[qdeck card_back="white" align="center" random="true"]
Welcome to this set of flashcards about the CMMC and related topics. Here’s how it works:
Click ‘Check answer’ to see the answer to each card.
If you don’t know it as well as you’d like to, click ‘Need more practice,’ and that card will go to the bottom of the stack so you can practice it again.
If you know it, click ‘Got it.’
‘Shuffle’ lets you shuffle the deck.
[start]
[q] AA
[a] Audit and Accountability
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ABAC
[a] Attribute-Based Access Control
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] AC
[a] Access Control
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Access
[a] Ability to make use of any information system (IS) resource.
Source: CNSSI 4009, NIST SP 800-32
[q] Access Authority
[a] An entity responsible for monitoring and granting access privileges for other authorized entities.
Source: CNSSI 4009
[q] Access Control
[a] The process of granting or denying specific requests to:
– obtain and use information and related information-processing services; and
– enter specific physical facilities (e.g., federal buildings, company offices).
source: CMMC-Assessment-Process-CAP-v1.0
[q] Access Control Policy (Access Management Policy)
[a] The set of rules that define the conditions under which an access may take place.
Source: NISTIR 7316
[q] Access Profile
[a] Association of a user with a list of protected objects the user may access.
Source: CNSSI 4009
[q] Accountability
[a] The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
Source: NIST SP 800-27
[q] ACSC
[a] Australian Cyber Security Centre
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Activity / Activities
[a] Set of actions that are accomplished within a practice in order to make it successful. Multiple activities can make up a practice. Practices may have only one activity or a set of activities.
Source: CMMC
[q] Adequate security
[a] means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
source: DFARS 252.204-7012
[q] Administrative Safeguards
[a] Administrative actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect any electronic information that is by definition “protected information” (e.g., protected health information) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
Source: NIST SP 800-66 Rev 1 (adapted)
[q] Advanced Persistent Threat (APT)
[a] An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat:
• pursues its objectives repeatedly over an extended period of time;
• adapts to defenders’ efforts to resist it; and
• is determined to maintain the level of interaction needed to execute its objectives.
Source: NIST SP 800-39
[q] Adversarial Assessment
[a] Assesses the ability of an organization equipped with a system to support its mission while withstanding cyber threat activity representative of an actual adversary.
Source: DoDI 5000.02 Enclosure 14 (adapted)
[q] Adversary
[a] Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Source: CNSSI 4009
[q] AES
[a] Advanced Encryption Standard
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Agency
[a] Agency (also Federal agency, executive agency, executive branch agency) is any “executive agency,” as defined in 5 U.S.C. 105; the United States Postal Service; and any other independent entity within the executive branch that designates or handles CUI.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Agency CUI policies
[a] Agency CUI policies are the policies the agency enacts to implement the CUI Program within the agency. They must be in accordance with the Order, this part, and the CUI Registry and approved by the CUI EA.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] aggregation
[a] The creation of classified information from the accumulation of unclassified data or information from several areas within a document.
source: DoD Instruction 5200.48
[q] Agreements / Arrangements
[a] Agreements and arrangements are any vehicle that sets out specific CUI handling requirements for contractors and other information-sharing partners when the arrangement with the other party involves CUI. Agreements and arrangements include, but are not necessarily limited to, contracts, grants, licenses, certificates, and memoranda of understanding. When disseminating or sharing CUI with non-executive branch entities, agencies should enter into a written agreement/arrangement or understanding (see §2002.16(a)(5) and (6) for details). When sharing information with foreign entities, agencies should also enter agreements or arrangements, where feasible (see §2002.16(a)(5)(iii) and (a)(6) for details).
source: CMMC-Assessment-Process-CAP-v1.0
[q] AIA
[a] Aerospace Industries Association
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Air Gap
[a] An interface between two systems that:
• are not connected physically and
• do not have any logical connection automated (i.e., data is transferred through the interface only manually, under human control).
Source: IETF RFC 4949 v2
[q] Alert
[a] An internal or external notification that a specific action has been identified within an organization’s information systems.
Source: CNSSI 4009 (adapted)
[q] AM
[a] Asset Management
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Anti-Malware Tools
[a] Tools that help identify, prevent execution, and reverse engineer malware.
Source: CMMC
[q] Anti-Spyware Software
[a] A program that specializes in detecting both malware and non-malware forms of spyware.
Source: NIST SP 800-69
[q] Anti-Tamper
[a] Systems engineering activities intended to deter and/or delay exploitation of technologies in a system in order to impede countermeasure development, unintended technology transfer, or alteration of a system.
Source: DoDI 5200.39 (adapted)
[q] Anti-Virus Software
[a] A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.
Source: NIST SP 800-83
[q] API
[a] Application Programming Interface
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] APT
[a] Advanced Persistent Threat
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Artifacts
[a] Tangible and reviewable records that are the direct outcome of a practice or process being performed by a system, person, or persons performing a role in that practice, control, or process. Artifacts may be a printed hard-copy or a soft- or electronic copy of a document or file embedded in a system or software but must be a result or an output from the performance of a process within the Organization Seeking Certification.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Assessment
[a] The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
Source: NIST SP 800-37 Rev. 2
Assessment is the term used by CMMC for the activity performed by the C3PAO to evaluate the CMMC level of a DIB contractor. Self-assessment is the term used by CMMC for the activity performed by a DIB contractor to evaluate their own CMMC level.
Source: CMMC
[q] Assessment Appeals Process
[a] A formal process managed by the Cyber AB to seek resolution of a disagreement of an assessment result.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Assessment Official
[a] The most senior representative of an Organization Seeking Certification (OSC) who is directly and actively responsible for leading and managing the OSC’s engagement in the Assessment.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Assessor
[a] An individual who is both certified and authorized to participate on a C3PAO Assessment Team and evaluate the conformity of an Organization Seeking Certification to meeting a particular CMMC level standard. See also Provisional Assessor.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Asset (Organizational Asset)
[a] Anything that has value to an organization, including, but not limited to, another organization, person, computing device, information technology (IT) system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards).
Source(s): NISTIR 7693, NISTIR 7694
[q] Asset Custodian (Custodian)
[a] A person or group responsible for the day-to-day management, operation, and security of an asset.
Source: CMMC
[q] Asset Management (AM)
[a] Management of organizational assets. This may include inventory, configuration, destruction, disposal, and updates to organizational assets.
Source: CERT RMM v1.2
[q] Asset Owner (Information Asset Owner)
[a] A person or organizational unit (internal or external to the organization) with primary responsibility for the viability, productivity, security, and resilience of an organizational asset. For example, the accounts payable department is the owner of the vendor database.
Source: CERT RMM v1.2
[q] Asset Types
[a] The following asset types should be included when classifying assets:
• People – employees, contractors, vendors, and external service provider personnel;
• Technology – servers, client computers, mobile devices, network appliances (e.g., firewalls, switches, APs, and routers), VoIP devices, applications, virtual machines, and database systems;
• Facilities – physical office locations, satellite offices, server rooms, datacenters, manufacturing plants, and secured rooms; and
• External Service Provider (ESP) – external people, technology, or facilities that the organization utilizes, including Cloud Service Providers, Managed Service Providers, Managed Security Service Providers, Cybersecurity-as-a-Service Providers.
Source: CMMC
[q] AT
[a] Awareness and Training
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Attack Surface
[a] The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from.
Source: NIST SP 800-160 Vol. 2
[q] Attribute-Based Access Control (ABAC)
[a] Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.
Source: CNSSI 4009
[q] AU
[a] Audit and Accountability
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Audit
[a] Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
Source: NIST SP 800-32
[q] Audit Log
[a] A chronological record of system activities. Includes records of system accesses and operations performed in a given period.
Source: CNSSI 4009
[q] Audit Record
[a] An individual entry in an audit log related to an audited event.
Source: NIST SP 800-53 Rev 5
[q] Authentication
[a] A security measure designed to protect a communications system against acceptance of fraudulent transmission or simulation by establishing the validity of a transmission, message, originator, or a means of verifying an individual’s eligibility to receive specific categories of information.
Source: CNSSI 4005, NSA/CSS Manual Number 3-16
[q] Authenticator
[a] Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. This was previously referred to as a token.
Source: NIST SP 800-53 Rev 5
[q] Authoritative Source (Trusted Source)
[a] An entity that has access to, or verified copies of, accurate information from an issuing source such that a Credential Service Provider (CSP) can confirm the validity of the identity evidence supplied by an applicant during identity proofing. An issuing source may also be an authoritative source. Often, authoritative sources are determined by a policy decision of the agency or CSP before they can be used in the identity proofing validation phase.
Source: NIST SP 800-63-3
[q] Authorization
[a] The right or a permission that is granted to a system entity (user, program, or process) to access a system resource.
Source: NIST SP 800-82 Rev 2 (adapted)
[q] Authorized holder
[a] Authorized holder is an individual, agency, organization, or group of users that is permitted to designate or handle CUI, in accordance with this part.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Availability
[a] • Ensuring timely and reliable access to and use of information.
• Timely, reliable access to data and information services for authorized users.
