DoD Authorizing Official Course Flashcards Preview


Flashcards in DoD Authorizing Official Course Deck (16):

What is Cybersecurity and why is it important?

DoD cybersecurity policy - replaces the term Information Assurance and is designed to prevent damage to, protect, and restore: Computers, Electronic communications systems or services, Electronic Wire communications, or Information contained in any of the above. It also promotes reciprocity and information sharing.


Cybersecurity ensures what?

C-I-A: the confidentiality, integrity, and availability of DoD information


Where does RMF apply?

Whenever IT falls under a DoD Component and/or when the IT receives, processes, stores, displays, or transmits DoD information.


RMF Process: Assess & Authorize

A full RMF must be performed on information systems: enclaves, major applications, and PIT systems


RMF Process: Assess Only

RMF assessment only on PIT; services (internal and/or external); and products (software, hardware, and/or applications)


AO Major responsibilities

Render authorization decisions: determine acceptable risk and manage risk acceptance. This cannot be delegated and may only be done by the AO. The AO will promote reciprocity, oversee system-level risk mgmt activities, appoint the AODR, and manage other cybersecurity workforce positions


What is the capstone cybersecurity policy?

DoDI 8500.01 - establishes the DoD cybersecurity program and lays the foundation for DoD cyberspace defense. Applies to all DoD IT and aligns with Federal cybersecurity terminology and policy


What is the role of DoDI 8510.01?

Replaces DIACAP with RMF. Provides the provisions for categorizing systems, implementing security controls, and assessing those controls.


RMF has 6 steps

1. Categorize System
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize System
6. Monitor Controls


What are the 3 types of risk?

likelihood, threat, and impact


DoD CIO (Tier 1 of governance structure)

Directs and oversees cybersecurity risk mgmt of DoD IT and Develops and establishes DoD cybersecurity policy and guidance


RMF Technical Advisory Group (TAG) (Tier 1 of governance structure)

Provides implementation guidance for the RMF
Interfaces w/DoD Component cybersecurity programs, cybersecurity communities of interest, and other entities


DoD Information Security Risk Mgmt Committee (ISRMC) (Tier 1 of governance structure)

Formerly the DISN/GIG Flag Panel
Comprises the 4 Mission Area Principal Authorizing Officials (PAOs), their reps, and other major DoD and IC stakeholders
Assesses risk from Tier 1
Provides strategic guidance to Tiers 2 & 3
Authorizes information exchanges and systems connections for enterprise wide systems, cross Mission Area Systems, cross security domain connections, and mission partner connections


Defense IA Security Accreditation Working Group (DSAWG) (Tier 1 of governance structure)

Supports the ISRMC
Reviews/resolves authorization issues related to sharing community risk
Develops & provides guidance to AOs for system connections to the DoD information enterprise.


Principal Authorizing Officials (PAO) (Tier 2 Mission/Business Process)

Appointed for each DoD mission area and represent the mission area (MA) interests
Issue auth. guidance to the MA
Resolve auth. issues within the MA and work w/other PAOs to resolve issues
Designate AOs
Designate information security architects or IS security engineers for MA segments or systems of systems


DoD Component Heads (Tier 2 Mission/Business Process)

Ensure IS and platform IT (PIT) systems are categorized according to RMF guidelines
Verify a PM or System Mgr is appointed for all IS and PIT systems
Ensure IT under their authority complies with RMF
Operate only authorized IS and PIT systems: ATO, including w/Conditions or IATT
Comply w/all auth decisions, including a DATO
Ensure personnel in or supporting RMF are properly trained and have certs