CMMC and NIST 800-171 Terms & Links
We’ve compiled the most thorough collection of helpful and authoritative links on the internet to help with your CMMC compliance efforts: CMMC Resources, NIST 800-171 Resources, CUI Resources, DFARS Resources
The Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) Program Proposed Rule on 12/26/2023. DoD also announced the availability of eight guidance documents for the CMMC Program. These documents provide additional guidance on the CMMC model, assessments, scoring, and hashing.
As of 12/26/2023, the CMMC Proposed Rule with its supporting documentation and the CMMC guidance documents (version 2.11) have both been released.
CMMC Proposed Rule
CMMC Program – Proposed Rule (PDF), 32 CFR Part 170
Summary: DoD is proposing to establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have, as part of the Cybersecurity Maturity Model Certification (CMMC) Program, implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs. DoD currently requires covered defense contractors and subcontractors to implement the security protections set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2 to provide adequate security for sensitive unclassified DoD information that is processed, stored, or transmitted on contractor information systems and to document their implementation status, including any plans of action for any NIST SP 800-171 Rev 2 requirement not yet implemented, in a System Security Plan (SSP). The CMMC Program provides the Department the mechanism needed to verify that a defense contractor or subcontractor has implemented the security requirements at each CMMC Level and is maintaining that status across the contract period of performance, as required.
- Federal Register – CMMC Program – Proposed Rule Webpage
- CMMC Program Rulemaking Docket (Unified Agenda, Overall Documents, Comments)
- Public comments posted regarding rule
- Regulatory Impact Analysis 32 CFR Part 170 (Impact, Cost, and Benefit Analysis)
- Initial Regulatory Flexibility Analysis 32 CFR (benefits and costs, small business impact analysis)
- CMMC Guidance document repository with public comments (assessment guides, scoping guides, hashing guide)
- Notice of Guidance for CMMC
CMMC Guidance – CMMC Model
CMMC Model Overview
Abstract: This document focuses on the CMMC Model as set forth in 32 CFR 170.14 of the CMMC Program proposed rule (See docket DoD–2023–OS–0063 on Regulations.gov). The model incorporates the security requirements from: (1) FAR 52.204–21, Basic Safeguarding of Covered Contractor Information Systems, (2) NIST SP 800–171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and (3) a selected set of the requirements from NIST SP 800–172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171. The CMMC Program is designed to provide increased assurance to the DoD that defense contractors and subcontractors are compliant with information protection requirements for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and are protecting such information at a level commensurate with risk from cybersecurity threats, including Advanced Persistent Threats (APTs).
CMMC Guidance – CMMC Scoping Guide
Scoping Guide – CMMC Level 1
Abstract: This document provides scoping guidance for Level 1 of CMMC as set forth in 32 CFR 170.19. Prior to a Level 1 CMMC Self-Assessment the OSA must specify the CMMC Assessment Scope. The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the self-assessment.
This guide is intended for OSAs that will be conducting a CMMC Level 1 self-assessment and the professionals or companies that will support them in those efforts.
Scoping Guide – CMMC Level 2
Abstract: This document provides scoping guidance for Level 2 of CMMC as set forth in 32 CFR 170.19. Prior to a Level 2 Self-Assessment or Level 2 Certification Assessment, the OSA must specify the CMMC Assessment Scope. The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the assessment.
This guide is intended for OSAs that will be conducting a CMMC Level 2 Self-Assessment in accordance with 32 CFR 170.16, OSCs that will be obtaining a CMMC Level 2 Certification Assessment in accordance with 32 CFR 170.17, and the professionals or companies that will support them in those efforts. OSCs are a subset of OSAs as all organizations will participate in an assessment, but self-assessment cannot result in certification.
Scoping Guide – CMMC Level 3
Abstract: This document provides scoping guidance for Level 3 of CMMC as set forth in 32 CFR 170.19. Prior to conducting a CMMC assessment, the Level 3 CMMC Assessment Scope must be defined as set forth in 32 CFR 170.19(d). The CMMC Assessment Scope defines which assets within the OSC’s environment will be assessed and the details of the assessment.
