CAP Glossary

From CMMC Toolkit Wiki
Jump to navigation Jump to search

Source of Reference: The CMMC Assessment Process document from Cybersecurity Maturity Model Certification Accreditation Body, Inc.

For inquiries and reporting errors on this wiki, please contact us. Thank you.


Term Description Footnote
Access Ability to make use of any information system (IS) resource.
Access Authority An entity responsible for monitoring and granting access privileges for other authorized entities.
Access Control The process of granting or denying specific requests to:
  • obtain and use information and related information-processing services; and
  • enter specific physical facilities (e.g., federal buildings, company offices).
Agreements / Arrangements Agreements and arrangements are any vehicle that sets out specific CUI handling requirements for contractors and other information-sharing partners when the arrangement with the other party involves CUI. Agreements and arrangements include, but are not necessarily limited to, contracts, grants, licenses, certificates, and memoranda of understanding. When disseminating or sharing CUI with non-executive branch entities, agencies should enter into a written agreement/arrangement or understanding (see §2002.16(a)(5) and (6) for details). When sharing information with foreign entities, agencies should also enter agreements or arrangements, where feasible (see §2002.16(a)(5)(iii) and (a)(6) for details). 32CFR §2002(c)
Artifacts Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, person, or persons performing a role in that practice, control, or process. Artifacts may be a printed hard-copy or a soft- or electronic copy of a document or file embedded in a system or software but must be a result or an output from the performance of a process within the Organization Seeking Certification.
Assessment The testing or evaluation (e.g., interviews, document reviews, observations) of security practices to determine the extent to which the practices are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization. Source: NIST SP 800-37 Rev. 2 Also referred to as “CMMC Assessment”.

Assessment is the term used by CMMC for the activity performed by the C3PAO to evaluate the CMMC level of a DIB contractor. Source: CMMC

Assessment Appeals Process A formal process managed by the Cyber AB to seek resolution of a disagreement of an assessment result.
Assessment Official The most senior representative of an Organization Seeking Certification (OSC) who is directly and actively responsible for leading and managing the OSC’s engagement in the Assessment.
Assessor An individual who is both certified and authorized to participate on a C3PAO Assessment Team and evaluate the conformity of an Organization Seeking Certification to meeting a particular CMMC level standard. See also Provisional Assessor.


Term Description Footnote
Certificate A Record issued to an OSC upon successful completion of an Assessment which evidences the CMMC Level against which the OSC has been successfully assessed by an authorized C3PAO. See also Limited CMMC Certification.
Certification The official CMMC credential that attests to: 1) an organization’s conformance to a particular CMMC Level; or 2) an individual’s achievement of meeting the requirements and standards of a specific CMMC profession (e.g., Assessor, Instructor). See also Limited CMMC Certification.
Certified CMMC Assessor (CCA) A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 2 CMMC Assessor. A Provisional Assessor (PA) will become a CCP and then a CCP by passing the associated certification exam(s).
CMMC Certified Professional (CCP) A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 1 CMMC Assessor. A Provisional Assessor (PA) will become a CCP by passing the associated certification exam.
CMMC Certification Boundary Defines the assets to which an Assessor will evaluate conformity with applicable CMMC practices. This is the boundary to which a CMMC Certification will be applied.
CMMC Certified Assessor An individual who holds official CAICO Certification as a CMMC Certified Assessor. Lead Assessors can be certified at Level 2 or Level 3, which correspond to the CMMC Level against which they are authorized to conduct CMMC Assessments. Also referred to as “CMMC Assessor” or “Assessor”.
CMMC Ecosystem The interactive community of all CMMC professionals, including C3PAOs, Assessors, Instructors, Licensed Training Providers, Licensed Publishing Partners, Registered Practitioners, Registered Provider Organizations, as well as the Department of Defense and the CMMC Accreditation Body.
CMMC Level A specific step or level within the CMMC Standard against which CMMC Assessments are conducted.
CMMC Standard A framework that combines widely accepted NIST cybersecurity standards and maps those controls and requirements across several maturity levels that range from basic to expert cyber hygiene, and that, when implemented, will reduce risk against a specific set of cyber threats.
CMMC Third-Party Assessment Organization (C3PAO) An Entity that is authorized to be contracted to conduct independent CMMC Assessments and issue CMMC Certifications for Organizations Seeking Certification (OSCs).
Conflict of Interest (COI) A situation within the CMMC Ecosystem in which the concerns or objectives of two different parties are incompatible with one another. Conflicts of Interest must be disclosed where they exist and, if possible, mitigated. Conflicts of Interest left unattended by CMMC actors can threaten the impartiality of CMMC Assessments and the integrity of the CMMC Ecosystem overall.
Controlled Environment Any area or space an Authorized Holder deems to have adequate physical or procedural practices (e.g., barriers or managed access practices) to protect FCI/CUI from unauthorized access or disclosure. Also called “FCI/CUI Environment”. 32CFR §2002(f)
Controlled Unclassified Information (CUI) Government-created or owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure. DoDCUI.Mil is the authoritative source for DoD CUI as defined in DoDI 5200.48.


