CMMC Key Terms and Acronyms

Key Terms

Audit – the process of assessing an organization’s cybersecurity maturity in order to achieve CMMC compliance. CMMC evaluates contractors on a range of five compliance levels used to assess the risk they pose when they use, store, and transmit data.

Assessment – the process organizations use to identify their CMMC readiness gaps with the CMMC requirements to help them obtain certification.

Controlled Unclassified Information – information requiring safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy act of 1954, as amended.

Cyber Hygiene – activities performed by system administrators and users, and what is being done to improve their cybersecurity.

DoD Contractor – any contractor or subcontractor doing business with the Department of Defense.

Domains – a domain is a distinct set or group of security controls which have similar attributes to each other. These domains are vital to the protection of FCI and CUI. The CMMC framework consists of 17 cybersecurity domains.

Federal Contract Information – information provided by or generated for the government under a contract and not intended for public release.

Gap Analysis – gap analyses determine how close the contractor is to being fully CMMC compliant and identifies the areas needing improvement.

Levels – the CMMC framework consists of 5 security Levels with 1 being the lowest and 5 being the highest. Each Level was designed to protect FCI and CUI.

Practice – how CMMC evaluates process maturity implementation. An example of a practice could be a log or the system sign-on practices of employees.

Process – how an organization ensures effective implementation of practice activities. An example of a process would be a tangible policy readily available and consistently used.

Scoping – the act of identifying everything CUI touches within an organization. Anything CUI touches is considered the scope and practices and controls will apply to these types of systems.

System Security Plan – a high-level look at how organizations are complying with CMMC. Ideally, it will list practices, controls, and how they are being implemented. It’s important to list the specifics of how each in-scope system is implemented.