CMMC and NIST 800-171 Terms & Links

CUI Policies (Gov Policies) / Regulations

FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems (pdf)

Cloud service providers supporting CUI

• Microsoft Azure GCC / GCC HIGH
  • Azure Commercial – suitable for handling Federal Contract Information (FCI)
  • Government (GCC) – Suitable for handling CUI that is not export-controlled and does not require US persons for operations tasks
  • Government (GCC High) – suitable for handling CUI that have export-controlled restrictions (i.e., ITAR, EAR)
  • Microsoft Tech Community Discussion: Understanding Compliance Between Commercial, Government and DoD Offerings
• Amazon Web Services (AWS) GOVERNMENT: AWS released the NIST SP 800-171 Customer Responsibility Matrix (CRM), which aligns with the CMMC 2.0 Level 2 Advanced. It provides a breakdown of the NIST SP 800-171 security controls that customers can inherit from AWS using the Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US).
• AWS presentation explains CMMC
• Google Cloud Government – Google has many cloud services that are NIST 800-171 compliant.
• Oracle Government Cloud
• Oracle Cloud Compliance Matrix

Additional CUI resources

• Defense Counterintelligence and Security Agency (DCSA) presentation covering “What is CUI”
• National Archives and Records Administration Page with CUI Registry
• DoD Procurement Toolbox – Cybersecurity Page Other Resources
• NIST SP 800-171 DoD Assessment Methodology (.docx)
• Project Spectrum Project Spectrum is a comprehensive, cost-effective platform that provides companies, institutions, and organizations with cybersecurity information, resources, tools, and training. Our mission is to improve cybersecurity readiness, resiliency, and compliance for small/medium-sized businesses and the Federal manufacturing supply chain.
• The CMMC Information Institute Helping you cut through the fog of CMMC-related misinformation.
• Assistance in the development of a System Security Plan and Plans of Action and milestones
• Approach to Implementing NIST SP 800-171
• About the Cybersecurity Evaluation Tool (CSET) Tool – CSET is a no-cost application developed by the DHS’s Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT). The tool provides a systematic approach for evaluating an organization’s security posture. It guides asset owners and operators through a step-by-step process to evaluate their industrial control system and IT network security practices.

• Community Resources for CMMC and NIST 800-171 Compliance – a great resource highlighting available policy templates 
• SANS Institute – over 60 Security Policy Templates, including Acceptable Use, Remote Access, and Wireless policies
• Cybersecurity Facility-Related Control Systems (FRCS) This site has excellent policy and procedure templates and checklists. While the templates and checklists are labeled DoD, ESTCP, or Navy, they are generally organization agnostic, and any organization can modify them to suit their use.
• A generic template of recommended policies and procedures (artifacts) to support the answers to the security control questions –  ESTCP IT Policies and Procedures template

KLC Consulting’s NIST 800-171 R2 Self Assessment Template

Spreadsheet with CMMC 2.0 numbering, Practice, and AO, Practice, and AO descriptions, Dropdown showing practice compliance level, Practice documentation, evidence tracking, POAM gaps documentation, POAM remediation date, Methodology score.

Commercially Off The Shelf (COTS)

1. Any item of supply (including construction material) that is—
   (i) A commercial product (as defined in paragraph (1) of the definition of commercial product in this section);
   (ii) Sold in substantial quantities in the commercial marketplace; and
   (iii) Offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and
2. Does not include bulk cargo items, as defined in 46 USC 40102(4). Examples:  agricultural products and petroleum products.
3. DCMA Commercial Item Group (CIG)
4. COTS definition – FAR 201
   FAR 12.103
5. FAR 2.101
   KLC Consulting’s COTS Exemption Case Studies

• A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module must employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography.
• Search for information on validated cryptographic modules

FedRAMP certified product search

Here is where you can search for FedRAMP-certified products

SPRS – SPRS submission instructions 

Requires registering and logging into the PIEE system to receive authority as the SPRS security role.

