DoD Authorizing Official Course Flashcards Preview


Flashcards in DoD Authorizing Official Course Deck (16):
1

What is Cybersecurity and why is it important?

DoD cybersecurity policy replaces the term Information Assurance and is designed to prevent damage to, protect, and restore: computers, electronic communications systems or services, electronic wire communications, and the information contained in any of the above. It also promotes reciprocity and information sharing.

2

Cybersecurity ensures what?

C-I-A: the confidentiality, integrity, and availability of DoD information.

3

Where does RMF apply?

Whenever IT falls under a DoD Component and/or when the IT receives, processes, stores, displays, or transmits DoD information.

4

RMF Process: Assess & Authorize

A full RMF process must be performed on information systems: enclaves, major applications, and PIT systems.

5

RMF Process: Assess Only

An RMF assessment only (no authorization decision) is performed on: PIT, services (internal and/or external), and products (software, hardware, and/or applications).

6

AO Major responsibilities

Render authorization decisions: determine acceptable risk and manage risk acceptance. The authorization decision cannot be delegated and may only be made by the AO. The AO also promotes reciprocity, oversees system-level risk management activities, appoints the AO Designated Representative (AODR), and manages other cybersecurity workforce positions.

7

What is the capstone cybersecurity policy?

DoDI 8500.01 establishes the DoD cybersecurity program and lays the foundation for DoD cyberspace defense. It applies to all DoD IT and aligns with Federal cybersecurity terminology and policy.

8

What is the role of DoDI 8510.01?

It replaces DIACAP with the RMF and provides the provisions for categorizing systems, selecting and implementing security controls, and assessing those controls.

9

RMF has 6 steps

1. Categorize System 2. Select Security Controls 3. Implement Security Controls 4. Assess Security Controls 5. Authorize System 6. Monitor Security Controls

10

What are the 3 components of risk?

Likelihood, threat, and impact.

11

DoD CIO (Tier 1 of governance structure)

Directs and oversees cybersecurity risk management of DoD IT, and develops and establishes DoD cybersecurity policy and guidance.

12

RMF Technical Advisory Group (TAG) (Tier 1 of governance structure)

Provides implementation guidance for the RMF.
Interfaces with DoD Component cybersecurity programs, cybersecurity communities of interest, and other entities.

13

DoD Information Security Risk Management Committee (ISRMC) (Tier 1 of governance structure)

Formerly the DISN/GIG Flag Panel.
Comprises the four Mission Area Principal Authorizing Officials (PAOs), their representatives, and other major DoD and IC stakeholders.
Assesses risk at Tier 1.
Provides strategic guidance to Tiers 2 and 3.
Authorizes information exchanges and system connections for enterprise-wide systems, cross-Mission Area systems, cross-security-domain connections, and mission partner connections.

14

Defense IA Security Accreditation Working Group (DSAWG) (Tier 1 of governance structure)

Supports the ISRMC.
Reviews and resolves authorization issues related to sharing community risk.
Develops and provides guidance to AOs for system connections to the DoD information enterprise.

15

Principal Authorizing Officials (PAO) (Tier 2 Mission/Business Process)

Appointed for each DoD Mission Area (MA) and represent the MA's interests.
Issue authorization guidance to the MA.
Resolve authorization issues within the MA and work with other PAOs to resolve cross-MA issues.
Designate AOs.
Designate information security architects or information systems security engineers for MA segments or systems of systems.

16

DoD Component Heads (Tier 2 Mission/Business Process)

Ensure information systems (IS) and platform IT (PIT) systems are categorized according to RMF guidelines.
Verify a Program Manager (PM) or System Manager is appointed for all IS and PIT systems.
Ensure IT under their authority complies with the RMF.
Operate only authorized IS and PIT systems: those holding an ATO (including an ATO with Conditions) or an IATT.
Comply with all authorization decisions, including a Denial of Authorization to Operate (DATO).
Ensure personnel performing or supporting RMF activities are properly trained and hold the required certifications.