CAP Glossary: Difference between revisions

From CMMC Toolkit Wiki
'''Source of Reference: The [https://cyberab.org/Portals/0/Documents/Process-Documents/CMMC-Assessment-Process-CAP-v1.0.pdf CMMC Assessment Process document] from Cybersecurity Maturity Model Certification Accreditation Body, Inc.'''


For inquiries and reporting errors on this wiki, please [mailto:support@cmmctoolkit.org contact us]. Thank you.
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Access
|
|-
|Agreements / Arrangements
|Agreements and arrangements are any vehicle that sets out specific CUI handling requirements for contractors and other information-sharing partners when the arrangement with the other party involves CUI. Agreements and arrangements include, but are not necessarily limited to, contracts, grants, licenses, certificates, and memoranda of understanding. When disseminating or sharing CUI with non-executive branch entities, agencies should enter into a written agreement/arrangement or understanding (see §2002.16(a)(5) and (6) for details). When sharing information with foreign entities, agencies should also enter agreements or arrangements, where feasible (see §2002.16(a)(5)(iii) and (a)(6) for details).
|-
|Artifacts
|Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, person, or persons performing a role in that practice, control, or process. Artifacts may be a printed hard-copy or a soft- or electronic copy of a document or file embedded in a system or software but must be a result or an output from the performance of a process within the Organization Seeking Certification.
|
|-
|Assessment
|The testing or evaluation (e.g., interviews, document reviews, observations) of security practices to determine the extent to which the practices are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization. Source: NIST SP 800-37 Rev. 2. Also referred to as “CMMC Assessment”.

Assessment is the term used by CMMC for the activity performed by the C3PAO to evaluate the CMMC level of a DIB contractor. Source: CMMC
|
|-
|Assessment Appeals Process
|A formal process managed by the Cyber AB to seek resolution of a disagreement of an assessment result.
|
|-
|Assessment Official
|The most senior representative of an Organization Seeking Certification (OSC) who is directly and actively responsible for leading and managing the OSC’s engagement in the Assessment.
|
|-
|Assessor
|An individual who is both certified and authorized to participate on a C3PAO Assessment Team and evaluate the conformity of an Organization Seeking Certification to meeting a particular CMMC level standard. See also Provisional Assessor.
|
|}


== C ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Certificate
|A Record issued to an OSC upon successful completion of an Assessment which evidences the CMMC Level against which the OSC has been successfully assessed by an authorized C3PAO. See also Limited CMMC Certification.
|
|-
|Certification
|The official CMMC credential that attests to: 1) an organization’s conformance to a particular CMMC Level; or 2) an individual’s achievement of meeting the requirements and standards of a specific CMMC profession (e.g., Assessor, Instructor).  See also Limited CMMC Certification.
|
|-
|Certified CMMC Assessor (CCA)
|A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 2 CMMC Assessor. A Provisional Assessor (PA) will become a CCP and then a CCA by passing the associated certification exam(s).
|
|-
|CMMC Certified Professional (CCP)
|A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 1 CMMC Assessor. A Provisional Assessor (PA) will become a CCP by passing the associated certification exam.
|
|-
|CMMC Certification Boundary
|Defines the assets to which an Assessor will evaluate conformity with applicable CMMC practices. This is the boundary to which a CMMC Certification will be applied.
|
|-
|CMMC Certified Assessor
|An individual who holds official CAICO Certification as a CMMC Certified Assessor.  Lead Assessors can be certified at Level 2 or Level 3, which correspond to the CMMC Level against which they are authorized to conduct CMMC Assessments.  Also referred to as “CMMC Assessor” or “Assessor”.
|
|-
|CMMC Ecosystem
|The interactive community of all CMMC professionals, including C3PAOs, Assessors, Instructors, Licensed Training Providers, Licensed Publishing Partners, Registered Practitioners, Registered Provider Organizations, as well as the Department of Defense and the CMMC Accreditation Body.
|
|-
|CMMC Level
|A specific step or level within the CMMC Standard against which CMMC Assessments are conducted.
|
|-
|CMMC Standard
|A framework that combines widely accepted NIST cybersecurity standards and maps those controls and requirements across several maturity levels that range from basic to expert cyber hygiene, and that, when implemented, will reduce risk against a specific set of cyber threats.
|
|-
|CMMC Third-Party Assessment Organization (C3PAO)
|An Entity that is authorized to be contracted to conduct independent CMMC Assessments and issue CMMC Certifications for Organizations Seeking Certification (OSCs).
|
|-
|Conflict of Interest (COI)
|A situation within the CMMC Ecosystem in which the concerns or objectives of two different parties are incompatible with one another.  Conflicts of Interest must be disclosed where they exist and, if possible, mitigated.  Conflicts of Interest left unattended by CMMC actors can threaten the impartiality of CMMC Assessments and the integrity of the CMMC Ecosystem overall.
|
|-
|Controlled Environment
|Any area or space an Authorized Holder deems to have adequate physical or procedural practices (e.g., barriers or managed access practices) to protect FCI/CUI from unauthorized access or disclosure. Also called “FCI/CUI Environment”.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(f)]
|-
|Controlled Unclassified Information (CUI)
|Government-created or owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure. DoDCUI.Mil is the authoritative source for DoD CUI as defined in DoDI 5200.48.
|
* [https://www.archives.gov/cui NARA CUI Registry]
* [https://www.dodcui.mil/ DoD CUI Registry]
* [https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520048p.PDF DoDI 5200.48 Controlled Unclassified Information]
|}


