Glossary of CMMC Related Terms

CMMC

Cybersecurity Maturity Model Certification (CMMC) is a unifying standard for the implementation of cybersecurity across the Defense Industrial Base (DIB). As set forth by the National Institute of Standards and Technology (NIST) under the United States Commerce Department, the CMMC cybersecurity framework provides formal guidelines that private sector companies must follow in order to be eligible for DoD contract awards. The CMMC program standards, building on NIST 800-171 and selected FAR requirements, ensure that companies working as part of the DIB are better prepared to identify, detect and respond to cyber-attacks.

CMMC-AB

The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) is an independent organization that was established to help secure the U.S. supply chain. Authorized by the DoD as the sole source for operationalizing CMMC assessments and training, the Body will oversee a qualified, trained, and high-fidelity community of assessors who deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) program.

C3PAO

CMMC Third-Party Assessor Organization (C3PAO) is an organization accredited by the CMMC Accreditation Body (CMMC-AB) to provide services to organizations that seek CMMC certification. C3PAOs are authorized to conduct CMMC assessments and to submit results and recommendations to the CMMC-AB, certifying that Organizations Seeking Certification (OSCs) comply with the desired CMMC maturity level (1 through 5).

CMMC Framework

The CMMC program is organized within a framework of four components:

  1. Domains,
  2. Processes,
  3. Capabilities, and
  4. Practices.

Each of these components encompasses the processes and practices that are used to evaluate a contractor’s adherence to the standards of their desired certification level.

CMMC Certification Levels

Within the CMMC framework, contractors seek the certification level that correlates to the type of Covered Defense Information (CDI) or Federal Contract Information (FCI) the entity handles in its DoD contracting activities. The five CMMC certification levels range from Level 1 (basic cybersecurity hygiene to safeguard FCI) to Level 5 (advanced cybersecurity protocols to protect CUI and reduce the risk of Advanced Persistent Threats). In most cases, if a contractor creates, processes, possesses, or transmits Controlled Unclassified Information (CUI) and Controlled Technical Information (CTI), that entity will require Level 3 CMMC certification.

DIB (Contractor)

The Defense Industrial Base (DIB) is the industry sector that provides products and services related to the U.S. armed forces. This includes, but is not limited to, the design, production, delivery, and maintenance of military weapons and software systems; research and development; and purchased services. A DIB contractor is any non-federal organization that contracts with the DoD or that engages in any aspect of the DIB supply chain.

OSC

An Organization Seeking Certification (OSC) is any DIB contractor that has begun the formal process of becoming CMMC certified.

CDI

Covered Defense Information (CDI) is defined as unclassified controlled information (specifically as described in the Controlled Unclassified Information (CUI) Registry) that is marked and provided by the DoD, or generated by a DIB contractor as part of a DoD contract.

FCI

Federal Contract Information (FCI) is any information provided by or generated for the federal government that is not intended for public release.

CUI

Controlled Unclassified Information (CUI) is information created or possessed by the federal government that requires special dissemination controls and security protections. Information may fall into any one of the CUI categories maintained by the National Archives.

FAR

Federal Acquisition Regulation (FAR) 52.204-21 sets forth 15 specific controls for the basic safeguarding of covered contractor information systems. These controls are incorporated into the CMMC program.

DFARS

Defense Federal Acquisition Regulation Supplement (DFARS) section 7012 was a precursor to the CMMC model. Section 7012 required federal contractors to safeguard CDI, report cybersecurity breaches, and ensure that any subcontractors with access to CDI/CUI also comply with the regulation. Under DFARS 7012, contractors self-reported their CUI cybersecurity compliance.

NIST 800-171

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” outlines security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations. The 110 cybersecurity controls set forth in NIST 800-171 were incorporated, in varying degrees, into the CMMC program controls and standards.

Cybersecurity Maturity

Cybersecurity maturity refers to the level of capability and efficacy an organization possesses for protecting sensitive data and information assets, evaluated and measured using a cybersecurity maturity model.

Incident

An occurrence wherein cyber systems or sensitive information assets are jeopardized (or potentially jeopardized) with regard to availability, integrity or confidentiality. A critical incident could include a violation of security policies or procedures, as well as the imminent threat of such a violation.

Incident Response

The steps taken to mitigate violations of security policies and recommended practices.

MSP

Managed Service Providers (MSP) provide professional information technology services in conjunction with an agreed-upon level of support and system administration. Services may be provided at the customer’s location, at the MSP’s data facilities (hosting) or in a third-party data center. MSP services may be provided alone or in coordination with services from other providers.

MSSP

Managed Security Services Providers (MSSP) provide professional network and data security services (monitoring, management, etc.) necessary to ensure the client’s cybersecurity posture. Services are typically provided from the MSSP’s security operations center or that of another data provider. Services may include intrusion detection, vulnerability scanning, incident reporting, forensics, alerting, orchestration rule maintenance, log management, training and support.

SIM

Security Information Management (SIM) is the term used to describe the systems and controls necessary to provide long-term protection of data assets from threats and vulnerabilities, including logging and analyzing data.

SEM

Security Event Management (SEM) refers to the tools necessary to monitor data security in real time, identify events and report events per protocol.

SIEM (Software)

Security Information and Event Management (SIEM) software, a robust approach that combines SIM and SEM protocols, provides the necessary systems and support to monitor and analyze cybersecurity threat alerts to networks, information systems, and data assets.

SOC

Security Operations Centers (SOC) are highly available facilities staffed with cybersecurity experts who monitor a client’s network, information systems, and data assets for cyber threats 24 hours a day, 7 days a week. The goal of the SOC and its team is to prevent, detect and analyze threat incidents and to provide an immediate, proactive response to manage any threats that do occur.

IDS

Intrusion Detection Systems (IDS) monitor network traffic for potential cybersecurity threats or breaches as well as suspicious activity, then report or issue alerts for those events per protocol.

Secure Enclave

A secure enclave is an operating environment dedicated to the secure and compliant storage, handling, and transmission of CDI/CUI, separate from other information technology networks, systems, and information assets. In the context of DoD and CMMC requirements for federal contractors, a secure enclave must be secure, encrypted, covert, and purpose-built to meet or exceed published cybersecurity standards and requirements.