Glossary

Artifacts 
Artifacts are physical and reversible recordings that are the direct result of a practice or process being carried out by a system, person, or people playing a role in that practice, control, or process. They can be a hard, soft, or electronic copy of a document or file in the system or program, but they must be the result or product of a process performed within the organization seeking certification (OSC).
Assessment 
An assessment is a formal procedure for evaluating an organization’s level of performance in all of the CMMI and/or CMMC practice areas in the context of that organization’s specific model. Assessments can only be conducted by a Certified CMMC Assessor (CCA).
C3PAO 
A CMMC 3rd Party Assessment Organization (C3PAO) is an organization that has been approved by the Cyber AB to carry out certified assessments or to give advisory guidance to organizations with CMMC certification. SteelToad is the first C3PAO to be authorized in the State of Maryland.
CAICO 
CAICO is the acronym representing the CMMC Assessors and Instructors Certification Organization. They are the specialized CMMC body that supports the education, testing, development, and professional certification of those inside the CMMC Ecosystem.
CCA 
A Certified CMMC Assessor, or CCA, is a person who has successfully fulfilled all of the CMMC Assessors and Instructors Certification Organization’s (CAICO’s) certification program requirements for Level 2 CMMC Assessor certification. If a Provisional Assessor (PA) passes the relevant certification exam(s), they will eventually become a CCP.
CCI 
A CCI is a Certified CMMC Instructor: a person who has successfully fulfilled all of the CMMC Assessors and Instructors Certification Organization’s (CAICO’s) certification program requirements for CMMC Instructor certification. In order to become a CCI, a Provisional Instructor (PI) must ace the relevant certification test.
CCP 
A CCP is a Certified CMMC Professional: a person who has fulfilled all of the CMMC Assessors and Instructors Certification Organization’s (CAICO’s) certification program criteria for Level 1 CMMC Assessor certification. In order to become a CCP, a Provisional Assessor (PA) must ace the relevant certification test.
CISA 
The Cybersecurity and Infrastructure Security Agency. Its mission is to prepare for, respond to, and mitigate cyber attacks.
CMMC 
CMMC is an acronym for The Cybersecurity Maturity Model Certification, a set of requirements defined by the Department of Defense (DoD) that will be used to evaluate an organization or a business undergoing the CMMC evaluation process in order to be certified at a certain level for a certain environment. It is a set of standards that is still in the embryonic stage of development and is constantly undergoing updates to be more efficient.
CMMC Ecosystem 
The CMMC Ecosystem is just a technical term for the established community made up of Certified CMMC Professionals (CCPs), Certified CMMC Assessors (CCAs), CMMC Assessment Teams, Registered Practitioners (RPs), and Registered Practitioner Organizations (RPOs), who advise and help Defense Industrial Base (DIB) firms adopt CMMC standards and practices.
CoPC 
CoPC is the shortened name for the Code of Professional Conduct. Most organizations already have one. In this context, however, a CoPC refers to a document signed by all personnel in the CMMC ecosystem that explains the DoD’s and The Cyber AB’s expectations, responsibilities, and rules for conducting work on their behalf.
CUI 
CUI is an acronym that stands for controlled unclassified information. It is information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, the amended Atomic Energy Act of 1954, or any predecessor or successor order, but not information that is protected or controlled from disclosure in accordance with laws, regulations, and government-wide policies.
Defense Supply Chain 
The Defense Supply Chain (DSC) consists of the global network of companies that design, manufacture, deliver, and maintain the weapons systems, parts, and components needed by the U.S. military.
DIACAP 
DoD Information Assurance Certification and Accreditation Process, the predecessor to RMF for the DoD. It ended in 2015 and was replaced with RMF.
DOD 
DoD is the shortened form of the U.S. Department of Defense. As of 2023, the Department of Defense has required any organizations or businesses, contractors and/or subcontractors, and consultants that seek to deliver a good or service to the government to be certified in CMMI and CMMC practices.
DOD CIO 
DOD CIO is the shortened term for the Department of Defense’s Chief Information Officer, who advises the Secretary of Defense. This position entails supervising several national security and defense business systems, managing information resources, and identifying efficiencies.
eMASS 
eMASS stands for Enterprise Mission Assurance Support Service. To simplify, it is an online record tool hosted by the U.S. Department of Defense that manages a wide variety of cybersecurity management functions. It is the repository for CMMC Assessment data and reporting.
FCI 
FCI is an acronym that stands for federal contract information. It is defined as information that is generated for or provided by the government under a contract to develop or deliver a good or service, but excludes information that the government makes available to the general public (such as on public Web sites) and simple transactional information, i.e., information needed to process payments.
