CAP Glossary: Difference between revisions

From CMMC Toolkit Wiki
(Created page with "'''Source of Reference: official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Glossary] from Office of Under Secretary of Defense for Acquisition & Sustainment.''' For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you. == A == {|class="wikitable" style="width: 85%;" ! style="width: 15%"| Term ! style="width: 65%"| Description ! style="width: 20%"| Source |- |Access |Ability to make use of any information...")
 
No edit summary
Line 1: Line 1:
'''Source of Reference: official [https://www.acq.osd.mil/cmmc/documentation.html CMMC Glossary] from Office of Under Secretary of Defense for Acquisition & Sustainment.'''
'''Source of Reference: The [https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf CMMC Assessment Process] from Cybersecurity Maturity Model Certification Accreditation Body, Inc.'''


For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
Line 5: Line 5:
== A ==
== A ==
{|class="wikitable" style="width: 85%;"
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 20%"| Term
! style="width: 65%"| Description
! style="width: 65%"| Description
! style="width: 20%"| Source
! style="width: 15%"| Footnote
|-
|-
|Access
|Access
|Ability to make use of any information system (IS) resource.
|Ability to make use of any information system (IS) resource.
|
|
* CNSSI 4009
* NIST SP 800-32
|-
|Access Authority
|An entity responsible for monitoring and granting access privileges for other authorized entities.
|
|-
|Access Control
|The process of granting or denying specific requests to:
* obtain and use information and related information-processing services; and
* enter specific physical facilities (e.g., federal buildings, company offices).
|
|-
|Agreements / Arrangements
|Agreements and arrangements are any vehicle that sets out specific CUI handling requirements for contractors and other information-sharing partners when the arrangement with the other party involves CUI. Agreements and arrangements include, but are not necessarily limited to, contracts, grants, licenses, certificates, and memoranda of understanding. When disseminating or sharing CUI with non-executive branch entities, agencies should enter into a written agreement/arrangement or understanding (see §2002.16(a)(5) and (6) for details). When sharing information with foreign entities, agencies should also enter agreements or arrangements, where feasible (see §2002.16(a)(5)(iii) and (a)(6) for details).
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(c)]
|-
|Artifacts
|Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, person, or persons performing a role in that practice, control, or process. Artifacts may be a printed hard copy or a soft or electronic copy of a document or file embedded in a system or software, but must be a result or an output from the performance of a process within the Organization Seeking Certification.
|
|-
|Assessment
|The testing or evaluation (e.g., interviews, document reviews, observations) of security practices to determine the extent to which the practices are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization. Also referred to as “CMMC Assessment”.

Assessment is the term used by CMMC for the activity performed by the C3PAO to evaluate the CMMC level of a DIB contractor.
|NIST SP 800-37 Rev. 2 (first paragraph); CMMC (second paragraph)
|-
|Assessment Appeals Process
|A formal process managed by the Cyber AB to seek resolution of a disagreement over an assessment result.
|
|-
|Assessment Official
|The most senior representative of an Organization Seeking Certification (OSC) who is directly and actively responsible for leading and managing the OSC’s engagement in the Assessment.
|
|-
|Assessor
|An individual who is both certified and authorized to participate on a C3PAO Assessment Team and evaluate the conformity of an Organization Seeking Certification to a particular CMMC level standard. See also Provisional Assessor.
|
|-
|Certificate
|A Record issued to an OSC upon successful completion of an Assessment which evidences the CMMC Level against which the OSC has been successfully assessed by an authorized C3PAO. See also Limited CMMC Certification.
|
|-
|Certification
|The official CMMC credential that attests to: 1) an organization’s conformance to a particular CMMC Level; or 2) an individual’s achievement of meeting the requirements and standards of a specific CMMC profession (e.g., Assessor, Instructor). See also Limited CMMC Certification.
|
|-
|Certified CMMC Assessor (CCA)
|A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 2 CMMC Assessor. A Provisional Assessor (PA) will become a CCP and then a CCA by passing the associated certification exam(s).
|
|-
|CMMC Certified Professional (CCP)
|A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 1 CMMC Assessor. A Provisional Assessor (PA) will become a CCP by passing the associated certification exam.
|
|-
|CMMC Certification Boundary
|Defines the assets against which an Assessor will evaluate conformity with applicable CMMC practices. This is the boundary to which a CMMC Certification will be applied.
|
|-
|CMMC Certified Assessor
|An individual who holds official CAICO Certification as a CMMC Certified Assessor. Lead Assessors can be certified at Level 2 or Level 3, which correspond to the CMMC Level against which they are authorized to conduct CMMC Assessments. Also referred to as “CMMC Assessor” or “Assessor”.
