Skip to Content
Home The Professional Standard for Information Security Why this course? An overview

The Professional Standard for Information Security

0 %

Completed

Course content

Why this course? An overview

10 XP
Prev Next
Fullscreen Share
Source Web Page

Sign in to explore.


Interactive audio.

Flashcards.

Visual tools.

Prepare for the quiz 

Minimum Security Protocol Introduction

The referenced document, publicly available, outlines Federal Acquisition Regulation (FAR) clause 52.204-21, which establishes the mandatory minimum security protocols for private contractors handling non-public government data. It defines covered contractor information systems and identifies the specific types of federal contract information that require protection. The regulation mandates fifteen basic safeguarding requirements, ranging from access control and identity authentication to malicious code protection and physical equipment security. Furthermore, it stipulates that these cybersecurity obligations must be extended to subcontractors who interact with the same sensitive data. Ultimately, this document serves as a legal framework to ensure that contractual information remains secure while residing on or moving through external private networks.
Rating
0 0

There are no comments for now.

Join this Course
to be the first to leave a comment.

1. According to FAR 52.204-21, what is a 'covered contractor information system'?
"An information system owned or operated by a contractor that processes, stores, or transmits Federal contract information." "An information system owned or operated by a contractor that processes Federal contract information."
2. What is the definition of 'Federal contract information' (FCI)?
Information not intended for public release that is provided by or generated for the Government under a contract to deliver a product or service. Information intended for public release that is provided by or generated for the Government under a contract to deliver a product or service.
3. Does 'Federal contract information' include information provided by the Government to the public on websites?,
"No, it specifically excludes information provided to the public." Yes
4. What type of 'simple transactional information' is excluded from the definition of Federal contract information?
Information necessary to process payments. Information necessary to setup a Prime Contract
5. According to CNSSI 4009, how is 'information' defined in the context of FAR 52.204-21?
Any communication or representation of knowledge such as facts, data, or opinions, in any medium or form. Any communication or representation of knowledge such as facts, data, or opinions, in writing.
6. What constitutes an 'information system' under 44 U.S.C. 3502?
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Cloud information systems organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
7. In the context of contractor information systems, what does 'safeguarding' mean?
Measures or controls prescribed to protect information systems Measures or controls prescribed to employees who work for the contractor
8. To what three entities must information system access be limited?
Authorized users, processes acting on behalf of authorized users, or devices. Authorized users, Application Programming Interfaces (API), or devices.
9. Information system access must be limited to specific types of _____ and _____ that authorized users are permitted to execute.
Transactions and functions People and processes
10. What must a contractor do regarding connections to external information systems?
Verify and control or limit those connections. Monitor incoming and outgoing traffic.
11. Where must a contractor control information being posted or processed?
On publicly accessible information systems. On internal email.
12. As a prerequisite to allowing access to organizational systems, a contractor must _____ the identities of users, processes, or devices.
Authenticate (or verify) use biometrical means to verify
13. What action must be taken on information system media containing FCI before disposal?
Sanitize or destroy the media. Backup the data for archival purposes.
14. Physical access to information systems and equipment must be limited to _____.
Authorized individuals those who have signed a disclosure
15. Besides limiting access, what three physical safeguarding actions are required for visitors
Escort visitors, monitor visitor activity, and maintain audit logs of physical access. Two factor authentication, photo and visitor logs.
16. What physical hardware must be controlled and managed to protect information systems?
Physical access devices. Laptops, tablets but not cell phones.
17. At which two types of boundaries must organizational communications be monitored, controlled, and protected?
External boundaries and key internal boundaries. Only External boundaries, internal is safe.
18. How should publicly accessible system components be logically or physically separated from internal networks?
Through the implementation of subnetworks. S3 bucket redirections.
19. How quickly should information and information system flaws be identified, reported, and corrected?
In a timely manner. Within 24 hours
20. Where must protection from malicious code be provided?
At appropriate locations within organizational information systems. Virus scanning must be enabled on servers only.
21. When must malicious code protection mechanisms be updated?
When new releases are available. Quarterly, on a schedule, determined by the organization.
22. How often should scans of the information system be performed?
Periodically. Each document open, each email open, automatic scans should trigger.
23. When must real-time scans of files from external sources occur?
As files are downloaded, opened, or executed. As files are received by email server.
24. Does FAR 52.204-21 relieve the contractor of safeguarding requirements for Controlled Unclassified Information (CUI)?
No, it does not relieve the contractor of CUI requirements established by Executive Order 13556. Yes, it relieves the contractor.