When seeking a Level 3 Certification, the OSC must have a CMMC Level 2 Final Certification Assessment for the same scope as the Level 3 assessment. Any Level 2 Plan of Action and Milestones (POA&M as set forth in 32 CFR 170.4) items must be closed prior to the initiation of the CMMC Level 3 assessment. The CMMC Level 3 CMMC Assessment Scope may be a subset of the Level 2 CMMC Assessment Scope (e.g., a Level 3 data enclave with greater restrictions and protections within the Level 2 data enclave).
This guide is intended for OSCs that will be obtaining a CMMC Level 3 assessment and the professionals or companies that will support them in those efforts.
CMMC Guidance – CMMC Assessment Guide
Assessment Guide – CMMC Level 1
Abstract: This document provides guidance in the preparation for and execution of a Level 1 Self-Assessment under the CMMC Program as set forth in 32 CFR 170.15. CMMC Level 1 focuses on the protection of FCI, which is defined in 32 CFR 170.4 and 48 CFR 4.1901 as:
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
CMMC Level 1 comprises the 15 basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204–21.
Assessment Guide – CMMC Level 2
Abstract: This document provides guidance in the preparation for and execution of a Level 2 Self-Assessment or Level 2 Certification Assessment under the CMMC Program as set forth in 32 CFR 170.16 and 170.17 respectively. An Assessment as defined in 32 CFR 170.4 means:
The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization as defined in 32 CFR 170.15 to 32 CFR 170.18.
For CMMC Level 2 there are two types of assessments:
- A Self-Assessment is the term for the activity performed by an entity to evaluate its own CMMC Level, as applied to Level 1 and some Level 2.
- A CMMC Level 2 Certification Assessment is the term for the activity performed by a Certified Third-Party Assessment Organization (C3PAO) to evaluate the CMMC Level of an OSC.
32 CFR 170.16(b) describes contract or subcontract eligibility for any contract with a CMMC Level 2 Self-Assessment requirement, and 32 CFR 170.17(b) describes contract or subcontract eligibility for any contract with a CMMC Level 2 Certification Assessment requirement. Level 2 Certification Assessment requires the OSA achieve either a Level 2 Conditional Certification Assessment or a Level 2 Final Certification Assessment, as described in 32 CFR 170.4, obtained through an assessment by an accredited Certified Third-Party Assessment Organization (C3PAO).
Assessment Guide – CMMC Level 3
Abstract: This document provides guidance in the preparation for and execution of a Level 3 Certification Assessment under the CMMC Program as set forth in 32 CFR 170.18. Certification at each CMMC level occurs independently. An Assessment as defined in 32 CFR 170.4 means:
The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization as defined in 32 CFR 170.15 to 32 CFR 170.18.
A CMMC Level 3 Certification Assessment as defined in 32 CFR 170.4 is the term for the activity performed by the Department of Defense to evaluate the CMMC Level of an OSC. For CMMC Level 3, assessments are performed exclusively by the DoD.
An OSC seeking a CMMC Level 3 Certification Assessment must have first received a CMMC Level 2 Final Certification Assessment, as set forth in 32 CFR 170.18, for all applicable information systems within the CMMC Assessment Scope, and the OSC must implement the Level 3 requirements specified in 32 CFR 170.14(c)(4). This is followed by the CMMC Level 3 assessment conducted by the DoD.
OSCs may also use this guide to perform CMMC Level 3 self-assessment (for example, in preparation for an annual affirmation); however, they are not eligible to submit results from a self-assessment in support of a CMMC Level 3 Certification Assessment. Only the results from an assessment by the DoD are considered for award of a CMMC Level 3 Certification Assessment. Level 3 reporting and affirmation requirements can be found in 32 CFR 170.18 and 32 CFR 170.22.