Term Description Footnote
Daily Checkpoint An immediate "after-action" discussion and evaluation of an OSC’s current compliance status against CMMC practices conducted with the OSC Assessment participants, following the completion of that day’s Assessment activities such as objective Evidence review, interviews, or observations/tests. Also known in industry as a “hot wash” or “hot wash review.” Daily Checkpoint results/discussion must be recorded in a log by the Lead Assessor.
Disseminating The act of transmitting, transferring, of providing access to FCI or CUI to other authorized holders through any means, whether internal or external to an agency. 32CFR §2002(v)
Document Any tangible thing which constitutes or contains information and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writings of every kind and description over which an agency has authority. A document may be inscribed by hand or by mechanical, facsimile, electronic, magnetic, microfilm, photographic or other means, as well as phonic or visual reproductions or oral statements, conversations or events and including, but not limited to: correspondence, email, notes, reports, papers, files, manuals, books, pamphlets, periodicals, letters, memoranda, notations, messages, telegrams, cables, facsimiles, records, studies, working papers, accounting papers, contracts, licenses, certificates, grants, agreements, computer disks, computer tapes, telephone logs, computer mail, computer printouts, worksheets, sent or received communications of any kind, teletype messages, agreements, diary entries, calendars and journals, printouts, drafts, tables, compilations, tabulations, recommendations, accounts, work papers, summaries, address books, other records and recordings or transcriptions of conferences, meetings, visits, interviews, discussions or telephone conversations, charts, graphs, indexes, tapes, minutes, contracts, leases, invoices, records of purchase or sale correspondence, electronic or other transcription of taping of personal conversations or conferences and any written, printed, typed, punched, taped, filmed or graphic matter however produced or reproduced. Document also includes the file, folder, exhibits and containers, the labels on them and any metadata, associated with each original or copy. Document also includes voice records, film, tapes, video tapes, email, personal computer files, electronic matter and other data compilations from which information can be obtained, including materials used in data processing. 32CFR §2002(w)


Term Description Footnote
CMMC eMASS The Enterprise Mission Assurance Support Service (CMMC eMASS) is a web-based, U.S. Department of Defense off-the-shelf solution that automates a broad range of services for cybersecurity management. CMMC eMASS serves as the system of record for CMMC Assessment data and reporting.
Enclave A set of system resources that operate within the same security domain and that share the protection of a single, common, and continuous security perimeter. A segmentation of an organization’s network or data that is intended to “wall off” that network or database from all other networks or systems. A CMMC Assessment scope can be within the Assessment scope of an enclave. Reference
Enterprise An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance.
Evidence The observable proof that an organization has either met or not met the standard for a particular CMMC practice.
Examine The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more Assessment objects or artifacts to facilitate understanding, achieve clarification, or obtain additional Evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an artifact to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting the organizational or project procedures that can be mapped to one or more CMMC practices and those artifacts must be produced by people who implement or perform or support the procedures.
External Cloud Service Provider A Supporting Organization that is providing cloud computing services to the OSC through an external connection.


Term Description Footnote
Federal Contract Information (FCI) Information, not intended for public release, that is provided by or generated for the U.S. Government under a contract to develop or deliver a product or service to the U.S. Government, but not including information provided by the U.S. Government to the public (such as on public web sites) or simple transactional information, such as necessary to process payments). Reference
Foreign Entity A foreign government, an international organization of governments or any element thereof, an international or foreign public or judicial body or an international or foreign private or non-governmental organization. 32CFR §2002(y)


Term Description Footnote
Handling Any use of CUI, including, but not necessarily limited to, marking, safeguarding, transporting, disseminating, re-using, and disposing of the information. 32CFR §2002(aa)
Host Unit The part of a company being assessed and considered the OSC for purposes of the CMMC Assessment. A Host Unit could be a location, a division, a product line, or any other logical segmentation of an organization that can be independently assessed. Assessment results will be codified with the Host Unit name.
HQ Organization The legal entity that will be delivering services or products under the terms of a DoD contract. The HQ Organization itself could be the OSC, or it could designate a Host Unit as the OSC.


