Glossary & Acronyms

Many of the definitions in this glossary are taken from the DOD CMMC Glossary and Acronyms document.

Glossary

ACE (Automated Collection of Evidence)

Manual evidence collection can be arduous and time-consuming. ASCERA streamlines this process by using Splunk tooling to automate the collection of evidence.

CCM (Continuous Control Monitoring)

The automated monitoring of the effectiveness of CMMC controls, together with the gathering of relevant information, in near real time. CMMC controls designated as CCM have their compliance status determined automatically. ASCERA deploys a Compliance Rules Engine that tests the effectiveness of these controls in real time and determines their compliance status.

CMMC Assessment Scope

Includes all assets in the contractor’s environment that will be assessed.

CMMC Asset Categories

CMMC defines five asset categories for scoping activities: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. An asset's category determines how it is assessed, segmented, documented, and managed.

CMMC Level

The DoD has introduced the CMMC 2.0 model, encompassing Level 1 and Level 2. Level 1, the Foundational level, requires basic cybersecurity practices; achieving it requires implementing 17 NIST SP 800-171 controls. Level 2, the advanced level, aligns with the DoD cybersecurity requirements set out in NIST SP 800-171; attaining it requires full implementation of all 110 NIST SP 800-171 controls.

Compliance

Conformity in fulfilling official requirements.

Control

The methods, policies, and procedures, whether manual or automated, used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards. A measure that modifies risk. Note: controls include any process, policy, device, practice, or other action that modifies risk.

Controlled Unclassified Information (CUI)

Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or under the Atomic Energy Act of 1954, as amended.

DoD Weight

This scoring methodology is designed to provide an objective assessment of a contractor's NIST SP 800-171/CMMC L2 Practice implementation status. If all CMMC practices are implemented, a contractor is awarded a score of 110, consistent with the total number of CMMC L2 Practices. For each CMMC Practice not met, the weight associated with that practice is subtracted from 110. Because the score of 110 is reduced by the weight of every practice not implemented, the result may be negative. While NIST SP 800-171 does not prioritize its security requirements, certain requirements have more impact on the security of the network and its data than others. This scoring methodology captures that by weighting each security requirement according to the impact on the information system, and on the DoD CUI created on or transiting through that system, when the requirement is not implemented.

Defense Industrial Base (DIB)

The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.

Domain

A grouping of related practices based on the 14 control families set forth in NIST SP 800-171.

NIST SP 800-171

A NIST Special Publication that provides 110 recommended security requirements for protecting the confidentiality of CUI.

N/A (Not Applicable)

A security requirement can be 'not applicable' (this applies only to the implementation of the NIST SP 800-171 security requirements under DFARS 252.204-7012) if approved as such by the DoD CIO, or if the organization has implemented an alternative but equally effective security measure (which must also be approved by the DoD CIO). Note: a control approved as 'not applicable' is still assessed; the approval only changes the verification procedures. The CMMC assessor should accept a properly implemented, DoD CIO-approved alternative security measure, or a requirement adjudicated as 'not applicable' by the DoD CIO, as 'met.'

ODPs (Organizational Defined Parameters)

User-configurable variables and resources used for the automation of controls. Within the app, ODPs are numerical values used in ACE saved searches and lookups; they must be defined to meet the requirements of each control and its assessment objectives.

Owner (Control Owner)

The entity ultimately accountable for ensuring the control’s effectiveness and mitigating the risks it is designed to address.

Operator (Control Operator)

The entity responsible for the day-to-day operation of the control.

POA&M (Plan of Action and Milestones)

An artifact, or collection of artifacts, that provides oversight for implementing the defined CMMC policies. A plan should include a mission and/or vision statement, strategic goals and objectives, relevant standards and procedures, and the people, funding, and tool resources needed to implement the defined CMMC policies.

SPRS Score

The numerical grade that the DoD uses in its review and assessment of a supplier's security posture.

Status Partial

The organization has implemented some aspects of the assessment objectives.

Status In Progress

The organization is currently implementing the assessment objectives.

System Boundary (CUI System)

The scope of the system and environment being assessed: all components of an information system to be authorized for operation by an authorizing official, excluding separately authorized systems to which the information system is connected. The System Boundary is equivalent to the defined CMMC Assessment Scope.

System Security Plan (SSP)

The formal document, prepared by the information system owner (or by the common control owner for inherited controls), that provides an overview of the security requirements for the system and describes the controls in place or planned for meeting those requirements. The plan may also contain, as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan.

Acronyms

CMMC - Cybersecurity Maturity Model Certification

DoD - Department of Defense

NIST - National Institute of Standards and Technology

SPRS - Supplier Performance Risk System