Glossary of CMMC Terms

For CMMC Level 2 Compliance

Education is the key to success

Many terms and acronyms are used by, and associated with, the US Government, the DoD, and CMMC certification.

To make things easier, we have put together a collection of the terms and acronyms most commonly used by the DoD and across the CMMC ecosystem.

Access Control:

Policies and mechanisms that limit access to systems, networks, and data to authorized individuals only.

Audit and Accountability:

Creating, protecting, and retaining records of system activity so that actions can be traced to the individual user or process that performed them.

Awareness and Training:

Programs designed to educate employees on cybersecurity best practices and potential threats.

Boundary Map:

A visual representation of the scope of the CMMC assessment, identifying the systems, networks, and data that are subject to the certification requirements.

C3PAO:

CMMC Third-Party Assessment Organization – An organization authorized by the Cyber AB to conduct CMMC Level 2 certification assessments and issue certifications. The "C3" stands for "CMMC Third-Party"; the acronym is often mis-expanded as "Certified Third-Party".

CCA:

Certified CMMC Assessor – An individual certified to conduct CMMC Level 2 certification assessments as a member of a C3PAO assessment team.

CCP:

Certified CMMC Professional – A professional certified to assist organizations in preparing for CMMC assessments.

CMMC:

Cybersecurity Maturity Model Certification – A program established by the Department of Defense (DoD) to verify that contractors have implemented adequate cybersecurity measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Configuration Management:

Establishing and maintaining a baseline configuration for information systems, including managing changes to those configurations.

Continuous Monitoring:

The ongoing process of monitoring an organization’s cybersecurity posture to detect and respond to threats and vulnerabilities in real-time.

CUI:

Controlled Unclassified Information – Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.

DFARS:

Defense Federal Acquisition Regulation Supplement – The DoD's set of acquisition regulations that supplement the Federal Acquisition Regulation (FAR). It includes the cybersecurity clauses behind CMMC, such as DFARS 252.204-7012 (safeguarding covered defense information and cyber incident reporting) and 252.204-7021 (CMMC requirements).

DIB:

Defense Industrial Base – The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.

FCI:

Federal Contract Information – Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It excludes information the Government provides to the public (such as on public websites) and simple transactional information, such as that needed to process payments.

Gap Analysis:

A method of assessing the differences between the current state and desired state of an organization’s cybersecurity posture, identifying areas that need improvement to achieve compliance.

Identification and Authentication:

Ensuring users, systems, and processes are uniquely identified and their identities verified before granting access to systems and sensitive information.

Incident Response:

Developing and maintaining a clear plan with defined procedures and tools to detect, respond to, and recover from cybersecurity incidents.

Inherited Policies & Objectives:

Security controls and objectives that are inherited from a service provider, reducing the burden on the client organization to implement them independently. The client remains accountable for the control in its own assessment and must be able to show evidence that the provider actually implements it, typically by documenting the inheritance in a shared responsibility matrix.

Maintenance:

Procedures for performing and controlling system maintenance, including the tools, personnel, and remote sessions used, so that repairs and upkeep keep systems performing well without introducing new security risks.

Media Protection:

Protecting and securely storing all physical and digital media containing sensitive information, including both paper and electronic formats, and sanitizing or destroying that media before it is disposed of or reused.

Mock Assessment:

A simulated assessment conducted to prepare an organization for the actual CMMC certification process.

MSP:

Managed Service Provider – A company that remotely manages a customer’s IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model.

MSSP:

Managed Security Service Provider – A company that provides outsourced monitoring and management of security devices and systems.

NIST SP 800-171:

National Institute of Standards and Technology Special Publication 800-171 – A publication that provides security requirements for protecting controlled unclassified information in non-federal systems and organizations. CMMC Level 2 requires implementation of all 110 security requirements in this publication.

Personnel Security:

Measures to prevent unauthorized access and mitigate insider threats by ensuring individuals with access to critical data are trustworthy.

Physical Protection:

Managing and securing physical access to information systems, facilities, and infrastructure against unauthorized access and physical threats.

Policy Stack:

A collection of policies and procedures that an organization must implement to achieve and maintain CMMC compliance.

Remediation:

The process of addressing and correcting deficiencies or gaps identified during a gap analysis or CMMC assessment to achieve compliance. Under CMMC, a limited set of unmet requirements may be carried on a Plan of Action and Milestones (POA&M) after assessment, but they must be remediated and closed out within 180 days.

Risk Assessment:

Identifying and evaluating risks to the organization’s information systems to implement appropriate security measures.

Security Assessment:

Regular evaluations of the security posture of an organization to ensure compliance with security requirements.

Self-Attestation:

The process by which an organization assesses and affirms its own compliance with CMMC requirements (used for CMMC Level 1 and for Level 2 Self-Assessment), with a senior official affirming continued compliance on an annual basis.

Shared Responsibility Matrix:

A framework that outlines the division of responsibilities between the service provider and the client for implementing and maintaining security controls.

SIEM:

Security Information and Event Management – A system that collects, analyzes, and reports on security-related data from various sources within an organization.

SOCaaS:

Security Operations Center as a Service – A cloud-based service that provides security operations center capabilities, including monitoring, detection, and response.

System and Communications Protection:

Safeguarding the integrity and confidentiality of information transmitted across networks, including monitoring and controlling communications at system boundaries and using approved cryptography to protect data in transit.

System and Information Integrity:

Ensuring the accuracy and reliability of information and protect

Contact us to schedule a comprehensive CMMC readiness consultation and take the first step towards securing your DoD contracts.

ProStratus is CMMC Level 2 Certified RP / RPO / MSP / MSSP
Pre-Assessment & Readiness Support