• Simple instructions to obtain PIEE Access and the SPRS Vendor Support role.
• SPRS Access Instruction
• Detailed instructions with screenshot examples
  Add SPRS Cyber Vendor Role Instruction and SPRS Quick Entry Guide
• PIEE Helpdesk telephone #:  866-618-5988
• For submission detail: please follow the instructions here.
• SPRS Submission website
• CMMCAUDIT’s Guide to submit a NIST 800-171 self-assessment to the DoD’s SPRS

• Safeguarding Covered Defense Information and Cyber Incident Reporting
• DoDI 5200.48 “Controlled Unclassified Information.”
• 32 CFR 2002 Part IV National Archives and Records Administration 32 CFR Part 2002 “Controlled Unclassified Information.”
• EO 13556 Vol 75, No 216. “Controlled Unclassified Information”
• NIST Special Publication 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Non-federal Systems and Organizations”
• 2019 CUI Reports to the President & CUI Notices
• US Under Secretary of Defense’s Office of Acquisition & Sustainment CMMC Page

CMMC, CUI, DFARS, and NIST Authoritative Regulations

• DFARS 70xx Index
  • DFARS 252.204-7008
  • DFARS 252.204-7012
  • DFARS 252.204-7019
  • DFARS 252.204-7020
  • DFARS 252.204-7021 (CMMC)

48 CFR Federal Acquisition Regulations – Basic Safeguarding of Contractor Information Systems

Official CMMC Documents

• CMMC Information:
• CMMC Model Overview

CMMC Scoping

• Link to CMMC Level 1 Scoping Guidance
• Link to CMMC Level 2 Scoping Guidance
• NIST Special Publication 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Non federal Systems and Organizations”

• Cyber AB – Manages the CMMC ecosystem, C3PAOs, Registered Practitioners (RP)
• Cyber AB Marketplace – for searching entities within the CMC ecosystem, such as C3PAOs or Registered Practitioners (RP)

CUI / DFARS 7012 / NIST 800-171 / CMMC FAQ

Government sources

• US Under Secretary of Defense’s Office of Acquisition & Sustainment CMMC FAQ Page
• DoD Procurement Toolbox CMMC FAQ Page
• Defense Counterintelligence and Security Agency (DCSA) CUI FAQ – CUI Marking FAQ
• NIST CUI FAQ
• DCSA CUI Frequently Asked Questions (FAQ)
• CDSA – CUI and Freedom of Information Act (FOIA) FAQ CUI and the FOIA FAQs

Non-Government sources

• CMMC Accreditation Body (CMMC AB) FAQ
• CMMCAudit.org – CMMC Compliance FAQs – Organizations seeking certification

Other Resources: CUI Registry

• DoD CUI Registry

Defense Counterintelligence and Security Agency (DCSA)

• DCSA CUI Information Page
• DCSA CUI Slick Sheet – One-page overview of CUI
• DCSA CUI Quick Start Guide – to assist in building a CUI program
• DCSA CUI Marking Job Aid
• DCSA CUI Baseline Requirements
• DCSA CUI Roadmap to Compliance
• DCSA CUI Standard Practice and Procedure (SPP) Template
• DCSA CUI Training Reference Guide
• DCSA CUI Resources One-Pager
• DCSA CUI Glossary & Policy Summaries
• DCSA CUI Training Presentation
• DCSA CUI Manager Customer Engagement Questions
• DCSA CUI Self-Inspection Tool for DOD and Industry
• CUI Cover Sheet
• NARA CUI Marking Handbook (2016)
• NIST MEP Cybersecurity Self-Assessment Handbook 162 For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements
• CDSE CUI Toolkit/Resources
• Safeguarding Covered Defense Information (CDI) – 2 pager
• Implementing DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting – What happens on 12/31/2017
• One page information about CUI

NIST 800-171 Resources

• NIST 800-171 Revision 2 document: Protecting Controlled Unclassified Information in Non-federal Systems and Organizations PDF
• NIST 800-171 Assessment Guide PDF
• NIST 800-171 System Security Plan (SSP) Template by NIST (Word format)
• NIST 800-171 CUI Plan of Action and Milestone (POA&M) (Word format)
• NIST 800-172 – Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171  – CMMC 2.0 Level 3 is based on NIST 800-171 and 800-172
• NIST 800-171 Rev 2 Mapping: Cybersecurity Framework v.1.0 to SP 800-171 Rev. 2 (xls)

CMMC / CUI Related Training

• KLC’s CMMC videos – Cybersecurity Maturity Model Certification (CMMC)
• DoD Mandatory CUI Training
• DOD Mandatory CUI Training Student Guide
• DCSA CUI Training Presentation
• DODCUI.MIL – CUI Training page
• ISOO – CUI Training
• The National Archive – Controlled Unclassified Information Program (Video) 

CUI Marking, Handling, and Labeling

• ISOO CUI Marking Training (YouTube)
• DoD CUI Marking Job Aid
• CUI Marking Quick Reference Guide
• CUI Marking Category List
• CUI Marking – Limited Dissemination Controls
• KLC’s CUI Marking, Handling, and Labeling video discussion 
• ISOO – CUI: Lawful Government Purpose 
• ISOO – CUI – Introduction to Marking 
• ISOO – CUI – Marking Commingled Information 
• ISOO – CUI – Controlled Environments 
• ISOO – CUI – Destruction of CUI 
• ISOO – CUI: Unauthorized Disclosure: Prevention and Reporting 