CMMC Guidance – CMMC Hashing Guide
Hashing Guide (cryptographic reference (or hash) for each artifact used in the assessment)
Abstract: This guide assumes that the reader has a basic understanding of command line tools and scripting. During the performance of a CMMC assessment, the assessment team will collect objective evidence using a combination of three assessment methods:
- examination of artifacts,
- affirmations through interviews, and
- observations of actions.
Because these OSA artifacts may be proprietary, the assessment team will not take OSA artifacts offsite at the conclusion of the assessment. For the protection of all stakeholders, the OSA must retain the artifacts. This guide describes how to provide a cryptographic reference (or hash) for each artifact used in the assessment as discussed in 32 CFR 170.17 and 170.18.
CUI
CUI Policies (Gov Policies) / Regulations
FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems (pdf)
Cloud service providers supporting CUI
- Microsoft Azure GCC / GCC HIGH
- Azure Commercial – suitable for handling Federal Contract Information (FCI)
- Government (GCC) – Suitable for handling CUI that is not export-controlled and does not require US persons for operations tasks
- Government (GCC High) – suitable for handling CUI that carries export-control restrictions (e.g., ITAR, EAR)
- Microsoft Tech Community Discussion: Understanding Compliance Between Commercial, Government and DoD Offerings
- Amazon Web Services (AWS) GOVERNMENT: AWS released the NIST SP 800-171 Customer Responsibility Matrix (CRM), which aligns with the CMMC 2.0 Level 2 Advanced. It provides a breakdown of the NIST SP 800-171 security controls that customers can inherit from AWS using the Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US).
- AWS presentation explains CMMC
- Google Cloud Government – Google has many cloud services that are NIST 800-171 compliant.
- Oracle Government Cloud
- Oracle Cloud Compliance Matrix
Additional CUI resources
- Defense Counterintelligence and Security Agency (DCSA) presentation covering “What is CUI”
- National Archives and Records Administration Page with CUI Registry
- DoD Procurement Toolbox – Cybersecurity Page
Other Resources
- NIST SP 800-171 DoD Assessment Methodology (.docx)
- Project Spectrum – a comprehensive, cost-effective platform that provides companies, institutions, and organizations with cybersecurity information, resources, tools, and training. Its mission is to improve cybersecurity readiness, resiliency, and compliance for small/medium-sized businesses and the Federal manufacturing supply chain.
- The CMMC Information Institute – helping you cut through the fog of CMMC-related misinformation.
- Assistance in the development of a System Security Plan and Plans of Action and milestones
- Approach to Implementing NIST SP 800-171
- About the Cybersecurity Evaluation Tool (CSET) – CSET is a no-cost application developed by the DHS’s Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT). The tool provides a systematic approach for evaluating an organization’s security posture. It guides asset owners and operators through a step-by-step process to evaluate their industrial control system and IT network security practices.
Cybersecurity Awareness Training (Free)
Satisfies CMMC’s general cybersecurity awareness training requirements
DoD Cybersecurity Awareness Training – Cyber Awareness Challenge 2022 (The purpose of the Cyber Awareness Challenge is to influence behavior, focusing on actions that authorized users can take to mitigate threats and vulnerabilities to DoD Information Systems.)
Cybersecurity Policy Templates
- Community Resources for CMMC and NIST 800-171 Compliance – a great resource highlighting available policy templates
- SANS Institute – over 60 Security Policy Templates, including Acceptable Use, Remote Access, and Wireless policies
- Cybersecurity Facility-Related Control Systems (FRCS) – This site has excellent policy and procedure templates and checklists. While the templates and checklists are labeled DoD, ESTCP, or Navy, they are generally organization agnostic, and any organization can modify them to suit their use.
- A generic template of recommended policies and procedures (artifacts) to support the answers to the security control questions – ESTCP IT Policies and Procedures template
KLC Consulting’s NIST 800-171 R2 Self Assessment Template
Spreadsheet with CMMC 2.0 numbering, practice and AO descriptions, a dropdown showing practice compliance level, practice documentation, evidence tracking, POA&M gap documentation, POA&M remediation date, and methodology score.