Source: CNSSI 4009
[q] Awareness
[a] A learning process that sets the stage for training by changing individual and organizational attitudes to realize the importance of security and the adverse consequences of its failure.
Source: NIST SP 800-16
[q] Awareness and Training Program
[a] Explains proper rules of behavior for the use of agency information systems and information. The program communicates information technology (IT) security policies and procedures that need to be followed. (i.e., NSTISSD 501, NIST SP 800-50).
Source: CNSSI 4009
[q] Backup
[a] A copy of files and programs made to facilitate recovery, if necessary.
Source: NIST SP 800-34, CNSSI 4009
[q] Baseline
[a] Hardware, software, databases, and relevant documentation for an information system at a given point in time.
Source: CNSSI 4009
[q] Baseline Configuration
[a] A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
Source: NIST SP 800-128
[q] Baseline Security
[a] The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection.
Source: NIST SP 800-16
[q] Baselining
[a] Monitoring resources to determine typical utilization patterns so that significant deviations can be detected.
Source: NIST SP 800-61
[q] Blacklist
[a] A list of discrete entities, such as IP addresses, host names, applications, software libraries, and so forth that have been previously determined to be associated with malicious activity thus requiring access or execution restrictions.
Source: NIST SP 800-114 (adapted), NIST SP 800-94 (adapted), CNSSI 4009 (adapted)
[q] Blacklisting Software
[a] A list of applications (software) and software libraries that are forbidden to execute on an organizational asset.
Source: NIST SP 800-94 (adapted)
[q] Blue Team
[a] • The group responsible for defending an organization’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically, the Blue Team and its supporters must defend against real or simulated attacks:
— over a significant period of time;
— in a representative operational context (e.g., as part of an operational exercise); and
— according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team).
• The term Blue Team is also used for defining a group of individuals who conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture. The Blue Team identifies security threats and risks in the operating environment, and in cooperation with the customer, analyzes the network environment and its current state of security readiness. Based on the Blue Team findings and expertise, they provide recommendations that integrate into an overall community security solution to increase the customer’s cyber security readiness posture. Often, a Blue Team is employed by itself or prior to a Red Team employment to ensure that the customer’s networks are as secure as possible before having the Red Team test the systems.
Source: CNSSI 4009 (adapted)
[q] Breach
[a] An incident where an adversary has gained access to the internal network of an organization or an organizationally owned asset in a manner that breaks the organizational policy for accessing cyber assets and results in the loss of information, data, or asset. A breach usually consists of the loss of an asset due to the gained access.
Source: CMMC
[q] BYOD
[a] Bring Your Own Device
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] C2M2
[a] Cybersecurity Capability Maturity Model
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] C3PAO
[a] CMMC Third-Party Assessment Organization
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CA
[a] Security Assessment
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CDI
[a] Covered Defense Information
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CD-ROM
[a] Compact Disc Read-Only Memory
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CEA
[a] Council of Economic Advisers
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CERT
[a] Computer Emergency Response Team
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CERT RMM
[a] CERT® Resilience Management Model
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Certificate
[a] A Record issued to an OSC upon successful completion of an Assessment which evidences the CMMC Level against which the OSC has been successfully assessed by an authorized C3PAO. See also Limited CMMC Certification.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Certification
[a] The official CMMC credential that attests to: 1) an organization’s conformance to a particular CMMC Level; or 2) an individual’s achievement of meeting the requirements and standards of a specific CMMC profession (e.g., Assessor, Instructor). See also Limited CMMC Certification.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Certified CMMC Assessor (CCA)
[a] A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 2 CMMC Assessor. A Provisional Assessor (PA) will become a CCP and then a CCA by passing the associated certification exam(s).
source: CMMC-Assessment-Process-CAP-v1.0
[q] CFR
[a] Code of Federal Regulations
source: DoD Instruction 5200.48
[q] Change Control (Change Management)
[a] The process of regulating and approving changes to hardware, firmware, software, and documentation throughout the development and operational life cycle of an information system.
Source: NIST SP 800-128, CNSSI 4009
[q] CI
[a] Configuration Item
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CIO
[a] Chief Information Officer
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Cipher
[a] • Any cryptographic system in which arbitrary symbols or groups of symbols, represent units of plain text, or in which units of plain text are rearranged, or both.
• A series of transformations that converts plaintext to ciphertext using the Cipher Key.
Source: FIPS 197
[q] Ciphertext
[a] A term that describes data in its encrypted form.
Source: NIST SP 800-57 Part 1 Rev 3
[q] CIS
[a] Computer Information System
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CISA
[a] Cybersecurity and Infrastructure Security Agency
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Classified information
[a] Classified information is information that Executive Order 13526, “Classified National Security Information,” December 29, 2009 (3 CFR, 2010 Comp., p. 298), or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended, requires agencies to mark with classified markings and protect against unauthorized disclosure.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] CM
[a] Configuration Management
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CMMC
[a] Cybersecurity Maturity Model Certification
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CMMC Assessment Scope
[a] Includes all assets in the contractor’s environment that will be assessed.
Source: CMMC
[q] CMMC Asset Categories
[a] CMMC defined five asset categories for scoping activities: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Asset. Asset categories determine: assessment, segmentation, documentation, and management of assets.
Source: CMMC
[q] CMMC Certification Boundary
[a] Defines the assets to which an Assessor will evaluate conformity with applicable CMMC practices. This is the boundary to which a CMMC Certification will be applied.
source: CMMC-Assessment-Process-CAP-v1.0
[q] CMMC Certified Assessor
[a] An individual who holds official CAICO Certification as a CMMC Certified Assessor. Lead Assessors can be certified at Level 2 or Level 3, which correspond to the CMMC Level against which they are authorized to conduct CMMC Assessments. Also referred to as “CMMC Assessor” or “Assessor”.
source: CMMC-Assessment-Process-CAP-v1.0
[q] CMMC Certified Professional (CCP)
[a] A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 1 CMMC Assessor. A Provisional Assessor (PA) will become a CCP by passing the associated certification exam.
source: CMMC-Assessment-Process-CAP-v1.0
[q] CMMC Ecosystem
[a] The interactive community of all CMMC professionals, including C3PAOs, Assessors, Instructors, Licensed Training Providers, Licensed Publishing Partners, Registered Practitioners, Registered Provider Organizations, as well as the Department of Defense and the CMMC Accreditation Body.
source: CMMC-Assessment-Process-CAP-v1.0
[q] CMMC eMASS
[a] The Enterprise Mission Assurance Support Service (CMMC eMASS) is a web-based, U.S. Department of Defense off-the-shelf solution that automates a broad range of services for cybersecurity management. CMMC eMASS serves as the system of record for CMMC Assessment data and reporting.
source: CMMC-Assessment-Process-CAP-v1.0
[q] CMMC Level
[a] A specific step or level within the CMMC Standard against which CMMC Assessments are conducted.
source: CMMC-Assessment-Process-CAP-v1.0
[q] CMMC Standard
[a] A framework that combines widely accepted NIST cybersecurity standards and maps those controls and requirements across several maturity levels that range from basic to expert cyber hygiene, and that, when implemented, will reduce risk against a specific set of cyber threats.
source: CMMC-Assessment-Process-CAP-v1.0
[q] CMMC Third-Party Assessment Organization (C3PAO)
[a] An Entity that is authorized to be contracted to conduct independent CMMC Assessments and issue CMMC Certifications for Organizations Seeking Certification (OSCs).
source: CMMC-Assessment-Process-CAP-v1.0
[q] CMO
[a] Chief Management Officer of the Department of Defense
source: DoD Instruction 5200.48
[q] CNSI
[a] classified national security information
source: DoD Instruction 5200.48
[q] CNSSD
[a] Committee on National Security Systems Directive
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CNSSI
[a] Committee on National Security Systems Instructions
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] compilation
[a] The creation of classified information resulting from the accumulation of unclassified data or information from several documents.
source: DoD Instruction 5200.48
[q] Compliance
[a] Conformity in fulfilling official requirements.
Source: Merriam-Webster
[q] Component
[a] A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware.
Source: NIST SP 800-171 Rev. 2 (under “system component”), NIST SP 800-128
[q] Compromise
[a] means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
source: DFARS 252.204-7012
[q] COMSEC
[a] Communications Security
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Confidentiality
[a] Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
Source: 44 U.S.C. 3542
[q] Configuration Item (CI)
[a] An aggregation of system components that is designated for configuration management and treated as a single entity in the configuration management process.
Source: NIST SP 800-53 Rev 5
[q] Configuration Management (CM)
[a] A collection of activities focused on establishing and maintaining the integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
Source: NIST SP 800-53 Rev 5
[q] Conflict of Interest (COI)
[a] A situation within the CMMC Ecosystem in which the concerns or objectives of two different parties are incompatible with one another. Conflicts of Interest must be disclosed where they exist and, if possible, mitigated. Conflicts of Interest left unattended by CMMC actors can threaten the impartiality of CMMC Assessments and the integrity of the CMMC Ecosystem overall.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Consequence
[a] Effect (change or non-change), usually associated with an event or condition or with the system and usually allowed, facilitated, caused, prevented, changed, or contributed to by the event, condition, or system.