Controlled Unclassified Information [EO 13556]: Information that law, regulation, or government wide policy requires safeguarding or disseminating controls. It excludes Classified Information under Executive Order 13526, Classified National Security Information, December 29, 2009, any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Term	Definition
Controlled Unclassified Information [EO 13556]	Controlled Unclassified Information (CUI): Information that requires safeguarding or disseminating controls through laws, regulation, or government wide policy. It excludes Classified Information under Executive Order 13526, Classified National Security Information, December 29, 2009, any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
CUI categories [32 CFR 2002]	Types of Information requiring (or permitting) agencies to exercise safeguarding or dissemination controls through laws, regulations, or government wide policies. and which the CUI Executive Agent has approved and listed in the CUI Registry
CUI Executive Agent [32 CFR 2002]	The National Archives and Records Administration (NARA) implements the executive branch-wide CUI Program and oversees federal agency actions to comply with Executive Order 13556. NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO).
CUI program [32 CFR 2002]	The executive branch program standardizes CUI handling by all Federal agencies. The program includes CUI’s rules, organization, and procedures, established by Executive Order 13556, 32 CFR Part 2002, and the CUI Registry.
CUI registry [32 CFR 2002]	The CUI Registry is an online repository for all information, guidance, policy, and requirements for handling CUI, including everything issued by the CUI Executive Agent (other than 32 CFR Part 2002). The CUI Registry identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.
Federal Information System [40 USC 11331]	An information system used or operated by an executive agency, contractor of an executive agency, or another organization on behalf of an executive agency.
External Network	An external network is a network not controlled by your business organization.
External System Service Provider	A provider of external system services to an organization through broad consumer-producer relationships. These include joint ventures, business partnerships, outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements), licensing agreements, or supply chain exchanges.
FIPS-Validated Cryptography	A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module requires employing a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography.   Information on validated cryptographic modules.
Incident [44 USC 3552]	An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of a breach of law, security policies, security procedures, or acceptable use policies
Information Resources [44 USC 3502]	Information and related resources include personnel, equipment, funds, and information technology.
Information Security [44 USC 3552]	Protecting information and systems from unauthorized access, disclosure, disruption, modification, or destruction. Information Security provides confidentiality, integrity, and availability.
Information System [44 USC 3502]	An Information System is a discrete set of information resources organized for collecting, processing, maintaining, using, sharing, disseminating, or disposing of information.
Information Technology [OMB A-130]	Information Technology is any service, equipment, or interconnected system(s) or subsystem(s) of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. Information Technology includes: Computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware, and similar procedures, services (including cloud computing and helpdesk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment acquired by a contractor incidental to a contract that does not require its use.
Insider Threat	Insider Threat is the threat that an insider will use their authorized access, wittingly or unwittingly, to harm the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or the loss or degradation of departmental resources or capabilities.
Internal Network	A network where establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or the cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (concerning confidentiality and integrity). An internal network is typically organization-owned yet may be organization-controlled while not being organization-owned.
Least Privilege	Least Privilege is a principle of designing security architecture to grant the minimum system authorizations and resources needed for employees to perform their functions.
Malicious Code	Malicious code is software or firmware intended to perform an unauthorized process that harms a system’s confidentiality, integrity, or availability. Examples are a virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
Media [FIPS 200]	Physical devices or writing surfaces include magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not display media) onto which information is recorded, stored, or printed within a system.
Mobile Code	Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.
Mobile Device	A portable computing device with a small form factor such that a single individual can easily carry it. It’s designed to: Operate without a physical connection (e.g., wirelessly transmit or receive information), possess local, nonremovable/removable data storage, and it has a self-contained power source. Mobile devices may also include voice communication capabilities, onboard sensors that allow the devices to capture information or built-in features that synchronize local data with remote locations. Examples include smartphones, tablets, and E-readers.
Multifactor Authentication	Multifactor Authentication uses two or more different factors to achieve Authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric)
Nonfederal Organization	An entity that owns operates, or maintains a nonfederal system.
Nonfederal System	A system that does not meet the criteria for a federal system.
