The DoD’s CMMC: Key Terms and Acronyms

The US Department of Defense's (DoD's) new Cybersecurity Maturity Model Certification (CMMC) program brings together three of the world's most prolific acronym-producing entities: the defense, IT and information security industries. The result is a jargon-generating juggernaut of gigantic proportions (JGJGP).

If your business is a supplier or contractor within the US Defense Industrial Base (DIB), we hope this blog post will help you join the CMMC conversation quickly. It is a one-stop reference for the key terminology you will encounter around the CMMC, and it will be updated regularly.


APTs

Advanced Persistent Threats. These are well-resourced threat actors, often a nation state or a state-sponsored group, with the skills and patience to gain unauthorized access to a network and remain undetected for a long period of time. CMMC Levels 4 and 5 are meant to "protect CUI and reduce risk of APTs."

C3PAO

CMMC Third Party Assessment Organization. Before they can participate in contracts that mandate CMMC certification, businesses must engage an official, independent C3PAO to conduct a formal CMMC assessment. The CMMC Accreditation Body (CMMC-AB) accredits C3PAOs so they can conduct CMMC assessments; an organization that is not on the CMMC-AB's authorized list cannot issue a certification.

Capture Team

In the context of directing a company’s efforts to “capture” government contracts, a multidisciplinary team, called a capture team, is responsible for capture planning and execution. Sometimes called a Pursuit team.

CDI

Covered Defense Information. Unclassified controlled technical information, or other information described in the CUI Registry, that must be protected under DFARS Clause 252.204-7012. CDI can be provided to a contractor by or on behalf of the DoD in connection with contract performance, or collected, developed, received, transmitted, used or stored by the contractor in support of contract performance. In practice the terms CDI and Controlled Unclassified Information (CUI) are often used interchangeably; strictly, CDI is the DFARS-defined subset of CUI that a DoD contract requires you to safeguard.

Certified Assessor (CA)

CAs are credentialed individuals authorized by the CMMC-AB to deliver assessments, training, and consulting at/below the CA-1, CA-3 or CA-5 level, and to supervise Certified Professionals (CPs).

Certified Professional (CP)

CPs are credentialed individuals authorized by the CMMC-AB to participate on an assessment team under the supervision of a CA. They are themselves eligible to become CAs.

CMMC-AB

CMMC Accreditation Body. The CMMC-AB is a nonprofit, “industry formed” entity that establishes and oversees training and certification of assessment organizations (C3PAOs). C3PAOs, in turn, employ assessors who audit contractors for CMMC compliance.

CUI

Controlled Unclassified Information. "Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended." Another way to look at it is that CUI is the information the higher CMMC levels are built to protect: Level 1 covers the broader category of Federal Contract Information (FCI), while Level 3 and above (and, against APTs, Levels 4 and 5) address CUI.

DCMA

Defense Contract Management Agency. An agency of the US federal government reporting to the Under Secretary of Defense for Acquisition and Sustainment. The DCMA is responsible for administering contracts for the DoD and its partners and is a major part of the US defense acquisition process.

DFARS

Defense Federal Acquisition Regulation Supplement. DFARS Clause 252.204-7012 (“Safeguarding of Covered Defense Information and Cyber Incident Reporting”) mandates, among other things, that DoD contractors comply with the security requirements for CUI as specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

DIB

Defense Industrial Base. The worldwide industrial complex of companies and facilities that supports research, development, design, manufacturing, delivery and maintenance of the products and services needed to meet US military requirements, from the large primes down to small subcontractors.

DIBCAC

Defense Industrial Base Cybersecurity Assessment Center. The DoD's own cyber assessment center, organized in 2019 under the DCMA, which currently assesses contractors' implementation of their information security controls on behalf of the DCMA. The DIBCAC applies its own assessment methodology for scoring NIST SP 800-171 implementation, so a contractor's self-assessment and a DIBCAC assessment of the same system can produce different results.

DSC

Defense Supply Chain. The same thing as the DIB. The CMMC uses the term DSC rather than DIB, presumably because more acronyms are better.

Exostar

Exostar is a global leader in identity and access management and secure cloud solutions for collaboration, information sharing and supply chain management. Exostar was founded in 2000 by Boeing, Raytheon, Lockheed, Rolls-Royce and BAE Systems, and about 65% of the DoD's direct spending is transacted over its secure platform.

FCI

Federal Contract Information. This is information “not intended for public release” that is provided by or generated for the US government under a contract to develop or deliver a product or service to the government. FCI does not include information that the government provides to the public (such as on public websites) or transactional/payment information.

FOUO

For Official Use Only. A legacy DoD dissemination-control marking for unclassified information that is exempt from public release. FOUO is being phased out in favor of CUI markings under the government-wide CUI program, so documents marked FOUO may need to be re-evaluated and re-marked as CUI.

Katie Arrington

CISO for Acquisition and Sustainment at the DoD, and the point person for the CMMC rollout.

NIST 800-171

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which currently governs CUI in “non-federal information systems and organizations.” This is the information security standard to which DoD contractors and their suppliers currently must self-attest to participate in DoD contracts.

NIST Handbook 162

Entitled "NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements," NIST Handbook 162 is a step-by-step guide to assessing an information system against the NIST SP 800-171 standard.

OSC

Organization Seeking Certification. A DoD supplier that is going through, or looking to begin, the CMMC assessment process in order to reach "CMMC Certified Supplier" status, which entails passing a CMMC assessment and thus achieving certification. All DoD suppliers will need CMMC certification to the CMMC Maturity Level specified in their contracts by 2025.

POAM

Plan of Action and Milestones (also written POA&M). A plan that outlines the specific actions, owners and target dates for correcting deficiencies noted during an evaluation of information security controls. Under NIST SP 800-171 self-attestation, an open POA&M is acceptable for requirements not yet met; under the original CMMC model, by contrast, every practice at the target level had to be fully implemented at the time of assessment, so a POA&M could not be used to pass.

Prime or Primes

Prime contractors. In the realm of US government procurement, “primes” are organizations selected by the government to deliver products or services. “Subs” (subcontractors) are organizations that primes hire to help deliver said products or services.


OUSD(A&S)

The Office of the Under Secretary of Defense for Acquisition and Sustainment. A unit of the Office of the Secretary of Defense that supervises all DoD acquisitions, including procurement, R&D, developmental testing, and contract administration. This is the DoD office responsible for implementing the CMMC.

Registered Practitioner (RP)

RPs are professionals who provide non-certified CMMC advice as part of their consultative services. They have been trained in the basic CMMC methodology, have agreed to the CMMC-AB Code of Professional Conduct and are affiliated with a Registered Provider Organization (RPO).

Registered Provider Organization (RPO)

RPOs are authorized by the CMMC-AB to represent themselves as “focused on CMMC,” as having a basic understanding of its requirements and as following the CMMC-AB Code of Professional Conduct. RPOs can deliver non-certified CMMC Consulting Services and will be listed on the CMMC-AB Marketplace.

TTPs

Tactics, techniques and procedures. APTs use an ever-growing arsenal of TTPs to exfiltrate CUI from the DoD’s primes and subs. CMMC Levels 4 and 5 focus on protecting CUI from APTs and their TTPs.

JGJGP

Jargon-generating juggernaut of gigantic proportions