As the CMMC ecosystem grows, it is starting to get hard to track all the key players and concepts. This page is meant as an easy to understand “who’s who” and “what’s what” for the CMMC.
This CMMC glossary of terms is ordered so that each term builds on the previous terms. If you are new to CMMC, it is recommended to read this list from top to bottom.
Please comment or send us an email if you would like to see a new item added to the glossary, or if any information is wrong / needs to be updated. Please always double-check the source (links included where possible).
Thanks to Kieri Solutions for authoring this CMMC glossary of terms and definitions!
Department of Defense (DoD)
The Department of Defense is an executive branch of the United States Federal Government. Its mission is to provide combat-credible military forces needed to deter war and protect the security of our nation. With a budget of $716 billion, 2.15 million service members, and 732,000 civilians, it is America’s largest employer.
The Department of Defense (specifically the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is the government agency that is responsible for creating the CMMC model.
Defense Contractors are organizations which provide products or services to the Department of Defense. They are generally privately-owned companies who have at least one contract with the Department of Defense. Note: while most Defense Contractors are located and operated within the United States, there are many overseas and multinational companies which provide products and services to the DoD.
Federal Acquisition Regulation (FAR)
The Federal Acquisition Regulation is an almost 2000 page document (as of 2019) which is used to standardize policies and procedures for any contract made with the United States Federal Government (including Department of Defense).
Federal contractors have to follow this regulation during bidding and performance on contracts.
This is one small section of the Federal Acquisition Regulation.
The Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information applies to any Federal contractor that processes Federal Contract Information (FCI). This rule also applies to DoD contracts.
This rule states that contractors are required to apply 15 cyber security and facilities security best practices to protect their information systems. These best practices are known as the FAR Critical 15 or FAR Critical 17 and are re-stated in the CMMC Level 1 requirements.
Federal Contract Information (FCI)
Federal Contract Information is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
Examples of FCI: Emails between a contractor company and government personnel. Order quantities and arrangements. Pretty much any document or file that is provided by the government during a contract that isn’t public information.
Related: FCI and scope discussion
Defense Federal Acquisition Regulation Supplement (DFARS)
DFARS is a published supplement to the Federal Acquisition Regulation (FAR) which adds additional guidance and requirements for DoD contracts.
DFARS 252.204-7012 Safeguarding Covered Defense Information
This is a small section of the Defense Federal Acquisition Regulation Supplement.
DFARS 252.204-7012 is a roughly 3-page contract clause currently required in all contracts with the Department of Defense, except those that are solely for the purchase of Commercial-Off-The-Shelf (COTS) products. (COTS products are sold to the general public and are not customized before delivery).
In other words, if a defense contractor provides services or customization as part of a DoD contract, their contract will include this requirement. Reference: defense.gov – “Safeguarding Covered Defense Information – The Basics”
The requirements in DFARS 252.204-7012 are very tough to implement for most companies. Key terms included in it are:
- Controlled Unclassified Information (CUI)
- Controlled Technical Information (CTI)
- NIST Special Publication 800-171 (NIST SP 800-171)
- Defense Industrial Base (DIB)
- Defense Industrial Base Cybersecurity Program (DIBNet)
- Federal Risk and Authorization Management Program (FedRAMP)
- Medium Assurance Certificate
- DoD Cyber Crime Center (DC3)
Resource: The DoD Procurement Toolbox hosts a FAQ document which addresses questions about DFARS 252.204-7012 and other regulations.
DFARS 252.204-7021 Cybersecurity Maturity Model Certification
This section of the Defense Federal Acquisition Regulation Supplement has been proposed as an Interim Rule, to go into effect on November 30, 2020.
For contracts which include the 252.204-7021 clause, at the time of award, the contractor will need to provide evidence of holding a CMMC certification. The specific CMMC certification level will be identified on a contract-by-contract basis.
