Here is a list of glossary terms relevant to the Cybersecurity Maturity Model Certification (CMMC) and compliance. It may be long and seem excessive, but we assure you these are just the main terms you will run across frequently.
- CMMC – Cybersecurity Maturity Model Certification: A DoD initiative to enhance cybersecurity across the Defense Industrial Base (DIB). It has five levels, each with increasing requirements based on the sensitivity of the information handled.
- Organization Seeking Assessment (OSA) – Refers to any organization that is preparing to undergo a CMMC assessment, intending to achieve certification for compliance with the required cybersecurity standards.
- External Service Providers (ESPs) – Companies or organizations that provide outsourced services (such as IT or cloud services) that support CMMC compliance but do not process or handle Controlled Unclassified Information (CUI) directly.
- Controlled Unclassified Information (CUI) – Sensitive but unclassified information that requires protection per federal standards. For CMMC, it’s essential to secure CUI to meet specific cybersecurity controls in NIST SP 800-171.
- Federal Contract Information (FCI) – Information provided by or generated for the government under a contract that is not intended for public release. CMMC Level 1 requirements cover basic safeguards for FCI.
- Classified National Security Information – Information that requires protection due to its potential impact on national security. This information is generally outside CMMC’s scope but remains governed by separate classification standards.
- Supplier Performance Risk System (SPRS) – A DoD database used to track contractor risk scores related to cybersecurity and performance. Contractors input their NIST SP 800-171 scores here, affecting their ability to secure contracts.
- 48 CFR 52.204-21 (FAR Clause 52.204-21) – The Federal Acquisition Regulation (FAR) clause that outlines basic safeguarding requirements for protecting FCI on federal contracts.
- DFARS Clause 252.204-7020 – A DoD supplement to FAR that requires contractors to report their compliance with NIST SP 800-171 requirements via self-assessment and submission to SPRS.
- Federal Risk and Authorization Management Program (FedRAMP) – A government-wide program that standardizes security requirements for cloud services. CMMC requires FedRAMP Moderate baseline for any cloud services handling CUI.
- NIST SP 800-171 – A National Institute of Standards and Technology (NIST) publication that provides security controls specifically designed to protect CUI within non-federal information systems.
- AC (Access Control) – A security domain in NIST SP 800-171, defining measures to limit system access to authorized users.
- AB (Accreditation Body) – The entity authorized by DoD to oversee CMMC’s assessment and certification process, including training assessors and providing oversight.
- APT (Advanced Persistent Threat) – A sophisticated, prolonged cyberattack often associated with state-sponsored groups. CMMC Level 3 is designed to counter such threats.
- AT (Awareness and Training) – Another security domain in NIST SP 800-171, focusing on providing cybersecurity training to users within the organization.
- C3PAO (CMMC Third-Party Assessment Organization) – Certified organizations authorized to conduct CMMC assessments, ensuring organizations meet the necessary security requirements.
- CA (Security Assessment) – This domain within NIST SP 800-171 covers the policies and procedures used to periodically assess and ensure the effectiveness of security controls.
- CAICO – CMMC Assessors and Instructors Certification Organization, responsible for training and certifying assessors and instructors within the CMMC ecosystem.
- CAGE (Commercial and Government Entity) – A unique identifier for federal contractors, often used in conjunction with the System for Award Management (SAM).
- CNC (Computerized Numerical Control) – A technology used in manufacturing that is relevant to cybersecurity in protecting critical operational technology.
- CoPC (Code of Professional Conduct) – A set of guidelines governing the behavior and responsibilities of CMMC assessors and other professionals in the accreditation body.
- CSP (Cloud Service Provider) – Companies offering cloud-based services, which, under CMMC requirements, need FedRAMP authorization when managing CUI.
- DCMA (Defense Contract Management Agency) – The DoD agency that oversees DIB cybersecurity assessments, providing certifications through DIBCAC.
- DFARS (Defense Federal Acquisition Regulation Supplement) – Regulations added to FAR specific to defense contracting, including DFARS 252.204-7012 and DFARS 252.204-7020, which mandate cybersecurity standards.
- DIB (Defense Industrial Base) – Refers to companies and contractors that provide products and services to DoD.
- DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) – A DCMA group responsible for performing cybersecurity assessments of DIB contractors.
- DoD (Department of Defense) – The U.S. federal department responsible for coordinating and overseeing CMMC implementation across defense contracts.
- DoDI (Department of Defense Instruction) – A DoD directive providing guidance on implementing policies, including those related to cybersecurity.
- eMASS (Enterprise Mission Assurance Support Service) – A DoD tool for managing cybersecurity assessments and authorizations.
