Key Terms
Audit – the process of assessing an organization’s cybersecurity maturity in order to achieve CMMC compliance. CMMC evaluates contractors on a range of five compliance levels used to assess the risk they pose when they use, store, and transmit data.
Assessment – the process organizations use to identify gaps between their current security posture and the CMMC requirements, in preparation for obtaining certification.
Controlled Unclassified Information – information requiring safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
Cyber Hygiene – the routine activities performed by system administrators and users to maintain and improve the security of their systems.
DoD Contractor – any contractor or subcontractor doing business with the Department of Defense.
Domains – a domain is a distinct group of security controls that share similar attributes. These domains are vital to the protection of FCI and CUI. The CMMC framework consists of 17 cybersecurity domains.
Federal Contract Information – information provided by or generated for the government under a contract and not intended for public release.
Gap Analysis – a gap analysis determines how close the contractor is to being fully CMMC compliant and identifies the areas needing improvement.
Levels – the CMMC framework consists of 5 security Levels with 1 being the lowest and 5 being the highest. Each Level was designed to protect FCI and CUI.
Practice – how CMMC evaluates process maturity implementation. An example of a practice could be a log or the system sign-on practices of employees.
Process – how an organization ensures effective implementation of practice activities. An example of a process would be a tangible policy readily available and consistently used.
Scoping – the act of identifying everything CUI touches within an organization. Anything CUI touches is considered in scope, and the CMMC practices and controls apply to those systems.
System Security Plan – a high-level description of how an organization is complying with CMMC. Ideally, it lists the practices and controls in place and how they are being implemented. It is important to document specifically how each in-scope system implements them.
Acronyms
APT – Advanced Persistent Threat
C3PAO – Certified Third-Party Assessment Organization
CDI – Covered Defense Information
CMMC – Cybersecurity Maturity Model Certification
CTI – Controlled Technical Information
CUI – Controlled Unclassified Information
DIB – Defense Industrial Base
DFARS – Department of Federal Acquisition Regulation Systems
DOD – Department of Defense
FCI – Federal Contract Information
FOUO – For Official Use Only
NIST – National Institute of Standards and Technology
NPI – Nonpublic Personal Information
SSP – System Security Plan
Sources
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf
https://cmmcab.org/marketplace/
https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
https://www.acquisition.gov/dfars
https://www.acq.osd.mil/cmmc/contact-us.html
https://www.cisa.gov/defense-industrial-base-sector