CCP Lesson 1 Flashcards

1
Q

Defense Industrial Base (DIB) includes.

A

DoD Components, companies providing materials and services, government-owned facilities operated by the government or contractors

2
Q

Does Defense Supply Chain extend beyond DIB? Give examples.

A

Yes. office equipment, janitors, food

3
Q

What certification makes cybersecurity foundational for all acquisitions?

A

Cybersecurity Maturity Model Certification (CMMC)

4
Q

Who receives contracts from the government?

A

Prime contractors

5
Q

Who helps prime contractors fulfill portions of the contracts?

A

Subcontractors

6
Q

As information is moved between government, prime contractors, and subcontractors it is __ ____.

A

At risk

7
Q

What represents a philosophical change to securing the nation’s data?

A

CMMC program

8
Q

What is the DoD’s initiative to verify defense contractors’ cybersecurity preparedness and effectiveness?

A

CMMC

9
Q

CMMC standardized cybersecurity implementation across what?

A

Defense Industrial Base (DIB)

10
Q

What year did the CMMC program kick off?

A

2019

11
Q

What year was CMMC Model 1.0 released?

A

2020

12
Q

What year was CMMC Model 2.0 released?

A

2021

13
Q

What is considered the company’s own methods, techniques and inventions?

A

Internal Intellectual Property (IP)

14
Q

Information from partners outside the government that is generally protected by contracts between parties such as license agreements and NDAs is what type of Intellectual Property (IP)?

A

External Intellectual Property (IP)

15
Q

As it pertains to Legal, Regulatory, and Policy (LRP) Drivers, what ensures proper actions?

A

Laws

16
Q

As it pertains to Legal, Regulatory, and Policy (LRP) Drivers, what are laws interpreted and implemented through?

A

Regulations

17
Q

As it pertains to Legal, Regulatory, and Policy (LRP) Drivers, regulations are detailed through?

A

Policies

18
Q

What provides policies and procedures that apply to all Executive Branch departments and agencies regarding acquisitions?

A

Federal Acquisition Regulation (FAR)

19
Q

48 CFR is also known as?

A

Federal Acquisition Regulation (FAR)

20
Q

What regulation documents rules that government contractors are subject to, takes priority over the Defense Federal Acquisition Regulation Supplement (DFARS), and provides a consistent set of baselines that apply to all solicitations?

A

Federal Acquisition Regulation (FAR)

21
Q

What regulation is a supplement to the Federal Acquisition Regulation?

A

Defense Federal Acquisition Regulation Supplement (DFARS)

22
Q

The Defense Federal Acquisition Regulation Supplement (DFARS) includes policies and procedures that apply to whom and are administered by whom?

A

Department of Defense (DoD)

23
Q

What does Defense Federal Acquisition Regulation Supplement (DFARS) cover?

A

Department of Defense acquisitions

24
Q

The Federal Information Security Modernization Act is the Legal Authority for what type of information?

A

Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)