- ESP (External Service Provider) – Companies that support DoD contractors by providing security-related services or technology solutions without directly handling FCI or CUI.
- FAR (Federal Acquisition Regulation) – Regulations governing federal procurement, which apply broadly across U.S. government contracting.
- FedRAMP – Federal Risk and Authorization Management Program, which ensures cloud services meet baseline security standards for federal data handling.
- GFE (Government Furnished Equipment) – Equipment provided by the government to contractors, often subject to strict handling and security requirements.
- IA (Identification and Authentication) – Security controls that confirm the identity of users before granting access to systems.
- ICS (Industrial Control System) – Technology that manages and controls industrial processes, particularly relevant to CMMC for operational technology security.
- IIoT (Industrial Internet of Things) – Connected devices in industrial settings that may be impacted by cybersecurity risks.
- IoT (Internet of Things) – A network of connected devices that can be vulnerable if not properly secured, particularly relevant for CMMC when these handle sensitive data.
- IR (Incident Response) – Security protocols for detecting, responding to, and mitigating cybersecurity incidents.
- IS (Information System) – Systems used to manage data, which are subject to CMMC cybersecurity controls.
- IEC (International Electrotechnical Commission) – A standards organization that, along with ISO, develops global standards for cybersecurity.
- ISO/IEC (International Organization for Standardization / International Electrotechnical Commission) – Two organizations that jointly publish cybersecurity standards (e.g., ISO/IEC 27001), providing an alternative framework to NIST.
- IT (Information Technology) – Computer-based technology systems that are integral to managing FCI and CUI under CMMC.
- L# (CMMC Level Number) – Indicates the cybersecurity level required for a given contract, ranging from L1 (basic FCI protection) to L3 (protection against APTs).
- MA (Maintenance) – A NIST SP 800-171 security domain focusing on proper maintenance and upkeep of information systems.
- MP (Media Protection) – Security domain related to controlling access to media containing FCI or CUI.
- MSSP (Managed Security Service Provider) – Companies that provide outsourced monitoring and management of security systems.
- NARA (National Archives and Records Administration) – U.S. agency responsible for CUI program oversight, ensuring proper handling and marking of sensitive information.
- NAICS (North American Industry Classification System) – Classification system used to categorize business establishments for contracting and other purposes.
- NIST (National Institute of Standards and Technology) – U.S. agency that develops standards, including cybersecurity guidelines essential to CMMC.
- ODP (Organization-Defined Parameter) – Customizable elements within cybersecurity standards that organizations can adjust based on their risk profile.
- OSA (Organization Seeking Assessment) – Organizations actively preparing for or undergoing a CMMC assessment.
- OSC (Organization Seeking Certification) – Refers to any entity that must achieve CMMC certification to qualify for certain DoD contracts.
- OT (Operational Technology) – Hardware and software that detects or causes changes through direct monitoring of physical devices.
- PI (Provisional Instructor) – A designation for CMMC instructors authorized to teach training courses under provisional status.
- PIEE (Procurement Integrated Enterprise Environment) – A DoD platform for acquisition and procurement, supporting contractor compliance.
- PII (Personally Identifiable Information) – Any data that could identify an individual, subject to cybersecurity and privacy protections.
- PLC (Programmable Logic Controller) – An industrial digital computer used in manufacturing automation, relevant to CMMC for OT security.
- POA&M (Plan of Action and Milestones) – A documented plan to address and remediate cybersecurity gaps over time.
- PRA (Paperwork Reduction Act) – U.S. law requiring agencies to minimize the paperwork burden on businesses and individuals.
- RM (Risk Management) – A process of identifying, assessing, and mitigating risks, integral to cybersecurity and CMMC.
- SAM (System for Award Management) – A government system that maintains contractor data for eligibility and compliance with federal contracts.
- SC (System and Communications Protection) – Security controls ensuring system integrity, especially communications security.
- SCADA (Supervisory Control and Data Acquisition) – Industrial control system for large-scale monitoring, relevant for CMMC if sensitive data is managed.
- SI (System and Information Integrity) – A set of controls within NIST SP 800-171 to protect the integrity of systems and data, ensuring timely identification of security threats.
- SIEM (Security Information and Event Management) – A technology that provides real-time analysis of security alerts generated by hardware and applications, helping to detect and respond to threats.
- SSP (System Security Plan) – A detailed document outlining how an organization plans to meet cybersecurity requirements, including descriptions of security controls and implementation.
- SP (Special Publication) – Refers to publications by NIST, such as NIST SP 800-171, which provide guidelines and standards for cybersecurity.
- SPD (Security Protection Data) – Data focused on protecting sensitive information, particularly in environments like the defense industrial base (DIB).