CMMC Glossary of Terms

Access Control (AC)

The process of granting or denying specific requests to:

• obtain and use information and related information processing services, and
• enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).

Advanced Persistent Threat (APT)

An adversary with sophisticated expertise and significant resources allows it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the targeted organizations’ information technology infrastructure for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization, or positioning itself to carry out these objectives in the future. The advanced persistent threat:

• pursues its objectives repeatedly over an extended period of time,
• adapts to defenders’ efforts to resist it, and
• is determined to maintain the level of interaction needed to execute its objectives.

Assessment

The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome for meeting the security requirements for an information system or organization.

Awareness and Training Program

Explains proper rules of behavior for the use of agency information systems and information. The program communicates information technology (IT) security policies and procedures that need to be followed.

Baseline Security

The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection.

Blacklist

A list of discrete entities, such as IP addresses, hostnames, applications, software libraries, and so forth, that have been previously determined to be associated with malicious activity, thus requiring access or execution restrictions.

Blue Team

The group is responsible for defending an organization’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically, the Blue Team and its supporters must defend against real or simulated attacks:

• over a significant period of time,
• in a representative operational context (e.g., as part of an operational exercise), and
• according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team).

Breach

An incident where an adversary has gained access to the internal network of an organization or an organizationally owned asset in a manner that breaks the organizational policy for accessing cyber assets and results in the loss of information, data, or asset. A breach usually consists of the loss of an asset due to the gained access.

CMMC- Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) is the most recent cybersecurity framework from the Department of Defense (DoD) designed to protect the U.S. defense supply chain from foreign and domestic cyber threats and reduce the overall security risk of the defense sector. The purpose of CMMC is to provide increased assurance to the DoD that DIB (Defense Industry Base) companies can adequately protect sensitive unclassified information throughout the multi-tier supply chain.

CMMC Accreditation Body (CMMC-AB)

The U.S. Department of Defense authorizes the CMMC Accreditation Body to be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DoD contractor community or other communities that may adopt the CMMC.

• Certified CMMC Professionals (CCP) CMMC trained and tested cybersecurity professionals who work on an assessment team but are not sanctioned to lead the assessment. The CMMC-AB CP is an entry-level assessor.
• Certified CMMC Assessors (CCA) CMMC trained and certified professionals sanctioned to lead CMMC assessments. The CA# corresponds to the highest ML# (Maturity Level 1-5) the professional is authorized to assess. CMMC-AB CA’s can deliver certified consultations and assessments. For example, a CA-3 Assessor can certify an organization for Maturity Levels 1 through 3.
• Licensed Partner Publisher (LPP)- A licensed publisher of CMMC-related educational courses and content such as universities, online schools, or professional schools
• Licensed Training Provider (LTP)– A licensed provider of CMMC-related education and training materials such as universities, colleges, online schools, professional schools, and internal corporate training departments.
• Organization Seeking Certification (OSC)- Organizations within the DIB seeking CMMC certification for Maturity Levels 1-5.
• Registered Practitioner (RP)– Authorized by CMMC-AB to provide non-certified advisory services, informed by basic training on the CMMC standard. RPs do not conduct certified CMMC assessments.
• Registered Provider Organization (RPO)– Organizations that provide advice, consulting, and recommendations to OSCs but do not conduct certified assessments. CMMC-AB authorizes RPOs to represent the organization as familiar with the basic constructs of the CMMC standard. They have agreed to the CMMC-AB Code of Professional Conduct.
• Third-Party Assessor Organization (C3PAO)– A third-party service provider organization authorized by the CMMC-AB to manage the Organizations Seeking Certification (OSCs) assessment process. Defense contractors and subcontractors may only obtain certification through a C3PAO.

CMMC Framework

The CMMC framework is built on three elements – Security domains, Capabilities, and Controls (Practices). When combined, they prescribe best practices for the protection of an organization and associated FCI and CUI.  These elements apply at five cybersecurity maturity levels (Level 1, 2, 3, 4, and 5) in the overall CMMC framework, Level 1 being the least mature and level 5 the most mature.

CMMC Maturity Level (ML#)

The CMMC model comprises 5 levels of cyber maturity – each designed to accommodate different cybersecurity maturity levels. The maturity levels are designed to support DIB suppliers who require basic cybersecurity hygiene at level 1 through complex DIB suppliers actively targeted by threat actors, potentially from a nation-state at level 5.