|
|-
|CMMC Ecosystem
|The interactive community of all CMMC professionals, including C3PAOs, Assessors, Instructors, Licensed Training Providers, Licensed Publishing Partners, Registered Practitioners, Registered Provider Organizations, as well as the Department of Defense and the CMMC Accreditation Body.
|
|-
|CMMC Level
|A specific step or level within the CMMC Standard against which CMMC Assessments are conducted.
|
|-
|CMMC Standard
|A framework that combines widely accepted NIST cybersecurity standards and maps those controls and requirements across several maturity levels that range from basic to expert cyber hygiene, and that, when implemented, will reduce risk against a specific set of cyber threats.
|
|-
|CMMC Third-Party Assessment Organization (C3PAO)
|An Entity that is authorized to be contracted to conduct independent CMMC Assessments and issue CMMC Certifications for Organizations Seeking Certification (OSCs).
|
|-
|Conflict of Interest (COI)
|A situation within the CMMC Ecosystem in which the concerns or objectives of two different parties are incompatible with one another. Conflicts of Interest must be disclosed where they exist and, if possible, mitigated. Conflicts of Interest left unattended by CMMC actors can threaten the impartiality of CMMC Assessments and the integrity of the CMMC Ecosystem overall.
|
|-
|Controlled Environment
|Any area or space an Authorized Holder deems to have adequate physical or procedural practices (e.g., barriers or managed access practices) to protect FCI/CUI from unauthorized access or disclosure. Also called “FCI/CUI Environment”.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(f)]
|-
|Controlled Unclassified Information (CUI)
|Government-created or owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure. DoDCUI.Mil is the authoritative source for DoD CUI as defined in DoDI 5200.48.
|
* [https://www.archives.gov/cui NARA CUI Registry]
* [https://www.dodcui.mil/ DoD CUI Registry]
* [https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520048p.PDF DoDI 5200.48 Controlled Unclassified Information]
|-
|Daily Checkpoint
|An immediate "after-action" discussion and evaluation of an OSC’s current compliance status against CMMC practices, conducted with the OSC Assessment participants following the completion of that day’s Assessment activities such as objective Evidence review, interviews, or observations/tests. Also known in industry as a “hot wash” or “hot wash review.” Daily Checkpoint results/discussion must be recorded in a log by the Lead Assessor.
|
|-
|Disseminating
|The act of transmitting, transferring, or providing access to FCI or CUI to other authorized holders through any means, whether internal or external to an agency.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(v)]
|-
|Document
|Any tangible thing which constitutes or contains information and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writings of every kind and description over which an agency has authority. A document may be inscribed by hand or by mechanical, facsimile, electronic, magnetic, microfilm, photographic or other means, as well as phonic or visual reproductions or oral statements, conversations or events and including, but not limited to: correspondence, email, notes, reports, papers, files, manuals, books, pamphlets, periodicals, letters, memoranda, notations, messages, telegrams, cables, facsimiles, records, studies, working papers, accounting papers, contracts, licenses, certificates, grants, agreements, computer disks, computer tapes, telephone logs, computer mail, computer printouts, worksheets, sent or received communications of any kind, teletype messages, agreements, diary entries, calendars and journals, printouts, drafts, tables, compilations, tabulations, recommendations, accounts, work papers, summaries, address books, other records and recordings or transcriptions of conferences, meetings, visits, interviews, discussions or telephone conversations, charts, graphs, indexes, tapes, minutes, contracts, leases, invoices, records of purchase or sale correspondence, electronic or other transcription of taping of personal conversations or conferences and any written, printed, typed, punched, taped, filmed or graphic matter however produced or reproduced. Document also includes the file, folder, exhibits and containers, the labels on them and any metadata associated with each original or copy. Document also includes voice records, film, tapes, video tapes, email, personal computer files, electronic matter and other data compilations from which information can be obtained, including materials used in data processing.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(w)]
|-
|CMMC eMASS
|The Enterprise Mission Assurance Support Service (CMMC eMASS) is a web-based, U.S. Department of Defense off-the-shelf solution that automates a broad range of services for cybersecurity management. CMMC eMASS serves as the system of record for CMMC Assessment data and reporting.
|
|-
|Enclave
|A set of system resources that operate within the same security domain and that share the protection of a single, common, and continuous security perimeter. A segmentation of an organization’s network or data that is intended to “wall off” that network or database from all other networks or systems. A CMMC Assessment scope can be within the Assessment scope of an enclave.
