Senior Consultant, Information Security Services
United States
During the August CyberAB town hall meeting a question arose regarding whether a glossary of acronyms would be released as an industry resource. As it happens, a project of this nature was already underway here at Smithers.
Cybersecurity as an industry is rife with acronyms. It can be difficult to understand what is expected of your organization or even where you stand if you do not have a solid grasp on some of the most important acronyms being used today. To that end, here is a “cheat sheet” of commonly used acronyms and what they mean. If there is one that should be added, let us know.
C3PAO: CMMC Third Party Assessor Organization
A C3PAO is an organization that is accredited to assess organizations and award CMMC certifications (see the CMMC entry below). C3PAOs are accredited by CyberAB, which is the rulemaking body for CMMC.
CISA: Cybersecurity and Infrastructure Security Agency
CISA operates as part of the Department of Homeland Security. It is responsible for cybersecurity, as its name suggests, but it is not directly involved in NIST 800-171 or CMMC.
CMMC: Cybersecurity Maturity Model Certification
CMMC has been a topic of much discussion since version 1 was released in 2020. On July 24, 2023, CMMC 2.0 was sent by the Department of Defense to the OMB and OIRA (see the entries below). The CMMC rule is expected to go into effect in late 2024 or the first quarter of 2025. CMMC is a certification of NIST 800-171 compliance.
CUI: Controlled Unclassified Information
CUI is a type of information found in the defense and aerospace industry sectors. The information is not classified, as the name indicates, but it is important enough to warrant special protection. Contractors that work directly with government agencies (prime contractors) and contractors that work with prime contractors need to understand whether they handle or store CUI. If an organization is involved with CUI, it must be NIST 800-171 certified. This rule went into effect on January 1, 2018.
DFARS: Defense Federal Acquisition Regulation Supplement
This acronym is a case where decoding the abbreviation does not really explain the concept. DFARS is established in Title 48 of the Code of Federal Regulations. DFARS implements and supplements the FAR (Federal Acquisition Regulation). DFARS consists of 252 contract clauses. The 252.204-7012 clause covers CUI and is what incorporated NIST 800-171 compliance in 2018.
DIB: Defense Industrial Base
There are often references to “the DIB” when CMMC or NIST 800-171 is discussed (along with myriad other defense and aerospace topics). DIB stands for Defense Industrial Base. It is also a term used in political science circles. CISA (Cybersecurity & Infrastructure Security Agency) defines the DIB as “the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.”
DIBCAC: Defense Industrial Base Cybersecurity Assessment Center
The full name of this agency is quite a mouthful, so having an acronym is beneficial. The primary role of DIBCAC is to assess how DoD contractors are doing in terms of complying with DFARS 252.204-7012 and NIST 800-171. Currently DIBCAC is offering joint surveillance assessments with C3PAOs for early CMMC letters of conformance.
DOD: Department of Defense
It is easy to think of the Department of Defense as “just” the overarching body covering the armed services, but in reality that is just the beginning of this sprawling federal agency. Several branches of the Department of Defense are involved in cybersecurity, so it is important to learn the infrastructure as you start or continue to work as a defense contractor. The DOD has an exhaustive list of its services on its website.
DODCIO: Department of Defense Chief Information Officer
The Chief Information Officer for the Department of Defense has many responsibilities, as you might expect. They are the primary advisor to both the Secretary of Defense and the Deputy Secretary of Defense for issues relating to information technology. In addition to cybersecurity, they are responsible for communications and many other areas of operation. For defense contractors, the DODCIO is primarily significant as the authority for cybersecurity for the Department of Defense.
FedRAMP: Federal Risk and Authorization Management Program
FedRAMP may affect you peripherally as your organization strives for NIST/CMMC compliance. If your organization is a CSP (Cloud Service Provider), it will impact you in a significant way. FedRAMP was created in 2011 with the goal of creating secure cloud environments for government data.
At times there are references to “FedRAMP equivalent” or “FedRAMP Ready.” These terms show up especially in conversations about NIST/CMMC and DFARS 252.204-7012. Defining “equivalent” has been a commonly voiced bone of contention during the conversations about NIST 800-171 rev 3 and CMMC 2.0. FedRAMP was created by the OMB (Office of Management and Budget).
