As you embark on the CMMC journey, learn more about the certification process, and prepare to be certified as a federal contractor, you will come across many acronyms. Some of them play a major role as you become CMMC certified, so it is worth having a quick reference page at hand as you move forward and get your pre-assessment started.
The following glossary is adapted from the DoD's CMMC 1.0 appendices and from CMMCAB.ORG, and is republished here as a service to our readers and clients who are looking into a CMMC pre-assessment and preparing for the formal assessment. The CMMC definitions are the standard vocabulary used by CMMC assessors, and we hope this page will help you and your team speak the same language.
CMMC ACRONYMS & DEFINITIONS
C3PAO - CMMC Third-Party Assessment Organization
Organization authorized to manage the assessment process; it contracts with the organization being assessed and with Certified CMMC Assessors to deliver CMMC assessments.
CCA/CCP - Certified CMMC Assessors/Professionals
Credentialed individuals authorized to deliver assessments, training, and consulting.
CUI - Controlled Unclassified Information
Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526 (or any predecessor or successor order) or the Atomic Energy Act.
CDI - Covered Defense Information
Term used to identify information that requires protection under DFARS clause 252.204-7012.
Unclassified controlled technical information (CTI) or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:
*Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by, or on behalf of, DoD in support of the performance of the contract; OR
*Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract.
Cybersecurity
Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Defense Industrial Base (DIB)
The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
Domains
Domains are sets of capabilities that are based on cybersecurity best practices. There are 17 domains in CMMC 1.0. Each domain is assessed for practice and process maturity across the five defined levels.
Encryption
The process of changing plaintext into ciphertext.
Policies that manage the use, storage, disposal, and protection of cryptographic keys used to protect organization data and communications.
FCI - Federal Contract Information
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.
Firewall
A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.
ICAM - Identity, Credential, and Access Management
Programs, processes, technologies, and personnel used to create trusted digital identity representations of individuals and non-person entities (NPEs), bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions, and leverage the credentials to provide authorized access to an organization's resources.
Insider Threat
The threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the organization or the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of departmental resources or capabilities.
LPP - Licensed Partner Publisher
The CMMC-AB LPP program is designed for publishers of educational courses and content who wish to sell such content to education organizations such as universities, online schools, or professional schools, or directly to consumers. Listed as an LPP on the CMMC-AB website.
LTP - Licensed Training Provider
The CMMC-AB LTP program is designed for providers of education and training services such as colleges, universities, online schools, professional schools, internal corporate training departments, or any direct-to-consumer learning providers. An LTP delivers certified training to students using approved curriculum developed by LPPs. Listed as a Licensed Training Provider on the CMMC-AB Marketplace.
Maturity Model
A maturity model is a set of characteristics, attributes, or indicators that represent progression in a particular domain. A maturity model allows an organization or industry to have its practices, processes, and methods evaluated against a clear set of requirements (such as activities or processes) that define specific maturity levels. At any given maturity level, an organization is expected to exhibit the capabilities of that level. It is a tool that helps assess the current effectiveness of an organization and supports determining what capabilities it needs in order to reach the next maturity level and continue progressing up the levels of the model.
MFA - Multifactor Authentication
Authentication that uses two or more different factors. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric).
OSC - Organization Seeking Certification
The company that is going through the CMMC assessment process to receive a level of certification for a given environment. The certificate allows the organization to bid on DoD contracts up to the identified maturity level.
Patch
An update to an operating system, application, or other software issued specifically to correct particular problems with the software.
PII - Personally Identifiable Information
Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name).
Risk Assessment
The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system.
Risk Management
The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation.
Risk Mitigation
Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
RP/RPO - Registered Practitioner / Registered Provider Organization
Registered with the CMMC-AB as familiar with the basic constructs of the CMMC standard, and authorized to represent that status with the CMMC-AB-provided RP/RPO logo.
The RPOs and RPs in the CMMC ecosystem provide advice, consulting, and recommendations to their clients. They are the "implementers" and consultants, but they do not conduct certified CMMC assessments. Any reference to "non-certified" services refers only to the fact that an RPO is not authorized to conduct a certified CMMC assessment.
SOC - Security Operations Center
A centralized function within an organization utilizing people, processes, and technologies to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
SCRM - Supply Chain Risk Management
A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).
Standard
A document, established by consensus and approved by a recognized body, that provides for common and repeated use, rules, guidelines, or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Unauthorized Access
Any access that violates the stated security policy.
User
Individual, or (system) process acting on behalf of an individual, authorized to access an information system.
Vulnerability Assessment
Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.