Commercially Off The Shelf (COTS)
Any item of supply (including construction material) that is:
- A commercial product (as defined in paragraph (1) of the definition of commercial product in this section);
- Sold in substantial quantities in the commercial marketplace; and
- Offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and does not include bulk cargo items, as defined in 46 USC 40102(4). Examples: agricultural products and petroleum products.
DCMA Commercial Item Group (CIG)
COTS definition – FAR 2.101, FAR 12.103
KLC Consulting’s COTS Exemption Case Studies
FIPS 140-2 validated product search
- A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module must employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography.
- Search for information on validated cryptographic modules
FedRAMP certified product search
Here is where you can search for FedRAMP-certified products
SPRS – SPRS submission instructions
Requires registering and logging into the PIEE system and being granted the SPRS security role.
- Simple instructions to obtain PIEE Access and the SPRS Vendor Support role.
- SPRS Access Instruction
- Detailed instructions with screenshot examples – Add SPRS Cyber Vendor Role Instruction and SPRS Quick Entry Guide
- PIEE Helpdesk telephone #: 866-618-5988
- For submission detail: please follow the instructions here.
- SPRS Submission website
- CMMCAUDIT’s Guide to submit a NIST 800-171 self-assessment to the DoD’s SPRS
DoD Procurement Toolbox – Cybersecurity Policy Regulations
- Safeguarding Covered Defense Information and Cyber Incident Reporting
- DoDI 5200.48 “Controlled Unclassified Information.”
- 32 CFR Part 2002 (Part IV) – National Archives and Records Administration, “Controlled Unclassified Information”
- EO 13556 (Federal Register Vol. 75, No. 216), “Controlled Unclassified Information”
- NIST Special Publication 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Non-federal Systems and Organizations”
- 2019 CUI Reports to the President & CUI Notices
- US Under Secretary of Defense’s Office of Acquisition & Sustainment CMMC Page
CMMC, CUI, DFARS, and NIST Authoritative Regulation
- DFARS 252.204-7008
- DFARS 252.204-7012
- DFARS 252.204-7019
- DFARS 252.204-7020
- DFARS 252.204-7021 (CMMC)
48 CFR Federal Acquisition Regulations – Basic Safeguarding of Contractor Information Systems
Official CMMC Documents
CMMC Information
CMMC Model Overview
CMMC Scoping
- Link to CMMC Level 1 Scoping Guidance
- Link to CMMC Level 2 Scoping Guidance
- NIST Special Publication 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
Mapping NIST 800-171 / CMMC to Other Cybersecurity Frameworks
- ComplianceForge – CMMC 2.0 Mapping – NIST-ISO-CIS
- NIST SP 800-171 Revision 2 Appendix D
The Cyber Accreditation Body (Formerly the CMMC-AB)
- Cyber AB – Manages the CMMC ecosystem, C3PAOs, Registered Practitioners (RP)
- Cyber AB Marketplace – for searching entities within the CMMC ecosystem, such as C3PAOs or Registered Practitioners (RP)
CUI / DFARS 7012 / NIST 800-171 / CMMC FAQ
Government sources
- US Under Secretary of Defense’s Office of Acquisition & Sustainment CMMC FAQ Page
- DoD Procurement Toolbox CMMC FAQ Page
- Defense Counterintelligence and Security Agency (DCSA) CUI FAQ – CUI Marking FAQ
- NIST CUI FAQ
- DCSA CUI Frequently Asked Questions (FAQ)
- DCSA – CUI and Freedom of Information Act (FOIA) FAQs
Non-Government sources
- CMMC Accreditation Body (CMMC AB) FAQ
- CMMCAudit.org – CMMC Compliance FAQs – Organizations seeking certification
Other Resources: CUI Registry
Defense Counterintelligence and Security Agency (DCSA)
- DCSA CUI Information Page
- DCSA CUI Slick Sheet – One-page overview of CUI
- DCSA CUI Quick Start Guide – to assist in building a CUI program
- DCSA CUI Marking Job Aid
- DCSA CUI Baseline Requirements
- DCSA CUI Roadmap to Compliance
- DCSA CUI Standard Practice and Procedure (SPP) Template
- DCSA CUI Training Reference Guide
- DCSA CUI Resources One-Pager
- DCSA CUI Glossary & Policy Summaries
- DCSA CUI Training Presentation
- DCSA CUI Manager Customer Engagement Questions
- DCSA CUI Self-Inspection Tool for DOD and Industry
- CUI Cover Sheet
- NARA CUI Marking Handbook (2016)
- NIST MEP Cybersecurity Self-Assessment Handbook (NIST Handbook 162) for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements
- CDSE CUI Toolkit/Resources
- Safeguarding Covered Defense Information (CDI) – 2-pager
- Implementing DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting – What happens on 12/31/2017
- One page information about CUI