25
What law requires government to protect sensitive information?
Federal Information Security Modernization Act
26
What is the Regulatory Authority for Federal Contract Information?
48 CFR Section 52
27
What regulations explain how to adhere to the law, as applied to a contractor's information systems?
48 CFR Section 52
28
Section 52 of the Federal Acquisition Regulation (FAR) is also called what?
FAR 52
29
What is the primary source of information on handling requirements for FCI?
FAR 52
30
As defined in FAR 52, what is an information system that is owned or operated by a contractor that processes, stores, or transmits Federal Contract Information (FCI)?
Covered Contractor Information System
31
As defined in FAR 52, what is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public or simple transactional information?
Federal Contract Information (FCI)
32
As defined in FAR 52, what is any communication or representation of knowledge?
Information
33
As defined in FAR 52, what is a discrete set of information resources organized for collection, processing, maintenance, use, sharing, dissemination, or disposition of information?
Information System
34
As defined in FAR 52, what are measures or controls that are prescribed to protect information systems?
Safeguards
35
2002 Federal Information Security Management Act (FISMA) Amended in 2014 and Executive Order 13556, Controlled Unclassified Information is the legal Authority for what type of information?
Controlled Unclassified Information (CUI)
36
32 CFR Part 2002 is the regulatory authority for what type of information?
Controlled Unclassified Information (CUI)
37
Who oversees CUI Policy?
National Archives and Records Administration (NARA)
38
What regulatory authority appointed the National Archives and Records Administration (NARA) to oversee CUI policy?
32 CFR Part 2002
39
What regulation stood up Information Security Oversight Office (ISOO), which publishes CUI notices?
32 CFR Part 2002
40
What are the policy drivers for Controlled Unclassified Information?
National Archives and Records Administration (NARA); Information Security Oversight Office (ISOO)
41
What office publishes Controlled Unclassified Information (CUI) notices?
Information Security Oversight Office (ISOO)
42
Policies stipulate that CUI must be protected in accordance with what National Institute of Standards and Technology (NIST) Special Publications (SP)?
NIST SP 800-171, NIST SP 800-171A, NIST SP 800-172
43
Defense Industrial Base (DIB)
Worldwide industrial complex, enables research and development + design/production of military weapons and systems to meet US military requirements
44
Prime Contractors
These contractors receive contracts from the government
45
Effects of loss of Intellectual Property
- Puts warfighter lives in danger
- Diminishes global competitive advantage
46
Philosophical change to securing the Nation's Data
-"protect the information" not "protect the system"
47
Cybersecurity Maturity Matrix Certification (CMMC) program
- DoD initiative to verify defense contractors' cybersecurity preparedness and effectiveness
- Standardizes cybersecurity implementation
48
Internal Intellectual Property (IP)
- The company's own methods, techniques, inventions
49
External Intellectual Property
- Partners outside the government; protected by documents such as license agreements and Nondisclosure Agreements (NDAs)
- Federal government; commonly covers Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)
50
Legal, Regulatory, Policy (LRP) drivers
Laws, regulation, and policies are behind the compliance requirements that government contractors must adhere to
51
Federal Acquisition Regulation (FAR)
- Chapter 1 of Title 48 of the Code of Federal Regulations (CFR); 48 CFR
- Provides uniform policies and procedures regarding acquisitions
- Documents rules that government contractors are subject to
52
Defense Federal Acquisition Regulations Supplement (DFARS)
Apply only to DoD acquisition activities
53
Federal Contract Information (FCI) Legal driver
Federal Information Security Modernization Act
54
Federal Contract Information (FCI) Regulatory driver
Federal Acquisitions Regulation 52 (FAR 52)
55
What Federal Acquisitions Regulation 52 (FAR 52) covers
- Regulation
- Definitions
- Requirements and procedures to safeguard Federal Contract Information (FCI)
- Responsibilities when delegating contract work to subcontractors
56
Federal Acquisition Regulation (FAR) definition - Covered Contractor Information System
Information system that is owned or operated by a contractor that processes, stores, or transmits Federal Contract Information (FCI)
57
Federal Acquisition Regulation (FAR) definition - Federal Contract Information (FCI)
Information not intended for public release, that is provided or generated for the Government under contract to develop or deliver a product or service to the Government
58
Federal Acquisition Regulation (FAR) definition - Information
