Flashcards in DoD Authorizing Official Course Deck (16):
What is Cybersecurity and why is it important?
DoD cybersecurity policy replaces the term Information Assurance and is designed to prevent damage to, protect, and restore: computers, electronic communications systems or services, wire communications, and the information contained in any of the above. It also promotes reciprocity and information sharing.
Cybersecurity ensures what?
C-I-A: the confidentiality, integrity, and availability of DoD information
Where does RMF apply?
Whenever IT falls under a DoD Component and/or when the IT receives, processes, stores, displays, or transmits DoD information.
RMF Process: Assess & Authorize
A full RMF (Assess & Authorize) must be performed on information systems (enclaves and major applications) and PIT systems
RMF Process: Assess Only
RMF assessment only (no authorization decision) applies to PIT (not a full PIT system); services, internal and/or external; and products: software, hardware, and/or applications
AO Major responsibilities
Render authorization decisions: determine acceptable risk and manage risk acceptance. This cannot be delegated and may only be done by the AO. The AO will also promote reciprocity, oversee system-level risk management activities, appoint the AODR, and manage other cybersecurity workforce positions
What is the capstone cybersecurity policy?
DoDI 8500.01 establishes the DoD cybersecurity program and lays the foundation for DoD cyberspace defense. It applies to all DoD IT and aligns with Federal cybersecurity terminology and policy
What is the role of DoDI 8510.01
Replaces DIACAP with RMF. Provides the procedures for categorizing systems, selecting and implementing security controls, and assessing those controls.
RMF has 6 steps
1. Categorize System 2. Select Security Controls 3. Implement Security Controls 4. Assess Security Controls 5. Authorize System 6. Monitor Security Controls
What are the 3 factors that determine risk?
Threat, likelihood, and impact (risk is a function of the threat, the likelihood that it will exploit a vulnerability, and the resulting impact)
DoD CIO (Tier 1 of governance structure)
Directs and oversees cybersecurity risk management of DoD IT, and develops and establishes DoD cybersecurity policy and guidance
RMF Technical Advisory Group (TAG) (Tier 1 of governance structure)
Provides implementation guidance for the RMF
Interfaces with DoD Component cybersecurity programs, cybersecurity communities of interest, and other entities
DoD Information Security Risk Management Committee (ISRMC) (Tier 1 of governance structure)
Formerly the DISN/GIG Flag Panel
Comprises the 4 Mission Area Principal Authorizing Officials (PAOs), their representatives, and other major DoD and IC stakeholders
Assesses risk from Tier 1
Provides strategic guidance to Tiers 2 & 3
Authorizes information exchanges and system connections for enterprise-wide systems, cross-Mission Area systems, cross-security-domain connections, and mission partner connections
Defense IA Security Accreditation Working Group (DSAWG) (Tier 1 of governance structure)
Supports the ISRMC
Reviews and resolves authorization issues related to sharing community risk
Develops and provides guidance to AOs for system connections to the DoD information enterprise
Principal Authorizing Officials (PAO) (Tier 2 Mission/Business Process)
Appointed for each DoD Mission Area and represent the Mission Area (MA) interests
Issue authorization guidance to the MA
Resolve authorization issues within the MA and work with other PAOs to resolve cross-MA issues
Designate information security architects or IS security engineers for MA segments or systems of systems