25. Under what condition must a contractor include the substance of FAR 52.204-21 in a subcontract?
When the subcontractor may have FCI residing in or transiting through its information system. When payments to subcontractor are made with government credit cards.
26. Which specific type of acquisition is exempt from the flow-down requirements of FAR 52.204-21(c)
Commercially available off-the-shelf (COTS) items. Custom software.
27. Does the flow-down requirement of FAR 52.204-21 apply to subcontracts for commercial services?
Yes, unless the services are commercially available off-the-shelf (COTS) items. Yes, there are no exceptions.
28. Identify the source of the definition for 'Information' used in FAR 52.204-21.
Committee on National Security Systems Instruction (CNSSI) 4009. The source is unknown.
29. Identify the source of the definition for 'Information system' used in FAR 52.204-21.
44 U.S.C. 3502 Classified
30. According to control (viii), physical access must be limited to the systems, the equipment, and the _____.
Respective operating environments Cloud Hosted Data Center
31. Control (x) defines 'organizational communications' as information _____ or _____ by organizational information systems.
Transmitted or received Processed or viewed
32. The requirements in FAR 52.204-21 are considered _____ safeguarding requirements.
Basic Advanced
33. Control (v) requires the identification of users, devices, and _____.
Processes acting on behalf of users Authorized Representatives
34. True or False: Simple transactional information necessary to process payments is considered Federal Contract Information (FCI).
False True
35. Which FAR part prescribes the insertion of clause 52.204-21?
FAR 4.1903. FAR 1903.4
36. What is the primary objective of implementing subnetworks under control (xi)?
To separate publicly accessible system components from internal networks. To prevent cyberattack.
37. Is the contractor required to report information system flaws as part of basic safeguarding?
Yes, flaws must be identified, reported, and corrected in a timely manner. No, flaws can be corrected without reporting.
38. What is the minimum number of security controls specified in FAR 52.204-21(b)(1)?
15 3
39. Does FAR 52.204-21 apply to systems that do not process, store, or transmit FCI?
No, it only applies to 'covered contractor information systems'. Correct, it applies to all Government Contractors and subcontractors.
40. Term: Sanitization
Definition: The process of removing data from media so that the data cannot be retrieved or reconstructed. Definition: The process of keeping the data center in optimal conditions.
41. Term: Authentication
Definition: The process of verifying the identity of a user, process, or device as a prerequisite for system access. Definition: The multi-factor tool used to provide verification.
42. Which control requires the maintenance of audit logs?
Control (ix), specifically regarding physical access. Control (ix), specifically regarding viewing data.
43. Are contractors required to update malicious code protection mechanisms only during annual reviews?
No, they must be updated when new releases are available. No, quarterly.
44. What does control (ii) restrict beyond just 'who' can access a system?
It restricts 'what' those authorized users are permitted to do (transactions and functions). It restricts 'how' those authorized users are permitted to do (transactions and functions).
45. Clause 52.204-21(b)(2) mentions that other safeguarding requirements may be specified by which entities?
Federal agencies and departments. State agencies.
46. Does the definition of 'Information' include audiovisual representations?
Yes, it includes textual, numerical, graphic, cartographic, narrative, or audiovisual forms. No, video media is not included.
47. What must be done to visitors' activity according to control (ix)?
It must be monitored. It must be logged.
48. What is the specific trigger for the flow-down requirement to a subcontractor?
The subcontractor having FCI residing in or transiting through its information system. The subcontractor has COTS and information is residing in and transiting through its information system.
49. Under control (iii), what must be done to connections with external systems?
They must be verified and controlled or limited. They must be monitored.
50. Control (xv) requires real-time scans of files from external sources when they are _____, _____, or _____.
Downloaded, opened, or executed Received, downloaded, or opened
51. Under FAR 52.204-21, who owns or operates the 'covered contractor information system'
The contractor. The commercial producer of the system.
52. What is the purpose of control (iv) regarding publicly accessible information systems?
To control the information posted or processed on them. To control what is posted.
53. In the subcontract flow-down requirement, paragraph (c) must be included in its _____.
Substance Terms and conditions their website.
54. Is 'simple transactional information' defined as FCI if it is generated for the Government?
No, simple transactional information is explicitly excluded from the definition of FCI. Yes. to keep things simple.
55. Does control (vi) apply to devices as well as human users?
Yes, it applies to users, processes, or devices. No, just processes.
56. What does control (xii) require regarding the timing of flaw correction?
It must be done in a timely manner. It must be done when the contractor has time to review the issue and correct it.
57. According to the definitions, what is the prerequisite for an information system to be 'covered'?
It must process, store, or transmit Federal contract information. The entity must have a contract with the government directly.
58. What kind of separation is required for subnetworks in control (xi)?
Physical or logical separation. Physical.
59. Which control requires monitoring of 'key internal boundaries'
Control (x) Control (y)
Additional Resources
Join this Course to access resources