ISI has rebranded and updated to a new URL—if you are here from dodsecurity.com you are in the right place!

CMMC 101: Glossary of CMMC-Related Terms

What Is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information or CUI is a category of sensitive information that requires safeguarding.

  • CUI is information the US Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
  • For the DIB, CUI also enables consistent processes to safeguard information for specific national security purposes, such as physical and operations security.
  • CUI markings alert recipients that special handling may be required to comply with law, regulation, or Government-wide policy.  

What Is a C3PAO?

C3PAOs, or CMMC Third-Party Assessment Organizations, are authorized by the Cyber AB (the CMMC accreditation body) to conduct certification assessments of Organizations Seeking Certification (OSCs).

  • C3PAOs assess an organization's practices, policies and security controls against the NIST SP 800-171 requirements, using the NIST SP 800-171A assessment objectives as the yardstick, and report the results to the DoD.
  • A C3PAO assessment is required for a CMMC Level 2 (C3PAO) certification. Some Level 2 contracts allow a Level 2 self-assessment instead, and Level 3 adds a government-led (DIBCAC) assessment on top of a Level 2 C3PAO certification.
  • C3PAOs can also be Registered Provider Organizations (RPOs), but to avoid a conflict of interest they cannot provide the same client organization (OSC) with both pre-assessment consulting services and the assessment itself.

What Is Cybersecurity Maturity Model Certification (CMMC)?

Cybersecurity Maturity Model Certification or CMMC is the DoD's program for verifying that contractors protect Federal Contract Information (FCI) and controlled unclassified information (CUI) shared with the DIB and its vendors and partners.

  • Since 31 December 2017, defense contracts have required, through DFARS 252.204-7012, that contractors and subcontractors handling covered defense information implement NIST SP 800-171.
  • CMMC adds verification: contracts that require certification must be assessed against those same requirements by an authorized third-party assessment organization (C3PAO), instead of relying on the contractor's self-attestation alone.

What Are 32 CFR CMMC and 48 CFR CMMC?

CMMC is implemented through two separate rules in the Code of Federal Regulations (CFR):

  • The 32 CFR CMMC rule (32 CFR Part 170) establishes the CMMC Program itself: the levels, the assessment and certification requirements, and the ecosystem of the Cyber AB, C3PAOs and assessors. Once it is effective, C3PAOs can be authorized and certification assessments can begin.
  • The 48 CFR CMMC rule (a DFARS acquisition rule) puts CMMC requirements into DoD contracts through DFARS 252.204-7021. CMMC contract language is rolled out in phases over a three-year period.

What Are the DFARS Clauses Relevant to NIST 800-171 and CMMC?

The Federal Acquisition Regulation (FAR) codifies how the US military, NASA, and civilian government agencies establish contracts and procure goods and services. The Defense Federal Acquisition Regulation Supplement (DFARS) is the DoD's supplement to the FAR: additional rules that apply only to DoD contracts.

What is DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting?

  • The DFARS 7012 clause requires contractors that process, store or transmit covered defense information to implement NIST SP 800-171 and meet all 110 of its security requirements (Revision 2 count). The clause also requires that any external cloud service used for that information meet security requirements equivalent to the FedRAMP Moderate baseline.
  • The clause's cyber incident reporting part requires the contractor to report a cyber incident affecting covered defense information to the DoD within 72 hours of discovery.
  • Compliance under 7012 alone is on a self-attestation basis, with no external audit requirement: the contractor self-assesses and self-attests. Verification of that attestation is what DFARS 7019/7020 (SPRS scores) and CMMC add.

What is DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements?

  • The DFARS 7019 clause notifies the contractor that it must have a current NIST SP 800-171 DoD Assessment score (not more than three years old) recorded in the Supplier Performance Risk System (SPRS) in order to be considered for award.
  • All contractors with DFARS 7019 in their contract(s) must report their NIST SP 800-171 DoD Assessment score to SPRS (accessed through the PIEE website).

What is DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements?