== D ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Daily Checkpoint
|An immediate "after-action" discussion and evaluation of an OSC’s current compliance status against CMMC practices conducted with the OSC Assessment participants, following the completion of that day’s Assessment activities such as objective Evidence review, interviews, or observations/tests. Also known in industry as a “hot wash” or “hot wash review.”  Daily Checkpoint results/discussion must be recorded in a log by the Lead Assessor.
|
|-
|Disseminating
|The act of transmitting, transferring, or providing access to FCI or CUI to other authorized holders through any means, whether internal or external to an agency.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(v)]
|-
|Document
|Any tangible thing which constitutes or contains information and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writings of every kind and description over which an agency has authority. A document may be inscribed by hand or by mechanical, facsimile, electronic, magnetic, microfilm, photographic or other means, as well as phonic or visual reproductions or oral statements, conversations or events and including, but not limited to: correspondence, email, notes, reports, papers, files, manuals, books, pamphlets, periodicals, letters, memoranda, notations, messages, telegrams, cables, facsimiles, records, studies, working papers, accounting papers, contracts, licenses, certificates, grants, agreements, computer disks, computer tapes, telephone logs, computer mail, computer printouts, worksheets, sent or received communications of any kind, teletype messages, agreements, diary entries, calendars and journals, printouts, drafts, tables, compilations, tabulations, recommendations, accounts, work papers, summaries, address books, other records and recordings or transcriptions of conferences, meetings, visits, interviews, discussions or telephone conversations, charts, graphs, indexes, tapes, minutes, contracts, leases, invoices, records of purchase or sale correspondence, electronic or other transcription of taping of personal conversations or conferences and any written, printed, typed, punched, taped, filmed or graphic matter however produced or reproduced. Document also includes the file, folder, exhibits and containers, the labels on them and any metadata, associated with each original or copy. Document also includes voice records, film, tapes, video tapes, email, personal computer files, electronic matter and other data compilations from which information can be obtained, including materials used in data processing.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(w)]
|}


== E ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|CMMC eMASS
|The Enterprise Mission Assurance Support Service (CMMC eMASS) is a web-based, U.S. Department of Defense off-the-shelf solution that automates a broad range of services for cybersecurity management. CMMC eMASS serves as the system of record for CMMC Assessment data and reporting.
|
|-
|Enclave
|A set of system resources that operate within the same security domain and that share the protection of a single, common, and continuous security perimeter. A segmentation of an organization’s network or data that is intended to “wall off” that network or database from all other networks or systems.  A CMMC Assessment scope can be within the Assessment scope of an enclave.
|[https://csrc.nist.gov/glossary/term/enclave Reference]
|-
|Enterprise
|An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance.
|
|-
|Evidence
|The observable proof that an organization has either met or not met the standard for a particular CMMC practice.
|
|-
|Examine
|The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more Assessment objects or artifacts to facilitate understanding, achieve clarification, or obtain additional Evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an artifact to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting the organizational or project procedures that can be mapped to one or more CMMC practices and those artifacts must be produced by people who implement or perform or support the procedures.
|
|-
|External Cloud Service Provider
|A Supporting Organization that is providing cloud computing services to the OSC through an external connection.
|
|}


== F ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Federal Contract Information (FCI)
|Information, not intended for public release, that is provided by or generated for the U.S. Government under a contract to develop or deliver a product or service to the U.S. Government, but not including information provided by the U.S. Government to the public (such as on public web sites) or simple transactional information, such as necessary to process payments.
|[https://www.federalregister.gov/documents/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems Reference]
|-
|Foreign Entity
|A foreign government, an international organization of governments or any element thereof, an international or foreign public or judicial body or an international or foreign private or non-governmental organization.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(y)]
|}


== H ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Handling
|Any use of CUI, including, but not necessarily limited to, marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(aa)]
|-
|Host Unit
|The part of a company being assessed and considered the OSC for purposes of the CMMC Assessment. A Host Unit could be a location, a division, a product line, or any other logical segmentation of an organization that can be independently assessed.  Assessment results will be codified with the Host Unit name.
|
|-
|HQ Organization
|The legal entity that will be delivering services or products under the terms of a DoD contract.  The HQ Organization itself could be the OSC, or it could designate a Host Unit as the OSC.
|
|}