|[https://csrc.nist.gov/glossary/term/enclave NIST CSRC Glossary: enclave]
|-
|Enterprise
|An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance.
|
|-
|Evidence
|The observable proof that an organization has either met or not met the standard for a particular CMMC practice.
|
|-
|Examine
|The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more Assessment objects or artifacts to facilitate understanding, achieve clarification, or obtain additional Evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an artifact to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting the organizational or project procedures that can be mapped to one or more CMMC practices, and those artifacts must be produced by people who implement, perform, or support the procedures.
|
|-
|External Cloud Service Provider
|A Supporting Organization that is providing cloud computing services to the OSC through an external connection.
|
|-
|Federal Contract Information (FCI)
|Information, not intended for public release, that is provided by or generated for the U.S. Government under a contract to develop or deliver a product or service to the U.S. Government, but not including information provided by the U.S. Government to the public (such as on public web sites) or simple transactional information, such as necessary to process payments.
|[https://www.federalregister.gov/documents/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems FAR: Basic Safeguarding of Contractor Information Systems]
|-
|Foreign Entity
|A foreign government, an international organization of governments or any element thereof, an international or foreign public or judicial body, or an international or foreign private or non-governmental organization.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(y)]
|-
|Handling
|Any use of CUI, including, but not necessarily limited to, marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(aa)]
|-
|Host Unit
|The part of a company being assessed and considered the OSC for purposes of the CMMC Assessment. A Host Unit could be a location, a division, a product line, or any other logical segmentation of an organization that can be independently assessed. Assessment results will be codified with the Host Unit name.
|
|-
|HQ Organization
|The legal entity that will be delivering services or products under the terms of a DoD contract. The HQ Organization itself could be the OSC, or it could designate a Host Unit as the OSC.
|
|-
|Interviews
|The process of conducting discussions with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of Evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an interview statement to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting the CMMC practice. Interview affirmations must be provided by people who implement, perform, or support procedures.
|
|-
|Lead Assessor
|The Certified CMMC Assessor (Lead Assessor) who oversees and manages a discrete CMMC Assessment Team.
|
|-
|Limited Practice Deficiency Correction
|With CMMC v2.0, the DoD has adopted a method to allow OSCs the ability to correct deficient CMMC practices that are found during the assessment, prior to assessment closeout (Phase 3). These practices cannot change and/or limit the effectiveness of other practices that have been scored “MET”, nor can they have been previously listed on the OSC’s Self-Assessment Practice Deficiency Tracker prior to the assessment. Finally, the practice(s) cannot lead to a significant exploitation of the OSC’s network or exfiltration of CUI; the applicable basic and derived security requirements/practices are listed in Appendix K, paragraphs e and f.
|
|-
|Mechanism
|An established process, which can involve people and/or technology, by which something takes place that brings about an intended and predictable outcome. For CMMC purposes, a mechanism might include:
* A technology-specific solution (e.g., anti-malware, firewall, file-integrity monitoring, intrusion-prevention system, multi-factor authentication, etc.);
* A manual procedure that an individual performs; or
* An administrative solution (e.g., acceptable use policy, human reviews, non-disclosure agreements, etc.).
In Assessment criteria for CMMC practices, the phrase “mechanisms exist to…” provides flexibility for the OSC to define what is most appropriate for its unique business practices. For example, more mature organizations might automate their security infrastructure and prefer technology-specific solutions, whereas less mature organizations might rely on manual procedures or administrative solutions.
|
|-
|Misuse of CUI
|Actions involving the utilization of CUI in a manner discordant with the policies and provisions contained in Executive Order 13556, the CUI Registry, Department of Defense CUI policy, or the applicable laws, regulations, and government-wide policies that govern the affected information. This may include intentional violations or unintentional errors in safeguarding or disseminating CUI. This may also include designating or marking information as CUI when it does not qualify as CUI.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(e)]
|-
|Observation
|A real-time demonstration or review of a test, system, tool, software, hardware, practice, control, or process being performed and witnessed first-hand by the Lead Assessor and, if applicable, the Assessment Team.
|
|-
|Organization Seeking Certification (OSC)
|The Defense Industrial Base (DIB) company or legal entity that is going through the CMMC Assessment process—and contracting with a C3PAO in pursuit of CMMC Certification—for a given environment and a particular CMMC Level. Also referred to as “HQ Unit”.