Source: NIST SP 800-160
[q] Container (Information Asset Container)
[a] A physical or logical location where assets are stored, transported, and processed. A container can encompass technical containers (servers, network segments, personal computers), physical containers (paper, file rooms, storage spaces, or other media such as CDs, disks, and flash drives), and people (including people who might have detailed knowledge about the information asset).
Source: CERT RMM v1.2
[q] Context Aware
[a] The ability of a system or a system component to gather information about its environment at any given time and adapt behaviors accordingly. Contextual or context-aware computing uses software and hardware to automatically collect and analyze data to guide responses.
Source: CMMC
[q] Continuity of Operations
[a] An organization’s ability to sustain assets and services in response to a disruptive event. It is typically used interchangeably with service continuity or continuity of service.
Source: CERT RMM v1.2 (adapted)
[q] Continuous
[a] Continuing without stopping; ongoing.
Source: Merriam-Webster (adapted)
[q] Continuous Monitoring
[a] Maintaining ongoing awareness to support organizational risk decisions. Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Source(s): CNSSI 4009-2015, NIST SP 800-137, NIST SP 800-150
[q] Contractor attributional/proprietary information
[a] means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
source: DFARS 252.204-7012
[q] Contractor Risk Managed Assets
[a] Contractor Risk Managed Assets are capable of, but are not intended to, process, store, or transmit CUI because of the security policy, procedures, and practices in place.
Source: CMMC
[q] Control
[a] The methods, policies, and procedures—manual or automated—used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards. A measure that is modifying risk.
Note: controls include any process, policy, device, practice, or other actions which modify risk.
Source: NISTIR 8053 (adapted)
[q] Control level
[a] Control level is a general term that indicates the safeguarding and disseminating requirements associated with CUI Basic and CUI Specified.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Controlled Environment
[a] Any area or space an Authorized Holder deems to have adequate physical or procedural practices (e.g., barriers or managed access practices) to protect FCI/CUI from unauthorized access or disclosure. Also called “FCI/CUI Environment”.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Controlled technical information
[a] means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
source: DFARS 252.204-7012
[q] Controlled Unclassified Information (CUI)
[a] Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.
Source: NIST SP 800-171 Rev 2
[q] Controls
[a] Controls are safeguarding or dissemination controls that a law, regulation, or Government-wide policy requires or permits agencies to use when handling CUI. The authority may specify the controls it requires or permits the agency to apply, or the authority may generally require or permit agencies to control the information (in which case, the agency applies controls from the Order, this part, and the CUI Registry).
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Covered contractor information system
[a] means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
source: DFARS 252.204-7012
[q] Covered defense information
[a] means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
source: DFARS 252.204-7012
[q] Covered Defense Information (CDI)
[a] A term used to identify information that requires protection under DFARS Clause 252.204-7012. Unclassified controlled technical information (CTI) or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies and is:
• Marked or otherwise identified in the contract, task order, or delivery order and provided to contractor by or on behalf of, DoD in support of the performance of the contract; OR
• Collected, developed, received, transmitted, used, or stored by—or on behalf of—the contractor in support of the performance of the contract.
Source: DFARS Clause 252.204-7012
[q] CPI
[a] Critical Program Information
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CPM
[a] Component program manager
source: DoD Instruction 5200.48
[q] Cryptographic Hashing Function
[a] The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data.
Source: CNSSI 4009
[q] CSAO
[a] Component senior agency official
source: DoD Instruction 5200.48
[q] CSF
[a] Cybersecurity Framework
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CSIS
[a] Center for Strategic and International Studies
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CSP
[a] Credential Service Provider
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CTI
[a] controlled technical information
source: DoD Instruction 5200.48
[q] CUI
[a] controlled unclassified information
source: DoD Instruction 5200.48
[q] CUI Assets
[a] Assets that process, store, or transmit CUI.
Source: CMMC
[q] CUI Basic
[a] CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified in this section), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] CUI categories and subcategories
[a] CUI categories and subcategories are those types of information for which laws, regulations, or Government-wide policies require or permit agencies to exercise safeguarding or dissemination controls, and which the CUI EA has approved and listed in the CUI Registry. The controls for any CUI Basic categories and any CUI Basic subcategories are the same, but the controls for CUI Specified categories and subcategories can differ from CUI Basic ones and from each other. A CUI category may be Specified, while some or all of its subcategories may not be, and vice versa. If dealing with CUI that falls into a CUI Specified category or subcategory, review the controls for that category or subcategory on the CUI Registry. Also consult the agency’s CUI policy for specific direction from the Senior Agency Official.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] CUI category or subcategory markings
[a] CUI category or subcategory markings are the markings approved by the CUI EA for the categories and subcategories listed in the CUI Registry.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] CUI Executive Agent (EA)
[a] CUI Executive Agent (EA) is the National Archives and Records Administration (NARA), which implements the executive branch-wide CUI Program and oversees Federal agency actions to comply with the Order. NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO).
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] CUI Indexes
[a] An organizational grouping of CUI categories as defined by the CUI EA. The term was created by the CUI EA to replace the notion of a sub-category, which implies a hierarchy structure or importance.
source: DoD Instruction 5200.48
[q] CUI misuse
[a] Use of CUI in a manner not in accordance with the policy contained in E.O. 13556; Part 2002 of Title 32, CFR; the CUI Registry; agency CUI policy; or the applicable LRGWP governing the information.
source: DoD Instruction 5200.48
[q] CUI Program
[a] CUI Program is the executive branch-wide program to standardize CUI handling by all Federal agencies. The Program includes the rules, organization, and procedures for CUI, established by the Order, this part, and the CUI Registry.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] CUI Program manager
[a] CUI Program manager is an agency official, designated by the agency head or CUI SAO, to serve as the official representative to the CUI EA on the agency’s day-to-day CUI Program operations, both within the agency and in interagency contexts.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] CUI Registry
[a] CUI Registry is the online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI EA other than this part. Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] CUI senior agency official (SAO)
[a] CUI senior agency official (SAO) is a senior official designated in writing by an agency head and responsible to that agency head for implementation of the CUI Program within that agency. The CUI SAO is the primary point of contact for official correspondence, accountability reporting, and other matters of record between the agency and the CUI EA.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] CUI Specified
[a] CUI Specified is the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out specific controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls apply to those aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] CVE
[a] Common Vulnerabilities and Exposures
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CVMP
[a] Cryptographic Module Validation Program
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] CWE
[a] Common Weakness Enumeration
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Cyber incident
[a] means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
source: DFARS 252.204-7012
[q] Cybersecurity
[a] Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Source: NSPD-54/HSPD-23
[q] D/A
[a] Department/Agency
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Daily Checkpoint
[a] An immediate “after-action” discussion and evaluation of an OSC’s current compliance status against CMMC practices conducted with the OSC Assessment participants, following the completion of that day’s Assessment activities such as objective Evidence review, interviews, or observations/tests. Also known in industry as a “hot wash” or “hot wash review.” Daily Checkpoint results/discussion must be recorded in a log by the Lead Assessor.
source: CMMC-Assessment-Process-CAP-v1.0
[q] DCISE
[a] DIB Collaborative Information Sharing Environment
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] DCS
[a] Distributed Control System
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] DCSA
[a] Defense Counterintelligence and Security Agency
source: DoD Instruction 5200.48
[q] DD
[a] Represents any two-character CMMC Domain acronym
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] DDI(CL&S)
[a] Director for Defense Intelligence (Counterintelligence, Law Enforcement, and Security)
source: DoD Instruction 5200.48
[q] Decontrolling
[a] Decontrolling occurs when an authorized holder, consistent with this part and the CUI Registry, removes safeguarding or dissemination controls from CUI that no longer requires such controls. Decontrol may occur automatically or through agency action. See § 2002.18.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Defense Industrial Base (DIB)
[a] The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
Source: DIB Sector-Specific Plan, DHS CISA
[q] Demilitarized Zone (DMZ)
[a] A perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s Information Assurance (IA) policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks.
Source: CNSSI 4009
[q] Dependency
[a] When an entity has access to, control of, ownership in, possession of, responsibility for, or other defined obligations related to one or more assets or services of the organization.