FIPS: Federal Information Processing Standards
FIPS are created by NIST. NIST defines FIPS as:
“standards and guidelines for federal computer systems that are developed by National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the federal government, many in the private sector voluntarily use these standards.”
There are FIPS requirements in NIST 800-171, and many companies find this a major obstacle to overcome on their way to compliance.
ISMS: Information Security Management System
An ISMS is a management system for important data. It should not be confused with CUI, mentioned above. It also differs from the types of personal information governed by standards like GDPR. An ISMS includes documented policies, procedures, and testing with continuous improvement. ISO 27001 is the standard against which an ISMS is measured.
NARA: National Archives and Records Administration
What does NARA have to do with cybersecurity? NARA defines what qualifies as CUI and indicates how CUI should be properly marked for proper protection. If you are not sure if your organization handles or stores CUI, the NARA CUI category list is a great place to start.
NIST: National Institute of Standards and Technology
The National Institute of Standards and Technology was created in 1901 and is now under the umbrella of the Department of Commerce. The agency was created because at the time, the US did not have high-quality measurement standards. Today, NIST is far-reaching and is involved in many different industries and standards. For cybersecurity, NIST is important as the creator of key standards like NIST 800-53 and NIST 800-171, mentioned in the DFARS section above.
NIST is not a part of the Department of Defense or CyberAB.
NIST CSF: NIST Cybersecurity Framework
You may encounter this acronym as you work toward compliance with NIST SP 800-171/CMMC, but do not get confused. The Cybersecurity Framework merely offers guidelines that will help your organization increase its security. Complying with the NIST CSF does not equate to complying with NIST 800-171 or CMMC.
ODP: Organization-Defined Parameter
ODPs are defined by NIST as “The variable part of a control or control enhancement that is instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a predefined list provided as part of the control or control enhancement.” Some organizations find ODPs confusing as they work to comply with NIST SP 800-171 standards.
OIRA: Office of Information and Regulatory Affairs
OIRA is under the umbrella of the OMB (see below). Its responsibility is to review executive regulations, approve information collections, and more. The CMMC rule was sent to OIRA for review as a major step in the rule-making process.
OMB: Office of Management and Budget
The OMB exists under the office of the President. The OMB oversees federal agencies and also is responsible for administering the federal budget. OIRA, mentioned above, is under the OMB’s umbrella of responsibilities.
OSC: Organization Seeking Certification
If you are an auditor or certifying body, you may refer to contractors as organizations seeking certification, or OSCs. If you see OSC in a contract with a C3PAO, it simply refers to your organization as the organization seeking certification.
OTS: Other Than Satisfied
When working toward ISO certification, areas of nonconformance can often be fixed in order to complete the process. NIST SP 800-171 is different. A company either passes a control group or is marked as “other than satisfied,” which is a polite way of saying that the company did not pass that section. In NIST 800-171, missing one part of a control group means you have not complied with the entire group, even if everything else was completed.
POAM: Plan of Action and Milestones
You will come across this acronym often during the journey to comply with NIST SP 800-171/CMMC. A POAM outlines tasks that need to be completed in order to get the organization into compliance.
PII: Personally Identifiable Information
PII is mostly a term that comes up in GDPR or ISO 27701. Personally identifiable information is data that can easily be traced or tied to a specific individual.
SPRS: Supplier Performance Risk System
DFARS 252.204-7019 requires companies to self-assess their NIST SP 800-171 compliance. The resulting scores must then be entered into a web platform called SPRS. The Department of Defense can use the information in SPRS to help determine whether a contractor should be awarded a contract.
SSP: System Security Plan
The System Security Plan is used by an organization pursuing NIST SP 800-171 compliance. Its purpose is to describe and document how the organization plans to meet the requirements of the standard, or how it is already meeting them.
As mentioned above, if there are acronyms you have come across that you do not see here, please let us know and we will add them to the resource. We hope this is helpful over the coming months and years.