• Level 1 – CMMC Level 1 focuses on basic cyber hygiene and ensures requirements specified in 48 CFR 52.204-21 are applied. At this level and Level 2, organizations can be given FCI (Federal Contract Information). The FCI does not include information generated by the Government for public purposes like public-facing websites. While security practices are expected to be followed, Level 1 organizations do not exhibit process maturity, and practices are not institutionalized.
• Level 2 – CMMC Level 2 focuses on intermediate cyber hygiene. This set of security practices gives the organization at Level 2 a better ability to protect data and keep the business operational against cyber threats. Organizations document their standard operating procedures (SOP), policies, and a Strategic Plan for all security domains to guide their security program’s fulfillment.
• Level 3 – Organizations assessed at CMMC Level 3 show good cyber hygiene and can protect their Assets and access and produce CUI. They have the ability to face modern attackers (APT’s) and manage security incidents & actions while exercising robust security controls. Adequate resource activities and review, Established policies and procedures, and Process documentation demonstrate Security Processes Maturity.
• Level 4 – At CMMC Level 4, an organization has developed a robust and forward-thinking, anticipatory cybersecurity program. The organization has the ability to contour its protections to thwart the ever-changing tactics, techniques, and procedures (TTP) in use by APTs (advanced persistent threats). These organizations review and document all activities, measure performance, and inform senior management of any issues, demonstrating further maturity.
• Level 5 – Organizations assessed at CMMC Level 5 have advanced cybersecurity program that demonstrates an ability to optimize their cybersecurity capabilities to dissuade APTs. These organizations ensure standardization in their process implementation across the organization units.

CMMC Standard

The framework combines various cybersecurity standards and best practices and maps those controls and processes across several maturity levels that range from basic to advanced cyber hygiene. When implemented, it will reduce risk against a specific set of cyber threats.

Compliance

Conformity in fulfilling official requirements.

Contractor (Defense Contractor)

Any individual, firm, corporation, partnership, association, or other legal non-Federal entity enters into a contract directly with the DoD to furnish services, supplies, or construction.

Control

The methods, policies, and procedures—manual or automated—are used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards. A measure that is modifying risk.

Note: controls include any process, policy, device, practice, or other actions which modify risk.

Controlled Unclassified Information (CUI)

Information that requires safeguarding or dissemination controls according to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Covered Defense Information (CDI)

A term used to identify information that requires protection under DFARS Clause 252.204- 7012. Unclassified controlled technical information (CTI) or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls according to and consistent with law, regulations, and Government-wide policies and is:

• Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; OR
• Collected, developed, received, transmitted, used, or stored by—or on behalf of—the contractor in support of the contract’s performance.

Cybersecurity

Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, ensures its availability, integrity, authentication, confidentiality, and nonrepudiation.

Defense Contract Management Agency (DCMA)

The Defense Contract Management Agency is an agency of the United States federal government reporting to the Under Secretary of Defense for Acquisition and Sustainment. It is responsible for administering contracts for the Department of Defense and other authorized federal agencies.

Defense Industrial Base (DIB)

The worldwide industrial complex enables research and development and design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts to meet U.S. military requirements. It is estimated that the DIB includes approximately 300,000 companies in the supply chain.

Defense Federal Acquisition Regulation Supplement (DFARS)

A set of cybersecurity regulations administered by the Department of Defense (DoD) for external contractors and suppliers.

The DFARS implements and supplements the FAR and provides detailed information about applying the regulation for DoD contractors, minimum requirements, and options to meet compliance standards.

Department of Defense (DoD)

The United States Department of Defense is America’s largest government agency. It is charged with coordinating and supervising all government agencies and functions directly related to national security and the United States Armed Forces.

Department of Defense (DoD) Cyber Crime Center (DC3)

DC3’s mission is to deliver superior digital and multimedia forensic services, cyber technical training, vulnerability sharing, technical solutions development, and cyber analysis within the following DoD mission areas: cybersecurity and critical infrastructure protection, law enforcement and counterintelligence, document and media exploitation, and counterterrorism.

DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE)

DCISE is the operational hub of DoD’s Defense Industrial Base (DIB) Cybersecurity Program (DC3), focused on protecting intellectual property and safeguarding DoD content residing on or transiting through contractor unclassified networks. DCISE develops and shares actionable threat products, performs cyber analysis and diagnostics, and provides remediation consultation for DIB participants.

Enterprise Mission Assurance Support Service (eMass)

A web-based Government solution designed to support cybersecurity management and the compliance platform used by DoD programs internally.

Federal Acquisition Regulation (FAR)

The FAR is the primary regulation for use by all executive agencies to acquire supplies and services with appropriated funds. FAR is jointly issued by The Department of Defense (DoD), the U.S. General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA).