== I ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Interviews
|The process of conducting discussions with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of Evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time.  For an interview statement to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting the CMMC practice. Interview affirmations must be provided by people who implement, perform, or support procedures.
|
|}


== L ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Lead Assessor
|The Certified CMMC Assessor (Lead Assessor) who oversees and manages a discrete CMMC Assessment Team.
|
|-
|Limited Practice Deficiency Correction
|With CMMC v2.0, the DoD has adopted a method to allow OSCs the ability to correct deficient CMMC practices that are found during the assessment, prior to assessment closeout (Phase 3). These practices cannot change and/or limit the effectiveness of other practices that have been scored “MET”, nor can they have been previously listed on the OSC’s Self-Assessment Practice Deficiency Tracker prior to the assessment. Finally, the practice(s) cannot lead to a significant exploitation of the OSC’s network or exfiltration of CUI; the basic and derived security requirements/practices are listed in Appendix K, paragraphs e and f.
|
|}


== M ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Mechanism
|An established process, which can involve people and/or technology, by which something takes place that brings about an intended and predictable outcome. For CMMC purposes, a mechanism might include:
* A technology-specific solution (e.g., anti-malware, firewall, file-integrity monitoring, intrusion-prevention system, multi-factor authentication, etc.);
* A manual procedure that an individual performs; or
* An administrative solution (e.g., acceptable use policy, human reviews, non-disclosure agreements, etc.).


In Assessment criteria for CMMC practices, the phrase “mechanisms exist to…” provides flexibility for the
In Assessment criteria for CMMC practices, the phrase “mechanisms exist to…” provides flexibility for the
OSC to define what is most appropriate for its unique business practices. For example, more mature
OSC to define what is most appropriate for its unique business practices. For example, more mature
organizations might automate their security infrastructure and prefer technology-specific solutions, whereas
organizations might automate their security infrastructure and prefer technology-specific solutions, whereas
less mature organizations might rely on manual procedures or administrative solutions.
less mature organizations might rely on manual procedures or administrative solutions.
|
|-
|Misuse of CUI
|Actions involving the utilization of CUI in a manner discordant with the policies and provisions contained in Executive Order 13556, the CUI Registry, Department of Defense CUI policy, or the applicable laws, regulations, and government-wide policies that govern the affected information. This may include intentional violations or unintentional errors in safeguarding or disseminating CUI. This may also include designating or marking information as CUI when it does not qualify as CUI.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(e)]
|}


== O ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Observation
|A real-time demonstration or review of a test, system, tool, software, hardware, practice, control, or process being performed and witnessed first-hand by the Lead Assessor and, if applicable, the Assessment Team.
|
|-
|Organization Seeking Certification (OSC)
|The Defense Industrial Base (DIB) company or legal entity that is going through the CMMC Assessment process—and contracting with a C3PAO in pursuit of CMMC Certification—for a given environment and a particular CMMC Level. Also referred to as “HQ Unit”.
|
|}


== P ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Provisional Assessor (PA)
|An individual who has received authorization from the CMMC-AB/CAICO to serve as a Provisional Assessor (PA) during the provisional CMMC Interim Voluntary Period.  PAs are authorized to conduct CMMC Assessments during the CMMC Interim Voluntary Period only and will eventually be required to pass CCP, CCA, and/or Lead Assessor exams in order to attain their formal Assessor Certifications.
|
|}


== S ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Supporting Organization
|A logical organizational boundary that supports the Host Unit or enclave being assessed.  Though not part of the logical segmentation, systems or people within the Supporting Organization may still have access to CUI or FCI and therefore must be included within the scope of the Assessment.
|
|}


== T ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Test
|The process of exercising one or more Assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time and institutionalization. For a test/demonstration to be accepted as Evidence in an Assessment, it must pass its requirements and criteria while being observed by the Assessment Team.  Any failed test results in a failed CMMC practice.
|
|}


== U ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Unauthorized Disclosure
|Unauthorized disclosure occurs when an Authorized Holder of CUI intentionally or unintentionally discloses CUI without a lawful government purpose, in violation of restrictions imposed by safeguarding or dissemination practices or contrary to limited dissemination practices.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(rr)]
|}


 
== W ==
{|class="wikitable" style="width: 85%;"
! style="width: 15%"| Term
! style="width: 65%"| Description
! style="width: 20%"| Footnote
|-
|Working Papers
|Documents or materials, regardless of form, that an organization or user expects to revise prior to creating a finished product.  Also referred to as “drafts”.
|[https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf 32CFR §2002(tt)]
|}

Latest revision as of 01:36, 6 August 2022