FedRAMP 
FedRAMP is an acronym that stands for “Federal Risk and Authorization Management Program.”
FISMA 
FISMA is an acronym for the “Federal Information Security Management Act.”
FISMA 2014 
The Federal Information Security Modernization Act of 2014, which updates the government's cybersecurity practices.
Gap Analysis 
A Gap Analysis is an examination of an organization seeking certification’s (OSC’s) practice areas within the context of that organization’s CMMI model in order to identify issues, obstacles, and potential dangers to long-term adoption. It is typically conducted by an individual or a third-party organization that is a registered CMMC 3rd Party Assessment Organization (C3PAO).
Governance 
Governance is the term that umbrellas all the policies, methods, and controls used by an organization seeking certification (OSC) to ensure long-term viability and continuous improvement in the detection, prevention, and quick reaction to cyber threats and issues.
LPP 
An LPP is a Licensed Publishing Partner of the CMMI Institute. They develop the CMMC curriculum for licensed training providers (LTPs) to use during CMMC training.
LTP 
An LTP is a Licensed Training Provider of the CMMC curriculum. They provide services such as training and development to organizations learning the CMMC standards and guidelines.
NIST 
National Institute of Standards and Technology
NIST SP 500-83 
This NIST Special Publication provides a catalog of security and privacy controls for all U.S. Federal information systems except those related to national security.
NIST SP 800-171 
This doozy of an acronym is the shortened term for the phrase “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Simply put, it symbolizes the protection of unclassified information in businesses and organizations in non-government entities.
NIST SP 800-171A 
This acronym is the shortened term for the phrase “Assessing Security Requirements For Controlled Unclassified Information.”
NIST SP 800-172 
This acronym is treated as a companion to NIST SP 800-171 (the Protection of Controlled Unclassified Information in Nonfederal Systems and Organizations). It stands for “Enhanced Security Requirements for Protecting Controlled Unclassified Information.”
NIST SP 800-37 Rev. 1 
The guidelines for establishing RMF: “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.” Published in 2010, it originally had only 6 steps in the RMF lifecycle. It was withdrawn in 2019 and replaced by Rev. 2.
NIST SP 800-37 Rev. 2 
Revision 2 of the guidelines for establishing RMF: “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.” It added the Prepare step.
NIST SP 800-60 
Reports on ITL’s research, guidelines, and outreach efforts in information system security and its collaborative activities with industry, government, and academic organizations.
OMB 
Office of Management and Budget
OSC (Organization Seeking Certification) 
An OSC is simply an Organization Seeking Certification. Organizations that wish to work with the Department of Defense (DOD), or the businesses that typically seek SteelToad’s services, are considered OSCs.
OSC Assessment Official 
Organizations seeking certification (OSCs) must have an OSC Assessment Official, who is directly and actively responsible for leading and directing OSC assessment activities. They hold the decision-making power over the CMMC Assessment Process (CAP). One requirement for an Assessment Official is that they must be a current member of the organization being evaluated.
RP 
Remember RPOs (registered practitioner organizations)? An RP is the same, just minus the O. An RP is a registered practitioner who offers consultation services such as non-certified CMMC guidance. It is important to note that the official CMMC Assessment procedure does not include RPs.
RPO 
RPO stands for Registered Practitioner Organization: an entity permitted to use a CMMC-AB logo to portray itself as associated with the fundamental structures of the CMMC Standard and officially authorized to provide non-certified CMMC Consulting Services.
Scope 
Scope is the extent of what will be evaluated for conformity: the assets within the organization seeking certification’s (OSC’s) environment that are targeted for CMMC Assessment because they interact with sensitive information.
SPRS 
SPRS is an acronym that stands for Supplier Performance Risk System. This Defense Information Systems Agency (DISA) database allows firms to disclose their self-assessment cybersecurity ratings.
SSP 
An SSP is a system security plan. It’s a formal document generated by the owner of the information system (or the owner of common security controls for inherited controls) that offers an overview of the system’s security needs and details the security controls in place or intended to fulfill those requirements. Other critical security-related documents can be included as supporting appendices or references in a plan, including risk assessments, privacy impact assessments, system interconnection agreements, contingency plans, configuration management plans, security configurations, and incident response plans.
Stakeholder 
A stakeholder is anyone who is interested in or concerned about the success of your business. This can vary wildly from friends and family to financial investors and manufacturers. Interviews with them are a great way to get insight and build context.
The Cyber AB 
The Cyber AB is the exclusive approved non-governmental partner of the U.S. Department of Defense (DOD) in setting up and managing the CMMC conformance regime. It serves as the official accrediting body of the Cybersecurity Maturity Model Certification (CMMC) Ecosystem.