Federal Contract Information (FCI)

Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP.gov is a product of GSA’s (General Services Administration) Technology Transformation Services that provides a standardized approach to security assessment and authorization for cloud products and services used by U.S. federal agencies.

General Services Administration (GSA)

GSA is an independent agency of the United States government established to help manage and support federal agencies’ basic functioning.

Identity-Based Access Control (IBAC)

Access control is based on the user’s identity (typically relayed as a characteristic of the process acting on that user’s behalf). Access authorizations to specific objects are assigned based on user identity.

Identity, Credential, and Access Management (ICAM)

Programs, processes, technologies, and personnel used to create trusted digital identity representations of individuals and non-person entities (NPEs), bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions, and leverage the credentials to provide authorized access to an organization‘s resources.

Information System (IS)

A discrete set of information resources is organized to collect, process, maintain, use, share, disseminate, or dispense information.

Insider Threat

The threat that an insider will use her/his authorized access, wittingly or unwittingly, to harm the organization’s security or the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or the loss or degradation of departmental resources or capabilities.

Insider Threat Program

A coordinated collection of capabilities authorized by the Department/Agency (D/A) is organized to deter, detect, and mitigate the unauthorized disclosure of sensitive information.

Malicious Code

Software or firmware intended to perform an unauthorized process that adversely impacts the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.

Malware

Software or firmware intended to perform an unauthorized process that adversely impacts the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code (malware).

Maturity Level

See CMMC Maturity Level

Maturity Model

A maturity model is a set of characteristics, attributes, or indicators representing a progression in a particular domain. A maturity model allows an organization or industry to have its practices, processes, and methods evaluated against a clear set of requirements (such as activities or processes) that define specific maturity levels. At any given maturity level, an organization is expected to exhibit the capabilities of that level. A tool that helps assess the current effectiveness of an organization and supports determining what capabilities they need to obtain the next level of maturity to continue progression up the levels of the model.

National Institute of Standards and Technology (NIST)

A physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. The NIST mission is to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic benefits.

Organization Seeking Certification (OSC)

The entity that is going through the CMMC assessment process receives a level of certification for a given environment.

Plan of Action and Milestones (POA&M)

The task or honey-do list of how the organization will address cybersecurity risks related to their information and systems.

Process

A procedural activity that is performed to implement a defined objective.

Process Maturity

A CMMC Process (i.e., DD.999, DD.998, DD.997, DD.996, DD.995) is a specific set of defined activities that organizations implement to achieve maturity of process.

Red Team

A group of people authorized and organized to emulate a potential adversary’s attack or
exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.

Security Domain

An environment or context includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture.

Security Operations Center (SOC)

A centralized function within an organization utilizing people, processes, and technologies to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.

Supply Chain

A system of organizations, people, activities, information, and resources, possibly international in scope, provides products or services to consumers.

Supply Chain Attack

Attacks allow the adversary to utilize implants or other vulnerabilities inserted before installation to infiltrate data or manipulate information technology hardware, software, operating systems, peripherals (information technology products), or services at any point during the life cycle.

Supply Chain Risk Management (SCRM)

A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).

System Security Plan (SSP)

The formal document prepared by the information system owner (or common security controls owner for inherited controls) provides an overview of the system’s security requirements and describes the security controls in place or planned for meeting those requirements. The plan can also contain supporting appendices or, as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan.

Threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Threat Actor

An individual or a group posing a threat.

Threat Intelligence

Threat information has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.

Threat Monitoring

Analysis, assessment, and review of audit trails and other information collected to search out system events that may constitute system security violations.

Trigger

A set of logic statements to be applied to a data stream that produces an event when an anomalous incident or behavior occurs.

Virus

A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk.

Vulnerability

A threat source could exploit a weakness in an information system, system security procedures, internal controls, or implementation.

Vulnerability Assessment

Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm such measures’ adequacy after implementation.

Vulnerability Management

An Information Security Continuous Monitoring (ISCM) capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.

Whitelist

An approved list or register of entities provided a particular privilege, service, mobility, access, or recognition.

Implementing a default deny-all or allow-by-exception policy across an enterprise environment and a clear, concise, timely process for adding exceptions when required for mission accomplishments.

White Team

A White Team in cybersecurity is the group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of their enterprise’s use of information systems. In an exercise, the White Team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender’s mission.

The White Team helps to establish the rules of engagement, the metrics for assessing results, and the procedures for providing operational security for the engagement. The White Team normally has responsibility for deriving lessons-learned, conducting the post-engagement assessment, and promulgating results.