CMMC Glossary

CMMC Glossary, Terms & Definitions

Welcome to our CMMC Glossary, a comprehensive resource designed to guide you through the intricate terminology of the Cybersecurity Maturity Model Certification (CMMC). Whether you’re new to the framework or seeking to deepen your understanding, this glossary provides clear definitions and context for key terms, helping you navigate the complexities of cybersecurity compliance and ensuring that your organization is well-prepared to achieve and maintain the required certification level.

Accreditation Body (AB): The organization responsible for overseeing the CMMC certification process, including the accreditation of C3PAOs and the approval of individual assessors.

Advanced Persistent Threat (APT): Sophisticated, prolonged, and targeted cyberattacks typically sponsored by nation-states or criminal organizations aiming to steal information or monitor systems.

Annual Affirmation: A requirement under CMMC for contractors to annually affirm their compliance with the cybersecurity standards applicable to their certification level.

CMMC (Cybersecurity Maturity Model Certification): A certification process that measures the cybersecurity maturity of defense contractors. It aims to protect controlled unclassified information (CUI) within the defense supply chain.

CUI (Controlled Unclassified Information): Information that requires protection under laws, regulations, or government-wide policies but is not classified under Executive Order or an equivalent.

Cyber Incident Reporting: The obligation to report cybersecurity incidents that affect the contractor’s ability to perform critical functions or affect the protection of CUI.

Cybersecurity Practices: Technical and managerial controls that contractors are required to implement to achieve and verify cybersecurity objectives.

DFARS (Defense Federal Acquisition Regulation Supplement): A supplement to the Federal Acquisition Regulation (FAR) that provides DoD-specific acquisition regulations.

DIB (Defense Industrial Base): Refers to the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts to meet U.S. military requirements.

DoD Assessment: An evaluation process led by the Department of Defense to verify contractor compliance with CMMC requirements, especially at higher levels.

FCI (Federal Contract Information): Information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not intended for public release.

Federal Acquisition Regulation (FAR): The primary set of rules in the Federal Acquisition Regulations System that governs the procurement process of the US government.

Gap Analysis: The comparison of actual performance with potential or desired performance.

Risk Management Framework (RMF): A framework that provides a structured process for integrating security and risk management activities into the system development life cycle.

Information Security Continuous Monitoring (ISCM): Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.


Level 1 Certification: The foundational level of CMMC that requires the implementation of basic cyber hygiene practices to protect Federal Contract Information (FCI).

Level 2 Certification: An advanced level that aligns with NIST SP 800-171, requiring a more rigorous set of practices to protect Controlled Unclassified Information (CUI).

Level 3 Certification: The highest and most stringent level, aligning with NIST SP 800-172, designed for environments that handle information vulnerable to Advanced Persistent Threats (APTs).

Maturity Processes: Practices that demonstrate the institutionalization of processes at the organizational level. These were featured in CMMC 1.0 but have been removed in CMMC 2.0 to simplify the model.

NIST SP 800-171: A publication from the National Institute of Standards and Technology that provides guidelines on protecting controlled unclassified information in non-federal information systems and organizations.

NIST SP 800-172: Builds on NIST SP 800-171 for protecting CUI in environments where advanced persistent threats (APTs) are a concern.

POA&M (Plan of Action and Milestones): A document that identifies tasks needed to correct deficiencies found during a security control assessment, achieve milestones, and mitigate risks.

Priority Acquisitions: DoD designations for contracts that require enhanced cybersecurity protections due to the sensitivity or critical nature of the involved information or services.

Rulemaking: The process by which the federal government develops and issues rules (regulations), including those related to CMMC. It typically involves public notice, a comment period, and publication of the final rule.

Security Requirements Guide (SRG): Documents that provide security requirements and guidance to ensure compliance with cybersecurity standards and best practices.

Self-Assessment: The process by which a contractor evaluates their compliance with the necessary cybersecurity requirements at certain CMMC levels to ensure they meet the standards without third-party involvement.

Sensitive Unclassified Information (SUI): Information that is not classified but is sensitive and requires controls to prevent unauthorized access or disclosure.

Supply Chain Risk Management (SCRM): The process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of a supply chain.

CMMC Third-Party Assessment Organizations (C3PAOs): Organizations accredited by the CMMC Accreditation Body to conduct assessments of contractor compliance with the required CMMC level.
