Onboarding

Question 1

CUI

Answer 1

Controlled Unclassified Information

an umbrella term that encompasses all CDI and Controlled Technical Information (CTI)

Question 2

CDI

Answer 2

Covered Defense Information
technical information with a military or space application that is marked with a distribution statement in accordance with DoDI 5230.24

Question 3

CTI

Answer 3

Controlled Technical Information

Question 4

Who identifies a piece of information as CTI?

Answer 4

Both parties (DoD and contractor) share the responsibility to a certain extent.statements of work are in place and distribution statements are assigned to each piece of content

Question 5

Why am I required to protect CUI/CDI/CTI as a defense contractor?

Answer 5

bad actors (hostile states, individuals, and corporations) are trying to get it and if they succeed it could hurt individuals, organizations, or our national security; can result in a rapid loss of a contract

Question 6

Who identifies a piece of information as CTI?

Answer 6

Both parties (DoD and contractor) share the responsibility to an extent. While the DoD company is responsible for properly labeling a piece of info, both parties work on–> statements of work are in place and distribution statements are assigned to each piece of content

Question 7

Is there a way to search if a piece of info should/shouldn’t be CUI?

Answer 7

Yes, it can be searched in the CUI Registry to find this out. There are 24 Categories of content and 83 sub categories of content! Each category is defined as either CUI Basic or CUI Specified.

Question 8

What is ITAR?

Answer 8

International Traffic in Arms Regulations; it’s a CUI Specified data type

Question 9

If a piece of CUI or ITAR information is suspected of being accessed by unauthorized parties, where should a contractor report this?

Answer 9

After reporting the incident to the contracting officer, they should file a report with BOTH Dibnet and DDTS within the first 72 hours

Question 10

DoD contractors may only utilize a cloud storage system if t is certified to what standard?

Answer 10

FedRAMP moderate

Question 11

What is DFARS

Answer 11

the government regulation for DoD acquisition

Question 12

Whats does the DFARS 7012 clause cover and why is it so important?

Answer 12

(Safeguarding Covered Defense Information and Cyber incident reporting)It specifically relates to securing information systems for contractors supporting the Department of Defense

Question 13

DFARS

Answer 13

Defense Federal Acquisition Regulation Supplement

Question 14

What is NIST?

Answer 14

The National Institute of Standards and Technology is the United States agency tasked to advance measurement science, standards and technology in ways that enhance the economic security and improve quality of life.

Question 15

NIST’s Special Publication 800-171 was titled

Answer 15

“Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”

Question 16

What is NIST 800-171?

Answer 16

a comprehensive set (109 total) of requirements; a guideline for non-federal organizations that must securely process CUI content, within internal and external information systems, in support of federal activities.

Question 17

SSP

Answer 17

System Security Plan

Question 18

POA & M

Answer 18

Plan of Action & Milestones

Question 19

How does CMMC contrast DFARS 7012

Answer 19

it forces the requirement before award, or ‘award-time’.

Question 20

The CMMC requirements are broken down by…

Answer 20

Domains/Capabilities and then each Practice and Process within them is designated by level.

Question 21

CMMC primarily leans on…

Answer 21

NIST 800-171

Question 22

CMMC AB

Answer 22

CMMC Accreditation Body (12 people overseeing the training, quality, and administration of the third-party assessment organizations)

Question 23

What is SSP?

Answer 23

the collective details of a business’ security posture and system(s) profile

Question 24

What is POA & M?

Answer 24

it includes information about weaknesses and gaps according to NIST 800-171 standards, as well as the risk posture for each respective gap and any mitigating steps the company intends to make.

Question 25

What is a ‘complete’ SSP?

Answer 25

a working and living document

Question 26

What is a ‘complete’ POA & M?

Answer 26

an empty document once you configure Office 365 and your other systems properly.

Question 27

three primary components required for DFARS compliance:

Answer 27

1. To Provide Adequate Security to a System holding CUI/CDI content via configuration to NIST 800-171 and FedRAMP Moderate
2. To provide Incident Reporting within 72 hours of a suspected incident
3. To flow down all contract clauses to sub contractors

Question 28

DIB

Answer 28

Defense Industrial Base

Question 29

SPRS

Answer 29

Supplier Performance Risk System

Question 30

DCMA

Answer 30

The Defense Contract Management Agency

Question 31

FCI

Answer 31

Federal Contract Information (not intended for release to the public)

Question 32

When did NIST 800-171 go into effect?

Answer 32

December ‘17

Question 33

DLP

Answer 33

Data Loss Prevention