After November 30, 2025, all DoD contracts are expected to include the 252.204-7021 clause. In other words, after 2025, all DoD contractors will need at least CMMC level 1 in order to participate in contracts.
Cybersecurity Maturity Model Certification (CMMC)
The CMMC was spearheaded by Ms. Katie Arrington, the chief information security officer for the Department of Defense’s Acquisition and Sustainment office.
Per the DoD’s CMMC website, “The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.”
The major players in the CMMC are
- Department of Defense (specifically the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))
- CMMC Accreditation Body (CMMC-AB)
- Carnegie Mellon University Software Engineering Institute (SEI)
- CMMC-Center of Excellence (CMMC-COE) / IT Acquisition Advisory Council (IT-AAC)
Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is information that the government creates or possesses, or that an entity creates or possesses for or on-behalf of the government. It also needs to fit into a category that the United States Federal Government identifies as needing special safeguarding or dissemination controls.
In layman’s terms: CUI is sensitive (but not classified) information that the U.S Government wants to keep private. Examples are weapons test data or information about military personnel.
The National Archives (archives.gov) maintains a list of the categories of information that are considered CUI.
Defense Contractors are required to safeguard CUI on their networks according to DFARS 252.204-7012.
This PowerPoint released by the DoD has additional training about CUI and the difference between it and other data types like Classified and FOUO.
This “Mandatory CUI Training” from the DoD is also available for free.
Covered Defense Information (CDI)
Covered Defense Information is defined in DFARS 252.204-7012 as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry…” and is either marked and provided by the DoD, or generated by the contractor during a contract.
In layman’s terms: CDI is synonymous with CUI.
Controlled Technical Information (CTI)
Controlled Technical Information is a sub-category of CUI specific to Defense. As a sub-category of CUI, it is affected by requirements that apply to CUI.
NIST Special Publication 800-171 (NIST SP 800-171)
NIST SP 800-171 is a 113 page document published by the National Institute of Standards and Technology (NIST). It provides “recommended security requirements for protecting the confidentiality of CUI… when the CUI is resident in a nonfederal system and organization.”
This document lists 110 security requirements with guidance on how to implement them. These requirements are re-stated in CMMC levels 1-3.
Defense Industrial Base (DIB)
The Defense Industrial Base is defined as “the worldwide industrial complex that enables research and development, as well as design, production, delivery and maintenance of military weapons systems/software systems, subsystems, and components or parts, as well as purchased services to meet US Military requirements.”
Many (most?) (almost all?) Defense Contractors are considered to be part of the Defense Industrial Base.
The DIB is identified as a Critical Infrastructure Sector by the Department of Homeland Security.
Critical Infrastructure or Essential Critical Infrastructure
Per a March 20, 2020 memo from the Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord:
“If your contract or subcontract supports the development, production, testing, fielding, or sustainment of our weapon systems/software systems, or the infrastructure to support those activities. If your efforts support manning, training, equipping, deploying, or supporting our military forces, your work is considered Essential Critical Infrastructure.”
This term is important because vulnerability data for Critical Infrastructure is a category of CUI. This means that cybersecurity vendors that provide compliance portals, security vulnerability assessments, consulting, and audits for Critical Infrastructure companies will be creating, storing, and/or processing CUI.
Defense Industrial Base Cybersecurity Program (DIBNet)
The Defense Industrial Base Cybersecurity Program (DIBNet) is meant to “enhance and supplement DIB participants’ capabilities to safeguard DoD information that resides on or transits DIB unclassified networks or information systems. This public-private cybersecurity partnership is designed to improve DIB network defenses, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness.”
Defense contractors subject to DFARS 252.204-7012 are required to report cyber incidents to DIBNet.
The DIBNet portal can be reached at: https://dibnet.dod.mil/
Federal Risk and Authorization Management Program (FedRAMP)
The Federal Risk and Authorization Management Program (FedRAMP) promotes the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.
