This is the main content of the page.

 
 

CMMC ReferenceTerminology In CMMC

Clarifying Terminology

The Cyber AB maintains a glossary of relevant ecosystem terms. All specific CMMC Framework terms can be found in the resources provided by the DoD as well as the Cyber AB and CAICO. See the CMMC Glossary and Acronyms (osd.mil) for additional CMMC terms

Accreditation – The process of issuance of certificate(s) of accreditation.

Accreditation Body Board of Directors - The board of directors is the governing body of a nonprofit. Individuals who sit on the board are responsible for overseeing the organization’s activities. Directors meet periodically to discuss and vote on the affairs of the organization. The board of directors, as a governing body, should focus on the organization’s mission, strategy, and goals as defined in the bylaws.

Advisory Councils - Advisory Councils operate at the discretion of, but independently from the board, to inform and advise the board from the perspective of the Advisory Council’s membership. The advisory council’s leaders participate in the board as a non-voting member.

Affiliates - Business concerns, organizations, or individuals that control each other or that are controlled by a common third party. Control may consist of shared management or ownership; common use of facilities, equipment, and employees; or family interest.

Assessment - Formal process of assessing the implementation and reliable use of issuer controls using various methods of assessment (e.g., interviews, document reviews, observations) that support the assertion that an issuer is reliably meeting the requirements of a standard.  In the context of CMMC, Assessments are performed against the requirements set forth in the CMMC for the OSC’s desired CMMC Level.  Source: NIST SP 800-79-2 (adapted)

Assessment Appeals Process -  A formal process managed by the Cyber AB to seek resolution of a disagreement of an assessment result.

CAICO Approved Training Materials (CATM) - Training content developed by a Licensed Publishing Partner (LPP) and approved by the CAICO and its designated authorized agent, currently ProCert Communications.

CMMC 3rd Party Assessment Organization (“C3PAO”) – An Entity that is certified to be contracted to and OSC to provide consultative advice OR certified assessments.  

Certificate – A Record issued to an OSC upon successful completion of an Assessment which evidences the CMMC Level against which the OSC has been successfully assessed.

Certification – The process of receiving a Certificate upon successful completion of requirements mandated for earning specified certification.

Certified CMMC Assessor (CCA) – A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 2 CMMC Assessor. A Provisional Assessor (PA) will become a CCP and then a CCP by passing the associated certification exam(s).

Certified CMMC Instructor (CCI) –A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a CMMC Instructor. A Provisional Instructor (PI) will become a CCI by passing the associated certification exam.

Certified Professional (CCP) - A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 1 CMMC Assessor. A Provisional Assessor (PA) will become a CCP by passing the associated certification exam.

CMMC – The Cybersecurity Maturity Model Certification (CMMC) set of standards established by the DoD against which an OSC is to be Assessed. OUSD A&S - Cybersecurity Maturity Model Certification (CMMC) (osd.mil)

CMMC Assessment Process (CAP) –Provides procedures and guidance for CMMC C3PAOs conducting official CMMC Assessments of organizations seeking CMMC certification.

CMMC Certified Organization – An Organization whose cybersecurity program has received a CMMC Certificate from the Cyber AB.

CMMC Quality Assurance Professional (CQAP) – A Cyber AB trained person that is responsible for ensuring assessment documentation completeness and accuracy.

Code of Professional Conduct (CoPC) – Represents the performance standards by which the roles of the CMMC ecosystem will be held accountable, and the procedures for addressing violations of those performance standards.

CUI (Controlled Unclassified Information) - Information that requires safeguarding or dissemination control pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Engergy Act of 1954, as amended. Source: NIST SP800-171 Rev 2 Controlled Unclassified Information (CUI) | National Archives

Cybersecurity - Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.   Source: NSPD-54/HSPD-23

Defense Supply Chain (“DSC”) - The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. DSC was substituted for Defense Industrial Base to reflect more specifically the base subject to CMMC assessments.

Digital Signature – An electronic file which is used to authenticate other electronic files and to encrypt files at rest and/or in motion.

FCI (Federal Contract Information) - Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.  Source: 48 CFR § 52.204-21

Licensed Publishing Partner (LPP) - Developer of CMMC curriculum to be utilized by LTPs for delivering CMMC training.

Licensed Training Provider (LTP) -Provides the delivery of CMMC training to individuals.

Organization Seeking Certification (OSC) - The Organization that is going through the CMMC assessment process to receive a level of Certification for a given environment.  Source: CMMC

Registered Practitioner (RP) & Registered Practitioner Advanced (RPA) - Professionals who provide CMMC implementation consultative services. Any level of RP cannot participate on assessment teams.

Registered Practitioner Organization (RPO) - An organization authorized to represent itself as familiar with the basic constructs of the CMMC Standard, with a CMMC-AB provided logo, to deliver non-certified CMMC Consulting Services.  Signifies that the organization has agreed to the CMMC-AB Code of Professional Conduct. Source: CMMC.