Our previous blog, CMMC Explained: What It Is and Why It Matters for Defense Contractors, provided an overview of CMMC, including its purpose, who it impacts, and the anticipated timeline for implementation. One key takeaway from that discussion is that CMMC comes with its own set of terminology, making it essential to understand the language used within the framework. Before diving deeper into CMMC requirements, let’s take a moment to define some of the most commonly used terms. The chart below outlines key CMMC-related terminology as defined in the Level 2 Scoping Guide.
Common CMMC Terminology and What They Mean
| Term or Phrase / Acronym | What it stands for | What does it mean? |
| --- | --- | --- |
| AC | Access Control | One of the CMMC security requirement families (drawn from NIST SP 800-171): safeguards that limit system access to authorized users, processes, and devices, and to the transactions and functions each is permitted to perform. |
| AT | Awareness and Training | Security requirement family: safeguards and activities that educate the workforce about security risks and about the policies and procedures that apply to their roles. |
| AU | Audit and Accountability | Security requirement family: safeguards that create, protect, and retain system audit records so the organization can answer who did what, when, and how, and can trace actions back to individual users. |
| C3PAO | CMMC Third-Party Assessment Organization | An organization accredited by the Cyber AB (formerly the CMMC-AB) and authorized to conduct official CMMC Level 2 certification assessments. |
| CCA | Certified CMMC Assessor | An individual who has completed the official course of study, passed the CCA exam, met the experience requirements, and signed the CMMC Code of Ethics. CCAs are the certified individuals who perform official CMMC assessments, and they must do so under the authority of a C3PAO. |
| CCA Lead Assessor | Certified CMMC Assessor – Lead Assessor | A CCA who has met additional experience and certification requirements and is qualified to lead an assessment team. The Lead Assessor heads the assessment process on behalf of the C3PAO. |
| CCP | Certified CMMC Professional | An individual who has completed the official course of study, passed the CCP exam, met the experience requirements, and signed the CMMC Code of Ethics. CCPs can participate in official CMMC assessments as members of a C3PAO team, but only under the guidance of a CCA; the CCP credential is also the prerequisite for becoming a CCA. |
| CFR | Code of Federal Regulations | The codification of the regulations issued by federal executive agencies. The CFR is regulation, not statute. The CMMC program rule is published in Title 32 (32 CFR Part 170), and the acquisition regulations (FAR and DFARS) are in Title 48. |
| CM | Configuration Management | Security requirement family: safeguards that establish and maintain baseline configurations and inventories of systems, control and track changes, and restrict unnecessary software, ports, protocols, and services (least functionality). |
| CMMC | Cybersecurity Maturity Model Certification | The Department of Defense program that specifies the protections (security requirements) contractors must implement, along with the ecosystem and rules for being assessed and certified. |
| CMMC-AB | Cybersecurity Maturity Model Certification Accreditation Body | The non-profit accreditation body, now known as the Cyber AB, that accredits C3PAOs and oversees the assessor and practitioner ecosystem (CCPs, CCAs, RPs, and RPOs). The CMMC program itself is owned and defined by the Department of Defense, not by the accreditation body. |
| CMVP | Cryptographic Module Validation Program | A joint program of NIST and the Canadian Centre for Cyber Security that validates cryptographic modules (hardware and software) against FIPS 140-2 and FIPS 140-3. NIST publishes the list of validated modules. CMMC requires FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI (SC.L2-3.13.11), so check the specific module and version your product uses against the list rather than relying on a vendor's "FIPS-compliant" claim. |
| CUI | Controlled Unclassified Information | Information the government creates or possesses, or that a contractor creates or possesses on the government's behalf, that is not classified but that a law, regulation, or government-wide policy requires or permits to be safeguarded or subject to dissemination controls. The categories of CUI are listed in the CUI Registry maintained by NARA, the CUI Executive Agent. Protecting CUI is the focus of CMMC Level 2. |
| CVE | Common Vulnerabilities and Exposures | A public catalog, maintained by MITRE, of publicly disclosed vulnerabilities in specific products, each assigned a unique identifier in the form CVE-YYYY-NNNNN. Vulnerability scanners and vendor advisories use CVE IDs to refer to a flaw. |
| CWE | Common Weakness Enumeration | A catalog, also maintained by MITRE, of types of software and hardware weaknesses (for example, buffer overflows or SQL injection) rather than specific vulnerabilities in specific products. A CVE record typically references the CWE that describes the underlying weakness. |
| FAR | Federal Acquisition Regulation | The regulation (Title 48 of the CFR) that governs how executive agencies acquire goods and services. FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, contains the 15 basic safeguarding requirements that make up CMMC Level 1. |
| FCI | Federal Contract Information | Information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service, excluding information the government provides to the public (such as on public websites) and simple transactional information needed to process payments. FCI is less sensitive than CUI, and protecting it is the focus of CMMC Level 1. |