Any communication or representation of knowledge
59
Federal Acquisition Regulation (FAR) definition - Information System
Set of information resources organized for collection, processing, maintenance, use, sharing, dissemination, or disposition of information
60
Federal Acquisition Regulation (FAR) definition - Safeguarding
Measures or controls prescribed to protect information systems
61
Federal Acquisition Regulation 52 (FAR 52) safeguarding requirements and procedures 1-6
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute
3. Verify and control/limit connections to and use of external information systems
4. Control information posted or processed on publicly accessible information systems
5. Identify information system users, processes acting on behalf of users, or devices
6. Authenticate the identities of those users, processes, or devices, before allowing access to organizational information systems
62
Federal Acquisition Regulation 52 (FAR 52) safeguarding requirements and procedures 7-15
7. Sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse
8. Limit physical access to organizational information systems, equipment, and the operating environment to authorized individuals
9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices
10. Monitor, control, and protect organizational communications at the external boundary and key internal boundaries of the information systems
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
12. Identify, report, and correct information and information system flaws in a timely manner
13. Provide protection from malicious code
14. Update malicious code protection mechanisms
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
63
Controlled Unclassified Information (CUI) Legal drivers
- 2002 Federal Information Security Management Act, amended 2014
- Executive Order 13556, Controlled Unclassified Information
64
Controlled Unclassified Information (CUI) Regulatory driver
32 Code of Federal Regulation (CFR) Part 2002, Controlled Unclassified Information
65
Controlled Unclassified Information (CUI) Policy drivers
- National Archives and Records Administration (NARA)
- Information Security Oversight Office (ISOO) Controlled Unclassified Information (CUI) notices
66
2002 Federal Information Security Management Act (FISMA) states
Government must protect its sensitive information:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI)
67
Executive Order 13556, Controlled unclassified Information (4 November 2010)
Standardized handling of protected information that is unclassified
68
32 Code of Federal Regulations (CFR) Part 2002, Controlled Unclassified Information (CUI)
- Explains how to adhere to Executive Order 13556
- Stipulates and creates overall requirements, governance, and management of Controlled Unclassified Information (CUI)
- Appointed the National Archives and Records Administration (NARA) to oversee Controlled Unclassified Information (CUI) policy
- Stood up the Information Security Oversight Office (ISOO), which publishes Controlled Unclassified Information (CUI) notices
69
Controlled Unclassified information (CUI) should be protected in accordance with:
- National Institute of Standards and Technology (NIST) 800-171
- National Institute of Standards and Technology (NIST) 800-171A
- National Institute of Standards and Technology (NIST) 800-172
70
National Archives and Records Administration's (NARA) Information Security Oversight Office (ISOO)
Authority on the protection of Controlled Unclassified Information (CUI)
71
Information Security Oversight Office (ISOO)
- Contained within the National Archives and Records Administration (NARA)
- Responsible to the President for policy and oversight of the U.S. government's security classification system and the National Industrial Security Program
- Receives policy and program guidance from the National Security Council (NSC)
- Serves as the authority on protection of Controlled Unclassified Information (CUI)
72
Information Security Oversight Office (ISOO) - Classification Management Staff
Develop security classification policies for classifying, declassifying, and safeguarding national security information generated in Government and industry
73
Information Security Oversight Office (ISOO) - Operations Staff
Evaluate the effectiveness of the security classification programs established by Government
74
Information Security Oversight Office (ISOO) - Controlled Unclassified Information (CUI) Staff
Develop standardized CUI policies and procedures
75
National Institute of Standards and Technology (NIST)
Put forth publications covering policies on managing cybersecurity on federal systems, specifically covering Controlled Unclassified Information (CUI)
76
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171
- Focuses on Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations
- Focuses primarily on protecting the confidentiality of Controlled Unclassified Information (CUI)
