CMMC Certification on Your Mind?
As you embark on the CMMC journey and prepare to learn more about the certification process and apply to be certified as a federal contractor, you will come across many acronyms. Some of these acronyms play a major role as you become CMMC certified. It is worth having a quick reference page as you move forward and get your pre-assessment started.
The following glossary is adapted from the DoD's CMMC 1.0 Appendices as well as CMMCAB.ORG and is republished here as a service to our readers and clients looking into getting a pre-assessment for CMMC compliance and preparing for the assessment. CMMC definitions will be the standard for the use of terms by CMMC auditors. We also hope this will help you and your team speak the same language.
Here are some frequently used acronyms and definitions worth noticing!
CMMC ACRONYMS & DEFINITIONS
C3PAO – CMMC Third-Party Assessor Organization – Organization authorized to manage the assessment process and to enter into a contract with the assessed organization and certified CMMC assessors to deliver CMMC assessments.
CCA/CCP – Certified CMMC Assessor/Professional – Credentialed individuals authorized to deliver assessments, training, and consulting.
CUI – Controlled Unclassified Information Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order.
CDI – Covered Defense Information Term used to identify information that requires protection under DFARS Clause.
Unclassified controlled technical information (CTI) or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies and is:
* Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by, or on behalf of, DoD in support of the performance of the contract, OR
* Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract.
Cybersecurity – Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Defense Industrial Base (DIB) – The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
Domain – Sets of capabilities that are based on cybersecurity best practices. There are 17 domains within CMMC. Each domain is assessed for practice and process maturity across five defined levels.
Encryption – The process of changing plaintext into ciphertext.
Encryption Policies – Policies that manage the use, storage, disposal, and protection of cryptographic keys used to protect organization data and communications.
FCI – Federal Contract Information – Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as that necessary to process payments.
Firewall – A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.
Identity, Credential, and Access Management (ICAM) – Programs, processes, technologies, and personnel used to create trusted digital identity representations of individuals and non-person entities (NPEs), bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions, and leverage the credentials to provide authorized access to an organization's resources.
Insider Threat – The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the organization or the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of departmental resources or capabilities.
LPP – Licensed Partner Publisher – The CMMC-AB LPP program is designed for publishers of educational courses and content who wish to sell such content to education organizations such as universities, online schools, or professional schools, or directly to consumers. Listed as an LPP on the CMMC-AB website.
LTP – Licensed Training Provider – The CMMC-AB LTP program is designed for providers of education and training services such as colleges, universities, online schools, professional schools, internal corporate training departments, or any direct-to-consumer learning providers. Delivers certified training to students using approved curriculum developed by LPPs. Listed as a Licensed Training Provider on the CMMC-AB Marketplace.
Maturity Model – A maturity model is a set of characteristics, attributes, or indicators that represent progression in a particular domain. A maturity model allows an organization or industry to have its practices, processes, and methods evaluated against a clear set of requirements (such as activities or processes) that define specific maturity levels. At any given maturity level, an organization is expected to exhibit the capabilities of that level. It is a tool that helps assess the current effectiveness of an organization and determine what capabilities it needs in order to reach the next level of maturity and continue progressing up the levels of the model.
Multi Factor Authentication (MFA) – Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric).
OSC – Organization Seeking Certification – The company that is going through the CMMC assessment process to receive a level of certification for a given environment. The certificate allows the organization to bid on DoD contracts up to the identified maturity level.
Patch – An update to an operating system, application, or other software issued specifically to correct particular problems with the software.
PII – Personally Identifiable Information – Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother's maiden name).
Risk Assessment – The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system.
Risk Management – The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation.
Risk Mitigation – Prioritizing, evaluating, and implementing the appropriate controls/countermeasures recommended from the risk management process.
RP/RPO – Registered Provider/Registered Provider Organization – Authorized to represent themselves as familiar with the basic constructs of the CMMC Standard, with a CMMC-AB provided logo.
The RPOs and RPs in the CMMC ecosystem provide advice, consulting, and recommendations to their clients. They are the "implementers" and consultants, but do not conduct Certified CMMC Assessments. Any references to "non-certified" services refer only to the fact that an RPO is not authorized to conduct a certified CMMC assessment.
SOC – Security Operations Center – A centralized function within an organization utilizing people, processes, and technologies to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
SCRM – Supply Chain Risk Management – A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats, whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).
Standards – A document, established by consensus and approved by a recognized body, that provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.
Threat – Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Unauthorized Access – Any access that violates the stated security policy.
User – Individual, or (system) process acting on behalf of an individual, authorized to access an information system.
Vulnerability Assessment – Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
If you are interested in bidding on and serving DoD contracts, or if you are currently a federal contractor and want to continue serving federal contracts, CMMC certification allows your company to continue participating in and bidding on DoD contracts. Within the CMMC there are Security Maturity Levels 1 through 5, five being the highest. Once your company gets CMMC certification, it will be good for up to 3 years.
It is highly recommended by the CMMC-AB that any contractors currently working on DoD contracts, or wanting to bid on them, start the pre-assessment of their business security, practices, and processes, and have plans to fix any deficiencies or vulnerabilities that are found. All DoD suppliers, and eventually all federal government suppliers, will need to comply with the CMMC certification requirements. Along with certification, it is imperative to have comprehensive cyber insurance coverage as part of your cybersecurity risk mitigation plan.
Speak to one of our experienced cyber agents to help you find the best policy for your business and connect with our certified RP/RPO team to get you started on pre-assessment so you are ready for CMMC certification.