10.05.21

CMMC Key Terms and Acronyms

Key Terms

Audit – the process of assessing an organization’s cybersecurity maturity in order to achieve CMMC compliance. CMMC evaluates contractors on a range of five compliance levels used to assess the risk they pose when they use, store, and transmit data.

Assessment – the process organizations use to identify their readiness gaps against the CMMC requirements in order to obtain certification.

Controlled Unclassified Information – information requiring safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Cyber Hygiene – the activities performed by system administrators and users to maintain and improve the security of their systems.

DoD Contractor – any contractor or subcontractor doing business with the Department of Defense.

Domains – a domain is a distinct set or group of security controls that share similar attributes. These domains are vital to the protection of FCI and CUI. The CMMC framework consists of 17 cybersecurity domains.

Federal Contract Information – information provided by or generated for the government under a contract and not intended for public release.

Gap Analysis – a gap analysis determines how close the contractor is to being fully CMMC compliant and identifies the areas needing improvement.

Levels – the CMMC framework consists of 5 security levels, with 1 being the lowest and 5 being the highest. Each level is designed to protect FCI and CUI.

Practice – the activities CMMC evaluates when assessing the maturity of an organization’s implementation. An example of a practice could be logging or the system sign-on procedures employees follow.

Process – how an organization ensures effective implementation of its practice activities. An example of a process would be a tangible policy that is readily available and consistently used.

Scoping – the act of identifying everything CUI touches within an organization. Anything CUI touches is considered in scope, and practices and controls apply to those systems.

System Security Plan – a high-level look at how an organization is complying with CMMC. Ideally, it lists the practices and controls in place and how they are implemented. It is important to list the specifics of how each in-scope system implements them.

Acronyms

APT – Advanced Persistent Threat

C3PAO – Certified Third-Party Assessment Organization

CDI – Covered Defense Information 

CMMC – Cybersecurity Maturity Model Certification

CTI – Controlled Technical Information

CUI – Controlled Unclassified Information

DIB – Defense Industrial Base

DFARS – Department of Federal Acquisition Regulation Systems

DOD – Department of Defense

FCI – Federal Contract Information

FOUO – For Official Use Only

NIST – National Institute of Standards and Technology

NPI – Nonpublic Personal Information

SSP – System Security Plan