  • Contractors must complete a NIST SP 800-171 DoD Assessment (a Basic self-assessment scored with the DoD Assessment Methodology) and submit the resulting score to SPRS. The assessment used for the score must not be more than three years old.
  • The clause also requires the contractor to give the DoD access to its facilities, systems and personnel if the DoD chooses to conduct a Medium or High assessment (performed by DIBCAC), and to flow the requirement down to subcontractors, confirming that they have a current score in SPRS before awarding them a subcontract.
  • In order to submit a score, contractors must have fully assessed their environment and have a System Security Plan (SSP) in place; without an SSP (requirement 3.12.4) no score can be produced.

What is DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirements?

  • Contractors must hold the CMMC status (self-assessment or certification, at the level specified by the contract) at the time of award, and must maintain it for the duration of the contract.

What Is NIST SP 800-171/NIST SP 800-171A?

The National Institute of Standards and Technology (NIST), the non-regulatory federal agency responsible for setting standards and establishing guidelines, issued a special publication in 2015: NIST SP 800-171.

  • This document lists the specific security requirements that non-federal systems and organizations handling controlled unclassified information (CUI) need to have in place to protect it.
  • It has been revised since: Revision 1 (2016), Revision 2 (February 2020, with 110 requirements) and Revision 3 (May 2024, restructured into 97 requirements). CMMC assessments and the 110-requirement count used in DFARS scoring refer to Revision 2.
  • NIST SP 800-171A is the companion assessment guide: it breaks each of the 110 requirements into determination statements called assessment objectives (320 in total for Revision 2) and specifies the assessment methods (examine, interview, test) used to check them.
  • What this means: NIST SP 800-171A tells contractors and assessors what concrete evidence must exist for a requirement in NIST SP 800-171 to be considered implemented.

NIST SP 800-171/800-171A example: Requirement 3.1.1 (Access Control family):

NIST SP 800-171 states the requirement: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

NIST SP 800-171A repeats the requirement and adds its assessment objectives:

Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

  • 3.1.1[a] Authorized users are identified.
  • 3.1.1[b] Processes acting on behalf of authorized users are identified.
  • 3.1.1[c] Devices (and other systems) authorized to connect to the system are identified.
  • 3.1.1[d] System access is limited to authorized users.
  • 3.1.1[e] System access is limited to processes acting on behalf of authorized users.
  • 3.1.1[f] System access is limited to authorized devices (including other systems).

CMMC uses these NIST SP 800-171A objectives as its assessment methodology: a NIST SP 800-171 requirement is scored MET in a CMMC Level 2 assessment only when every one of its assessment objectives is met. The practical consequence is that an inventory of authorized users, processes and devices (objectives [a] to [c]) is needed as evidence alongside the technical access limits (objectives [d] to [f]).

What Is an Organization Seeking Certification (OSC)?

OSCs are the companies, vendors, suppliers or contractors that require CMMC certification to work on defense contracts.

What Is a Registered Practitioner (RP)?

Registered Practitioners or RPs are individuals who specialize in helping Organizations Seeking Certification (OSCs) prepare for CMMC.

  • RPs provide advice and guidance to companies seeking to achieve and maintain CMMC compliance, including conducting gap analyses and building remediation plans. They do not conduct certification assessments.
  • To act as an RP, an individual must complete the Cyber AB's RP training, pass its background check and register with the Cyber AB; RPs are registered, not certified, and the designation is distinct from the Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) credentials held by assessment personnel.

What Is a Registered Provider Organization (RPO)?

Registered Provider Organizations or RPOs are consulting organizations that assist Organizations Seeking Certification (OSCs) in achieving CMMC certification. They are registered with the Cyber AB and employ at least one Registered Practitioner.

  • RPOs provide pre-assessment consulting services (gap analysis, remediation, SSP and POA&M preparation) to government contractors and other organizations, and can support the OSC during its assessment.
  • Unlike C3PAOs, RPOs are not authorized to conduct CMMC certification assessments.
