This structured approach helps implement policies, strategies, or processes effectively.
What are frameworks?
This acronym stands for a structured framework developed by NIST for managing information security and privacy risks.
What is RMF (Risk Management Framework)?
This individual designates the ISSO for a system.
Who is the System Owner?
This is the average timeframe for obtaining an Authority to Operate (ATO) approval.
What is 6–9 months?
'UII' stands for _________.
What is Unique Investment Identifier?
This is the primary purpose of FIPS 199.
What is 'to determine the system's impact level for the confidentiality, integrity, or availability of the data it stores, processes, and/or transmits'?
A ______ is used to determine whether a system or project that involves PII requires a PIA.
What is a Privacy Threshold Analysis?
USCIS ISSOs must reference this core document and its attachments for security planning.
What is DHS 4300A?
This framework is a structured, repeatable process developed by NIST for managing information security and privacy risks.
What is the primary purpose of the Risk Management Framework (RMF)?
These are the officially appointed roles in the ATO lifecycle.
Who are the A/ISSOs, System Owner, and Authorizing Official (AO)?
These types of information should be considered for processing, storing, and transmitting.
What are data types, elements, internal/external/publicly available information?
Inventory Change Request (ICR & UII).
What is the Component Level?
This document provides a general understanding of Digital Identity requirements and methods for performing respective analyses.
What is e-Authentication?
______ is required when a system or project collects, uses, stores, or disseminates PII.
What is a PIA?
These are potential consequences of failing to comply with regulatory requirements.
What are suspension, termination, fines, and imprisonment?
This is the distinction between a regulation and a policy, where one is a legally enforceable rule issued by an authority and the other is a guiding principle or course of action adopted by an organization.
What is the difference between a regulation and a policy?
System Owners must first sign off on these for items that cannot be remediated within allocated timeframes.
What are Risk Acceptances/Waivers?
Besides initial development, funding should also cover these aspects throughout the SDLC.
What are maintenance and continuous support?
A UII is required in IT Acquisition Reviews (ITARs) for this reason.
What is 'To ensure compliance with policies governing the budget process and manage business cases'?
The ____ impact level refers to a 'severe or catastrophic adverse effect on organizational operations, assets, or individuals'.
What is 'High' Impact?
This individual is ultimately responsible for completing a PTA within DHS.
Who is the System Owner?
USCIS ISSOs must be familiar with this regulation, updated in 2014.
What is the Federal Information Security Modernization Act (FISMA)?
This formal acceptance of risk grants permission for a system to operate within the Federal Government.
What is an Authority to Operate (ATO)?
Waivers, Risk Acceptance Requests, and authorizations including entry into the Ongoing Authorization Program.
What is Advising the AO, certifying system prerequisites, serving as the Risk Executive and/or overseeing the Component Cybersecurity Program?
These are the three main types of constraints to consider during system development.
What are time, resources, and technical feasibility?
The FISMA ID is important for DHS IT systems for this reason.
It ensures systems are itemized, associated with funding sources, and security requirements are met.
________ is the robustness of the authentication process and the binding between an authenticator and a specific individual’s identifier.
What is Authentication Assurance Level (AAL)?
Information that can be used to identify an individual, such as a name, SSN, or email address, is also known as _______?
What is Personally Identifiable Information (PII)?
Under FISMA (2014 update), DHS/CISA issues these directives to civilian agencies.
What are Binding Operational Directives (BODs)?
These are the key elements required for granting an Authority to Operate (ATO).
What are risk-based decision-making, risk appetite, operational requirements, time constraints, and continuous monitoring?
The CISO has signature authority for these documents and processes.
What are Waivers, Risk Acceptance Requests, and authorizations including entry into the Ongoing Authorization Program?
These must be completed before an ISSO and SO are officially designated.
What are training and designation letters?
These are the four elements of a FISMA ID.
What are the DHS Component ID, CSAM ID, System Type, Parent CSAM ID?
Name 3 of the 6 potential impact categories for authentication errors.
What are: Inconvenience/distress/reputation, financial loss, harm to agency programs/public interests, unauthorized release of sensitive information, personal safety, civil/criminal violations?
These are the key components of a PIA.
What are system description, PII analysis, privacy risks, and mitigation strategies?
This directive requires federal agencies to remediate Known Exploited Vulnerabilities (KEV) on a time-bound schedule.
What is CISA BOD 22-01?
This official can mandate system use without a full ATO, but additional safeguards are required during ATO pursuit.
Can an Authorizing Official mandate system use without a full ATO?
This is the AO’s role in the security authorization process.
What is Making the final security decision, accepting risk, and/or signing the authorization decision letter?
This is one risk associated with using Commercial Off-The-Shelf (COTS) products.
What is vendor lock-in? and/or
What is the risk of vulnerabilities or lack of customization in Commercial Off-The-Shelf (COTS) products as it relates to information security?
These systems track investments using UII codes. (Name at least 3 of 4.)
What are the INVEST, ITAR, CSAM, OMB Federal IT Dashboard systems?
______, ________, and _________ are the measures of the robustness of the authentication process and the binding between an authenticator and a specific individual’s identifier.
What are the Identity Assurance Level (IAL), Authentication Assurance Level (AAL), and Federation Assurance Level (FAL)?
'A PTA determines whether a PIA is necessary, while a PIA assesses privacy risks and compliance' is known as the _______ between a PTA and a PIA.
What is the Difference between a PTA and PIA?