Source: CERT RMM v1.2 (adapted)
[q] Designating agency
[a] Designating agency is the executive branch agency that designates or approves the designation of a specific item of information as CUI.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Designating CUI
[a] Designating CUI occurs when an authorized holder, consistent with this part and the CUI Registry, determines that a specific item of information falls into a CUI category or subcategory. The authorized holder who designates the CUI must make recipients aware of the information’s CUI status in accordance with this part.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] DFARS
[a] Defense Federal Acquisition Regulation Supplement
source: DoD Instruction 5200.48
[q] DHC
[a] Device Health Check
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] DIB
[a] Defense Industrial Base
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Disseminating
[a] The act of transmitting, transferring, or providing access to FCI or CUI to other authorized holders through any means, whether internal or external to an agency.
source: CMMC-Assessment-Process-CAP-v1.0
[q] DKIM
[a] Domain Key Identified Mail
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] DMARC
[a] Domain-based Message Authentication, Reporting, and Conformance
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] DMZ
[a] Demilitarized Zone
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] DNI
[a] Director of National Intelligence
source: DoD Instruction 5200.48
[q] DNS
[a] Domain Name System
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] DNSSEC
[a] Domain Name System Security
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Document
[a] Any tangible thing which constitutes or contains information and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writings of every kind and description over which an agency has authority. A document may be inscribed by hand or by mechanical, facsimile, electronic, magnetic, microfilm, photographic or other means, as well as phonic or visual reproductions or oral statements, conversations or events and including, but not limited to: correspondence, email, notes, reports, papers, files, manuals, books, pamphlets, periodicals, letters, memoranda, notations, messages, telegrams, cables, facsimiles, records, studies, working papers, accounting papers, contracts, licenses, certificates, grants, agreements, computer disks, computer tapes, telephone logs, computer mail, computer printouts, worksheets, sent or received communications of any kind, teletype messages, agreements, diary entries, calendars and journals, printouts, drafts, tables, compilations, tabulations, recommendations, accounts, work papers, summaries, address books, other records and recordings or transcriptions of conferences, meetings, visits, interviews, discussions or telephone conversations, charts, graphs, indexes, tapes, minutes, contracts, leases, invoices, records of purchase or sale correspondence, electronic or other transcription of taping of personal conversations or conferences and any written, printed, typed, punched, taped, filmed or graphic matter however produced or reproduced. Document also includes the file, folder, exhibits and containers, the labels on them and any metadata, associated with each original or copy. Document also includes voice records, film, tapes, video tapes, email, personal computer files, electronic matter and other data compilations from which information can be obtained, including materials used in data processing.
source: CMMC-Assessment-Process-CAP-v1.0
[q] DoD
[a] Department of Defense
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] DoD CIO
[a] Department of Defense Chief Information Officer
source: DoD Instruction 5200.48
[q] DoDD
[a] DoD directive
source: DoD Instruction 5200.48
[q] DoDI
[a] DoD instruction
source: DoD Instruction 5200.48
[q] DoDM
[a] DoD manual
source: DoD Instruction 5200.48
[q] Domain
[a] Grouping of like practices based on the 14 control families set forth in NIST SP 800-171.
Source: CMMC
[q] DPCI
[a] Derived PIV Credential Issuers
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] DVD
[a] Digital Versatile Disc
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] E.O.
[a] Executive order
source: DoD Instruction 5200.48
[q] EA
[a] Executive Agent
source: DoD Instruction 5200.48
[q] Enclave
[a] A set of system resources that operate within the same security domain and that share the protection of a single, common, and continuous security perimeter. A segmentation of an organization’s network or data that is intended to “wall off” that network or database from all other networks or systems. A CMMC Assessment scope can be within the Assessment scope of an enclave.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Encryption
[a] The process of changing plaintext into cipher text.
Source: NISTIR 7621 Rev 1, CNSSI 4009
[q] Encryption Policies
[a] Policies that manage the use, storage, disposal, and protection of cryptographic keys used to protect organization data and communications.
Source: CERT RMM v1.2
[q] Endorse
[a] Declare one’s public approval or support of.
Source: Oxford Dictionary
[q] Enterprise
[a] An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information and mission management.
Source: CNSSI 4009
[q] Enterprise Architecture
[a] The description of an enterprise’s entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise’s boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture.
Source: CNSSI 4009
[q] Environment of Operations
[a] The physical and logical surroundings in which an information system processes, stores, and transmits information.
Source: NIST 800-53 Rev 5 (adapted)
[q] eSATA
[a] External Serial Advanced Technology Attachment
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ESP
[a] External Service Provider
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Establish and Maintain
[a] Whenever “establish and maintain” (or “established and maintained”) is used as a phrase, it refers not only to the development and maintenance of the object of the practice (such as a policy) but to the documentation of the object and observable usage of the object. For example, “Formal agreements with external entities are established and maintained” means that not only are the agreements formulated, but they also are documented, have assigned ownership, and are maintained relative to corrective actions, changes in requirements, or improvements.
Source: CERT RMM v1.2
[q] Event
[a] Any observable occurrence in a system and/or network. Events sometimes provide indication that an incident is occurring.
Source: CNSSI 4009
[q] Event Correlation
[a] Finding relationships between two or more events.
Source: NIST SP 800-92
[q] Evidence
[a] The observable proof that an organization has either met or not met the standard for a particular CMMC practice.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Examine
[a] The process of checking, inspecting, reviewing, observing, studying, or analyzing one or more Assessment objects or artifacts to facilitate understanding, achieve clarification, or obtain additional Evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an artifact to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting the organizational or project procedures that can be mapped to one or more CMMC practices and those artifacts must be produced by people who implement or perform or support the procedures.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Exercise
[a] A simulation of an emergency designed to validate the viability of one or more aspects of an information technology plan.
Source: NIST SP 800-84
[q] External Cloud Service Provider
[a] A Supporting Organization that is providing cloud computing services to the OSC through an external connection.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Facility
[a] Physical means or equipment for facilitating the performance of an action, e.g., buildings, instruments, tools.
Source: NIST SP 800-160
[q] FAQ
[a] Frequently Asked Question
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] FAR
[a] Federal Acquisition Regulation
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] FBI
[a] Federal Bureau of Investigation
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] FCI
[a] Federal Contract Information
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] FDDI
[a] Fiber Distributed Data Interface
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] FDE
[a] Full Disk Encryption
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Federal Contract Information (FCI)
[a] Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Source: 48 CFR § 52.204-21
[q] Federal information system
[a] Federal information system is an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. 44 U.S.C. 3554(a)(1)(A)(ii).
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Federated Trust
[a] Trust established within a federation or organization, enabling each of the mutually trusting realms to share and use trust information (e.g., credentials) obtained from any of the other mutually trusting realms. This trust can be established across computer systems and networks architectures.
Source: NIST SP 800-95
[q] Federation
[a] A collection of realms (domains) that have established trust among themselves. The level of trust may vary, but typically includes authentication and may include authorization.
Source: NIST SP 800-95
[q] FedRAMP
[a] Federal Risk and Authorization Management Program
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] FFRDC
[a] Federally Funded Research and Development Center
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] FIPS
[a] Federal Information Processing Standard
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Firewall
[a] A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.
Source: NIST SP 800-41 Rev 1
[q] Flash Drive
[a] A removable storage device that utilizes the USB port of a system for data transfer.
Source: CMMC
[q] FOIA
[a] Freedom of Information Act
source: DoD Instruction 5200.48
[q] Foreign Entity
[a] A foreign government, an international organization of governments or any element thereof, an international or foreign public or judicial body or an international or foreign private or non-governmental organization.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Forensic analysis
[a] means the practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
source: DFARS 252.204-7012
[q] Formerly Restricted Data (FRD)
[a] Formerly Restricted Data (FRD) is a type of information classified under the Atomic Energy Act, and defined in 10 CFR 1045, Nuclear Classification and Declassification.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] FTP
[a] File Transfer Protocol
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] GDPR
[a] General Data Protection Regulation
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Government Property
[a] All property owned or leased by the Government. Government property includes both Government-furnished and Contractor-acquired property. Government property includes material, equipment, special tooling, special test equipment, and real property. Government property does not include intellectual property or software.
Source: FAR 52.245-1
[q] GPI
[a] Geodetic Product Information
source: DoD Instruction 5200.48
[q] Handling
[a] Any use of CUI, including, but not necessarily limited to, marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.
source: CMMC-Assessment-Process-CAP-v1.0
[q] High-Value Asset (HVA)
[a] Asset, organization information system, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the organization’s interests, relations, economy, or to the employee or stockholder confidence, civil liberties, or health and safety of the organization’s people. An HVA may contain sensitive controls, instructions, data used in critical organization operations, or unique collections of data (by size or content), or support an organization’s mission essential functions, making it of specific value to criminal, politically motivated, or state sponsored actors for either direct exploitation or to cause a loss of confidence in the organization.
Source: OMB M-17-09 (adapted)
[q] High-Value Service
[a] Service on which the success of the organization’s mission depends.
Source: CERT RMM v1.2
[q] HIPAA
[a] Health Insurance Portability and Accountability Act
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Host Unit
[a] The part of a company being assessed and considered the OSC for purposes of the CMMC Assessment. A Host Unit could be a location, a division, a product line, or any other logical segmentation of an organization that can be independently assessed. Assessment results will be codified with the Host Unit name.
source: CMMC-Assessment-Process-CAP-v1.0
[q] HQ Organization
[a] The legal entity that will be delivering services or products under the terms of a DoD contract. The HQ Organization itself could be the OSC, or it could designate a Host Unit as the OSC.
source: CMMC-Assessment-Process-CAP-v1.0
[q] HSPD
[a] Homeland Security Presidential Directive
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] HTTP
[a] Hypertext Transfer Protocol
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] HTTPS
[a] Hypertext Transfer Protocol Secure
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] HVA
[a] High-Value Asset
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] IA
[a] Information Assurance
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] IBAC
[a] Identity-Based Access Control
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] IC3
[a] Internet Crime Complaint Center
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ICAM
[a] Identity, Credential, and Access Management
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ICS
[a] Industrial Control System
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ID
[a] Identification
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] IDA
[a] Identification and Authentication
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Identification
[a] The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items.
Source: CNSSI 4009-2015, FIPS 201-1, NIST SP 800-79-2
[q] Identity
[a] The set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.
Note: This also encompasses non-person entities (NPEs).
Source: NIST SP 800-161, NISTIR 7622, CNSSI 4009
[q] Identity Management System
[a] Identity management system comprised of one or more systems or applications that manages the identity verification, validation, and issuance process.
Source: NISTIR 8149
[q] Identity, Credential, and Access Management (ICAM)
[a] Programs, processes, technologies, and personnel used to create trusted digital identity representations of individuals and non-person entities (NPEs), bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions, and leverage the credentials to provide authorized access to an organization’s resources.
Source: CNSSI 4009 (adapted)
[q] Identity-Based Access Control (IBAC)
[a] Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.
Source: CERT RMM v1.2
[q] IDPS
[a] Intrusion Detection and Prevention Systems
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] IEC
[a] International Electrotechnical Commission
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] IETF
[a] Internet Engineering Task Force
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] IIoT
[a] Industrial Internet of Things
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Incident
[a] An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Source: NIST SP 800-171 Rev 2
[q] Incident Handling (Incident Response)
[a] The actions the organization takes to prevent or contain the impact of an incident to the organization while it is occurring or shortly after it has occurred.
Source: CERT RMM v1.2
[q] Incident Stakeholder
[a] A person or organization with a vested interest in the management of an incident throughout its life cycle.
Source: CERT RMM v1.2
[q] Industrial Control System (ICS)
[a] General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other control system configurations such as programmable logic controllers (PLCs) found in the industrial sectors and critical infrastructures. An industrial control system consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).
Source: NIST SP 800-53 Rev 5
[q] Information Flow
[a] The flow of information or connectivity from one location to another. This can be related to data as well as connectivity from one system to another, or from one security domain to another. The authorization granting permission for information flow comes from a control authority granting permission to an entity, asset, role, or group.
Source: CMMC
[q] Information system
[a] means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
source: DFARS 252.204-7012
[q] Information System Component
[a] A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system, excluding separately authorized systems to which the information system is connected. Information system components include commercial information technology products.
Source: CNSSI 4009-2015, NIST SP 800-53 Rev 4 (adapted)
[q] Insider
[a] Any person with authorized access to any organization or United States Government resource to include personnel, facilities, information, equipment, networks, or systems.
Source: CNSSD No. 504
[q] Insider Threat
[a] The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the organization or the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of departmental resources or capabilities.
Source: CNSSD No. 504 (adapted)
[q] Insider Threat Program
[a] A coordinated collection of capabilities authorized by the Department/Agency (D/A) that is organized to deter, detect, and mitigate the unauthorized disclosure of sensitive information.
Source: CNSSD No. 504
[q] Integrity
[a] The security objective that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).
Source: NIST SP 800-33
[q] Internet of Things (IoT)
[a] Interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors.
Source: iot.ieee.org/definition; NIST SP 800-183
[q] Interviews
[a] The process of conducting discussions with individuals or groups of individuals in an organization to facilitate understanding, achieve clarification, or lead to the location of Evidence. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time. For an interview statement to be accepted as Evidence in an Assessment, it must demonstrate the extent of implementing, performing, or supporting the CMMC practice. Interview affirmations must be provided by people who implement, perform, or support procedures.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Inventory
[a] The physical or virtual verification of the presence of each organizational asset.
Source: CNSSI 4005 (adapted)
[q] IoT
[a] Internet of Things
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] IP
[a] Internet Protocol
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] IPSec
[a] Internet Protocol Security
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] IR
[a] Incident Response
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] IS
[a] information systems
source: DoD Instruction 5200.48
[q] ISAC
[a] Information Sharing and Analysis Center
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ISAO
[a] Information Sharing and Analysis Organization
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ISCM
[a] Information Security Continuous Monitoring
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ISDN
[a] Integrated Services Digital Network
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ISO
[a] International Organization for Standardization
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ISOO
[a] Information Security Oversight Office
source: DoD Instruction 5200.48
[q] IT
[a] Information Technology
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ITIL
[a] Information Technology Infrastructure Library
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] L#
[a] Level Number
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] LAN
[a] Local Area Network
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Lawful Government purpose
[a] Lawful Government purpose is any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement).
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] LDC
[a] limited dissemination controls
source: DoD Instruction 5200.48
[q] Lead Assessor
[a] The Certified CMMC Assessor (Lead Assessor) who oversees and manages a discrete CMMC Assessment Team.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Least Privilege
[a] A security principle that restricts the access privileges of authorized personnel (e.g., program execution privileges, file modification privileges) to the minimum necessary to perform their jobs.
Source: NIST SP 800-57 Part 2
[q] Legacy material
[a] Legacy material is unclassified information that an agency marked as restricted from access or dissemination in some way, or otherwise controlled, prior to the CUI Program.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Life Cycle
[a] Evolution of a system, product, service, project, or other human-made entity from conception through retirement.
Source: NIST SP 800-161
[q] Limited dissemination control
[a] Limited dissemination control is any CUI EA-approved control that agencies may use to limit or specify CUI dissemination.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Limited Distribution
[a] A legacy CUI category used by the National Geospatial-Intelligence Agency to identify a select group of sensitive, unclassified imagery or geospatial information and data created or distributed by the National Geospatial-Intelligence Agency or information, data, and products derived from such information (marked as LIMDIS and now referred to as GPI by the CUI EA).
source: DoD Instruction 5200.48
[q] Limited Practice Deficiency Correction
[a] With CMMC v2.0, the DoD has adopted a method to allow OSCs the ability to correct deficient CMMC practices that are found during the assessment, prior to assessment closeout (Phase 3). These practices cannot change and/or limit the effectiveness of other practices that have been scored “MET”, nor can they have been previously listed on the OSC’s Self-Assessment Practice Deficiency Tracker prior to the assessment. Finally, the practice(s) cannot lead to a significant exploitation of the OSC’s network or exfiltration of CUI; the basic and derived security requirements/practices are listed in Appendix K, paragraphs e and f.
source: CMMC-Assessment-Process-CAP-v1.0
[q] logical access
[a] Electronic access controls authenticated through outside certificates accepted by the DoD to limit access to data files and systems only by vetted individuals.
source: DoD Instruction 5200.48
[q] LSI
[a] Large-Scale Integration
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] MA
[a] Maintenance
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] MAC
[a] Media Access Control
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Maintenance
[a] Any act that either prevents the failure or malfunction of equipment or restores its operating capability.
Source: NIST SP 800-82 Rev 2
[q] Malicious Code
[a] Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
Source: CNSSI 4009
[q] Malicious software
[a] means computer software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. This definition includes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as spyware and some forms of adware.
source: DFARS 252.204-7012
[q] Malware
[a] Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code (malware).
Source: NIST SP 800-82 Rev 2
[q] Maturity Model
[a] A maturity model is a set of characteristics, attributes, or indicators that represent progression in a particular domain. A maturity model allows an organization or industry to have its practices, processes, and methods evaluated against a clear set of requirements (such as activities or processes) that define specific maturity levels. At any given maturity level, an organization is expected to exhibit the capabilities of that level. A maturity model is a tool that helps assess the current effectiveness of an organization and supports determining what capabilities it needs in order to reach the next level of maturity and continue progressing up the levels of the model.
Source: CERT RMM v1.2
[q] MC
[a] Maturity Capability
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] MC##
[a] Maturity Capability Number
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] MDM
[a] Mobile Device Management
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Mechanism
[a] An established process, which can involve people and/or technology, by which something takes place that brings about an intended and predictable outcome. For CMMC purposes, a mechanism might include:
– A technology-specific solution (e.g., anti-malware, firewall, file-integrity monitoring, intrusion-prevention system, multi-factor authentication, etc.);
– A manual procedure that an individual performs; or
– An administrative solution (e.g., acceptable use policy, human reviews, non-disclosure agreements, etc.).
In Assessment criteria for CMMC practices, the phrase “mechanisms exist to…” provides flexibility for the OSC to define what is most appropriate for its unique business practices. For example, more mature organizations might automate their security infrastructure and prefer technology-specific solutions, whereas less mature organizations might rely on manual procedures or administrative solutions.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Media
[a] Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.
Source: FIPS 200
[q] Media Sanitization
[a] The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Source: NIST SP 800-88 Rev 1
[q] MEP
[a] Manufacturing Extension Partnership
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] MFA
[a] Multifactor Authentication
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Misuse of CUI
[a] Actions involving the utilization of CUI in a manner discordant with the policies and provisions contained in Executive Order 13556, the CUI Registry, Department of Defense CUI policy, or the applicable laws, regulations, and government-wide policies that govern the affected information. This may include intentional violations or unintentional errors in safeguarding or disseminating CUI. This may also include designating or marking information as CUI when it does not qualify as CUI.
source: CMMC-Assessment-Process-CAP-v1.0
[q] ML
[a] Maturity Level
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] ML#
[a] Maturity Level Number
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] MMC
[a] Multimedia Card
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Mobile Code
[a] Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient. Note: Some examples of software technologies that provide the mechanisms for the production and use of mobile code include Java, JavaScript, ActiveX, VBScript, etc.
Source: NIST SP 800-53 Rev 5, NIST SP 800-18, CNSSI 4009
[q] Mobile Device
[a] A portable computing device that:
• has a small form factor such that it can easily be carried by a single individual;
• is designed to operate without a physical connection (e.g., wirelessly transmit or receive information);
• possesses local, non-removable data storage; and
• is powered on for extended periods of time with a self-contained power source.
Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture (e.g., photograph, video, record, or determine location) information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and e-readers.
Note: Laptops are excluded from the scope of this definition (see NIST SP 800-124).
Source: NIST SP 800-53 Rev 5
[q] Monitor
[a] The act of continually checking, supervising, critically observing, or determining the status in order to identify change from the performance level required or expected at an organizationally defined frequency and rate.
Source: NIST SP 800-160 (adapted)
[q] MP
[a] Media Protection
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Multifactor Authentication (MFA)
[a] An authentication system or an authenticator that requires more than one authentication factor for successful authentication. Multifactor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors.
Source: NIST SP 800-53 Rev 5
[q] N/A
[a] Not Applicable (NA)
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] NARA
[a] National Archives and Records Administration
source: DoD Instruction 5200.48
[q] NAS
[a] Network Attached Storage
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] National Security System
[a] National Security System is a special type of information system (including telecommunications systems) whose function, operation, or use is defined in National Security Directive 42 and 44 U.S.C. 3542(b)(2).
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] NCSC
[a] National Cyber Security Centre
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] NISP
[a] National Industrial Security Program
source: DoD Instruction 5200.48
[q] NIST
[a] National Institute of Standards and Technology
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] NIST SP
[a] National Institute of Standards and Technology Special Publication
source: DoD Instruction 5200.48
[q] NISTIR
[a] NIST Interagency (or Internal) Report
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] NNPI
[a] Naval Nuclear Propulsion Information
source: DoD Instruction 5200.48
[q] NOFORN or NF
[a] not releasable to foreign nationals
source: DoD Instruction 5200.48
[q] Non-executive branch entity
[a] Non-executive branch entity is a person or organization established, operated, and controlled by individual(s) acting outside the scope of any official capacity as officers, employees, or agents of the executive branch of the Federal Government. Such entities may include: Elements of the legislative or judicial branches of the Federal Government; state, interstate, tribal, or local government elements; and private organizations. Non-executive branch entity does not include foreign entities as defined in this part, nor does it include individuals or organizations when they receive CUI information pursuant to federal disclosure laws, including the Freedom of Information Act (FOIA) and the Privacy Act of 1974.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] NPE
[a] Non-Person Entity
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] NSA
[a] National Security Agency
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] NSA/CSS
[a] NSA Central Security Service
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] NSPD
[a] National Security Presidential Directive
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] NSTISSD
[a] National Security Telecommunications and Information Systems Security Directive
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] NTP
[a] Network Time Protocol
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] NYSSCPA
[a] New York State Society of CPAs
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Observation
[a] A real-time demonstration or review of a test, system, tool, software, hardware, practice, control, or process being performed and witnessed first-hand by the Lead Assessor and, if applicable, the Assessment Team.
source: CMMC-Assessment-Process-CAP-v1.0
[q] OCA
[a] original classification authority
source: DoD Instruction 5200.48
[q] Official
[a] for direction, administration, and oversight of the DoD’s Information Security Program, including classification, declassification, CUI, safeguarding, and security education and training programs, and for the efficient and effective implementation of the guidance in this issuance.
source: DoD Instruction 5200.48
[q] OIG DoD
[a] Office of the Inspector General of the Department of Defense
source: DoD Instruction 5200.48
[q] OMB
[a] Office of Management and Budget
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] On behalf of an agency
[a] On behalf of an agency occurs when a non-executive branch entity uses or operates an information system or maintains or collects information for the purpose of processing, storing, or transmitting Federal information, and those activities are not incidental to providing a service or product to the Government.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Ongoing Basis
[a] Actions occurring indefinitely. Actions that do not stop unless a stop action is purposely put in place.
Source: CMMC
[q] Operational Resilience
[a] The ability of systems to resist, absorb, and recover from or adapt to an adverse occurrence during operation that may cause harm, destruction, or loss of ability to perform mission-related functions.
Source: CNSSI 4009
[q] Operational Technology (OT)
[a] Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.
Source: DOE O 205.1C, Department of Energy Cyber Security Program
[q] Operationally critical support
[a] means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
source: DFARS 252.204-7012
[q] Order
[a] Order is Executive Order 13556, Controlled Unclassified Information, November 4, 2010 (3 CFR, 2011 Comp., p. 267), or any successor order.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Organization
[a] An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements).
Source: NIST SP 800-37 Rev 1
[q] Organization Seeking Certification (OSC)
[a] The entity that is going through the CMMC assessment process to receive a level of certification for a given environment.
Source: CMMC
[q] Organizational System(s)
[a] The term organizational system is used in many of the CUI security requirements in NIST Special Publication 800-171. This term has a specific meaning regarding the scope of applicability for the CUI security requirements. The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. The appropriate scoping for the security requirements is an important factor in determining protection-related investment decisions and managing security risk for nonfederal organizations that have the responsibility of safeguarding CUI.
Source: NIST SP 800-171 Rev 1
[q] Organizationally Defined
[a] As determined by the contractor being assessed. This can be applied to a frequency or rate at which something occurs within a given time period, or it could be associated with describing the configuration of a contractor’s solution.
Source: CMMC
[q] OS
[a] Operating System
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] OSC
[a] Organization Seeking Certification
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] OT
[a] Operational Technology
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] OUSD A&S
[a] Office of the Under Secretary of Defense for Acquisition and Sustainment
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Out-of-Scope Asset
[a] Out-of-Scope Assets cannot process, store, or transmit CUI because they are physically or logically separated from CUI Assets or are inherently unable to do so.
Source: CMMC
[q] Patch
[a] An update to an operating system, application, or other software issued specifically to correct particular problems with the software.
Source: NIST SP 800-123
[q] PCI
[a] Personal Identity Verification Card Issuers
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] PDA
[a] Personal Digital Assistant
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] PE
[a] Physical Protection
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Penetration Testing (Pentesting)
[a] Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.
Source: NIST SP 800-115
[q] Periodically
[a] Occurring at regular intervals. As used in many practices within CMMC, the interval length is organizationally defined to provide contractor flexibility, with an interval length of no more than one year.
Source: Oxford Dictionary (adapted)
[q] Personally Identifiable Information (PII)
[a] Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.
Source: NIST SP 800-53 Rev 5
[q] PFPA
[a] Pentagon Force Protection Agency
source: DoD Instruction 5200.48
[q] PGP
[a] Pretty Good Privacy
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] physical access
[a] All DoD and non-DoD personnel entering or exiting DoD facilities or installations that are authenticated by a physical access control system (PACS).
source: DoD Instruction 5200.48
[q] PII
[a] Personally Identifiable Information
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] PIV
[a] Personal Identity Verification
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] PKI
[a] Public Key Infrastructure
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Plan
[a] An artifact or collection of artifacts that provides oversight for implementing defined CMMC policies. A plan should include a mission and/or vision statement, strategic goals/objectives, relevant standards and procedures, and the people, funding, and tool resources needed to implement the defined CMMC policies.
Source: CMMC
[q] PLC
[a] Programmable Logic Controller
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] POC
[a] Point of Contact
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Policy
[a] An artifact or collection of artifacts that establishes governance over the implementation of CMMC practices and activities. The policy should include the stated purpose, the defined scope, roles and responsibilities of the activities covered by the policy, and any included regulatory guidelines. The policy should establish or direct the establishment of procedures to carry out and meet the intent of the policy and should be endorsed by senior management to show its support of the policy.
Source: CMMC
[q] Portable Storage Device
[a] A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).
Source: NIST SP 800-171 Rev 2
[q] Portion
[a] Portion is ordinarily a section within a document, and may include subjects, titles, graphics, tables, charts, bullet statements, sub-paragraphs, bullet points, or other sections.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] POTS
[a] Plain Old Telephone Service
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] PP
[a] Physical Protection
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] PPD
[a] Presidential Policy Directive
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Practice
[a] An activity or set of activities that are performed to meet the defined CMMC objectives.
Source: CMMC
[q] Privilege
[a] A right granted to an individual, a program, or a process.
Source: CNSSI 4009, NIST SP 800-12 Rev 1
[q] Privileged Account
[a] A user, system, or network account authorized (and, therefore, trusted) to perform security-relevant functions that ordinary accounts are not authorized to perform.
Source: NIST SP 800-171 Rev. 2 (adapted)
[q] Privileged User
[a] A user who is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Source: NIST SP 800-171 Rev. 2
[q] Procedure
[a] The documented details for how an activity is implemented to achieve a desired outcome. A procedure should provide enough detail for a trained individual to perform the activity.
Source: CMMC
[q] Process
[a] A procedural activity that is performed to implement a defined objective.
Source: CMMC
[q] Protection
[a] Protection includes all controls an agency applies or must apply when handling information that qualifies as CUI.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Provisional Assessor (PA)
[a] An individual who has received authorization from the CMMC-AB/CAICO to serve as a Provisional Assessor (PA) during the provisional CMMC Interim Voluntary Period. PAs are authorized to conduct CMMC Assessments during the CMMC Interim Voluntary Period only and will eventually be required to pass CCP, CCA, and/or Lead Assessor exams in order to attain their formal Assessor Certifications.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Proxy (Web Proxy)
[a] An application that “breaks” the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it.
Note: This effectively closes the straight path between the internal and external networks making it more difficult for an attacker to obtain internal addresses and other details of the organization’s internal network. Proxy servers are available for common Internet services; for example, a hypertext transfer protocol (HTTP/HTTPS) proxy used for Web access.
Source: CNSSI 4009 (adapted)
[q] PS
[a] Personnel Security
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] PUB
[a] Publication
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Public release
[a] Public release occurs when the agency that originally designated particular information as CUI makes that information available to the public through the agency’s official public release processes. Disseminating CUI to non-executive branch entities as authorized does not constitute public release. Releasing information to an individual pursuant to the Privacy Act of 1974 or disclosing it in response to a FOIA request also does not automatically constitute public release, although it may if that agency ties such actions to its official public release processes. Even though an agency may disclose some CUI to a member of the public, the Government must still control that CUI unless the agency publicly releases it through its official public release processes.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] RADIUS
[a] Remote Authentication Dial-in User Service
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Rapidly report
[a] means within 72 hours of discovery of any cyber incident.
source: DFARS 252.204-7012
[q] RE
[a] Recovery
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Real Time, Real-Time (modifier)
[a] Pertaining to the performance of a computation during the actual time that the related physical process transpires so that the results of the computation can be used to guide the physical process.
Source(s): NIST SP 800-82 Rev. 2, NISTIR 6859
[q] Records
[a] Records are agency records and Presidential papers or Presidential records (or Vice-Presidential), as those terms are defined in 44 U.S.C. 3301 and 44 U.S.C. 2201 and 2207. Records also include such items created or maintained by a Government contractor, licensee, certificate holder, or grantee that are subject to the sponsoring agency’s control under the terms of the entity’s agreement with the agency.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Recovery
[a] Actions necessary to restore data files of an information system and computational capability after a system failure.
Source: CNSSI 4009
[q] Red Team
[a] A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
Source: CNSSI 4009
[q] Red Teaming
[a] The act(s) performed by a “red team” in order to identify weaknesses, vulnerabilities, procedural shortcomings, and misconfigurations within an organization’s cyber environment. Red Teaming includes creation of a “Rules of Engagement” document, which the red team honors over the course of its actions. It is expected that the Red Team will produce a final report at the end of the event period.
Source: CMMC
[q] Regularly
[a] On a regular basis: at regular intervals.
Source: Oxford Dictionary
[q] REL TO
[a] releasable to
source: DoD Instruction 5200.48
[q] Remote Access
[a] Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., the Internet).
Source: NIST SP 800-171 Rev. 2
[q] Removable Media
[a] Portable data storage medium that can be added to or removed from a computing device or network.
Note: Examples include, but are not limited to: optical discs (CD, DVD, Blu-ray); external/removable hard drives; external/removable Solid-State Disk (SSD) drives; magnetic/optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external/removable disks (floppy, Zip, Jaz, Bernoulli, UMD).
Source: CNSSI 4009
[q] Reporting [forensics]
[a] The final phase of the computer and network forensic process, which involves reporting the results of the analysis; this may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of the forensic process. The formality of the reporting step varies greatly depending on the situation.
Source: NIST SP 800-86
[q] Required or permitted (by a law, regulation, or Government-wide policy)
[a] Required or permitted (by a law, regulation, or Government-wide policy) is the basis by which information may qualify as CUI. If a law, regulation, or Government-wide policy requires that agencies exercise safeguarding or dissemination controls over certain information, or specifically permits agencies the discretion to do so, then that information qualifies as CUI. The term ‘specifically permits’ in this context can include language such as “is exempt from applying certain information release or disclosure requirements,” “may release or disclose the information,” “may not be required to release or disclose the information,” “is responsible for protecting the information,” and similar specific, but indirect, forms of granting the agency discretion regarding safeguarding or dissemination controls. This does not include general agency or agency head authority and discretion to make decisions, risk assessments, or other broad agency authorities, discretions, and powers, regardless of the source. The CUI Registry reflects all appropriate authorizing authorities.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Residual Risk
[a] Portion of risk remaining after security measures have been applied.
Source: NIST SP 800-33 (adapted)
[q] Resilience
[a] The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
Source: PPD 21
[q] Restricted Data (RD)
[a] Restricted Data (RD) is a type of information classified under the Atomic Energy Act, defined in 10 CFR part 1045, Nuclear Classification and Declassification.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Restricted Information Systems
[a] Systems (and associated IT components comprising the system) that are configured based on government requirements (i.e., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas).
Source: CMMC
[q] Re-use
[a] Re-use means incorporating, restating, or paraphrasing information from its originally designated form into a newly created document.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Rev
[a] Revision
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] RF
[a] Radio Frequency
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] RFC
[a] Request for Comments
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Risk
[a] A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:
• the adverse impacts that would arise if the circumstance or event occurs and
• the likelihood of occurrence.
System-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or systems. Such risks reflect the potential adverse impacts to organizational operations, organizational assets, individuals, other organizations, and the Nation.
Source: FIPS 200 (adapted)
[q] Risk Analysis
[a] The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.
Source: NIST SP 800-27
[q] Risk Assessment
[a] • The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system.
• Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Source: NIST SP 800-171
[q] Risk Management (RM)
[a] The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes:
• establishing the context for risk-related activities,
• assessing risk,
• responding to risk once determined, and
• monitoring risk over time.
Source: CNSSI 4009
[q] Risk Mitigation
[a] Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
Source: CNSSI 4009
[q] Risk Mitigation Plan
[a] A strategy for mitigating risk that seeks to minimize the risk to an acceptable level.
Source: CERT RMM v1.2
[q] Risk Tolerance
[a] The level of risk an entity is willing to assume in order to achieve a potential desired result.
Source: CNSSI 4009
[q] RM
[a] Risk Management
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] RMM
[a] Resilience Management Model
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Root Directory
[a] The top-level directory in a folder hierarchy.
Source: CMMC
[q] Root-Cause Analysis
[a] An approach for determining the underlying causes of events or problems as a means of addressing the symptoms of such events as they manifest in organizational disruptions.
Source: CERT RMM v1.2
[q] RPO
[a] Recovery Point Objectives
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] RTO
[a] Recovery Time Objectives
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] SA
[a] Situational Awareness
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] SaaS
[a] Software as a Service
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] safeguarding
[a] Prescribed measures and controls that protect classified information and CUI.
source: DoD Instruction 5200.48
[q] Safeguards
[a] The protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
Source: FIPS 200
[q] Sandboxing
[a] A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.
Source: CNSSI 4009
[q] SAS
[a] Security Assessment
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] SC
[a] System and Communications Protection
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] SCADA
[a] Supervisory Control and Data Acquisition
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Scanning
[a] Sending packets or requests to another system to gain knowledge about the asset, processes, services, and operations.
Source: CNSSI 4009 (adapted)
[q] SCG
[a] security classification guide
source: DoD Instruction 5200.48
[q] SCRM
[a] Supply Chain Risk Management
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Security Control Assessment (Security Assessment, Security Practice Assessment)
[a] The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.
Source: CNSSI 4009 (adapted)
[q] Security Domain
[a] An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture.
Source: CNSSI 4009
[q] Security Operations Center (SOC)
[a] A centralized function within an organization utilizing people, processes, and technologies to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
Source: CMMC
[q] Security Policy
[a] Security policies define the objectives and constraints for the security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to the questions “what” and “why” without dealing with “how.” Policies are normally stated in terms that are technology-independent.
Source: NIST SP 800-82 Rev 2
[q] Security Protection Assets
[a] Security Protection Assets provide security functions or capabilities within the contractor’s CMMC Assessment Scope.
Source: CMMC
[q] Self-inspection
[a] Self-inspection is an agency’s internally managed review and evaluation of its activities to implement the CUI Program.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] Senior Agency
[a] An official appointed by the Secretary of Defense to be responsible
source: DoD Instruction 5200.48
[q] Sensitive Information
[a] Information where the loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act).
Source: NIST SP 800-53 Rev 4 (adapted)
[q] Separation of Duties
[a] Refers to the principle that no user should be given enough privileges to misuse the system on their own. For example, the person authorizing a paycheck should not also be the one who can prepare them. Separation of duties can be enforced either statically (by defining conflicting roles, i.e., roles which cannot be executed by the same user) or dynamically (by enforcing the control at access time).
Source: NIST SP 800-192
[q] Service Continuity Plan
[a] A service-specific plan for sustaining services and associated assets under degraded conditions.
Source: CERT RMM v1.2
[q] SHA
[a] Security Hash Algorithm
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] SHA-256
[a] A Secure Hash Algorithm (SHA) that produces a condensed representation of electronic data, or message digest, 256 bits in length.
Source: FIPS 180-4
[q] SI
[a] System and Information Integrity
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] SIEM
[a] Security Integration and Event Management
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Situational Awareness (SA)
[a] Within a volume of time and space, the perception of an enterprise’s security posture and its threat environment; the comprehension/meaning of both taken together (risk); and the projection of their status into the near future.
Source: CNSSI 4009
[q] SMS
[a] Short Message Service
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] SNM
[a] special nuclear material
source: DoD Instruction 5200.48
[q] SOC
[a] Security Operations Center
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] SP
[a] Special Publication
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Specialized Asset
[a] The following are considered specialized assets for CMMC: Government Property, Internet of Things (IoT) or Industrial Internet of Things (IIoT), Operational Technology (OT), and Restricted Information Systems.
Source: CMMC
[q] SPF
[a] Sender Policy Framework
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Split Tunneling
[a] The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices (e.g., a networked printer) at the same time as accessing uncontrolled networks.
Source: NIST SP 800-171
[q] Spyware
[a] Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.
Source: NIST SP 800-53 Rev 5
[q] SSC
[a] Secure Socket Layer
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] SSD
[a] Solid-State Disk
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] SSP
[a] System Security Plan
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Standard Process
[a] An operational definition of the basic process that guides the establishment of a common process in an organization. A standard process describes the fundamental process elements that are expected to be incorporated into any defined process. It also describes relationships (e.g., ordering, interfaces) among these process elements.
Source: CERT RMM v1.2
[q] Standards
[a] A document, established by consensus and approved by a recognized body, that provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.
Note: Standards should be based on the consolidated results of science, technology and experience, and aimed at the promotion of optimum community benefits.
Source: NISTIR 8074 Vol. 2
[q] Subnetwork
[a] A subordinate part of an organization’s enterprise network.
Source: CMMC
[q] Supply Chain
[a] A system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers.
Source: CNSSI 4009
[q] Supply Chain Attack
[a] Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.
Source: CNSSI 4009
[q] Supply Chain Risk Management (SCRM)
[a] A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).
Source: CNSSD No. 505
[q] Supporting Organization
[a] A logical organizational boundary that is supporting the Host Unit of enclave being assessed. Though not part of the logical segmentation, systems or people within the Supporting Unit may still have access to CUI or FCI, and therefore must be included within the scope of the Assessment.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Sustain
[a] Maintain a desired operational state.
Source: CERT RMM v1.2
[q] System Assets
[a] Any software, hardware (IT, OT, IoT), data, administrative, physical, communications, or personnel resource within an information system.
Source: CNSSI 4009
[q] System Boundary
[a] The scope of the system and environment being assessed. All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected. The System Boundary is equivalent to the defined CMMC Assessment Scope.
Source: CNSSI 4009-2015 (under “authorization boundary”), NIST SP 800-53 Rev. 4, NIST SP 800-53A Rev. 1, NIST SP 800-37 Rev. 1
[q] System Integrity
[a] The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
Source: NIST SP 800-27
[q] System Interconnection
[a] A system interconnection is defined as the direct connection of two or more IT systems for the purpose of sharing data and other information resources.
Source: NIST 800-47
[q] System Security Plan (SSP)
[a] The formal document prepared by the information system owner (or common security controls owner for inherited controls) that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. The plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan.
Source: CNSSI 4009
[q] Tampering
[a] An intentional but unauthorized act resulting in the modification of a system, components of systems, its intended behavior, or data.
Source: NIST SP 800-53 Rev 5
[q] Technical information
[a] means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data—Noncommercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
source: DFARS 252.204-7012
[q] Test
[a] The process of exercising one or more Assessment objects under specified conditions to compare actual with expected behavior. The results are used to support the determination of security safeguard existence, functionality, correctness, completeness, and potential for improvement over time and institutionalization. For a test/demonstration to be accepted as Evidence in an Assessment, it must pass its requirements and criteria while being observed by the Assessment Team. Any failed test results in a failed CMMC practice.
source: CMMC-Assessment-Process-CAP-v1.0
[q] Test Equipment
[a] Hardware and/or associated IT components used in the testing of products, system components, and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters, and special test equipment).
Source: CMMC
[q] Threat
[a] Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Source: NIST SP 800-30 Rev 1
[q] Threat Actor
[a] An individual or a group posing a threat.
Source: NIST SP 800-150
[q] Threat Intelligence
[a] Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
Source: NIST SP 800-150
[q] Threat Monitoring
[a] Analysis, assessment, and review of audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security.
Source: CNSSI 4009
[q] TLS
[a] Transport Layer Security
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Trigger
[a] A set of logic statements to be applied to a data stream that produces an event when an anomalous incident or behavior occurs.
Source: CNSSD No. 504 (adapted)
[q] Trojan Horse
[a] A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Source: CNSSI 4009
[q] TTP
[a] Tactics, Techniques, and Procedures
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Tunneling
[a] Technology enabling one network to send its data via another network’s connections. Tunneling works by encapsulating a network protocol within packets carried by the second network.
Source: CNSSI 4009
[q] U
[a] Unclassified information
source: DoD Instruction 5200.48
[q] U.S.
[a] United States
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] U.S.C.
[a] United States Code
source: DoD Instruction 5200.48
[q] UARC
[a] University Affiliated Research Center
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] UCNI
[a] unclassified controlled nuclear information
source: DoD Instruction 5200.48
[q] UD
[a] unauthorized disclosure
source: DoD Instruction 5200.48
[q] UK
[a] United Kingdom
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] UMD
[a] Universal Media Disc
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Unauthorized Access
[a] Any access that violates the stated security policy.
Source: CNSSI 4009
[q] Unauthorized Disclosure
[a] Unauthorized disclosure occurs when an Authorized Holder of CUI intentionally or unintentionally discloses CUI without a lawful government purpose, in violation of restrictions imposed by safeguarding or dissemination practices or contrary to limited dissemination practices.
source: CMMC-Assessment-Process-CAP-v1.0
[q] unclassified
[a] Information not requiring control, but requiring review before public release.
source: DoD Instruction 5200.48
[q] Uncontrolled unclassified information
[a] Uncontrolled unclassified information is information that neither the Order nor the authorities governing classified information cover as protected. Although this information is not controlled or classified, agencies must still handle it in accordance with Federal Information Security Modernization Act (FISMA) requirements.
source: 32 CFR Part 2002 (up to date as of 1-13-2023)
[q] URL
[a] Uniform Resource Locator
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] USB
[a] Universal Serial Bus
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] USD(A&S)
[a] Under Secretary of Defense for Acquisition and Sustainment
source: DoD Instruction 5200.48
[q] USD(I&S)
[a] Under Secretary of Defense for Intelligence and Security
source: DoD Instruction 5200.48
[q] USD(R&E)
[a] Under Secretary of Defense for Research and Engineering
source: DoD Instruction 5200.48
[q] User
[a] Individual, or (system) process acting on behalf of an individual, authorized to access a system.
Source: NIST SP 800-53 Rev 5
[q] UTC
[a] Coordinated Universal Time
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] UUENCODE
[a] Unix-to-Unix Encode
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Virus
[a] A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk.
Source: CNSSI 4009
[q] VLAN
[a] Virtual Local Area Network
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] VoIP
[a] Voice over Internet Protocol
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Vol.
[a] Volume
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] VPN
[a] Virtual Private Network
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Vulnerability
[a] Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Source: NIST SP 800-30 Rev 1
[q] Vulnerability Assessment
[a] Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
Source: CNSSI 4009
[q] Vulnerability Management
[a] An Information Security Continuous Monitoring (ISCM) capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.
Source: NISTIR 8011 Vol. 1
[q] WAP
[a] Wireless Access Point
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] Whitelist
[a] An approved list or register of entities that are provided a particular privilege, service, mobility, access or recognition. An implementation of a default deny-all or allow-by-exception policy across an enterprise environment, and a clear, concise, timely process for adding exceptions when required for mission accomplishments.
Source: CNSSI 1011
[q] Working Papers
[a] Documents or materials, regardless of form, that an organization or user expects to revise prior to creating a finished product. Also referred to as “drafts”.
source: CMMC-Assessment-Process-CAP-v1.0
[q] WPA2-PSK
[a] WiFi Protected Access-Pre-shared Key
source: Glossary_MasterV2.0_FINAL_202111217_508
[q] xD
[a] Extreme Digital (flash memory card device)
source: Glossary_MasterV2.0_FINAL_202111217_508
[/qdeck]