Network	A Network is an implemented system with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
Network Access	Access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide-area network, Internet).
Organization [FIPS 200, Adapted]	An Organization is an entity of any size, complexity, or position with a hierarchical structure.
Personnel Security [SP 800-53]	Personnel Security is the discipline of assessing individual conduct, integrity, judgment, loyalty, reliability, and stability for duties and responsibilities requiring trustworthiness.
Portable Storage Device	A Portable Storage Device is a system component that can be inserted into and removed from another system. They store data or information (e.g., text, video, audio, and image data). And they typically use magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).
Potential Impact [FIPS 199]	The Potential Impact is the expected loss of confidentiality, integrity, or availability: (i) a limited adverse effect (FIPS Publication 199 low); (ii) a serious adverse effect (FIPS Publication 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS Publication 199 high) on organizational operations, organizational assets, or individuals.
Privileged Account	A Privileged Account is a system account with authorizations of a privileged user.
Privileged User	A Privileged User has authorization (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Remote Access	Remote Access allows a user (or a process acting on behalf of a user) to communicate through an external network (e.g., the Internet).
Remote Maintenance	People conduct Remote Maintenance activities by communicating through an external network (e.g., the Internet).
Replay Resistance	Replay Resistance protects against the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.
Risk [OMB A-130]	Risk measures the extent to which a potential circumstance or event threatens an entity. It typically functions as (i) the adverse impact or magnitude of the harm that would arise if the circumstance or event occurs and (ii) the likelihood of occurrence.
Risk Assessment [SP 800-30]	A Risk Assessment identifies risks to organizational operations (including mission, functions, image, and reputation), corporate assets, individuals, other organizations, and the Nation resulting from the operation of a system.
Sanitization	Sanitation is the action to render data written on media unrecoverable by ordinary and extraordinary means. Some forms of sanitization remove information from media such that data recovery is impossible. It includes removing all classified labels, markings, and activity logs.
Security Control [OMB A-130]	Security Control(s) are the safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
Security Control Assessment [OMB A-130]	A Security Control Assessment is the testing or evaluation of security controls to determine the extent the controls are: implemented correctly, operating as intended, and producing the desired outcome to meet the security requirements for an information system or organization.
Security Domain [CNSSI 4009, Adapted]	A Security Domain implements a security policy administered by a single authority.
Security Functions	Security Functions are the hardware, software, or firmware of the system responsible for enforcing system security policy and supporting the isolation of the system’s code.
Split Tunneling	Split Tunneling allows a remote user or device to establish a non-remote connection with a system and simultaneously communicate via another connection to a resource in an external network. This network access method enables users to access remote devices (e.g., a networked printer) simultaneously while accessing uncontrolled networks.
System Component [SP 800-128]	A discrete, identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware.
System Security Plan (SSP)	A document that describes how an organization meets the security requirements for a system. Or how an organization plans to meet the requirements if it doesn’t currently. The System Security Plan describes the system boundary, the environment in which the system operates, the implementation of the security requirements, and the relationships with or connections to other systems.
System Service	a system’s capability to process, store, and transmit information.
Threat [SP 800-30]	A Threat is a circumstance or event that can adversely impact operations, assets, individuals, other organizations, or the Nation. In a system, a threat arises through unauthorized access, destruction, disclosure, modification of information, or denial of service.
System User	A System User is an individual or (system) process acting on behalf of an individual authorized to access a system.
Whitelisting	Whitelisting is a process to identify software programs authorized to execute on a system or authorized Universal Resource Locators (URL)/websites.
Wireless Technology	Wireless technology allows information transfer between separated points without a physical connection. Wireless technologies include microwave, packet radio (ultra-high-frequency or very high frequency), 802.11x, and Bluetooth.

Acronym	Term
2FA	2-Factor Authentication
C3PAO	CMMC 3rd Party Assessment Organization
CFR	Code of Federal Regulations
CMMC	Cybersecurity Maturity Model Certification
CNSS	Committee on National Security Systems
CUI	Controlled Unclassified Information
CISA	Cybersecurity and Infrastructure Security Agency
DMZ	Demilitarized Zone
FAR	Federal Acquisition Regulation
FCI	Federal Contract Information
FIPS	Federal Information Processing Standards
FISMA	Federal Information Security Modernization Act
IoT	Internet of Things
IP	Internet Protocol
ISOO	Information Security Oversight Office
IT	Information Technology
ITL	Information Technology Laboratory
MFA	Multi-Factor Authentication
NARA	National Archives and Records Administration
NFO	Nonfederal Organization
NIST	National Institute of Standards and Technology
OMB	Office of Management and Budget
POA&M	Plan of Actions and Milestone
RP	Registered Practitioner
RPO	Registered Provider Organization
SP	Special Publication
VoIP	Voice over Internet Protocol