CMMC In A Few Words
Common CMMC Definitions, Acronyms, and Terms
It is important to understand the many acronyms, terms, standards, authorities, and words commonly used in CMMC and cybersecurity discussions.
ATM – Assessment Team Member: An assessment team may consist of multiple staff, not all of whom need to be certified assessors.
C3PAO – CMMC Third-Party Assessor Organization: A Certified Third-Party Assessor Organization (C3PAO) is an organization that is accredited and authorized by the CMMC Accreditation Body (CMMC-AB) to conduct CMMC assessments. C3PAOs are listed in the CMMC “marketplace” within the CMMC AB website. https://cmmcab.org/marketplace/
CCA – Certified CMMC Assessor: A person who has met all training, testing, and supervised auditing requirements and is certified by the CMMC-AB to lead assessments. CCA designation may be shown with a maximum level for which the assessor is certified. Listed in the CMMC-AB marketplace. https://cmmcab.org/marketplace/
CCP – Certified CMMC Professional: A person who has been through the entry-level certification training and testing. CCPs can be an assessment team member, but not in a lead capacity. CCPs are eligible to become CCAs through additional training and testing. Listed in the CMMC-AB marketplace. https://cmmcab.org/marketplace/
CAGE – Contractor and Government Entity: Every contractor and sub working for the federal government must have its own CAGE code; sometimes multiple.
CAICO – CMMC Assessors and Instructors Certification Organization: Part of CMMC-AB that is responsible for the certification of assessors and instructors.
CAM – Contracts Administrator
CAP – CMMC Assessment Process: Provided by the CMMC-AB to ensure consistency in the way that C3PAOs interact with OSCs and with CMMC-AB in the formal assessment process.
CDI – Covered Defense Information: Unclassified controlled technical information or other information – synonymous with CUI.
CERT – Computer Emergency Response Team: Part of CISA, this team provides timely information about high-impact security activity affecting the community at large. Sign up for ongoing alerts. https://us-cert.cisa.gov/
CISA – Cybersecurity and Infrastructure Security Agency: Part of the US Department of Homeland Security (DHS), CISA sponsors MITRE Corporation to maintain a list of publicly disclosed vulnerabilities and puts out a regular email about current discoveries, risks, attacks, and alerts. https://www.cisa.gov/
CMMC – Cybersecurity Maturity Model Certification
CMMC AB – CMMC Accreditation Body https://cmmcab.org/
CMO – Chief Management Officer of the Department of Defense
COTS – Commercial-Off-The-Shelf: Any product available publicly that is not modified in any way for the government. DFARS does not apply to COTS. COTS contracts will most likely be judged to have FCI and so require at least CMMC L1.
CoPC – Code of Professional Conduct: All Certified Professionals, Certified Assessors, Registered Providers, and their respective RPOs and C3PAOs must agree to and abide by a code of conduct.
CRMP – Cyber Risk Management Plan
CTI – Controlled Technical Information
CUI – Controlled Unclassified Information: Per NIST 800-171, information “that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified.” It is ordinary information that is transacted in doing business with the federal government, and is sensitive information, but not officially classified information.
CVE – Common Vulnerabilities and Exposures: CVE is a program sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) Vulnerability Management Component (VMC). It is a central database of publicly disclosed vulnerabilities. CVE feeds the National Vulnerability Database (NVD). Operated by the MITRE Corporation. https://cve.mitre.org/
DAM – DoD NIST SP 800-171 Assessment Methodology
DC3 – DoD Cyber Crime Center: A key DFARS 252.204-7012 term – the point of contact to send malware samples to. The DC3 also operates the cyber incident report portion of the DIBNet portal. https://www.dc3.mil
DCMA – Defense Contract Management Agency
DCSA – Defense Counterintelligence and Security Agency
DDI(CL&S) – Director for Defense Intelligence (Counterintelligence, Law Enforcement, and Security): This office oversees and manages the DoD CUI Program.
DFARS – Defense Federal Acquisition Regulation Supplement: A published supplement to the Federal Acquisition Regulation (FAR) which adds additional guidance and requirements for DoD contracts.
DHS – US Department of Homeland Security
DIB – Defense Industrial Base: The worldwide industrial complex that enables research and development, as well as design, production, delivery and maintenance of military weapons systems/software systems, subsystems, and components or parts, as well as purchased services to meet US Military requirements.
DIBCAC – Defense Industrial Base Cybersecurity Assessment Center: Part of DCMA, this is the entity charged with assessing C3PAO candidates.
DIBNet – This public-private cybersecurity partnership is designed to improve DIB network defenses, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness. Defense contractors subject to DFARS 252.204-7012 are required to report cyber incidents to DIBNet.
