While you don’t need to become a policy expert, it will be helpful to master some basic CMMC vocabulary. You’ll encounter these terms throughout your journey to CMMC compliance.
CMMC acronyms you need to know
Cisco Certified Internetwork Expert is a series of technical certifications for senior networking professionals who design, build, implement, maintain and troubleshoot complex enterprise networking infrastructures.
Cisco Certified Network Professional Security personnel manage security in Routers, Switches, Networking Devices, and appliances. The certified professional is responsible for configuring, supporting, and resolving Firewalls, VPNs, and IDS/IPS solutions for their networking environment.
Certified Information Systems Security Professional is an information security certification developed by the International Information Systems Security Certification Consortium, also known as (ISC)².
The Cybersecurity Maturity Model Certification covers three maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” In time, you will need to demonstrate CMMC compliance to do business – as a prime or subcontractor – with the U.S. Department of Defense.
The CMMC Accreditation Body oversees a community of qualified, trained, and trustworthy assessors who can assess your performance against the controls and best practices outlined in CMMC. CyberSheath is one of the Registered Provider Organizations (RPOs).
Controlled Unclassified Information is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. All CUI in possession of a government contractor is FCI, but not all FCI is CUI.
48 CFR 52.204-21
Federal acquisition regulation (FAR) 48 CFR 52.204-21 spells out 15 basic cybersecurity controls for contractor information systems upon which “Federal Contract Information” is stored, processed, or transmitted. These FAR cybersecurity controls also form the basis for the Cybersecurity Maturity Model Certification (CMMC) Level 1.
DFARS Clause 252.204-7012
Clause 252.204-7012 is entitled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This is the regulation that requires contractors that do business with the DOD to comply with NIST 800-171.
DFARS Clause 252.204-7021
Clause 252.204-7021 is a newer regulation that establishes a timetable for DOD contractors to comply with Cybersecurity Maturity Model Certification requirements.
DFARS Clause 2019-D041
Finalized and enacted as law in 2020, Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Clause 2019-D041) “requires a contractor to provide the Government with access to its facilities, systems, and personnel when it is necessary for DOD to conduct or renew a higher-level Assessment.” This clause also requires contractors to ensure that applicable subcontractors have uploaded results of a current DOD Assessment (“Basic,” “Medium,” or “High”) to the Supply Performance Risk System (SPRS) before awarding any subcontracts. Further, the clause requires that it flow down to other subcontractors.
Data Loss Prevention makes sure that users do not send sensitive or critical information outside the corporate network. The term describes software products that help a network administrator control the data that users can transfer.
The defense industrial base is the collection of organizations that support the mission of the Department of Defense. DIB includes some of the nation’s largest aerospace and defense corporations, as well as thousands of smaller businesses that contribute to the successful execution of DOD missions.
Endpoint Detection and Response, also known as endpoint threat detection and response (ETDR), is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.
Federal Contract Information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
The Federal Risk and Authorization Management Program provides a standardized approach to security authorizations for Cloud Service Offerings. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information, and helps accelerate the adoption of secure, cloud solutions.
Federal Information Processing Standards is a set of standards that describe document processing, encryption algorithms and other information technology processes for use within non-military federal government agencies and by government contractors and vendors who work with these agencies.
The Federal Information Security Management Act is United States legislation that defines a framework of guidelines and security standards to protect government information and operations.
Foreign Ownership, Control or Influence is a company considered to be operating under FOCI whenever a foreign interest has the power, direct or indirect, whether or not exercised, and whether or not exercisable, to direct or decide matters affecting the management or operations of that company in a manner which may result in unauthorized access to classified information or may adversely affect the performance of classified contracts.
Microsoft maintains several clouds, including Microsoft Office 365 (Commercial) and Office 365 GCC (Government Community). Additionally, Microsoft created a cloud specifically for DOD, with authorization for impact Level 5 in Azure Government. GCC High is yet another cloud designed for other agencies and contractors that are not permitted access to the GCC Level 5 environment.
Multi-factor Authentication is a security feature offered by many websites, applications and devices that dramatically improves account security. Sometimes MFA is also referred to as Two-Factor Authentication or 2FA. Technically, MFA could refer to a system where there are more than two forms of authentication.
A Managed Security Services Provider is a third party that supports an organization in addressing specific compliance requirements. This includes providing not only the technical support but also guidance on policy, practice, and cultural changes necessary to attain and maintain compliance. CyberSheath is one of the largest and most experienced MSSPs focused on CMMC Compliance.
The U.S. National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect federal agencies’ information and IT systems. NIST 800-171, Protecting Controlled Unclassified Information In Nonfederal Information Systems and Organizations, was first published in June 2015 but has since been updated in response to evolving cyberthreats. It offers guidelines on how to securely access, transmit, and store CUI in nonfederal information systems and organizations.
As part of any NIST 800-171/CMMC assessment, you should create Plans of Action & Milestones to map out next steps for remediation.
A Security Incident & Event Management system combines Security Event Management (SEM), which analyzes event and log data in real-time to provide event correlation, threat monitoring, and incident response, with Security Information Management (SIM), which gathers and analyzes log data and generates a report.
Supply Performance Risk System is DOD’s single, authorized application to retrieve information about a supplier’s performance. This web-enabled enterprise application gathers, processes, and displays data about supplier performance – including compliance with NIST 800-171.
A System Security Plan is a “living” document that articulates an organization’s security posture.
Security Orchestration, Automation, and Response refers to a collection of software solutions and tools that allow organizations to streamline security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.
Need greater understanding of all things CMMC?
The best partner to help you follow the rules is the one that helped write them. At CyberSheath, our executives have been involved in development of the first and every version of DOD cybersecurity initiatives since 2008. If you need any assistance navigating the cybersecurity standards and applying them to your business, contact us.
*Note: acronyms sourced through internet search, product and government documentation.