Glossary

Artifact = A product or byproduct of the software development process. Examples include source code, architecture diagrams, requirements documents, a written test plan, results of code reviews, and a report of test results. Analysis of artifacts can provide evidence of a system’s quality with respect to various attributes, such as security.

BoE = Body of Evidence – The set of artifacts that the DoD uses to support CMMC/NIST/DFARS assessment of a DoD contractor/vendor.

C3PAO = CMMC 3rd Party Assessment Organization – An entity that is certified to be contracted to an OSC to provide consultative advice or certified assessments.

CCP = Certified CMMC Professional – A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 1 CMMC Assessor. A Provisional Assessor (PA) will become a CCP by passing the associated certification exam.

CCA = Certified CMMC Assessor – A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 2 CMMC Assessor.

CUI = Controlled Unclassified Information – Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls.

DFARS = Defense Federal Acquisition Regulation Supplement – The principal set of rules regarding federal government defense procurement in the United States.

DIB = Defense Industrial Base – The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.

DIBCAC = Defense Industrial Base Cybersecurity Assessment Center – DIBCAC assesses DoD contractors’ compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and the National Institute of Standards and Technology (NIST) SP 800-171, “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations,” as well as the NIST SP 800-171 DoD Assessment Requirements of DFARS clause 252.204-7020.

FedRAMP = Federal Risk and Authorization Management Program – A government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.

FCI = Federal Contract Information – Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as that necessary to process payments. Source: 48 CFR § 52.204-21

ITAR = International Traffic in Arms Regulations – Regulations administered by the Department of State that control the export of defense and military-related technologies to safeguard U.S. national security and further U.S. foreign policy objectives.

MEP = Manufacturing Extension Partnership – A public-private partnership with Centers in all 50 states and Puerto Rico dedicated to serving small and medium-sized manufacturers.

NIST = National Institute of Standards and Technology – Part of the U.S. Department of Commerce, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve American quality of life. NIST issues guidelines and standards for computer security. http://www.nist.gov

POAM = Plan of Action & Milestones – A document for a system that identifies tasks needing to be accomplished and details the resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for milestones.

RMF = Risk Management Framework – A high-level approach to iterative risk analysis that is deeply integrated throughout the software development life cycle (SDLC). RMF consists of five fundamental activity stages: 1) understand the business context, 2) identify the business and technical risks, 3) synthesize and prioritize the risks, producing a ranked set, 4) define the risk mitigation strategy, and 5) carry out required fixes and validate that they are correct.

RP/RPA = Registered Practitioner & Registered Practitioner Advanced – Professionals who provide CMMC implementation consultative services.

RPO = Registered Practitioner Organization – An organization authorized to represent itself as familiar with the basic constructs of the CMMC Standard, with a CMMC-AB provided logo, to deliver non-certified CMMC Consulting Services. This signifies that the organization has agreed to the CMMC-AB Code of Professional Conduct.

SOC = Security Operations Center – A command center facility for a team of information technology (IT) professionals with expertise in information security (infosec) who monitor, analyze, and protect an organization from cyber-attacks.

SPRS Score = Supplier Performance Risk System Score – The result of a NIST SP 800-171 DoD Assessment that is performed in accordance with the NIST SP 800-171 DoD Assessment Methodology. SPRS is a web-enabled enterprise application that gathers, processes, and displays data about supplier performance; it is DoD’s single, authorized application to retrieve supplier performance information.

SSP = System Security Plan – A formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements.

* Sources: cyberab.org; nist.gov; dod.gov; cisa.gov