DFARS 252.204-7012 says that if an external cloud provider is used to store, process, or transmit any Covered Defense Information (aka CUI), the cloud provider needs to meet security requirements equivalent to the FedRAMP Moderate baseline.
Medium Assurance Certificate
In order to report a cyber incident to DIBNet, you need to have been issued a Medium Assurance Certificate. In layman’s terms, this is a digital ID which only provides “medium assurance” of your identity (because they don’t verify your identity in person).
To get this certificate, you need to photocopy your IDs, get a form certified, and pay a fee that is roughly $100 per year of certificate validity.
More information can be found here: http://public.cyber.mil/eca
DoD Cyber Crime Center (DC3)
The DoD Cyber Crime Center (DC3) is listed in DFARS 252.204-7012 as the point of contact to send malware samples to. The DC3 also operates the cyber incident report portion of the DIBNet portal.
Their contact information can be found here: https://dibnet.dod.mil/portal/intranet/
The Model, or CMMC Model
The CMMC Model refers to official documents published by the DoD which describe requirements for maturity and secure practices. Over time, more official documents which identify assessment scope and assessment pass/fail criteria are expected to be published.
Carnegie Mellon University Software Engineering Institute (SEI)
The Software Engineering Institute (SEI), along with Johns Hopkins Applied Physics Laboratory (APL), lead the development of the CMMC.
As authors, SEI and APL have quite a bit of authority in interpreting the CMMC model.
CMMC Accreditation Body (CMMC-AB)
The CMMC Accreditation Body (CMMC-AB) is a private sector, non-profit organization. The DoD has granted the CMMC-AB official responsibility for some aspects of the CMMC rollout. It has the following mission:
“The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.”
In layman’s terms:
- The CMMC-AB was granted authority by the DoD to manage and accredit private-sector trainers and auditors for the CMMC.
- The CMMC-AB is not responsible for the CMMC model (the DoD has that), but for building the infrastructure to roll it out to Defense Contractors.
- The CMMC-AB is expected to fund itself via fees from assessments, training, and certification programs.
- The CMMC-AB is responsible for performing quality control on C3PAOs and assessments.
The CMMC Assessment Guides
The CMMC Assessment Guides (version 1.10) were published in late December 2020. A significant update is expected in March-April 2021.
These guides are the most relevant source of information to understand CMMC practice requirements and whether implementation scenarios would pass a CMMC assessment.
The guides are owned by DoD’s Acquisition and Sustainment team for CMMC: https://www.acq.osd.mil/cmmc/draft.html
CMMC Maturity Level 1-5 (ML#)
ML stands for Maturity Level. This term is used to describe the security practices successfully implemented by a CMMC-assessed Defense Contractor and verified during an audit sanctioned by the CMMC-AB
In casual use, “CMMC Level #” is synonymous with “CMMC ML#”
CMMC Registered Practitioner (RP)
Registered Practitioner is a person who has completed training about the CMMC, passed a background check, and signed the CMMC-AB’s code of conduct. The CMMC-AB does not warrant their skills or abilities, but will revoke their badge if they violate the code of conduct.
Learn more about the RP program here.
CMMC Certified Practitioner (CP)
Certified Practitioner is a cybersecurity professional who has been sanctioned to work on an assessment team (but not lead an assessment) by the CMMC-AB. This is the entry level assessor qualification.
Learn more about Certified Professional and Certified Assessors here.
CMMC Certified Assessor Level 1-5 (CA#)
Certified Assessor (CA) is a cybersecurity professional who has been sanctioned to lead CMMC assessments. The CA# corresponds to the highest ML# that the professional is authorized to assess.
Learn more about Certified Professional and Certified Assessors here.
CMMC Third-Party Assessor Organization (C3PAO)
C3PAO refers to organizations (generally cybersecurity or accounting firms) which have CPs and CAs on staff to perform assessments. The C3PAO is the entity that contracts with Defense Contractors seeking CMMC Maturity Level certification. The C3PAO is the first line of quality control for audits.