DoD – Department of Defense
DoD CIO – Department of Defense Chief Information Officer
EA – Executive Agent
EICP – Event/Incident Communication Plan
EIRP – Event/Incident Response Plan
eMASS – Enterprise Mission Assurance Support Service: This is the compliance platform that DoD programs use internally to manage their cybersecurity compliance. eMASS is used for DoD mission networks and historically has not been associated with Defense Contractor compliance. Access for the private sector is restricted. However, the CMMC will need to record assessments and hold certification status for thousands of companies in a central place. eMASS is the most likely solution.
EO – Executive Order
FAR – Federal Acquisition Regulation: Standardized policies and procedures for any contract made with the United States Federal Government (including the Department of Defense).
FCI – Federal Contract Information: Information that is provided to a contractor, but not intended for public release. It is provided by, or generated for, the government via a contract to develop or deliver a product or service to the government.
FedRAMP – Federal Risk and Authorization Management Program: Promotes the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.
FFRDC – Federally Funded Research and Development Center
FOCI – Foreign Ownership, Control, or Influence: Analysis conducted to determine risk of foreign influence on an organization.
FOIA – Freedom of Information Act
HLO – Highest Level Owner
IGO – Inter-Governmental Organization
IO – Immediate Owner
IOC – Indicators of Compromise
ISOO – Information Security Oversight Office
ITAR – International Traffic in Arms Regulations
ITL – NIST’s Information Technology Laboratory: ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology.
ITM – Insider Threat Management
MEP – Manufacturing Extension Partnership
ML – Maturity Level: This term is used to describe the security practices successfully implemented by a CMMC-assessed Defense Contractor and verified during an audit sanctioned by the CMMC-AB.
MSP – Managed Service Provider: MSPs work in collaboration with internal IT departments of organizations to supplement their workforce. In the context of CMMC, MSPs may help an OSC accomplish various requirements necessary to achieve their desired CMMC maturity level.
NARA – National Archives and Records Administration https://www.archives.gov/
NCF – National Critical Functions: Functions of government and private sector so vital that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, and/or national public health or safety. https://www.cisa.gov/national-critical-functions
NISP – National Industrial Security Program
NIST – National Institute of Standards and Technology https://www.nist.gov/
NIST 800-171: A standard established by NIST that specifically addresses CUI. This standard is paramount in CMMC certification and accompanies NIST 800-53, which specifies how federal government contractors and subcontractors are to manage Controlled Unclassified Information (CUI). It has already been revised and will likely be revised again in the future. The controls found within this document make up the requirements for the various CMMC maturity levels.
NGO – Non-Governmental Organization
NVD – National Vulnerability Database: A central database of publicly disclosed vulnerabilities. See CISA and CVE above. https://nvd.nist.gov/
OIG DoD – Office of the Inspector General of the Department of Defense
OSC – Organization Seeking Certification: Any organization seeking CMMC certification.
OSD – Office of the Secretary of Defense
OUSD(A&S) – Office of the Under Secretary of Defense for Acquisition and Sustainment: An organization within the U.S. Department of Defense that monitors and oversees acquisition and sustainment within the DoD. The requirements of CMMC and its enforcement are indirectly within the oversight of the OUSD(A&S).
PIEE – Procurement Integrated Enterprise Environment
POA&M – Plan of Action and Milestones: A document which identifies missing security requirements and lays out a plan to resolve them. Expected to contain mid- or high-level tasks and milestones to reach a certain cybersecurity goal.
RMM – Resilience Management Model: Developed by CERT.
RP – Registered Practitioner: A Registered Practitioner (RP) delivers a non-certified advisory service informed by basic training on the CMMC standard. They advise, consult, and make recommendations regarding the CMMC certification process. They may help implement actions required to achieve CMMC compliance. However, they are not certified CMMC assessors, nor do they conduct formal assessments. Listed in the CMMC-AB marketplace. https://cmmcab.org/marketplace/
RPO – Registered Provider Organization: An organization registered with the CMMC-AB and employing one or more RPs. Listed in the CMMC-AB marketplace. https://cmmcab.org/marketplace/
SPRS – Supplier Program Risk System: DoD enterprise-wide web app for identifying, assessing, and monitoring unclassified performance. Used by DoD acquisition community to comply with FAR/DFARS.
SSP – System Security Plan: One or more documents that describe the information system of an organization. Expected to be very detailed and in-depth about the network, devices, software, cloud services, and security requirements.
STIG – Secure Technical Implementation Guidance
TTP – Tactics, Techniques, and Procedures: Used to describe the methods of exploitation and attack used by bad actors.
UD – Unauthorized Disclosure
USC – United States Code
USD(A&S) – Under Secretary of Defense for Acquisition and Sustainment
USD(I&S) – Under Secretary of Defense for Intelligence and Security
USD(R&E) – Under Secretary of Defense for Research and Engineering