
Comprehensive CMMC Glossary of Terms

As a business leader navigating CMMC, the terms and acronyms are abundant. This glossary is your go-to resource, providing clear and straightforward explanations for everything from Controlled Unclassified Information (CUI) to concepts like gap analysis and self-assessment. Whether you're just getting started or already deep into your CMMC journey, this guide will help you confidently understand and communicate the essentials of cybersecurity compliance.

+ AC (Access Control)

The process of granting or denying specific requests to obtain and use information, IT services, and physical access to facilities.

+ APT (Advanced Persistent Threat)

A sophisticated adversary with significant resources employing multiple attack vectors over extended periods to gain unauthorized access.

+ Assessment

The evaluation of security controls against CMMC practices to ensure they are effectively implemented and achieving intended outcomes.

+ Assessment Scope

Defined boundaries of an assessment including systems, networks, processes, technologies, people, and facilities associated with CUI or FCI.

+ Asset

Anything that holds value to an organization, such as data, equipment, systems, networks, or intellectual property.

+ Boundary

Clearly defined limits that determine the scope of a cybersecurity assessment, separating assessed systems from those not under assessment.

+ C3PAO (Certified Third-Party Assessment Organization)

An accredited entity authorized to perform formal CMMC assessments.

+ Certificate Authority (CA)

A trusted entity responsible for issuing digital certificates for secure communication and verification of identity.

+ Compliance Inheritance

An OSC that uses an ESP with compliant systems "inherits" the security controls from the provider.

+ CMMC (Cybersecurity Maturity Model Certification)

A unified cybersecurity standard created by the DoD for the defense supply chain to safeguard sensitive data.

+ Certified CMMC Professional (CCP)

A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 1 CMMC Assessor. A Provisional Assessor (PA) will become a CCP by passing the associated certification exam.

+ CMMC Registered Practitioner

Professionals who provide CMMC implementation consultative services. RPs at any level cannot participate on assessment teams.

+ CMMC Registered Practitioner Organization

An organization authorized to represent itself as familiar with the basic constructs of the CMMC Standard, with a CMMC-AB provided logo, to deliver non-certified CMMC Consulting Services. Signifies that the organization has agreed to the CMMC-AB Code of Professional Conduct.

+ Controlled Unclassified Information (CUI)

Sensitive information requiring safeguarding measures per federal regulations, not classified under executive orders or the Atomic Energy Act.

+ Customer Responsibility Matrix (CRM)

Formerly the Shared Responsibility Matrix (SRM), a critical piece of the certification process outlining who is responsible for each cybersecurity objective in a CMMC assessment between an OSC and its ESPs.

  • Supports the Certification Process: The CRM is critical for the certification process as it outlines the responsibilities of both the service provider and the client, ensuring clarity and compliance.
  • Reduces Compliance Complexity: The CRM lowers the risk and complexity of assessments by clearly defining the responsibilities and ensuring that all necessary controls are in place.

+ Defense Federal Acquisition Regulation Supplement (DFARS)

A DoD-specific supplement to federal acquisition regulations detailing cybersecurity compliance requirements.

+ Defense Industrial Base (DIB)

The global network of entities supplying products and services critical to U.S. defense operations.

+ Enclave (Controlled Environment)

A segmented and clearly defined computing environment specifically implemented to protect sensitive information such as CUI, with distinct security boundaries.

+ External Service Provider (ESP)

External people, technology, or facilities that the organization utilizes, including Cloud Service Providers, Managed Service Providers, Managed Security Service Providers, and Cybersecurity-as-a-Service Providers.

+ Federal Acquisition Regulation (FAR)

The primary regulation guiding procurement for U.S. federal agencies, including cybersecurity standards for contractors.

+ Federal Contract Information

Information provided by or generated for the government under contract, not publicly available.

+ Gap Analysis

A structured evaluation identifying gaps between current cybersecurity practices and required compliance standards, resulting in actionable recommendations.

+ Incident

An occurrence compromising or potentially compromising the confidentiality, integrity, or availability of information systems or data.

+ Incident Response (IR)

Procedures established to identify, respond to, mitigate, and recover from cybersecurity incidents.

+ Inheritance

The use of existing security controls or practices implemented by external service providers or parent organizations within an assessment scope.

+ Maturity Level

A defined stage within the CMMC framework indicating an organization’s capability and sophistication in cybersecurity practices.

+ Non-Federal Organization (NFO)

Any external entity (contractors, subcontractors) subject to cybersecurity requirements through contractual obligations with federal entities.

+ Organization Seeking Assessment (OSA)

The entity currently undergoing a formal cybersecurity evaluation by a C3PAO.

+ Organization Seeking Certification (OSC)

An organization actively preparing for or seeking formal CMMC certification.

+ Penetration Testing

Authorized simulated cyberattacks conducted to identify vulnerabilities and test the effectiveness of cybersecurity defenses.

+ Plan of Action and Milestones (POA&M)

A structured document outlining required actions, timelines, and resources necessary to address and remediate identified cybersecurity deficiencies.

+ Practice

Specific cybersecurity activities defined within the CMMC model that organizations must implement to achieve a desired maturity level.

+ Reciprocity

Recognition and acceptance of cybersecurity assessments or certifications from other authoritative frameworks or entities.

+ Risk Assessment (RA)

Systematic identification, analysis, evaluation, and documentation of cybersecurity risks and their potential impacts on an organization.

+ Risk Management Methodology (RMM)

Structured approach and documented methods used for managing cybersecurity risks, including identifying, prioritizing, and addressing them.

+ Security Assessment Report (SAR)

A detailed document produced by assessors summarizing findings, documenting tested security controls, and outcomes of the cybersecurity evaluation.

+ Self-Assessment

An internal review conducted by an organization to evaluate its own cybersecurity posture against CMMC practices, typically used to identify readiness gaps prior to formal assessment.

+ Supplier Performance Risk System (SPRS)

A DoD-managed system where suppliers record their cybersecurity self-assessment scores, enabling informed procurement decisions based on cybersecurity risk profiles.

+ System Integrity (SI)

The protection of information systems and data against unauthorized alterations or corruption, ensuring accuracy, consistency, and reliability.

+ System Security Plan (SSP)

A comprehensive document describing implemented and planned security measures, clearly detailing how an organization safeguards information systems and sensitive data.

+ Tactics, Techniques, and Procedures (TTP)

Methods and strategies utilized by adversaries during cyberattacks, crucial for understanding threat landscapes and developing defensive strategies.

+ Threat

Any circumstance or entity with the potential to negatively impact the confidentiality, integrity, or availability of information or systems.

+ Validation

The process of verifying that implemented cybersecurity practices effectively meet the intended security requirements or controls.

+ Vulnerability

Weaknesses or flaws within systems, procedures, or controls that adversaries could potentially exploit.