Vocabulary terms and definitions from the Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP) version 5.6.1 transcript.
CMMC
Cybersecurity Maturity Model Certification; the Department of Defense’s (DoD) unifying standard for the implementation of cybersecurity measures within the Defense Industrial Base (DIB).
CAP
CMMC Assessment Process; the CMMC doctrine providing the overarching procedures and guidance for C3PAOs conducting official CMMC Assessments.
The Cyber AB
Cybersecurity Maturity Model Certification Accreditation Body, Inc.; the entity responsible for administering the CMMC Marketplace and the CMMC Assessment Process.
CCP
Certified CMMC Professional; a trained individual eligible for roles in the CMMC Assessment ecosystem.
CCA
Certified CMMC Assessor; a certified individual who conducts CMMC Assessments and manages Assessment Teams.
OSC
Organization Seeking Certification; the DIB company, university, or legal entity pursuing CMMC Certification by contracting with a C3PAO.
OSC Assessment Official
The most senior representative of an OSC who has decision-making authority and is directly responsible for leading the OSC’s engagement in the Assessment; must be an employee of the organization.
OSC Point of Contact (OSC POC)
The individual within the OSC who provides daily coordination and liaison support; could be an employee, contractor, consultant, or Registered Practitioner (RP).
C3PAO
CMMC Third-Party Assessment Organization; an independent conformity assessment body authorized to conduct CMMC Assessments and issue certifications.
Lead Assessor
The Certified CMMC Assessor (CCA) who oversees and manages a dedicated CMMC Assessment Team for an OSC Assessment.
CQAP
CMMC Quality Assurance Professional; the formally trained individual responsible for ensuring Assessment documentation completeness, accuracy, and procedural integrity.
Assessment framing
The practice of identifying the size, scale, date, time, place, manner, resources, and level-of-effort associated with a prospective CMMC Assessment.
CMMC Assessment Scope
The official and technical term for the boundaries within an organization’s networked environment that contain all the assets to be assessed.
HQ Organization
The legal entity that will be delivering services or products under a DoD contract; can be the OSC itself or designate a Host Unit as the OSC.
Host Unit
The specific people, procedures, and technology within an HQ Organization that are applied to a DoD contract and considered the OSC for Assessment purposes.
Enclave
A set of system resources operating within the same security domain that share a single, common, and continuous security perimeter.
Supporting Organizations
External entities (people, procedures, and technology) that support the Host Unit; their assets may be in scope, but they do not receive a certificate during the OSC's Assessment.
CAGE code
Commercial and Government Entity code; a mandatory identifier issued by the Department of Defense for organizations undergoing Assessment.
UEI
Unique Entity Identifier; a number issued through GSA's SAM.gov system that is required to identify the organization's corporate structure.
Adequacy
The criteria used to determine if a given artifact or response demonstrates the performance of a CMMC practice; answers the question: "Does the Assessment Team have the right Evidence?"
Sufficiency
The criteria needed to verify that the CMMC domain and practice coverage is enough to rate against each practice based on scope; answers the question: "Does the Assessment Team have enough of the right Evidence?"
MET
A finding where the contractor successfully meets the practice and conforms to all objectives.
NOT MET
A finding where the contractor does not conform fully to all of the objectives of a practice.
NOT APPLICABLE (N/A)
A finding indicating that a practice does not apply to the Assessment, such as the requirements for publicly accessible systems when the OSC has none.
Examine method
The process of reviewing, inspecting, observing, or analyzing Assessment objects such as specifications, mechanisms, or activities to obtain Evidence.
Interview method
The process of holding discussions with individuals or groups to facilitate understanding or achieve clarification of practice implementation.
Test method
The process of exercising Assessment objects under specified conditions to compare actual behavior with expected behavior.
CMMC eMASS
The official repository system and application into which authorized C3PAO representatives must upload Assessment Packages and Pre-Assessment Forms.
Limited Practice Deficiency Correction
An accommodation allowing OSCs to resolve minor documentation or implementation discrepancies within a restricted timeframe (usually 5 business days) to achieve a "MET" score.
POA&M
Plan of Action and Milestones; a time-bound document (maximum 180 days) used to identify and monitor corrective efforts for security weaknesses.
CMMC Level 2 Conditional Certification
A certification status requiring at least 80% (88/110) of practices to be "MET" and all remaining items to be on a valid, authorized POA&M.
JSON
JavaScript Object Notation; the specific data format required for structuring Pre-Assessment information for export into CMMC eMASS.