Learn more about C3PAOs here.
CMMC Assessors and Instructors Certification Organization (CAICO)
CAICO stands for the CMMC Assessors and Instructors Certification Organization. This is an organization that will coordinate training and ensure quality among CMMC professionals (individuals). This organization is still in extremely early stages (just planning, mostly) as of February 2021.
Learn more about the CAICO here.
CMMC Body of Knowledge (CMMC-BOK)
The CMMC-BOK is information on standards, practices, implementation, scenarios, best practices, and exam-specific learning objectives. The CMMC-AB expects to maintain this official knowledge set.
CMMC Licensed Partner Publisher (LPP)
CMMC Licensed Partner Publishers (LPPs) are approved by the CMMC-AB to develop and publish CMMC training materials.
CMMC Licensed Training Provider (LTP)
CMMC Licensed Training Providers (LTPs) are approved by the CMMC-AB to…
Actually, there isn’t an official page on this topic yet. Per webinars published by the CMMC-AB, the intent seems to be that LTPs will be organizations that are authorized to offer CMMC training courses using CMMC official curriculum.
CMMC Licensed Instructor (LI)
CMMC Licensed Instructors (LIs) are approved by the CMMC-AB to…
Actually, there isn’t an official page on this topic yet. Per webinars published by the CMMC-AB, the intent seems to be that LIs will be the only people authorized to actually teach CMMC classes (generally these will be classes to prepare for certified professional or certified assessor). LIs will need to meet requirements for the equivalent CMMC CA level that they are teaching.
Q&A video about status of training: CAICO and current state of CMMC training – Ben Tchoubineh (CMMC-AB)
System Security Plan (SSP)
A System Security Plan (SSP) is normally a document (or several documents) created by a cybersecurity professional which describes the information system of an organization. This document is expected to be very detailed and in-depth about the network, devices connected to the network, software in use, clouds in use, and security requirements that have been implemented (or not).
Creating and maintaining an SSP is listed as one of the requirements in NIST SP 800-171. Creating and maintaining an SSP is also listed as a CMMC Level 2 practice (CA.2.157). Per the reporting procedures supplement to DFARS 252.204-7012, after a cyber incident, the DoD Cyber Crime Center may request a copy of the SSP for review.
SSPs are often more than 100 pages long, and should be updated regularly as the information system changes. This document may contain vulnerability information about Critical Infrastructure companies.
Plan of Action and Milestones (POA&M)
Note: The formal requirement statements call this a “Plan of Action” or “POA”. Most industry members use the term POA&M.
A Plan of Action and Milestones (POA&M) is normally a document created by a cybersecurity professional which identifies missing security requirements and lays out a plan to resolve them. This document is expected to contain mid-or-high level tasks and milestones to reach a certain cybersecurity goal. This goal could be full compliance with NIST SP 800-171 (currently) or in the future, it could be a goal to reach a higher level of CMMC maturity.
Creating and maintaining a POA&M is listed as one of the requirements in NIST SP 800-171. Creating and maintaining POA&M(s) is also listed as a CMMC Level 2 practice (CA.2.159).
Editor’s note: POA&Ms are one of the key ways to show process maturity. They should show that you have properly funded and allocated resources to your remediation efforts. They should show progress (completion of tasks and milestones) over time.
Enterprise Mission Assurance Support Service (eMASS) is a web-based Government solution which is designed to support cybersecurity management. This is the Compliance Platform that DoD programs use internally to manage their cybersecurity compliance.
eMASS is used for DoD mission networks and historically has not been associated with Defense Contractor compliance. Access to private sector is restricted. However, the CMMC will need to record assessments and hold certification status for thousands of companies in a central place. eMASS is the most likely solution.
Thanks for the read!
If you haven’t yet, I recommend checking out this article next: Policy templates and tools for CMMC compliance.
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. She specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. She is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.