List of some of the acronym's involved in CMMC compliance and how they may apply to your business
CMMC: cybersecurity maturity model certification
CMMC stands for the "cybersecurity maturity model certification". The CMMC was established in part by the Department of Defense (DOD) to create an enforceable compliance model to make sure that private contractors working inside the Defense Industrial Base (DIB) are effectively protecting controlled unclassified information (CUI). The framework that the CMMC is based off of is NIST 800-171 which consists of 110 controls divided among 14 control families.
ITAR: International Traffic in Arms Regulations
The International Traffic in Arms Regulations (ITAR) is a set of U.S. government regulations that control the export, import, and transfer of defense-related articles, services, and technical data. ITAR aims to protect U.S. national security and foreign policy interests by restricting access to sensitive military and defense information to authorized U.S. persons and approved foreign entities.
FedRAMP: Federal Risk and Authorization Management Program
FedRAMP is a U.S. government program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud services. FedRAMP ensures that cloud service providers meet stringent security requirements to protect federal information and data. By establishing a consistent framework for security and risk management, FedRAMP allows federal agencies to confidently adopt and use secure cloud technologies while maintaining compliance with federal security standards.
C3PAO: CMMC Third Party Assessment Organization
C3PAO stands for "CMMC Third Party Assessment Organization". These organizations are responsible for delivering CMMC assessments and confirms compliance with CMMC regulations. These organizations are authorized by CyberAB so audit these organizations seeking certifications (OSC).
CRM/SRM: Customer Responsibility Matrix, known formally as Shared Responsibility Matrix
When working with an MSP/ESP, your organization should be given an SRM or "shared responsibility matrix". This document outlines what practices of CMMC are the responsibility of your organization to cover and which ones pertain to your service provider. Some of these may be entirely on the shoulders of your team while others are the sole responsibility of the MSP. In some cases, the responsibility may be shared between the two.
CUI: Controlled Unclassified Information
Controlled Unclassified Information (CUI) refers to information that is not classified but still requires protection due to legal, regulatory, or policy requirements. CUI is typically sensitive in nature, such as privacy-related data, proprietary business information, or certain government-related information, and must be safeguarded to prevent unauthorized access, ensuring it is shared and handled responsibly.
FCI: Federal Contract Information
The CyberAB group is responsible for overseeing qualified, trained, and trustworthy assessors who are able to audit an organization for CMMC compliance. They provide the necessary resources for organizations to become CMMC compliant and capable of assessing others compliance levels.
CorpInfoTech is a certified Registered Provider Organization (RPO) under the CyberAB. This allows us to offer our services to contractors seeking compliance.
DIB: Defense Industrial Base
DIB is the abbreviation for the Defense Industrial Base. The DIB is a collection of organizations from various industries that work together with the Department of Defense on various projects. The DIB contains over 30,000 organizations and demands a lot in terms of security. The CMMC model is directly applicable to any organization within the DIB. The DIB contains some of the largest and most profitable defense companies, so it is no wonder that security is so important.
DFARS: Defense Federal Acquisition Regulation Supplement
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that supplements the Federal Acquisition Regulation (FAR) specifically for the Department of Defense (DoD). DFARS outlines additional requirements and guidelines for contractors working with the DoD, including standards for cybersecurity, reporting incidents, safeguarding controlled unclassified information (CUI), and ensuring compliance with various defense-related policies and procedures.
GRC: Governance, Risks Management, Compliance
For contractors, GRC represents a framework that management plan for ensures proper governance, risk management, and compliance (hence the name). This framework includes policies and procedures, what steps are being taken to actively find and mitigate risk, and compliance data.
NIST 800-171: National Institute of Standards and Technology
NIST 800-171 is a security framework developed by the National Institute of Standards and Technology (NIST) and is the framework in which the CMMC is rooted. NIST 800-171 contains 110 security controls divided into 14 control families. Each of these controls work together to create layered defense in order to better protect CUI from bad actors. This framework specifically provides guidance on the storage, protection, and transmission of CUI between the private sector and the federal government.
MSSP: Managed Security Services Provider
An MSSP or Managed Security Services Provider is an organization that provides support in making sure that an organization is compliant and secure in their IT endeavors. CorpInfoTech specializes in provides premier managed services that both protect organizations from bad actors as well as make sure they are compliant with security regulations that they need to conduct their business. We offer full and co-managed services that include firewall management, vulnerability management as well as compliance support and guidance!
While these abbreviations are not all encompassing, they provide a baseline knowledge for terms you are likely to hear when beginning your CMMC compliance journey! Education on security is important to staying compliant and protecting your business!
MSP/ESP: Managed Service Provider / External Service Provider
A managed service provider (MSP) offers IT and cybersecurity services to organizations on a contract basis. Many SMBs will hire an MSP to help them with their overall cybersecurity posture. However, contractors should note that your MSP must also be CMMC compliant in order to assist with CMMC security data -- CorpInfoTech is slotted to be audited for CMMC certification within four weeks of CMMC finalization.
Under the CMMC rule, the DoD uses the term "ESP" to describe external service providers that offer their services to contractors. This term can be used interchangeably with MSP in this context.
RMP: Risk Management Program
Every organization should have a risk management program in place to consistently root our vulnerabilities and gaps in your security. This is especially important for CMMC, as it's required that contractors uphold consistent compliance even as technology shifts and threats evolve
SSP: Systems Security Plan
Your Systems Security Plan (SSP) is simply the plan of how your organization plans to implement the required practices for CMMC. It describes how you plan to protect the FCI and CUI present in your organization and what technologies you will use to accomplish this. Every contractor must have an SSP to start the compliance process. This document includes the hardware and software that will be in scope of CMMC and what security measures are in place.
Learn more about CMMC Compliance Acronyms on our index of terms and definitions webpage
CorpInfoTech is a CMMC Level 2 (C3PAO) certified MSP that has passed our audit with a perfect 110, making us one of the first MSPs to achieve level 2 compliance.
