Cybersecurity

Common Acronyms

Common acronyms that contractors need to know.

CMMC. DIBCAC. DFARS. Are you a contractor having a tough time keeping up with acronyms? We're put together a list of acronyms contractors in the defense industrial base will see.

1. Authorized C3PAO = Authorized CMMC 3rd Party Assessment Organization.

“A C3PAO is an organization that has successfully passed a rigorous series of requirements to become acknowledged by the CMMC Accreditation Body on behalf of the DoD, as being objective and competent to perform assessments on OSC’s”

2. CMMC = Cybersecurity Maturity Model Certification.

“The Cybersecurity Maturity Model Certification (CMMC) program is aligned to DoD’s information security requirements for DIB partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors.” 

3. CAP = CMMC Assessment Process.

“The CMMC Assessment Process (CAP), by comparison, is the CMMC doctrine providing the overarching procedures and guidance for CMMC Third-Party Assessment Organizations (C3PAOs) conducting official CMMC Assessments of organization seeking CMMC Certification.”

4. CTI = Controlled Technical Information.

“Controlled Technical Information (CTI) means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.  Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with the Department of Defense instruction 5230.24, ‘Distribution Statements of Technical Documents.”

5. CUI = Controlled Unclassified Information.

“Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide  policy requires or permits an agency to handle using safeguarding or dissemination controls.”

6. DFARS = Defense Federal Acquisition Regulation Supplement.

“The Defense Federal Acquisition Regulation Supplement (DFARS) to the Federal Acquisition Regulation (FAR) is administered by the Department of Defense (DoD). The DFARS implements and supplements the FAR.  The DFARS contains requirements of law, DoD wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public.”

7. DIB = Defense Industrial Base.

“The defense industrial base (DIB) encompasses all organizations and facilities that provide DoD with materials, products, and services.”

8. DIBCAC = Defense Industrial Base Cybersecurity Assessment Center.

“DIBCAC assesses DoD contractor’s compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, ‘Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations,’ as well as the DFARS clause 252.204-7020’s NIST SP 800-171 DoD Assessment Requirements.”

9. DoD = Department of Defense.

“The Department of Defense is America’s largest government agency. With our military tracing its roots back to pre-Revolutionary times, the department has grown and evolved with our nation.  Our mission is to provide the military forces needed to deter war and ensure our nation’s security.”

10. DoDAM = Department of Defense Assessment Methodology.

“The NIST SP 800-171 DoD Assessment Methodology, Version 1.2 documents a standard methodology that enables a strategic assessment of a contractor’s implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012.”

11. FAR = Federal Acquisition Regulation.

“The Federal Acquisition Regulation (FAR) is the primary regulation for use by all executive agencies in their acquisition of supplies and services with appropriated funds.”

12. FCI = Federal Contract Information.

“Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided but the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

13. FedRAMP = Federal Risk and Authorization Management Program.

“FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.”

14. FIPS = Federal Information Processing Standards.

“A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by NIST, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology to achieve a common level of quality or some level of interoperability.”

15. ISOO = Information Security Oversight Office.

“As part of that responsibility, ISOO is issuing this rule to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program.” 

16. NARA = National Achieves and Record Administration.

“The National Achieves and Records Administration (NARA) serves as the Controlled Unclassified Information (CUI) Program’s Executive Agent and has delegated CUI Executive Agent responisbilities to the Director of the Information Security Oversight Office (ISOO).”

17. NIST = National Institute of Standards and Technology.

“NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

18. OIRA = Office of Information and Regulatory Affairs.

“OIRA is the United States Government’s central authority for the review of Executive Branch regulations, approval of Government information collections, establishment of Government statistical practices, and coordination of Federal privacy policy.”

19. OMB = Office of Management and Budget.

“The office of Management and Budget (OMB) serves the President of the United States in overseeing the implementation of his or her vision across the Executive Branch. OMB’s Mission is to assist the President in meeting policy, budget, management, and regulatory objectives and to fulfil the agency’s statutory responsibilities.”

20. OSC = Organization Seeking Certification.

“The entity that is going through the CMMC assessment process to receive a level of certification for a given environment.”

21. OT = Operation Technology.

“Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”

22. SCRM = Supply Chain Risk Management.

“A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).”

23. SPRS = Supplier Performance Risk Sysytem.

“Supplier Performance Risk System (SPRS) “…is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.”

24. SSP = System Security Plan.

“The formal document prepared by the information system owner (or common security controls owner for inherited controls) that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. The plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan.” 

Have questions?  Contact us!

Tags: