Many terms and acronyms are used by, and associated with, the US Government, the DoD and CMMC certification.
To make things easier for you, we have put together a collection of the terms and acronyms most commonly used by the DoD and in the CMMC ecosystem.
Limiting information system access to authorized users only.
Creating and maintaining audit logs to track user activities.
Providing basic cybersecurity awareness training to all employees.
A visual representation of the scope of the CMMC assessment, identifying the systems, networks, and data that are subject to the certification requirements.
Certified Third-Party Assessment Organization – An organization authorized to conduct CMMC assessments and issue certifications.
Certified CMMC Assessor – A professional certified to conduct CMMC assessments.
Certified CMMC Professional – A professional certified to assist organizations in preparing for CMMC assessments.
Cybersecurity Maturity Model Certification – A program established by the Department of Defense (DoD) to ensure that contractors have implemented adequate cybersecurity measures to protect sensitive data.
Establishing a baseline configuration for information systems.
The ongoing process of monitoring an organization’s cybersecurity posture to detect and respond to threats and vulnerabilities in real-time.
Controlled Unclassified Information – Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.
Defense Federal Acquisition Regulation Supplement – A set of regulations that provide DoD-specific acquisition regulations that supplement the Federal Acquisition Regulation (FAR).
Defense Industrial Base – The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
Federal Contract Information – Information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, which is not intended for public release.
A method of assessing the differences between the current state and desired state of an organization’s cybersecurity posture, identifying areas that need improvement to achieve compliance.
Ensuring users are uniquely identified and authenticated before accessing systems.
Developing basic procedures to address cybersecurity incidents.
Security controls and objectives that are inherited from a service provider, reducing the burden on the client organization to implement them independently.
Protecting physical and digital media containing sensitive information.
A simulated assessment conducted to prepare an organization for the actual CMMC certification process.
Managed Service Provider – A company that remotely manages a customer’s IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model.
Managed Security Service Provider – A company that provides outsourced monitoring and management of security devices and systems.
National Institute of Standards and Technology Special Publication 800-171 – A publication that provides guidelines for protecting controlled unclassified information in non-federal systems and organizations.
Securing physical access to information systems and facilities.
A collection of policies and procedures that an organization must implement to achieve and maintain CMMC compliance.
The process of addressing and correcting any deficiencies or gaps identified during a CMMC assessment to achieve compliance.
The process by which an organization certifies its own compliance with CMMC requirements, typically on an annual basis.
A framework that outlines the division of responsibilities between the service provider and the client for implementing and maintaining security controls.
Security Information and Event Management – A system that collects, analyzes, and reports on security-related data from various sources within an organization.
Security Operations Center as a Service – A cloud-based service that provides security operations center capabilities, including monitoring, detection, and response.
ProStratus