Onboarding Flashcards
CUI
Controlled Unclassified Information
an umbrella term that encompasses all CDI and Controlled Technical Information (CTI)
CDI
Covered Defense Information
technical information with a military or space application that is marked with a distribution statement in accordance with DoDI 5230.24
CTI
Controlled Technical Information
Who identifies a piece of information as CTI?
Both parties (DoD and contractor) share the responsibility to a certain extent: statements of work are in place and distribution statements are assigned to each piece of content.
Why am I required to protect CUI/CDI/CTI as a defense contractor?
bad actors (hostile states, individuals, and corporations) are trying to get it, and if they succeed it could hurt individuals, organizations, or our national security; failing to protect it can also result in a rapid loss of a contract
Who identifies a piece of information as CTI?
Both parties (DoD and contractor) share the responsibility to an extent. While the DoD is responsible for properly labeling a piece of info, both parties work to ensure that statements of work are in place and distribution statements are assigned to each piece of content.
Is there a way to search if a piece of info should/shouldn’t be CUI?
Yes, it can be searched in the CUI Registry to find this out. There are 24 categories of content and 83 sub-categories of content! Each category is defined as either CUI Basic or CUI Specified.
What is ITAR?
International Traffic in Arms Regulations; it’s a CUI Specified data type
If a piece of CUI or ITAR information is suspected of being accessed by unauthorized parties, where should a contractor report this?
After reporting the incident to the contracting officer, the contractor should file a report with BOTH DIBNet and DDTC within the first 72 hours
DoD contractors may only utilize a cloud storage system if it is certified to what standard?
FedRAMP moderate
What is DFARS?
the government regulation for DoD acquisition
What does the DFARS 7012 clause cover and why is it so important?
(Safeguarding Covered Defense Information and Cyber Incident Reporting) It specifically relates to securing information systems for contractors supporting the Department of Defense.
DFARS
Defense Federal Acquisition Regulation Supplement
What is NIST?
The National Institute of Standards and Technology is the United States agency tasked with advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.
NIST’s Special Publication 800-171 is titled
“Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”
What is NIST 800-171?
a comprehensive set (109 total) of requirements; a guideline for non-federal organizations that must securely process CUI content, within internal and external information systems, in support of federal activities
SSP
System Security Plan
POA & M
Plan of Action & Milestones
How does CMMC contrast with DFARS 7012?
it enforces the requirement before award, i.e. at ‘award-time’.
The CMMC requirements are broken down by…
Domains/Capabilities and then each Practice and Process within them is designated by level.
CMMC primarily leans on…
NIST 800-171
CMMC AB
CMMC Accreditation Body (12 people overseeing the training, quality, and administration of the third-party assessment organizations)
What is SSP?
the collective details of a business’ security posture and system(s) profile
What is POA & M?
it includes information about weaknesses and gaps according to NIST 800-171 standards, as well as the risk posture for each respective gap and any mitigating steps the company intends to take.