Term Description Footnote
Interviews The process of conducting discussions with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of Evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an interview statement to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting the CMMC practice. Interview affirmations must be provided by people who implement, perform, or support procedures.


Term Description Footnote
Lead Assessor The Certified CMMC Assessor (Lead Assessor) who oversees and manages a discrete CMMC Assessment Team.
Limited Practice Deficiency Correction With CMMC v2.0, the DoD has adopted a method to allow OSCs to ability to correct deficient CMMC practices that are found during the assessment, prior to assessment closeout (Phase 3). These practices cannot change and/or limit the effectiveness of other practices that have been scored “MET”, nor can they be previously listed on the OSCs Self-Assessment Practice Deficiency Tracker prior to the assessment. Finally, the practice(s) cannot lead to a significant exploitation of the OSCs network or exfiltration of CUI, basic and derived security requirements/practices are listed in Appendix K, paragraph e & f.


Term Description Footnote
Mechanism An established process, which can involve people and/or technology, by which something takes place that brings about an intended and predictable outcome. For CMMC purposes, a mechanism might include:
  • A technology-specific solution (e.g., anti-malware, firewall, file-integrity monitoring, intrusion-prevention system, multi-factor authentication, etc.);
  • A manual procedure that an individual performs; or
  • An administrative solution (e.g., acceptable use policy, human reviews, non-disclosure agreements, etc.).

In Assessment criteria for CMMC practices, the phrase “mechanisms exist to…” provides flexibility for the OSC to define what is most appropriate for its unique business practices. For example, more mature organizations might automate their security infrastructure and prefer technology-specific solutions, whereas less mature organizations might rely on manual procedures or administrative solutions.

Misuse of CUI Actions involving the utilization of CUI in a manner discordant with the policies and provisions contained in Executive Order 13556, the CUI Registry, Department of Defense CUI policy, or the applicable laws, regulations, and government-wide policies that govern the affected information. This may include intentional violations or unintentional errors in safeguarding or disseminating CUI. This may also include designating or marking information as CUI when it does not qualify as CUI. 32CFR §2002(e)


Term Description Footnote
Observation A real-time demonstration or review of a test, system, tool, software, hardware, practice, control, or process being performed and witnessed first-hand by the Lead Assessor and if applicable, Assessment Team.
Organization Seeking Certification (OSC) The Defense Industrial Base (DIB) company or legal entity that is going through the CMMC Assessment process—and contracting with a C3PAO in pursuit of CMMC Certification—for a given environment and a particular CMMC Level. Also referred to as “HQ Unit”.


Term Description Footnote
Provisional Assessor (PA) An individual who has received authorization from the CMMC-AB/CAICO to serve as a Provisional Assessor (PA) during the provisional CMMC Interim Voluntary Period. PAs are authorized to conduct CMMC Assessments during the CMMC Interim Voluntary Period only and will eventually be required to pass CCP, CCA, and/or Lead Assessor exams in order to attain their formal Assessor Certifications.


Term Description Footnote
Supporting Organization A logical organizational boundary that is supporting the Host Unit of enclave being assessed. Though not part of the logical segmentation, systems or people within the Supporting Unit may still have access to CUI or FCI, so therefore must be included within the scope of the Assessment.


Term Description Footnote
Test The process of exercising one or more Assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time and institutionalization. For a test/demonstration to be accepted as Evidence in an Assessment, it must pass its requirements and criteria while being observed by the Assessment Team. Any failed test results in a failed CMMC practice.


Term Description Footnote
Unauthorized Disclosure Unauthorized disclosure occurs when an Authorized Holder of CUI intentionally or unintentionally discloses CUI without a lawful government purpose, in violation of restrictions imposed by safeguarding or dissemination practices or contrary to limited dissemination practices. 32CFR §2002(rr)


Term Description Footnote
Working Papers Documents or materials, regardless of form, that an organization or user expects to revise prior to creating a finished product. Also referred to as “drafts”. 32CFR §2002(tt)