77
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53
Security controls recommended for federal information systems
78
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171A
- Provides procedures for assessing the Controlled Unclassified Information (CUI)
- The primary and authoritative guidance on assessing compliance with NIST SP 800-171
79
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172
- Enhanced Security Protection for Protecting Controlled Unclassified Information (CUI)
- Provides federal agencies with enhanced security policies
- Aims to protect the Confidentiality, Integrity, and Availability (CIA) of CUI
80
Cybersecurity Maturity Model Certification (CMMC) Legal Drivers
- Federal Information Security Modernization Act (FISMA)
- Executive Order 13556
- Subordinate Regulatory Authorities in addition to 32 Code of Federal Regulation (CFR) Part 2002 are the Defense Federal Acquisition Regulations Supplement (DFARS): Clause 252.204-7012, Clause 252.204-7019, Clause 252.204-7020, Clause 252.204-7021
- Subordinate Policies: Cybersecurity Maturity Model Certification (CMMC) and DoD Instruction 5200.48, Controlled Unclassified Information
81
Cybersecurity Maturity Model Certification (CMMC) Regulatory Drivers
32 Code of Federal Regulation (CFR) Part 2002
Subordinate Regulatory Authorities: Defense Federal Acquisition Regulations Supplement (DFARS):
- Clause 252.204-7012
- Clause 252.204-7019
- Clause 252.204-7020
- Clause 252.204-7021
82
Cybersecurity Maturity Model Certification (CMMC) Policy Drivers
- National Archives and Records Administration (NARA) Information Security Oversight Office (ISOO) Controlled Unclassified Information (CUI) notices
- National Institute of Standards and Technology (NIST) Special Publications 800-171, 800-172, 800-171A
- Subordinate Policies: Cybersecurity Maturity Model Certification (CMMC), DoD Instruction 5200.48
83
Defense Federal Acquisition Regulations Supplement (DFARS)
- DoD's counterpart to Federal Acquisition Regulation (FAR) 52
- Represents a significant philosophical change in how the nation's data is secured, including the creation of the CMMC ecosystem
84
Cybersecurity Maturity Model Certification (CMMC)
DOD initiative to verify contracting cyber security preparedness. An enhancement and set of constraints upon the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171/2
85
DoD Instruction 5200.48, Controlled Unclassified Information
Policies to improve how Controlled Unclassified Information (CUI) is marked, handled, and managed within DoD
86
Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
- Identifies requirements for protecting Cyber Defense Information (CDI) and reporting cyber incidents
- Requires compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171
- Global self-attestation by contract signature
- Self-attest only
87
Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements)
- Identifies the DoD's cybersecurity assessment requirements
- Detailed self-attestation
- Defense Industry Base (DIB) contractors must formally report to DoD a summary score of their NIST SP 800-171 compliance
- Subject to Defense Contract Management Agency (DCMA) audits
88
Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements)
Defines how DoD will conduct different types of assessments
89
Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification (CMMC) Level Requirement)
- Covers the Cybersecurity Maturity Model Certification (CMMC) Model Requirement
- Enacts Cybersecurity Maturity Model Certification (CMMC)
90
Cybersecurity Maturity Model Certification (CMMC) background Regulations and Standards
- 2002 Federal Information Security Management (FISMA) Act
- 2005 Risk Management Framework (RMF)
- 2011 Federal Risk and Authorization Management Program (FedRAMP)
- 2020 Cybersecurity Maturity Model Certification (CMMC)
91
Risk Management Framework (RMF)
Designed to help Federal agencies meet Federal Information Security Management Act (FISMA) requirements
92
Risk Management Framework (RMF) Process (7 Steps)
1. Prepare
2. Categorize
3. Select Controls
4. Implement Controls
5. Assess Controls
6. Authorize Systems
7. Monitor Systems
93
Risk Management Framework (RMF) Process - Prepare
Establish context and priorities
94
Risk Management Framework (RMF) Process - Categorize
Categorize information systems
95
Risk Management Framework (RMF) Process - Select Controls
Tailor controls to reduce risk to an acceptable level based on risk assessment
96
Risk Management Framework (RMF) Process - Implement Controls
Implement security controls
97
Risk Management Framework (RMF) Process - Assess Controls
Assess controls to see if they were implemented properly and have desired outcomes
98
Risk Management Framework (RMF) Process - Authorize Systems
Authorize Information Systems
99
Risk Management Framework (RMF) Process - Monitor Security Controls
Ensure ongoing effectiveness