|
|-
|Provisional Assessor (PA)
|An individual who has received authorization from the CMMC-AB/CAICO to serve as a Provisional Assessor (PA) during the provisional CMMC Interim Voluntary Period. PAs are authorized to conduct CMMC Assessments during the CMMC Interim Voluntary Period only and will eventually be required to pass CCP, CCA, and/or Lead Assessor exams in order to attain their formal Assessor Certifications.
|
|-
|Supporting Organization
|A logical organizational boundary that is supporting the Host Unit or enclave being assessed. Though not part of the logical segmentation, systems or people within the Supporting Organization may still have access to CUI or FCI, and therefore must be included within the scope of the Assessment.
|
|-
|Test
|The process of exercising one or more Assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time and institutionalization. For a test/demonstration to be accepted as Evidence in an Assessment, it must pass its requirements and criteria while being observed by the Assessment Team. Any failed test results in a failed CMMC practice.
|
|-
|Unauthorized Disclosure
|Unauthorized disclosure occurs when an Authorized Holder of CUI intentionally or unintentionally discloses CUI without a lawful government purpose, in violation of restrictions imposed by safeguarding or dissemination practices, or contrary to limited dissemination practices.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(rr)]
|-
|Working Papers
|Documents or materials, regardless of form, that an organization or user expects to revise prior to creating a finished product. Also referred to as “drafts”.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(tt)]
|}
|}

Revision as of 16:40, 5 August 2022

Finally, the practice(s) cannot lead to a significant exploitation of the OSCs network or exfiltration of CUI, basic and derived security requirements/practices are listed in Appendix K, paragraph e & f. Mechanism An established process, which can involve people and/or technology, by which something takes place that brings about an intended and predictable outcome. For CMMC purposes, a mechanism might include: ▪ A technology-specific solution (e.g., anti-malware, firewall, file-integrity monitoring, intrusion- prevention system, multi-factor authentication, etc.); ▪ A manual procedure that an individual performs; or ▪ An administrative solution (e.g., acceptable use policy, human reviews, non-disclosure agreements, etc.). In Assessment criteria for CMMC practices, the phrase “mechanisms exist to…” provides flexibility for the OSC to define what is most appropriate for its unique business practices. For example, more mature organizations might automate their security infrastructure and prefer technology-specific solutions, whereas less mature organizations might rely on manual procedures or administrative solutions. 15 Misuse of CUI Actions involving the utilization of CUI in a manner discordant with the policies and provisions contained in Executive Order 13556, the CUI Registry, Department of Defense CUI policy, or the applicable laws, regulations, and government-wide policies that govern the affected information. This may include intentional violations or unintentional errors in safeguarding or disseminating CUI. This may also include designating or marking information as CUI when it does not qualify as CUI. Observation A real-time demonstration or review of a test, system, tool, software, hardware, practice, control, or process being performed and witnessed first-hand by the Lead Assessor and if applicable, Assessment Team. 
Organization Seeking Certification (OSC) 15 32CFR §2002(e) - https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf PRE-DECISIONAL DRAFT CMMC Assessment Process (CAP) v1.0 Page 39 PRE-DECISIONAL DRAFT The Defense Industrial Base (DIB) company or legal entity that is going through the CMMC Assessment process—and contracting with a C3PAO in pursuit of CMMC Certification—for a given environment and a particular CMMC Level. Also referred to as “HQ Unit”. Provisional Assessor (PA) An individual who has received authorization from the CMMC-AB/CAICO to serve as a Provisional Assessor (PA) during the provisional CMMC Interim Voluntary Period. PAs are authorized to conduct CMMC Assessments during the CMMC Interim Voluntary Period only and will eventually be required to pass CCP, CCA, and/or Lead Assessor exams in order to attain their formal Assessor Certifications. Supporting Organization A logical organizational boundary that is supporting the Host Unit of enclave being assessed. Though not part of the logical segmentation, systems or people within the Supporting Unit may still have access to CUI or FCI, so therefore must be included within the scope of the Assessment. Test The process of exercising one or more Assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time and institutionalization. For a test/demonstration to be accepted as Evidence in an Assessment, it must pass its requirements and criteria while being observed by the Assessment Team. Any failed test results in a failed CMMC practice. 
16 Unauthorized Disclosure Unauthorized disclosure occurs when an Authorized Holder of CUI intentionally or unintentionally discloses CUI without a lawful government purpose, in violation of restrictions imposed by safeguarding or dissemination practices or contrary to limited dissemination practices. 17 Working Papers Documents or materials, regardless of form, that an organization or user expects to revise prior to creating a finished product. Also referred to as “drafts”. 16 32CFR §2002(rr) - https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 17 32CFR §2002(tt) - https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf