#
Two Factor Authentication (2FA)
A
Access
Ability to make use of any information system ("IS") resource.
Attribute Based Access Control (ABAC)
Access Control (AC)
The process of granting or denying specific requests to:
- obtain and use information and related information processing services; and
- enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances, etc.).
Access Control List (ACL)
A mechanism that implements access control for a system resource by listing the identities of the system entities that are permitted to access the resource.
Access Control Policy (Access Management Policy)
The set of rules that define the conditions under which any access may take place.
Access Profile
Association of a user with a list of protected objects the user may access.
Activity/Activities
Set of actions that are accomplished within a practice in order to make it successful. Multiple activities can make up a practice; a practice may have only one activity or a set of activities.
Administrative Safeguards
Administrative actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect any electronic information that is by definition “protected information” (e.g., protected health information) and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
Advanced Persistent Threat ("APT")
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat:
- pursues its objectives repeatedly over an extended period of time,
- adapts to defenders’ efforts to resist it, and
- is determined to maintain the level of interaction needed to execute its objectives.
Adversarial Assessment
Assess the ability of an organization equipped with a system to support its mission while withstanding cyber threat activity representative of an actual adversary.
Adversary
Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Air Gap
An interface between two systems that:
- are not connected physically, and
- do not have any automated logical connection (i.e., data is transferred through the interface only manually, under human control).
Alert
An internal or external notification that a specific action has been identified within an organization’s information systems.
Anti-Malware Tools
Tools that help identify malware, prevent its execution, and reverse engineer it.
Anti-Spyware Software
A program that specializes in detecting both malware and non-malware forms of spyware.
Anti-Tamper
Systems engineering activities intended to deter and/or delay exploitation of technologies in a system in order to impede countermeasure development, unintended technology transfer, or alteration of a system.
Anti-Virus Software
A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.
Assessment
The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization [NIST SP 800-37 Rev. 2].
Assessment is the term used by CMMC for the activity performed by the C3PAO to evaluate the CMMC level of a DIB contractor. Self-assessment is the term used by CMMC for the activity performed by a DIB contractor to evaluate their own CMMC level. [CMMC]
Assessment Scope
The Overview collects the most basic data about the organization.
The Assessment Scope is critical to defining what is "in" and what is "out" of the assessment. Here the type of assessment is defined: Enterprise vs. Organizational Unit vs. Enclave. Additionally, details defining system boundaries, CAGE codes and contracts are captured. For more information about choosing amongst Enterprise-wide, Organizational Unit or Program Enclave, see the Scoping an Assessment article. The Assessment Scope section contains useful elements that may be revisited after the assessment by management as needed:
- Company Settings - provides a place to reset review flags and organize assessment consultants/partners.
- Contract Manager - contracts provide the regulatory justification for compliance and give the government rights to validate self-assessments (DFARS Interim Rule Change 30 Nov 2020), remotely or onsite. This element provides a place to track which contracts contain relevant DFARS clauses and relates contracts to CAGE codes (used to track suppliers in the government's SAM database).
- Physical Data Locations - provide a place to record the physical locations for the organization. It can also be used to store other physical locations where the organization's data may be stored. The inventory of locations creates a roadmap of what needs physical security controls.
- Electronic Data Locations - are the corollary to physical data locations and list the databases where CUI, FCI or other confidential data is stored. Electronic Data Locations is not an area to record the tools that the organization uses, but the location of the data stored by them. The goal of the assessment is to protect data, and the list of databases provides a roadmap for what needs to be protected.
Australian Cyber Security Centre (ACSC)
Advanced Encryption Standard (AES)
Aerospace Industries Association (AIA)
Asset Management (AM)
Management of organizational assets. This may include inventory, configuration, destruction, disposal, and updates to organizational assets.
Application Programming Interface (API)
Advanced Persistent Threat (APT)
Awareness and Training (AT)
Audit and Accountability (AU)
Asset (Organizational Asset)
Anything that has value to an organization, including, but not limited to, another organization, person, computing device, IT system, IT network, IT circuit, software (both an installed instance and a physical instance), virtual computing platform (common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards) [NISTIR 7693, NISTIR 7694].
Understanding assets is critical to identifying the CMMC Assessment Scope; for more information see CMMC Assessment Scope – Level 2.
Asset Category (CMMC)
CMMC defines five asset categories for scoping activities:
- Contractor Risk Managed Asset;
- CUI Asset;
- Out-of-Scope Asset;
- Security Protection Asset; and,
- Specialized Asset.
Asset Custodian (Custodian)
A person or group responsible for the day-to-day management, operation, and security of an asset.
Asset Owner (Information Asset Owner)
A person or organizational unit (internal or external to the organization) with primary responsibility for the viability, productivity, security, and resilience of an organizational asset. For example, the accounts payable department is the owner of the vendor database.
Asset Types
The following asset types should be included when classifying assets:
- People - employees, contractors, vendors, and external service provider personnel;
- Technology - servers, client computers, mobile devices, network appliances (e.g., firewalls, switches, APs, and routers), VoIP devices, applications, virtual machines, and database systems;
- Facilities - physical office locations, satellite offices, server rooms, datacenters, manufacturing plants, and secured rooms; and
- External Service Provider ("ESP") - external people, technology, or facilities that the organization utilizes, including Cloud Service Providers, Managed Service Providers, Managed Security Service Providers, and Cybersecurity-as-a-Service Providers.
Attack Surface
The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or from which data can be extracted.
Attribute-based Access Control ("ABAC")
Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.
Audit
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
Audit Log
A chronological record of system activities. Includes records of system access and operations performed in a given period.
Audit Record
An individual entry in an audit log related to an audited event.
Authentication
A security measure designed to protect a communications system against acceptance of fraudulent transmission or simulation by establishing the validity of a transmission, message, originator, or a means of verifying an individual's eligibility to receive specific categories of information.
Authenticator
Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant's identity. This was previously referred to as a token.
Authoritative Source (Trusted Source)
An entity that has access to, or verified copies of, accurate information from an issuing source such that a Credential Service Provider ("CSP") can confirm the validity of the identity evidence supplied by an applicant during identity proofing. An issuing source may also be an authoritative source. Often, authoritative sources are determined by a policy decision of the agency or CSP before they can be used in the identity proofing validation phase.
Authorization
The right or a permission that is granted to a system entity (user, program, or process) to access a system resource.
Authorized User
Any employee, contractor, agent, or other person that participates in the business operations of the organization and is authorized to access and use any of the Organization's Information Systems or Nonpublic Data.
Availability
- Ensuring timely and reliable access to and use of information.
- Timely, reliable access to data and information services for authorized users.
Awareness
A learning process that sets the stage for training by changing individual and organizational attitudes to realize the importance of security and the adverse consequences of its failure.
Awareness and Training Program
Explains proper rules of behavior for the use of agency information systems and information. The program communicates the information technology (IT) security policies and procedures that need to be followed (see, e.g., NSTISSD 501, NIST SP 800-50).
B
Backup
A copy of files and programs made to facilitate recovery, if necessary.
Baseline
Hardware, software, databases, and relevant documentation for an information system at a given point in time.
Baseline Configuration
A set of specifications for a system, or Configuration Item ("CI") within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
Baseline Security
The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection.
Baselining
Monitoring resources to determine typical utilization patterns so that significant deviations can be detected.
Blacklist
A list of discrete entities, such as IP addresses, host names, applications, software libraries, and so forth that have been previously determined to be associated with malicious activity thus requiring access or execution restrictions.
Blacklisting Software
A list of applications (software) and software libraries that are forbidden to execute on an organizational asset.
Blue Team
The group responsible for defending an organization’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically, the Blue Team and its supporters must defend against real or simulated attacks:
- over a significant period of time,
- in a representative operational context (e.g., as part of an operational exercise), and
- according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team).
The term Blue Team is also used for defining a group of individuals who conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture. The Blue Team identifies security threats and risks in the operating environment, and in cooperation with the customer, analyzes the network environment and its current state of security readiness. Based on the Blue Team findings and expertise, they provide recommendations that integrate into an overall community security solution to increase the customer's cyber security readiness posture. Often, a Blue Team is employed by itself or prior to a Red Team employment to ensure that the customer's networks are as secure as possible before having the Red Team test the systems.
Breach
An incident where an adversary has gained access to the internal network of an organization or an organizationally owned asset in a manner that breaks the organizational policy for accessing cyber assets and results in the loss of information, data, or asset. A breach usually consists of the loss of an asset due to the gained access.
Bring Your Own Device (BYOD)
C
Cybersecurity Capability Maturity Model (C2M2)
CMMC Third-Party Assessment Organization (C3PAO)
Security Assessment (CA)
Corrective Action Request (CAR)
Certified CMMC Assessor (CCA)
Certified CMMC Instructor (CCI)
Certified CMMC Professional (CCP)
Compact Disc Read Only Memory (CD-ROM)
Covered Defense Information (CDI)
Council of Economic Advisors (CEA)
Certified Ethical Hacker (CEH)
Computer Emergency Response Team (CERT)
Code of Federal Regulations (CFR)
Configuration Item (CI)
Chief Information Officer (CIO)
Center for Internet Security (CIS)
Cybersecurity and Infrastructure Security Agency (CISA)
Configuration Management (CM)
Cybersecurity Maturity Model Certification (CMMC)
A framework developed by the Office of the Undersecretary of Defense for Acquisition and Sustainment ("OUSD(A&S)") in concert with DoD stakeholders, University Affiliated Research Centers ("UARCs"), Federally Funded Research and Development Centers ("FFRDCs"), and the DIB sector. It encompasses the basic safeguarding requirements for FCI specified in Federal Acquisition Regulation ("FAR") 52.204-21 and the security requirements for CUI specified in National Institute of Standards and Technology ("NIST") Special Publication ("SP") 800-171 Revision ("Rev") 2 per Defense Federal Acquisition Regulation Supplement ("DFARS") Clause 252.204-7012. DFARS Clause 252.204-7012 specifies additional requirements beyond the NIST SP 800-171 security requirements, such as incident reporting. CMMC is designed to provide assurance to DoD that a DIB contractor can adequately protect CUI at a level commensurate with the risk, and account for information flow down to its subcontractors in a multi-tier supply chain. CMMC is implemented through DFARS Clause 252.204-7021.
Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)
Computer Numeric Control (CNC)
Committee on National Security Systems Directive (CNSSD)
Committee on National Security Systems Instruction (CNSSI)
CERT Resilience Management Model (CERT RMM)
Code of Federal Regulations (CFR)
Communications Security (COMSEC)
Consequence
Effect (change or non-change), usually associated with an event or condition or with the system and usually allowed, facilitated, caused, prevented, changed, or contributed to by the event, condition, or system.
Consumer
A natural person.
Container (Information Asset Container)
A physical or logical location where assets are stored, transported, and processed. A container can encompass technical containers (servers, network segments, personal computers), physical containers (paper, file rooms, storage spaces, or other media such as CDs, disks, and flash drives), and people (including people who might have detailed knowledge about the information asset).
Context Aware
The ability of a system or a system component to gather information about its environment at any given time and adapt behaviors accordingly. Contextual or context-aware computing uses software and hardware to automatically collect and analyze data to guide responses.
Continuity of Operations
An organization’s ability to sustain assets and services in response to a disruptive event. It is typically used interchangeably with service continuity or continuity of service.
Continuous
Continuing without stopping; ongoing.
Continuous Monitoring
- Maintaining ongoing awareness to support organizational risk decisions.
- Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Contractor Risk Managed Assets
Assets that are capable of, but are not intended to, process, store, or transmit CUI because of the security policy, procedures, and practices in place. Contractor Risk Managed Assets are not required to be physically or logically separated from CUI Assets.
Children's Online Privacy Protection Act (COPPA)
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
FutureFeed is not a service directed to children under 13 years of age, and as per our Terms of Use, persons under 18 are not permitted to use FutureFeed.
Critical Program Information (CPI)
Contractor Risk Managed Assets (CRMA)
Source: CMMC 2.0 Level 2 Scoping Guide
Asset Description:
- Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
- Assets are not required to be physically or logically separated from CUI assets
Contractor Requirements:
- Document in the asset inventory
- Document in the System Security Plan (SSP)
- Show these assets are managed using the contractor's risk-based security policies, procedures, and practices
- Document in the network diagram of the CMMC Assessment Scope
CMMC Assessment Requirements:
- Review the SSP in accordance with practice CA.L2-3.12.4
- If appropriately documented, do not assess against other CMMC practices
- If contractor's risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks
- The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost
- The limited spot check(s) will be within the defined assessment scope
Control
The methods, policies, and procedures—manual or automated—used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards. A measure that modifies risk. Note: controls include any process, policy, device, practice, or other action that modifies risk.
Cybersecurity
Prevention of damage to, protection of, and restoration of computers, electronic communication systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Cybersecurity Event
Any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such information system including, without limitation, a Breach.
Cybersecurity Framework (CSF)
Center for Strategic and International Studies (CSIS)
Cloud Service Provider (CSP)
Controlled Technical Information (CTI)
Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see definition above) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.
CUI Asset (CUIA)
An Asset that Processes, Stores, or Transmits CUI.
Source: CMMC 2.0 Level 2 Scoping Guide
Term: Controlled Unclassified (CUI) Assets
Asset Description: Assets that process, store, or transmit CUI
Contractor Requirements:
- Document in the asset inventory
- Document in the System Security Plan
- Document in the network diagram of the CMMC Assessment Scope
- Prepare to be assessed against CMMC practices
CMMC Assessment Requirements: Assess against CMMC practices
Covered Defense Information (CDI)
A term used to identify information that requires protection under DFARS Clause 252.204-7012. Unclassified controlled technical information ("CTI") or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies and is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to contractor by or on behalf of, DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by—or on behalf of—the contractor in support of the performance of the contract.
Common Vulnerabilities and Exposures (CVE)
Cryptographic Hashing Function
The process of using a mathematical algorithm against data to produce a numeric value that is representative of the data.
Customer Information
Any Nonpublic Information provided to the organization by a customer and includes, without limitation, any customer documents uploaded to the organization's systems, any Customer Information entered into systems maintained by the organization, and any Personally Identifiable Information.
Cryptographic Module Validation Program (CMVP)
Common Weakness Enumeration (CWE)
D
Data Loss Prevention
Data Loss Prevention (DLP) is the practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data. Organizations use DLP to protect and secure their data and comply with regulations.
The DLP term refers to defending organizations against both data loss and data leakage. Data loss refers to an event in which important data is lost to the enterprise, such as in a ransomware attack. Data loss prevention also focuses on preventing the illicit transfer of data outside organizational boundaries.
Department/Agency (D/A)
DIB Collaborative Information Sharing Environment (DCISE)
Defense Contract Management Agency (DCMA)
Distributed Control System (DCS)
Represents any two-character CMMC Domain acronym (DD)
Defense Federal Acquisition Regulation Supplement (DFARS)
Device Health Check (DHC)
Defense Industrial Base (DIB)
The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
Defense Industrial Base Network (DIBNET)
Defined Process
A defined process includes guidelines for tailoring the process to meet the needs of an organizational unit. A defined process provides a predictable level of consistency in asset management activities across the organization. A defined process may include:
- process description,
- process activities and practices to be performed,
- process flow including diagrams,
- inputs and expected outputs, and
- performance measures for improvement.
Deidentified
Information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
- Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain;
- Has implemented business processes that specifically prohibit reidentification of the information;
- Has implemented business processes to prevent inadvertent release of deidentified information; and,
- Makes no attempt to reidentify the information.
Demilitarized Zone (DMZ)
A perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s Information Assurance (IA) policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks.
Dependency
When an entity has access to, control of, ownership in, possession of, responsibility for or other defined obligations related to one or more assets or services of the organization.
Device
Any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.
Domain
CMMC: Grouping of like practices based on the 14 control families set forth in NIST SP 800-171.
Networking: A region characterized by a special feature, or a territory governed by a single ruler or government.
DomainKeys Identified Mail (DKIM)
Data Loss Prevention (DLP)
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Demilitarized Zone (DMZ)
Domain Name System (DNS)
Domain Name System Security Extensions (DNSSEC)
Department of Defense (DoD)
Department of Defense Instruction (DoDI)
Derived PIV Credential Issuers (DPCI)
Digital Versatile Disc (DVD)
E
Enclave
Any small, distinct area or group enclosed or isolated within a larger one.
Encryption
The process of changing plain text into ciphertext.
Encryption Policies
Policies that manage the use, storage, disposal, and protection of cryptographic keys used to protect organization data and communications.
Endorse
Declare one's public approval or support of.
Enterprise
An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information and mission management.
Enterprise Architecture
The description of an enterprise’s entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise’s boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture.
Enterprise Mission Assurance Support Service (eMASS)
A government owned web-based application with a broad range of services for comprehensive fully integrated cybersecurity management. Features include dashboard reporting, controls scorecard measurement, and the generation of a system security authorization package. eMASS provides an integrated suite of authorization capabilities and prevents cyber attacks by establishing strict process control mechanisms for obtaining authorization decisions.
Environment of Operations
The physical and logical surroundings in which an information system processes, stores, and transmits information.
Establish and Maintain
Whenever “establish and maintain” (or “established and maintained”) is used as a phrase, it refers not only to the development and maintenance of the object of the practice (such as a policy) but to the documentation of the object and observable usage of the object. For example, “Formal agreements with external entities are established and maintained” means that not only are the agreements formulated, but they also are documented, have assigned ownership, and are maintained relative to corrective actions, changes in requirements, or improvements.
Event
Any observable occurrence in a system and/or network. Events sometimes provide an indication that an incident is occurring [CNSSI 4009].
Event Correlation
Finding relationships between two or more events.
Exercise
A simulation of an emergency designed to validate the viability of one or more aspects of an information technology plan.
Executive Order (E.O.)
External Serial Advanced Technology Attachment (eSATA)
External Service Provider (ESP)
F
Facility
Physical means or equipment for facilitating the performance of an action, e.g., buildings, instruments, tools.
Federal Contract Information ("FCI")
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Federated Trust
Trust established within a federation or organization, enabling each of the mutually trusting realms to share and use trust information (e.g., credentials) obtained from any of the other mutually trusting realms. This trust can be established across computer systems and networks architectures.
Federation
A collection of realms (domains) that have established trust among themselves. The level of trust may vary, but typically includes authentication and may include authorization.
FIPS 140-2 and 140-3
The National Institute of Standards and Technology ("NIST") published Federal Information Processing Standard ("FIPS") 140-2 on December 3, 2002. FIPS 140-2 was superseded by FIPS 140-3 on March 22, 2019.
FIPS 140-2 specifies the security requirements that will be satisfied by a cryptographic module [i.e., computer code that handles encryption], providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
Organizations making cryptographic modules can submit their modules to NIST for verification that they meet the requirements defined in FIPS 140-2 or 140-3. The list of FIPS validated modules can be accessed via the NIST website (https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules).
From the NIST website:
The FIPS 140-1 and FIPS 140-2 validated modules search provides access to the official validation information of all cryptographic modules that have been tested and validated under the Cryptographic Module Validation Program as meeting requirements for FIPS PUB 140-1 and FIPS PUB 140-2. The search results list all issued validation certificates that meet the supplied search criteria and provide a link to view more detailed information about each certificate. The Certificate Detail listing provides the detailed module information including algorithm implementation references to the CAVP algorithm validation, Security Policies, original certificate images or reference to the consolidated validation lists, and vendor product links if provided.
If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.
If a validation certificate is marked as historical, Federal Agencies should not include these in new procurement. This does not mean that the overall FIPS-140 certificates for these modules have been revoked, rather it indicates that the certificates and the documentation posted with them are either more than 5 years old, or were moved to the historical list because of an algorithm transition. In these cases, the certificates have not been updated to reflect latest guidance and/or transitions, and may not accurately reflect how the module can be used in FIPS mode. In some cases, a module may use functionality from another module (bound module) that will be referenced in the binding module's certificate. The movement to the historical list of the binding module will coincide with the sunset date of the bound module, regardless of its own sunset date. Agencies may make a risk determination on whether to continue using the modules on the historical list based on their own assessment of where and how the module is used.
It is important to note that validation certificates are issued for cryptographic modules. A module may either be an embedded component of a product or application, or a complete product in and of itself. If the cryptographic module is a component of a larger product or application, one should contact the product or application vendor in order to determine what products utilize an embedded validated cryptographic module. There are inevitably a larger number of security products available which use a validated cryptographic module than the number of modules which are found in this list. In addition, it is possible that other vendors, who are not found in this list, might incorporate a validated cryptographic module from this list into their own products.
Users in Federal Government organizations are advised to utilize the validated module search to aid in product acquisition. Only modules tested and validated to FIPS 140-1 or FIPS 140-2 meet the applicability requirements for cryptographic modules to protect sensitive information - a product or implementation does not meet the FIPS 140-1 or FIPS 140-2 applicability requirements by simply implementing an approved security function and acquiring algorithm validation certificates.
When selecting a module from a vendor, verify that the application or product that is being offered is either a validated cryptographic module itself (e.g. VPN, SmartCard, etc.) or the application or product uses an embedded validated cryptographic module (toolkit, etc.). Ask the vendor to supply a signed letter stating their application, product or module is a validated module or incorporates a validated module, the module provides all the cryptographic services in the solution, and reference the module's validation certificate number. The information on the CMVP validation entry can be checked against the information provided by the vendor and verified that they agree. If they do not agree, the vendor is not offering a validated solution. Each entry will state what version/part number/release is validated, and the operational environment (if applicable) in which the module has been validated. If the validated module is a software or firmware module, guidance on how the module can be ported to similar operational environments while maintaining the validation can be found in FIPS 140-2 IG G.5.
Firewall
A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.
Flash Drive
A removable storage device that utilizes the USB port of a system for data transfer.
Frequently Asked Question (FAQ)
Federal Acquisition Regulation (FAR)
Federal Bureau of Investigation (FBI)
Federal Contract Information (FCI)
Fiber Distributed Data Interface (FDDI)
Full Disk Encryption (FDE)
Federal Risk and Authorization Management Program (FedRAMP)
Federally Funded Research and Development Center (FFRDC)
Federal Information Processing Standard (FIPS)
Full-Time Equivalent (FTE)
A full-time equivalent, sometimes abbreviated as FTE, is a unit to measure employed persons or students in a way that makes them comparable although they may work or study a different number of hours per week.
File Transfer Protocol (FTP)
G
General Data Protection Regulation (GDPR)
Government Property
All property owned or leased by the government. Government property includes both government-furnished and contractor-acquired property. Government property includes material, equipment, special tooling, special test equipment, and real property. Government property does not include intellectual property or software.
H
Health Insurance Portability and Accountability Act (HIPAA)
Homeland Security Presidential Directive (HSPD)
Hashing
A cryptographic reference which provides a mechanism to track the integrity of a digital artifact, but does not provide confidentiality for the artifact. Confidentiality of the digital artifact must be handled separately using a different mechanism, such as encryption.
High-Value Asset ("HVA")
Asset, organization information system, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the organization’s interests, relations, economy, or to the employee or stockholder confidence, civil liberties, or health and safety of the organization’s people. An HVA may contain sensitive controls, instructions, data used in critical organization operations, or unique collections of data (by size or content), or support an organization’s mission essential functions, making it of specific value to criminal, politically motivated, or state sponsored actors for either direct exploitation or to cause a loss of confidence in the organization.
High-Value Service
Service on which the success of the organization's mission depends.
Honey pot
Programs that simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. A honey pot can be used to log access attempts to those ports including the attacker's keystrokes. This could give you advanced warning of a more concerted attack.
I
Identification
The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items.
Identity
The set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.
Note: This also encompasses non-person entities ("NPEs").
Identity Management System
A system comprised of one or more systems or applications that manage the identity verification, validation, and issuance process.
Identity, Credential, and Access Management (ICAM)
Programs, processes, technologies, and personnel used to create trusted digital identity representations of individuals and non-person entities (NPEs), bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions, and leverage the credentials to provide authorized access to an organization's resources.
Identity-Based Access Control ("IBAC")
Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.
Incident
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Incident Handling (Incident Response)
The actions the organization takes to prevent or contain the impact of an incident to the organization while it is occurring or shortly after it has occurred.
Incident Stakeholder
A person or organization with a vested interest in the management of an incident throughout its life cycle.
Industrial Control System ("ICS")
General term that encompasses several types of control systems, including supervisory control and data acquisition ("SCADA") systems, distributed control systems ("DCSs"), and other control system configurations such as programmable logic controllers ("PLCs") found in the industrial sectors and critical infrastructures. An industrial control system consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).
Industrial Internet of Things ("IIOT")
See Internet of Things
Information Flow
The flow of information or connectivity from one location to another. This can be related to data as well as connectivity from one system to another, or from one security domain to another. The authorization granting permission for information flow comes from a control authority granting permission to an entity, asset, role, or group.
Information System ("IS")
A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
Information System Component
A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system, excluding separately authorized systems to which the information system is connected. Information system components include commercial information technology products.
Insider
Any person with authorized access to any organization or United States Government resource to include personnel, facilities, information equipment, networks, or systems.
Insider Threat
The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the organization or the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of departmental resources or capabilities.
Integrity
The security objective that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).
Internet of Things ("IOT") or Industrial Internet of Things ("IIoT")
Interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors.
Inventory
The physical or virtual verification of the presence of each organizational asset.
J
K
L
Law, Regulation, or Government-Wide Policy (LRGWP)
Least Privilege
Requires that each user account, process, system, device, etc. within the computing environment can only access the information and resources that are necessary for its legitimate purpose.
Life Cycle
Evolution of a system, product, service, project, or other human-made entity from conception through retirement.
M
Maintenance
Any act that either prevents the failure or malfunction of equipment or restores its operating capability.
Malicious Code
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. Source: CNSSI 4009
Malware
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code (malware).
Media
Physical devices or writing surfaces including but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.
Media Sanitization
The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Mobile Code
Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient. Note: Some examples of software technologies that provide the mechanisms for the production and use of mobile code include Java, JavaScript, ActiveX, VBScript, etc.
Mobile Device
A portable computing device that:
- has a small form factor such that it can easily be carried by a single individual;
- is designed to operate without a physical connection (e.g., wirelessly transmit or receive information);
- possesses local, non-removable data storage; and
- is powered on for extended periods of time with a self-contained power source.
Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture (e.g., photograph, video, record, or determine location) information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and e-readers.
Note: If the device only has storage capability and is not capable of processing or transmitting/receiving information, then it is considered a portable storage device, not a mobile device.
Monitor
The act of continually checking, supervising, critically observing, or determining the status in order to identify change from the performance level required or expected at an organizationally defined frequency and rate [NIST SP 800-160 (adapted)].
Multifactor Authentication (MFA)
An authentication system or an authenticator that requires more than one authentication factor for successful authentication. Multifactor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are:
- something you know,
- something you have, and
- something you are.
Managed Services Provider (MSP)
Managed Security Services Provider (MSSP)
N
National Institute of Standards and Technology (NIST)
Natural Person
A human being, as opposed to a Legal Person, which is an entity or group considered collectively as a single individual for legal purposes.
Nonpublic Information
All electronic information that is not Publicly Available Information and is:
- business related information of a client, the tampering with, unauthorized disclosure of, or access or use of, which would cause a material adverse impact to the business, operations, or security of the client;
- Personally Identifiable Information; or,
- any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to:
- the past, present or future physical, mental, or behavioral health or condition of any individual or a member of the individual's family;
- the provision of health care to any individual; or
- payment for the provision of health care to any individual.
O
Ongoing Basis
Actions that do not stop unless a stop action is purposely put in place.
OoSA - Out-of-Scope Assets
Source: CMMC 2.0 Level 2 Scoping Guide
Term: Out-of-Scope Assets
Asset Description: Assets that cannot process, store, or transmit CUI
Contractor Requirements: Assets are required to be physically or logically separated from CUI assets
CMMC Assessment Requirements: None
Operational Technology ("OT")
Used in manufacturing systems, industrial control systems ("ICS"), or supervisory control and data acquisition ("SCADA") systems. OT may include programmable logic controllers ("PLCs"), computerized numerical control ("CNC") devices, machine controllers, fabricators, assemblers, and machining. OT includes hardware and software that use direct monitoring and control of industrial equipment to detect or cause a change.
Organization
An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements).
Organization Seeking Certification ("OSC")
The entity that is going through the CMMC assessment process to receive a level of certification for a given environment.
Organizational System(s)
The term organizational system is used in many of the CUI security requirements in NIST Special Publication 800-171. This term has a specific meaning regarding the scope of applicability for the CUI security requirements. The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. The appropriate scoping for the security requirements is an important factor in determining protection-related investment decisions and managing security risk for nonfederal organizations that have the responsibility of safeguarding CUI.
Organizationally Defined
Out-of-Scope Assets (CMMC 2.0 Level 2 Scoping Guide) (OoSA)
An asset that cannot process, store, or transmit CUI because it is physically or logically separated from CUI Assets or is inherently unable to do so.
P
Patch
An update to an operating system, application, or other software issued specifically to correct particular problems with the software.
Patching
The process of downloading and installing a patch.
Publicly Available Information
Any information that the organization has a reasonable basis to believe is lawfully made available to the general public from: Federal, State or local government records; widely distributed media, including the Internet; or disclosures to the general public that are required to be made by Federal, State or local law. For the purposes of these policies, the organization has a reasonable basis to believe that information is lawfully made available to the public if the organization has taken steps to determine:
- that the information is of the type that is available to the general public; and
- whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so.
Proxy
An application that “breaks” the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it.
Note: This effectively closes the straight path between the internal and external networks making it more difficult for an attacker to obtain internal addresses and other details of the organization’s internal network. Proxy servers are available for common Internet services; for example, a hypertext transfer protocol (HTTP/HTTPS) proxy used for Web access.
Process
verb: with respect to CUI Assets, process means that CUI can be used by that asset (e.g., accessed, entered, edited, generated, manipulated, or printed).
noun: a procedural activity that is performed to implement a defined objective.
Penetration Testing (Pentesting)
Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability. Penetration testing frequently leverages, but is distinct from, vulnerability testing.
Periodically
Occurring at regular intervals [Oxford Dictionary (adapted)]. As used in many practices within CMMC, the interval length is organizationally defined to provide contractor flexibility, with an interval length of no more than one year.
Person
A Natural Person, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.
Personally Identifiable Information ("PII")
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including, without limitation:
- social security number;
- drivers’ license number or non-driver identification card number;
- account number, credit, or debit card number;
- any security code, access code or password that would permit access to an individual’s financial account; or
- biometric records.
Phishing
An email-borne attack that attempts to get you and your email software to do something malicious. Many attacks are an attempt to obtain confidential information (passwords, financial information, etc.) from an unsuspecting person, typically by sending an email with a link or attachment that looks like it is from a legitimate source and requests the recipient to take action.
PII Subject
The person about whom the Personally Identifiable Information pertains.
Plan
An artifact or collection of artifacts that provides oversight for implementing defined CMMC policies. A plan should include a mission and/or vision statement, strategic goals/objectives, relevant standards and procedures, and the people, funding, and tool resources needed to implement the defined CMMC policies. Unlike Procedures, Plans are inherently intended to be more flexible because the nature of an event can vary.
Policy
An artifact or collection of artifacts that establishes governance over the implementation of CMMC practices and activities. The policy should establish or direct the establishment of procedures to carry out and meet the intent of the policy and should be endorsed by senior management to show its support of the policy. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to the questions “what” and “why” without dealing with “how.” Policies are normally stated in terms that are technology-independent. Policies are implemented by the organization by way of one or more Procedures. The policy should include:
- the stated purpose;
- the defined scope;
- roles and responsibilities of the activities covered by the policy; and,
- any included regulatory guidelines.
Privileged Access
Rights to access information and computer resources that are greater than those of a regular user.
Privileged Account
A user, system, or network account authorized (and, therefore, trusted) to perform security-relevant functions that ordinary accounts are not authorized to perform.
Privileged User
A user who is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Privilege
A right granted to an individual, program, or process.
Practice
An activity or set of activities that are performed to meet a defined objective.
Procedure
A set of steps that is to be followed to ensure a policy is properly implemented. The documented details for how an activity is implemented to achieve a desired outcome. A procedure should provide enough detail for a trained individual to perform the activity.
Process
Source: CMMC 2.0 Level 2 Scoping Guide
Context: CUI Assets
Definition: Process - CUI can be used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed).
Portable Storage Device
A system component that can be inserted into and removed from a system, and that is used to store data or information (e.g., text, video, audio, and/or image data). Such components are typically implemented on magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).
Plan of Action and Milestones (POA&M, POAM)
Q
R
Responsible, Accountable, Consulted, and Informed (RACI)
RACI is an acronym for Responsible, Accountable, Consulted, and Informed. A RACI matrix defines the roles and responsibilities for a given task.
Real Time (Real-Time)
Pertaining to the performance of a computation during the actual time that the related physical process transpires so that the results of the computation can be used to guide the physical process.
Recovery
Actions necessary to restore data files of an information system and computational capability after a system failure.
Red Team
A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
Red Teaming
The act(s) performed by a "red team" in order to identify weaknesses, vulnerabilities, procedural shortcomings, and misconfigurations within an organization's cyber environment. Red Teaming includes creation of a "Rules of Engagement" document which the red team honors over the course of its actions. It is expected that the Red Team will produce a final report at the end of the event period.
Regularly
On a regular basis; at regular intervals.
Remote Access
Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network (e.g., the Internet).
Removable Media
Portable data storage medium that can be added to or removed from a computing device or network.
Note: Examples include, but are not limited to: optical discs (CD, DVD, Blu-ray); external/removable hard drives; external/removable Solid-State Disk (SSD) drives; magnetic/optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external/removable disks (floppy, Zip, Jaz, Bernoulli, UMD).
Reporting (Forensics)
The final phase of the computer and network forensic process, which involves reporting the results of the analysis; this may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of the forensic process. The formality of the reporting step varies greatly depending on the situation.
Residual Risk
Portion of risk remaining after security measures have been applied.
Resilience
The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
Restricted Information Systems
Systems (and associated IT components comprising the system) that are configured based on government requirements (i.e., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas).
Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event (such as the exploitation of a vulnerability). System-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or systems. Such risks reflect the potential adverse impacts to organizational operations, organizational assets, individuals, other organizations, and the Nation. Risk is typically expressed as a function of:
- the adverse impacts that would arise if the circumstance or event occurs; and
- the likelihood of occurrence.
Risk Analysis
The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.
Risk Assessment
The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis.
Risk Categories
An organizationally defined description of risk that typically aligns with the various sources of operational risk but can be tailored to the organization’s unique risk environment. Risk categories provide a means to collect and organize risks to assist in the analysis and mitigation processes.
Risk Based Authentication
Any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a person and requires additional verification of the person’s identity when such deviations or changes are detected, such as using challenge questions.
Risk Management (RM)
The program and supporting processes to manage information security risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, and includes:
- establishing the context for risk-related activities,
- assessing risk,
- responding to risk once determined, and
- monitoring risk over time.
Risk Mitigation
Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
Risk Mitigation Plan
A strategy for mitigating risk that seeks to minimize the risk to an acceptable level.
Risk Management Criteria
Objective criteria that the organization uses for evaluating, categorizing, and prioritizing operational risks based on areas of impact.
Risk Sources
The fundamental areas of risk that can affect organizational services and associated assets while they are in operation to meet the organization’s mission.
Risk Tolerance
The level of risk an entity is willing to assume in order to achieve a potential desired result.
Root Cause Analysis
An approach for determining the underlying causes of events or problems as a means of addressing the symptoms of such events as they manifest in organizational disruptions.
Root Directory
The top-level directory in a folder hierarchy.
S
Specialized Asset (SA)
- Assets that may or may not process, store, or transmit CUI
- Assets include: government property, Internet of Things ("IoT") devices, Operational Technology ("OT"), Restricted Information Systems, and Test Equipment
Source: CMMC 2.0 Level 2 Scoping Guide
Contractor Requirements:
- Document in the asset inventory
- Document in the System Security Plan (SSP)
- Show these assets are managed using the contractor's risk-based security policies, procedures, and practices
- Document in the network diagram of the CMMC Assessment Scope
CMMC Assessment Requirements:
- Review the SSP in accordance with practice CA.L2-3.12.4
- Do not assess against other CMMC practices
Security Incident and Event Management tool (SIEM)
Small and Medium Businesses (SMB)
Security Protection Asset (SPA)
Supplier Performance Risk System (SPRS)
Supplier Performance Risk System (SPRS) is a web-enabled enterprise application accessed through the Procurement Integrated Enterprise Environment (PIEE). SPRS (pronounced spurz) gathers, processes, and displays data about the performance of suppliers. SPRS is the Department of Defense’s (DoD) single, authorized application to retrieve suppliers’ performance information. (DoDI 5000.79)
SPRS alerts procurement specialists to Federal Supply Classification/Product Service Code (FSC/PSC) specific risks and risk mitigations. SPRS’s Supplier Risk Score provides procurement specialists with a composite score that considers each supplier’s performance in the areas of product delivery and quality. The quality and delivery classifications identified for a supplier in SPRS may be used by the contracting officer to evaluate a supplier’s performance.
SPRS provides storage and retrieval for the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 assessment results and maintains the National Security Systems (NSS) Restricted List.
Suppliers/Vendors may view their own company information in SPRS.
Source: SPRS Software User’s Guide SPRS 3.2.14
Service Responsibility Matrix (Service Responsibility Model, SRM)
Single Sign On (SSO)
System Security Plan (SSP)
Safeguards
The protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures.
Sandboxing
A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.
Scanning
Sending packets or requests to another system to gain knowledge about the asset, processes, services, and operations.
Scope
Defines all assets that will be assessed.
Security Control Assessment (Security Assessment, Security Practice Assessment)
The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.
Security Control Inheritance
A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, and assessed, authorized, and monitored by entities other than those responsible for the system or application (CNSSI 4009).
Security Domain
An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture.
Security Operations Center (SOC)
A centralized function within an organization utilizing people, processes, and technologies to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
Security Policy
Defines the objectives and constraints for the security program. For more details, see Policy definition.
Security Protection Assets
Provide security functions or capabilities within the contractor's CMMC Assessment Scope.
Senior Executive Team
The senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of the organization. A list of Senior Executive Team members can be found in the Team section of the Company Profile.
Sensitive Information
Information where the loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act).
Separation of Duties
The principle of splitting privileges among multiple individuals or systems.
Service Continuity Plan
A service-specific plan for sustaining services and associated assets under degraded conditions.
SHA-256
A Secure Hash Algorithm (SHA) that produces a condensed representation of electronic data, or message digest, 256 bits in length.
Session
A virtual connection between two devices by which network traffic is passed.
Session Key
In the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be re-keyed frequently.
Situational Awareness (SA)
Within a volume of time and space, the perception of an enterprise’s security posture and its threat environment; the comprehension/meaning of both taken together (risk); and the projection of their status into the near future.
Software
Computer programs (which are stored in and executed by computer hardware) and associated data (which also is stored in the hardware) that may be dynamically written or modified during execution.
SPAM
Unsolicited or unauthorized E-mail, blog postings, newsgroup postings, or related communications.
Specialized Assets
The following are considered specialized assets for a CMMC Level 2 assessment when properly documented:
- Government Property
- Internet of Things ("IoT") or Industrial Internet of Things ("IIoT")
- Operational Technology ("OT")
- Restricted Information Systems
- Test Equipment
Split Tunneling
The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices (e.g., a networked printer) at the same time as accessing uncontrolled networks.
Spyware
Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.
Standard
A document, established by consensus and approved by a recognized body, that provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.
Note: Standards should be based on the consolidated results of science, technology and experience, and aimed at the promotion of optimum community benefits.
Standard Process
An operational definition of the basic process that guides the establishment of a common process in an organization. A standard process describes the fundamental process elements that are expected to be incorporated into any defined process. It also describes relationships (e.g., ordering, interfaces) among these process elements.
Store
With respect to CUI Assets, store means that CUI is inactive or at rest on the asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents).
Subnetwork
A subordinate part of an organization's enterprise network.
Supplier Performance Risk System (SPRS)
“The authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.” (DoDI 5000.79) SPRS supports DoD Acquisition Professionals with meeting acquisition regulatory and policy requirements by providing:
- On-time delivery scores and quality classifications (DFARS 213.106-2)
- Price, Item and Supplier procurement risk data and assessments
- Company exclusion status (debarments, suspensions, etc.)
- NIST SP 800-171 Assessment results
- National Security System Restricted List
- Supply chain illumination
Supply Chain
A system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers.
Supply Chain Attack
Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.
Supply Chain Risk Management (SCRM)
A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).
Sustain
Maintain a desired operational state.
System Assets
Any software, hardware (IT, OT, IoT), data, administrative, physical, communications, or personnel resource within an information system.
System Boundary
The scope of the system and environment being assessed: all components of an information system to be authorized for operation by an authorizing official, excluding separately authorized systems to which the information system is connected. The System Boundary is equivalent to the defined CMMC Assessment Scope.
System Integrity
The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
System Interconnection
A system interconnection is defined as the direct connection of two or more IT systems for the purpose of sharing data and other information resources.
System Security Plan (SSP)
The formal document prepared by the information system owner (or common security controls owner for inherited controls) that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. The plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan.
T
Tampering
An intentional but unauthorized act resulting in the modification of a system, components of systems, its intended behavior, or data.
Test Equipment
Includes hardware and/or associated IT components used in the testing of products, system components, and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters, and specialized testing equipment).
Third Party
A Person that:
- is not an affiliate of the organization; and
- provides services to the organization.
Third Party Service Provider
A Person that:
- is not an affiliate of the organization;
- provides services to the organization; and
- maintains, processes or otherwise is permitted access to Nonpublic Information through that person’s provision of services to the organization.
Threat
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Threat Actor
An individual or a group posing a threat.
Threat Intelligence
Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
Threat Monitoring
Analysis, assessment, and review of audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security.
Transmit
With respect to CUI Assets, transmit means that CUI is being transferred from one asset to another asset (e.g., data in transit using physical or digital transport methods).
Trigger
A set of logic statements to be applied to a data stream that produces an event when an anomalous incident or behavior occurs.
Trojan Horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Tunneling
Technology enabling one network to send its data via another network’s connections. Tunneling works by encapsulating a network protocol within packets carried by the second network.
U
Unauthorized Access
Any access that violates the stated security policy.
Universal Serial Bus (USB)
User
Individual, or (system) process acting on behalf of an individual, authorized to access the system.
V
Virus
A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk.
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. In computer hardware and software, vulnerabilities often arise due to programming errors and misconfigurations.
Vulnerability Assessment
Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. Includes identifying, quantifying, and prioritizing (or ranking) vulnerabilities existing in the organization's Information Systems.
Vulnerability Management
An Information Security Continuous Monitoring (ISCM) capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.
Vulnerability Scan
Analyzing a device to identify any known vulnerabilities that exist within the device. This process usually involves identifying the software and/or hardware associated with the device and comparing the corresponding version(s) against publicly-maintained and/or private lists of known vulnerabilities, such as those maintained in the National Vulnerability Database. A vulnerability scan is separate from, but typically is an early step in, a Penetration Test.
W
Whitelist
An approved list or register of entities that are provided a particular privilege, service, mobility, access or recognition. An implementation of a default deny-all or allow-by-exception policy across an enterprise environment, and a clear, concise, timely process for adding exceptions when required for mission accomplishments.