| FIPS | Federal Information Processing Standard | A family of standards NIST publishes for federal information systems. In the CMMC context, FIPS usually refers to FIPS 140-2 and FIPS 140-3, the standards against which cryptographic modules are validated under the CMVP. A product that merely uses "FIPS algorithms" is not the same as one whose cryptographic module has been validated. |
| IA | Identification and Authentication | Security requirement family: safeguards for identifying users, processes acting on behalf of users, and devices, and for authenticating (verifying) those identities before granting access, including password requirements and multifactor authentication. |
| IR | Incident Response | Security requirement family: the capability, plan, and activities for handling security incidents, covering preparation, detection, analysis, containment, recovery, and reporting to appropriate officials and authorities. It includes the triage of a potential incident before it is formally declared an incident. |
| MA | Maintenance | Security requirement family: safeguards that protect systems and information while maintenance is performed, including controls over maintenance tools, sanitizing equipment removed for off-site maintenance, supervising maintenance personnel, and requiring multifactor authentication for remote (nonlocal) maintenance sessions. |
| MP | Media Protection | Security requirement family: controls on the media (paper and digital) on which CUI is stored: marking, access control, secure storage, sanitizing or destroying media before disposal or reuse, encrypting media during transport, and controlling the use of removable media. |
| NARA | National Archives and Records Administration | The federal agency designated as the CUI Executive Agent. NARA maintains the CUI Registry, which defines the categories of information that qualify as CUI and the handling requirements for each. |
| OSA | Organization Seeking Assessment | An organization (business, university, etc.) that is preparing for or undergoing a CMMC assessment of any kind, including a self-assessment. |
| OSC | Organization Seeking Certification | An OSA that is seeking a CMMC certification through an assessment conducted by a C3PAO (Level 2) or by the DoD's DIBCAC (Level 3). |
| PE | Physical Protection | Security requirement family: controls that physically secure systems, data, and facilities, such as limiting and escorting physical access, maintaining visitor logs, and protecting alternate work sites. |
| POAM | Plan of Action and Milestones | Usually written POA&M. The documented plan for correcting requirements that are not yet fully implemented, listing each deficiency, the planned remediation, and target dates. CMMC allows a POA&M only for a limited set of requirements and requires it to be closed out within 180 days for a conditional certification to become final. |
| PS | Personnel Security | Security requirement family: controls for screening individuals before they are granted access to systems containing CUI, and for protecting CUI and revoking access when personnel are terminated or transferred. |
| RA | Risk Assessment | Security requirement family: periodic assessment of the risk to organizational operations, assets, and individuals arising from systems that process CUI, together with scanning those systems for vulnerabilities and remediating what is found. |
| RPO | Registered Provider Organization | An organization authorized by the Cyber AB to provide CMMC consulting and readiness services to OSCs. RPOs advise and prepare organizations; they do not conduct certification assessments, which is the role of a C3PAO. |
| RP | Registered Practitioner | An individual who has completed the official course of study, passed a background check, and passed an exam that verifies their knowledge of the CMMC program and assessment process. RPs help organizations prepare but cannot perform official assessments. |
| SC | System and Communications Protection | Security requirement family: safeguards that protect systems and communications, including monitoring and controlling traffic at system boundaries, separating user and system functionality, cryptographic protection of CUI in transit and at rest, cryptographic key management, and controls over remote access and collaborative computing devices. |
| SI | System and Information Integrity | Security requirement family: safeguards that keep systems and information trustworthy, including identifying, reporting, and correcting system flaws in a timely manner, protecting against malicious code, monitoring security alerts and advisories, and monitoring systems to detect attacks and unauthorized use. |
| SSP | System Security Plan | The document that describes the system boundary, the in-scope assets, the operating environment, and how each CMMC security requirement is implemented (or not yet implemented). The SSP is the primary artifact assessors review, and CMMC Level 2 requires one. |
Why CMMC Terminology Matters
Just like any industry or field of study, CMMC is filled with acronyms, abbreviations, and jargon. The terminology mentioned above is not exhaustive, as there are many terms not included here that can be found in various publications, including the CMMC Assessment Guide. This list should serve as a strong foundation for building your knowledge and awareness, helping you to effectively work within the CMMC system.
Navigating CMMC Compliance with Convergence Networks
Navigating CMMC compliance can be complex, but you don’t have to do it alone. If your organization needs expert guidance and support, Convergence Networks is here to help. Our team of professionals is dedicated to ensuring your success every step of the way. Reach out to us today and let’s navigate the path to CMMC compliance together!