CMMC Terms

The CMMC Program has custom terms that align with program requirements. Although some terms may have other definitions in open forums, it is important to understand these terms as they apply to the CMMC Program.

(Information sourced from the CMMC Assessment Guide Level 2 https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2.pdf)


Terms to Know

The specific terms as associated with Level 2 are:

  • Assessment: As defined in 32 CFR § 170.4 means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization, as defined in 32 CFR § 170.15 to 32 CFR § 170.18.
    • Level 2 self-assessment is the term for the activity performed by an OSA to evaluate its own information system when seeking a CMMC Status of Level 2 (Self).
    • Level 2 certification assessment is the term for the activity performed by a C3PAO to evaluate the information system of an OSC when seeking a CMMC Status of Level 2 (C3PAO).
    • POA&M closeout self-assessment is the term for the activity performed by an OSA to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (Self).
    • POA&M closeout certification assessment is the term for the activity performed by a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.
  • Assessment Objective: As defined in 32 CFR § 170.4 means a set of determination statements that, taken together, expresses the desired outcome for the assessment of a security requirement. Successful implementation of the corresponding CMMC security requirement requires meeting all applicable assessment objectives defined in NIST SP 800-171A or NIST SP 800-172A.
  • Asset: An item of value to stakeholders. An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns, as defined in NIST SP 800-160 Rev 1.
  • CMMC Assessment Scope: As defined in 32 CFR § 170.4 means the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements.
  • CMMC Status: As defined in 32 CFR § 170.4 is the result of meeting or exceeding the minimum required score for the corresponding assessment. The CMMC Status of an OSA information system is officially stored in SPRS and additionally issued on a Certificate of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC.
    • Conditional Level 2 (Self) is defined in § 170.16(a)(1)(ii). The OSA has conducted a Level 2 self-assessment, submitted compliance results in the Supplier Performance Risk System (SPRS), and created a CMMC POA&M that meets all CMMC POA&M requirements listed in 32 CFR §170.16(a)(1)(ii).
    • Final Level 2 (Self) is defined in § 170.16(a)(1)(iii). The OSA will achieve a CMMC Status of Final Level 2 (Self) for the information system(s) within the CMMC Assessment Scope upon implementation of all security requirements and close out of the POA&M, as applicable.
    • Conditional Level 2 (C3PAO) is defined in § 170.17(a)(1)(ii). The OSC will achieve a CMMC Status of Conditional Level 2 (C3PAO) if a POA&M exists upon completion of the assessment and the POA&M meets all Level 2 POA&M requirements listed in 32 CFR § 170.21(a)(2).
    • Final Level 2 (C3PAO) is defined in § 170.17(a)(1)(iii). The OSC will achieve a CMMC Status of Final Level 2 (C3PAO) for the information systems within the CMMC Assessment Scope upon implementation of all security requirements and as applicable, a POA&M closeout assessment conducted by the C3PAO within 180 days. Additional guidance can be found in 32 CFR § 170.21.
  • Component: A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware [2]. A component is one type of asset.
  • Enduring Exception: As defined in 32 CFR § 170.4 means a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. Examples include systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required but the circumstance must be documented within a system security plan. Specialized Assets and GFE may be Enduring Exceptions.
  • Event: Any observable occurrence in a system. As described in NIST SP 800-171A, the terms “information system” and “system” can be used interchangeably. Events sometimes provide an indication that an incident is occurring.
  • Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
  • Information System (IS): As defined in 32 CFR § 170.4 means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. An IS is one type of asset.
  • Monitoring: The act of continually checking, supervising, critically observing, or determining the status in order to identify change from the performance level required or expected at an organization-defined frequency and rate.
  • Operational plan of action: As used in security requirement CA.L2-3.12.2, means the formal artifact which identifies temporary vulnerabilities and temporary deficiencies in implementation of requirements and documents how and when they will be mitigated, corrected, or eliminated. The OSA defines the format (e.g., document, spreadsheet, database) and specific content of its operational plan of action. An operational plan of action is not the same as a POA&M associated with an assessment.
  • Organization-defined: As determined by the OSA being assessed except as defined in the case of Organization-Defined Parameter (ODP). This can be applied to a frequency or rate at which something occurs within a given time period, or it could be associated with describing the configuration of an OSA’s solution.
  • Periodically: Occurring at a regular interval as determined by the OSA that may not exceed one year. As used in many requirements within CMMC, the interval length is organization-defined to provide OSA flexibility, with an interval length of no more than one year.
  • Security Protection Data (SPD): As defined in 32 CFR § 170.4 means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC's assessed environment. SPD is security relevant information and includes, but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.
  • System Security Plan (SSP): As defined in 32 CFR § 170.4 means the formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems, as defined in NIST SP 800-53 Rev 5.
  • Temporary deficiency: As defined in 32 CFR § 170.4 means a condition where remediation of a discovered deficiency is feasible and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment are discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch, where the patched version is no longer the validated version, may be a temporary deficiency.

Notes

[2] NIST SP 800-171 Rev. 2, p. 59, under “system component”
[3] NIST SP 800-53 Rev. 5, p. 402
[4] NIST SP 800-171A, p. v
[5] NIST SP 800-171 Rev. 2, Appendix B, p. 54 (adapted)