controlled Unclassified Information (CUI) Regulatory driver

A

32 Code of Federal Regulation (CFR) Part 2002, Controlled Unclassified Information

23
Q

Controlled Unclassified Information (CUI) Policy drivers

A

National Archives and Records Administration (NARA)

Information Security Oversight Office (ISOO) Controlled Unclassified Information (CUI) notices

24
Q

2002 Federal Information Security Management Act (FISMA) states

A

Government must protect its sensitive information:

-Federal Contract Information (FCI)
-Controlled unclassified Information (CUI)

25
Q

Executive Order 13556, Controlled unclassified Information (4 November 2010)

A

Standardized handling of protected information that is unclassified

26
Q

32 Code of Federal Regulations (CFR) Part 2002, Controlled Unclassified Information (CUI)

A

Explains how to adhere to Executive Order 13556

Stipulates and creates the overall requirements, governance, and management of Controlled Unclassified Information (CUI)

Appointed the National Archives and Records Administration (NARA) to oversee Controlled Unclassified Information (CUI) policy

Stood up the Information Security Oversight Office (ISOO), which publishes Controlled Unclassified Information (CUI) notices

27
Q

Controlled Unclassified information (CUI) should be protected in accordance with:

A

National Institute of Standards and Technology (NIST) 800-171

National Institute of Standards and Technology (NIST) 800-171A

National Institute of Standards and Technology (NIST) 800-172

28
Q

National Archives and Records Administration’s (NARA) Information Security Oversight Office (ISOO)

A

Authority on the protection of Controlled Unclassified Information (CUI)

29
Q

Information Security Oversight Office (ISOO)

A

Contained within the National Archives and Records Administration (NARA)

Responsible to the President for policy and oversight of the U.S. government’s security classification system and the National Industrial Security Program

Receives policy and program guidance from the National Security Council (NSC)

Serves as the authority on protection of Controlled Unclassified Information (CUI)

30
Q

Information Security Oversight Office (ISOO) - Classification Management Staff

A

Develop security classification policies for classifying, declassifying, and safeguarding national security information generated in Government and industry

31
Q

Information Security Oversight Office (ISOO) - Operations Staff

A

Evaluate the effectiveness of the security classification programs established by Government

32
Q

Information Security Oversight Office (ISOO) - Controlled Unclassified Information (CUI) Staff

A

Develop standardized CUI policies and procedures

33
Q

National Institute of Standards and Technology (NIST)

A

Puts forth publications covering policies on managing cybersecurity on federal systems, specifically covering Controlled Unclassified Information (CUI)

34
Q

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171

A

Focuses on Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations

Focuses primarily on protecting the confidentiality of Controlled Unclassified Information (CUI)

35
Q

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53

A

Security controls recommended for federal information systems

36
Q

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171A

A

Provides procedures for assessing Controlled Unclassified Information (CUI) protection

The primary and authoritative guidance on assessing compliance with NIST SP 800-171

37
Q

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172

A

Enhanced Security Protection for Protecting Controlled Unclassified Information (CUI)

Provides federal agencies with enhanced security policies

Aims to protect the Confidentiality, Integrity, and Availability (CIA) of CUI

38
Q

Cybersecurity Maturity Model Certification (CMMC) Legal Drivers

A

Federal Information Security Modernization Act (FISMA)

Executive Order 13556

Subordinate Regulatory Authorities, in addition to 32 Code of Federal Regulation (CFR) Part 2002, are the Defense Federal Acquisition Regulations Supplement (DFARS) clauses:
- Clause 252.204-7012
- Clause 252.204-7019
- Clause 252.204-7020
- Clause 252.204-7021

Subordinate Policies - Cybersecurity Maturity Model Certification (CMMC) and DoD Instruction 5200.48, Controlled Unclassified Information

39
Q

Cybersecurity Maturity Model Certification (CMMC) Regulatory Drivers

A

32 Code of Federal Regulation (CFR) Part 2002

Subordinate Regulatory Authorities: Defense Federal Acquisition Regulations Supplement (DFARS) clauses
- Clause 252.204-7012
- Clause 252.204-7019
- Clause 252.204-7020
- Clause 252.204-7021

40
Q

Cybersecurity Maturity Model Certification (CMMC) Policy Drivers

A

- National Archives and Records Administration (NARA) Information Security Oversight Office (ISOO) Controlled Unclassified Information (CUI) notices
- National Institute of Standards and Technology (NIST) Special Publications 800-171, 800-172, 800-171A

Subordinate Policies
- Cybersecurity Maturity Model Certification (CMMC)
- DoD Instruction 5200.48

41
Q

Defense Federal Acquisition Regulations Supplement (DFARS)

A

DoD’s counterpart to Federal Acquisition Regulation (FAR) 52

Represents a significant philosophical change in how the nation’s data is secured, including the creation of the CMMC ecosystem

42
Q

Cybersecurity Maturity Model Certification (CMMC)

A

An enhancement and set of constraints upon the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171/2

43
Q

DoD Instruction 5200.48, Controlled Unclassified Information

A

Policies to improve how Controlled Unclassified Information (CUI) is marked, handled, and managed within DoD

44
Q

Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7012
(Safeguarding Covered Defense Information and Cyber Incident Reporting)

A

Identifies requirements for protecting Covered Defense Information (CDI) and reporting cyber incidents

Requires compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171

Global self-attestation by contract signature

Self-attest only

45
Q

Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7019
(Notice of NIST SP 800-171 DoD Assessment Requirements)

A

Identifies the DoD’s cybersecurity assessment requirements

Detailed self-attestation

Defense Industrial Base (DIB) contractors must formally report to DoD a summary score of their NIST SP 800-171 compliance

Subject to Defense Contract Management Agency (DCMA) audits

46
Q

Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7020
(NIST SP 800-171 DoD Assessment Requirements)

A

Defines how DoD will conduct different types of assessments

47
Q

Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7021
(Contractor Compliance with the Cybersecurity Maturity Model Certification (CMMC) Level Requirement)

A

Covers the Cybersecurity Maturity Model Certification (CMMC) Model Requirement

Enacts Cybersecurity Maturity Model Certification (CMMC)

48
Q

Cybersecurity Maturity Model Certification (CMMC) background Regulations and Standards

A

2002 Federal Information Security Management Act (FISMA)

2005 Risk Management Framework (RMF)

2011 Federal Risk and Authorization Management Program (FedRAMP)

2020 Cybersecurity Maturity Model Certification (CMMC)

49
Q

Risk Management Framework (RMF)

A

Designed to help Federal agencies meet Federal Information Security Management Act (FISMA) requirements

50
Q

Risk Management Framework (RMF) Process (7 Steps)

A

Prepare

Categorize

Select Controls

Implement Controls

Assess Controls

Authorize Systems

Monitor Systems

51
Q

Risk Management Framework (RMF) Process - Prepare

A

Establish context and priorities

52
Q

Risk Management Framework (RMF) Process - Categorize

A

Categorize information systems

53
Q

Risk Management Framework (RMF) Process - Select Controls

A

Tailor controls to reduce risk to an acceptable level based on risk assessment

54
Q

Risk Management Framework (RMF) Process - Implement Controls

A

Implement security controls

55
Q

Risk Management Framework (RMF) Process - Assess Controls

A

Assess controls to see if they were implemented properly and have desired outcomes

56
Q

Risk Management Framework (RMF) Process - Authorize Systems

A

Authorize Information Systems

57
Q

Risk Management Framework (RMF) Process - Monitor Security Controls

A

Ensure ongoing effectiveness