NIST 800-171 Resources
- NIST 800-171 Revision 2 document: Protecting Controlled Unclassified Information in Non-federal Systems and Organizations PDF
- NIST 800-171 Assessment Guide PDF
- NIST 800-171 System Security Plan (SSP) Template by NIST (Word format)
- NIST 800-171 CUI Plan of Action and Milestone (POA&M) (Word format)
- NIST 800-172 – Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (CMMC 2.0 Level 3 is based on NIST 800-171 and 800-172)
- NIST 800-171 Rev 2 Mapping: Cybersecurity Framework v.1.0 to SP 800-171 Rev. 2 (xls)
CMMC / CUI Related Training
- KLC’s CMMC videos – Cybersecurity Maturity Model Certification (CMMC)
- DoD Mandatory CUI Training
- DOD Mandatory CUI Training Student Guide
- DCSA CUI Training Presentation
- DODCUI.MIL – CUI Training page
- ISOO – CUI Training
- The National Archive – Controlled Unclassified Information Program (Video)
CUI Marking, Handling, and Labeling
- ISOO CUI Marking Training (YouTube)
- DoD CUI Marking Job Aid
- CUI Marking Quick Reference Guide
- CUI Marking Category List
- CUI Marking – Limited Dissemination Controls
- KLC’s CUI Marking, Handling, and Labeling video discussion
- ISOO – CUI: Lawful Government Purpose
- ISOO – CUI – Introduction to Marking
- ISOO – CUI – Marking Commingled Information
- ISOO – CUI – Controlled Environments
- ISOO – CUI – Destruction of CUI
- ISOO – CUI: Unauthorized Disclosure: Prevention and Reporting
CUI-Related Glossary
Term | Definition |
--- | --- |
Controlled Unclassified Information [EO 13556] | Controlled Unclassified Information (CUI): Information that requires safeguarding or disseminating controls through laws, regulation, or government-wide policy. It excludes Classified Information under Executive Order 13526, Classified National Security Information, December 29, 2009, any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. |
CUI categories [32 CFR 2002] | Types of information requiring (or permitting) agencies to exercise safeguarding or dissemination controls through laws, regulations, or government-wide policies, and which the CUI Executive Agent has approved and listed in the CUI Registry. |
CUI Executive Agent [32 CFR 2002] | The National Archives and Records Administration (NARA) implements the executive branch-wide CUI Program and oversees federal agency actions to comply with Executive Order 13556. NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO). |
CUI program [32 CFR 2002] | The executive branch program standardizes CUI handling by all Federal agencies. The program includes CUI’s rules, organization, and procedures, established by Executive Order 13556, 32 CFR Part 2002, and the CUI Registry. |
CUI registry [32 CFR 2002] | The CUI Registry is an online repository for all information, guidance, policy, and requirements for handling CUI, including everything issued by the CUI Executive Agent (other than 32 CFR Part 2002). The CUI Registry identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures. |
Federal Information System [40 USC 11331] | An information system used or operated by an executive agency, contractor of an executive agency, or another organization on behalf of an executive agency. |
External Network | An external network is a network not controlled by your business organization. |
External System Service Provider | A provider of external system services to an organization through broad consumer-producer relationships. These include joint ventures, business partnerships, outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements), licensing agreements, or supply chain exchanges. |
FIPS-Validated Cryptography | A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module must employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography. Information on validated cryptographic modules. |
Incident [44 USC 3552] | An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of a breach of law, security policies, security procedures, or acceptable use policies. |
Information Resources [44 USC 3502] | Information and related resources include personnel, equipment, funds, and information technology. |
Information Security [44 USC 3552] | Protecting information and systems from unauthorized access, disclosure, disruption, modification, or destruction. Information Security provides confidentiality, integrity, and availability. |
Information System [44 USC 3502] | An Information System is a discrete set of information resources organized for collecting, processing, maintaining, using, sharing, disseminating, or disposing of information. |
