This next section will help you navigate the vast and complex world of CMMC compliance. We will overview the key terms, answer some of the most frequently asked questions about the framework, and provide access to resources that are sure to make a valuable addition to your CMMC toolkit.
Controlled unclassified information (CUI): Data that requires protection or specific security measures according to regulations defined by federal policies. CUI may exist in the following categories:
- Critical infrastructure
- Financial services
- Law enforcement
- National defense
- Natural resources
- Nuclear weapons
- Statistical analysis
CMMC Accreditation Body (CMMC-AB): The certification body the US Department of Defense has empowered as the lone authority in the management of CMMC assessments and training procedures.
CMMC Third-party Assessor Organization (C3PAO): A third-party service provider authorized by the CMMC-AB to facilitate the assessment process for CMMC certification. CMMC certification can only be obtained by passing an audit conducted by an official C3PAO.
Defense industrial base (DIB): The community of prime contractors and subcontractors that service the Department of Defense.
Contractor: A non-government individual or organization that receives a contract to provide goods or services to the Department of Defense.
Defense Federal Acquisition Regulation Supplement (DFARS): A set of IT security standards the Department of Defense administers to third-party suppliers. DFARS encompasses specific data handling requirements, product procurement methods, employee policies, and procedures for safeguarding critical information.
Maturity Level: A clearly defined benchmark within an established evolutionary model. In the case of CMMC, each level represents a step in the road to continuous progression.
Maturity Model: A framework or system that charts improvement and progression. This model evaluates an organization’s practices, processes, and methodologies against a set of predetermined requirements. In addition to accessing the current degree of effectiveness, a maturity model helps determine what the organization needs to progress to higher tiers within the model.
National Institute of Standards and Technology Special Publication (NIST SP) 800-171: A set of guidelines that dictate how non-government IT systems are to process, transmit, store, and secure controlled unclassified information (CUI). Although CMMC, which is based on many of the same core principals, has been designed to replace it, NIST SP 800-171 compliance is a current requirement for select DOD contracts.
Registered Provider Organization (RPO): RPOs are authorized by the CMMC-AB to provide consultation and recommendations to clients seeking guidance on CMMC. While they can help organizations prepare for the process, RPOs are not authorized to provide CMMC assessments.
Subcontractor: An individual or organization that works partially or wholly under a primary DOD contractor. Under CMMC, subcontractors are liable to the same rules and regulations mandated to the prime contractors above them.
Supplier Performance Risk System (SPRS): A software system the DOD uses to house and manage the performance data of its suppliers. A virtual risk assessment platform, the SPRS assigns a risk score to suppliers based on past performance. The DOD takes those results into consideration when awarding contracts valued at $1 million or less.