Information Technology [OMB A-130] | Information Technology is any service, equipment, or interconnected system(s) or subsystem(s) of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. Information Technology includes: Computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware, and similar procedures, services (including cloud computing and helpdesk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment acquired by a contractor incidental to a contract that does not require its use. |
Insider Threat | Insider Threat is the threat that an insider will use their authorized access, wittingly or unwittingly, to harm the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or the loss or degradation of departmental resources or capabilities. |
Internal Network | A network where establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or the cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (concerning confidentiality and integrity). An internal network is typically organization-owned yet may be organization-controlled while not being organization-owned. |
Least Privilege | Least Privilege is a principle of designing security architecture to grant the minimum system authorizations and resources needed for employees to perform their functions. |
Malicious Code | Malicious code is software or firmware intended to perform an unauthorized process that harms a system’s confidentiality, integrity, or availability. Examples are a virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. |
Media [FIPS 200] | Physical devices or writing surfaces (including magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts, but not display media) onto which information is recorded, stored, or printed within a system. |
Mobile Code | Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient. |
Mobile Device | A portable computing device with a small form factor such that a single individual can easily carry it. It is designed to operate without a physical connection (e.g., wirelessly transmit or receive information), possess local, nonremovable/removable data storage, and have a self-contained power source. Mobile devices may also include voice communication capabilities, onboard sensors that allow the devices to capture information, or built-in features that synchronize local data with remote locations. Examples include smartphones, tablets, and E-readers. |
Multifactor Authentication | Multifactor Authentication uses two or more different factors to achieve Authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). |
Nonfederal Organization | An entity that owns, operates, or maintains a nonfederal system. |
Nonfederal System | A system that does not meet the criteria for a federal system. |
Network | A Network is an implemented system with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. |
Network Access | Access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide-area network, Internet). |
Organization [FIPS 200, Adapted] | An Organization is an entity of any size, complexity, or position with a hierarchical structure. |
Personnel Security [SP 800-53] | Personnel Security is the discipline of assessing individual conduct, integrity, judgment, loyalty, reliability, and stability for duties and responsibilities requiring trustworthiness. |
Portable Storage Device | A Portable Storage Device is a system component that can be inserted into and removed from another system. It stores data or information (e.g., text, video, audio, and image data) and typically uses magnetic, optical, or solid-state media (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory). |
Potential Impact [FIPS 199] | The Potential Impact is the expected loss of confidentiality, integrity, or availability: (i) a limited adverse effect (FIPS Publication 199 low); (ii) a serious adverse effect (FIPS Publication 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS Publication 199 high) on organizational operations, organizational assets, or individuals. |
Privileged Account | A Privileged Account is a system account with authorizations of a privileged user. |
Privileged User | A Privileged User is authorized (and therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform. |
Remote Access | Remote Access allows a user (or a process acting on behalf of a user) to communicate through an external network (e.g., the Internet). |
Remote Maintenance | Remote Maintenance is maintenance activity conducted by communicating through an external network (e.g., the Internet). |
Replay Resistance | Replay Resistance protects against the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access. |
Risk [OMB A-130] | Risk measures the extent to which a potential circumstance or event threatens an entity. It typically functions as (i) the adverse impact or magnitude of the harm that would arise if the circumstance or event occurs and (ii) the likelihood of occurrence. |
Risk Assessment [SP 800-30] | A Risk Assessment identifies risks to organizational operations (including mission, functions, image, and reputation), corporate assets, individuals, other organizations, and the Nation resulting from the operation of a system. |
Sanitization | Sanitization is the action of rendering data written on media unrecoverable by ordinary and extraordinary means. Some forms of sanitization remove information from media such that data recovery is impossible. It includes removing all classified labels, markings, and activity logs. |
Security Control [OMB A-130] | Security Control(s) are the safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information. |
Security Control Assessment [OMB A-130] | A Security Control Assessment is the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome to meet the security requirements for an information system or organization. |
Security Domain [CNSSI 4009, Adapted] | A Security Domain implements a security policy administered by a single authority. |
Security Functions | Security Functions are the hardware, software, or firmware of the system responsible for enforcing system security policy and supporting the isolation of the system’s code. |
Split Tunneling | Split Tunneling allows a remote user or device to establish a non-remote connection with a system and simultaneously communicate via another connection to a resource in an external network. This network access method enables users to access remote devices (e.g., a networked printer) simultaneously while accessing uncontrolled networks. |
System Component [SP 800-128] | A System Component is a discrete, identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware. |
System Security Plan (SSP) | A System Security Plan is a document that describes how an organization meets the security requirements for a system, or how it plans to meet them if it does not currently. The System Security Plan describes the system boundary, the environment in which the system operates, the implementation of the security requirements, and the relationships with or connections to other systems. |
System Service | A System Service is a system’s capability to process, store, and transmit information. |
System User | A System User is an individual or (system) process acting on behalf of an individual authorized to access a system. |
Threat [SP 800-30] | A Threat is a circumstance or event that can adversely impact operations, assets, individuals, other organizations, or the Nation. In a system, a threat arises through unauthorized access, destruction, disclosure, modification of information, or denial of service. |
Whitelisting | Whitelisting is a process to identify software programs authorized to execute on a system or authorized Uniform Resource Locators (URLs)/websites. |
Wireless Technology | Wireless technology allows information transfer between separated points without a physical connection. Wireless technologies include microwave, packet radio (ultra-high-frequency or very high frequency), 802.11x, and Bluetooth. |
Acronyms (COMMON ABBREVIATIONS)
Acronym | Term |
2FA | Two-Factor Authentication |
C3PAO | CMMC 3rd Party Assessment Organization |
CFR | Code of Federal Regulations |
CMMC | Cybersecurity Maturity Model Certification |
CNSS | Committee on National Security Systems |
CUI | Controlled Unclassified Information |
CISA | Cybersecurity and Infrastructure Security Agency |
DMZ | Demilitarized Zone |
FAR | Federal Acquisition Regulation |
FCI | Federal Contract Information |
FIPS | Federal Information Processing Standards |
FISMA | Federal Information Security Modernization Act |
IoT | Internet of Things |
IP | Internet Protocol |
ISOO | Information Security Oversight Office |
IT | Information Technology |
ITL | Information Technology Laboratory |
MFA | Multi-Factor Authentication |
NARA | National Archives and Records Administration |
NFO | Nonfederal Organization |
NIST | National Institute of Standards and Technology |
OMB | Office of Management and Budget |
POA&M | Plan of Action and Milestones |
RP | Registered Practitioner |
RPO | Registered Provider Organization |
SP | Special Publication |
VoIP | Voice over Internet Protocol |