How well do you know Department of Defense Acronyms?

The Department of Defense (DoD) will begin writing CMMC requirements into contracts in May 2023. That’s only 7 months away and companies are hustling to get up to code in time. But many organizations are bumping up against a big roadblock: DoD’s alphabet soup.

CMMC is a world awash in acronyms. To achieve compliance, you’ll first need to understand the language of CMMC. This blog will define some of the most common CMMC terms and provide context for their use.
First, what’s CMMC? From there, we’ll go in alphabetical order.


CMMC is the Cybersecurity Maturity Model Certification framework created by the DoD in response to increasing cyberthreats. CMMC is designed to unify standards for the implementation of cybersecurity practices throughout the DIB. One of DoD’s top goals for CMMC is to better protect Controlled Unclassified Information (CUI). Unlike previous programs, CMMC ensures rigorous, objective enforcement of these standards. In 2021, CMMC was updated to CMMC 2.0 from version 1.0 in order to streamline the program.
CMMC has 3 security levels. Each level details security controls and procedures the contractor must follow based on the sensitivity of the information the defense contractor is handling. CMMC Level 1 demonstrates Foundational security. Level 2 demonstrates Advanced Security. Level 3 demonstrates Expert security.


A C3PAO (CMMC Third Party Assessment Organization) is an IT service organization that has undergone training with the Cyber AB and been assessed by DIBCAC to ensure that the organization itself meets CMMC Level 2 standards.
Until CMMC is codified into law in 2023, C3PAOs will provide voluntary assessments in coordination with DIBCAC for defense contractors seeking to have their compliance with NIST 800-171 assessed.


The CAP (CMMC Assessment Process) stipulates the procedures and guidance for C3PAOs on how to conduct CMMC Level 2 assessments. The CAP ensures that CMMC is assessed uniformly throughout the Defense Industrial Base, regardless of which C3PAO is conducting the assessment.
The CAP is currently in draft mode, seeking comments. A final version should be issued by March 2023.


The Civil Cyber-Fraud Initiative (CCFI) aims to hold government contractors and grant recipients accountable under the False Claims Act for violations involving cybersecurity-related fraud. Specifically, the CCFI is looking to put pressure on individuals and entities that knowingly provide deficient cybersecurity products or services and misrepresent their cybersecurity practices.
In March 2022, the CCFI settled its first case. Comprehensive Health Services of Cape Canaveral, Florida, agreed to pay $930,000 to resolve allegations that it falsely represented compliance with the provision of medical services to soldiers at State Department and Air Force facilities in Iraq and Afghanistan.


A CRM (Customer Responsibility Matrix) is a document that clearly defines how a company will meet its responsibilities for protecting CUI and FCI, which responsibilities are met by the vendor, and which are shared by both. It outlines how a company’s software and/or protocols satisfy the 110 NIST 800-171 controls.
A CRM helps companies maintain clear oversight of their responsibilities and demonstrate how the company meets them.


A CSP (Cloud Service Provider) is a third-party company offering a cloud-based platform, infrastructure, application, or storage services. CSPs require companies to pay only for the amount of cloud services they use, following a utility model like that used for electricity or gas consumption.
CSPs, like PreVeil, Dropbox and G Suite, can make sharing and storing data more accessible to organizations. CSPs save organizations the cost and effort of designing their own system from scratch. It is important, however, to ensure that the CSP’s cybersecurity is up to standard before using it to process sensitive information.


CUI (Controlled Unclassified Information) is information that requires safeguarding or dissemination controls pursuant to and consistent with federal law, regulations, and government-wide policies. FCI (Federal Contract Information) is information not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government.
Contractors that handle FCI will need to achieve CMMC Level 1. Contractors that handle CUI will need to achieve CMMC Level 2.

Cyber AB

The Cyber AB (Cyber Accreditation Board), formerly known as the CMMC AB (Cybersecurity Maturity Model Certification Accreditation Board), authorizes and accredits C3PAOs. The Cyber AB acts as the only non-governmental party of the DoD in the oversight and implementation of the CMMC standard.
The Cyber AB is the only channel for CMMC certification.


The DIB (Defense Industrial Base) is the vast network of companies that provide goods and services to the DoD. The DIB includes more than 220,000 companies and their subcontractors, who contract with the DoD.
If you’re reading this, chances are you’re in the DIB.


The DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) is the ultimate authority on DoD cybersecurity standards and compliance. The DIBCAC defines and carries out CMMC Level 3 assessments. It also provides assessments for C3PAOs.


The DFARS (Defense Federal Acquisition Regulation Supplement) was released by the DoD in 2015. The DFARS 252.204-7012 memorandum requires contractors to comply with NIST 800-171.
DFARS 252.204-7012 was released to protect CUI. Due to slow and inconsistent adoption, the DoD released the CMMC program. The CMMC program largely follows the security standards set by NIST 800-171 and DFARS 252.204-7012, but buckles down on enforcement.

FedRAMP Moderate

FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach to security authorizations for Cloud Service Offerings. It has three levels: low, moderate, and high.
Cloud Service Providers (CSPs) that handle CUI will need to achieve either FedRAMP Moderate ATO or Equivalent. Those that have an Authority to Operate (ATO) can work directly with the government.

FIPS 140-2

FIPS (Federal Information Processing Standards) are a set of standards used to validate that the cryptographic modules produced by private sector companies meet National Institute of Standards and Technology (NIST) security standards. Cybersecurity companies looking to sell into regulated industries such as the defense industry implement these standards. NIST provides a certification to companies that have successfully gone through the FIPS 140-2 validation process.
FIPS 140-2 will apply if you need to encrypt anything at rest and in transit. FIPS 140-2 validation is mandatory for organizations managing sensitive but unclassified information such as CUI and ITAR. Contractors are responsible for ensuring that their service providers, including network and cloud service providers, are FIPS 140-2 certified as well.


GRC (Governance, Risk, and Compliance) is a platform that provides a set of processes and procedures that a business needs to follow in its everyday operations.
GRC can support a unified company-wide approach to cybersecurity and risk, as well as build collaboration for faster incident response. GRC can also help a company achieve CMMC compliance by improving its resource use efficiency.


ITAR (International Traffic in Arms Regulations) is a regulatory regime used to restrict and control the export of defense and military related technologies to safeguard U.S. national security and further U.S. foreign policy objectives.
ITAR is relevant to anyone who distributes defense and space related services and goods. ITAR is also relevant to companies these organizations.


An MSP (Managed Service Provider) is a third-party company that provides services. Technical support services and subscription services are two common examples of MSPs.
An MSP can remotely manage a customer’s information technology (IT) infrastructure and end-user systems, freeing the company to focus its resources elsewhere. Using an MSP can help companies avoid service interruptions or extended system downtimes.

NIST 800-171

NIST (National Institute of Standards and Technology) created the 800-171 standard to regulate how CUI is handled. CMMC Level 2 will mirror the 110 controls of NIST 800-171; the difference is simply in enforcement. NIST 800-171 allowed more self-reporting, while CMMC will require external verification to ensure accuracy of compliance scores.
If you handle CUI, you need to be NIST 800-171 compliant. Becoming compliant will also set you up for CMMC compliance.


An OSC (Organization Seeking Certification) is a company that is undergoing a CMMC compliance journey and seeks to be assessed. If you’re a defense contractor handling any sort of sensitive information, chances are you’re an OSC.


A POA&M (Plan of Action & Milestones) is a document that identifies security tasks that still need to be accomplished. It details what resources will be required, what milestones must be met, and what the completion dates for those milestones will be.
POA&Ms are a useful tool in a CMMC journey. They can buy companies a limited amount of extra time to meet certain NIST 800-171 controls. POA&Ms are not a loophole out of compliance as they are time-limited.


An RP (Registered Practitioner) / RPO (Registered Provider Organization) is a consultant that has successfully completed a Cyber AB training program. The Cyber AB officially defines an RP as a “consultant, coach, or implementer that completes basic CMMC training and testing, passes a criminal background check, signs the Code of Professional Conduct, and is listed on the CMMC Marketplace.”
There are 1,300+ RPs and 400+ RPOs, all offering different services, at different price points, and with different track records. Look for experience and proven past successes when selecting an RP/RPO.


An SSP (System Security Plan) is a document that details the policies and procedures a defense contractor has in place to meet the 110 NIST 800-171 controls required for CMMC compliance. This is a foundational document that should be put in place as a first step in an organization’s CMMC journey.
An SSP serves as a roadmap for compliance, giving companies oversight of where they are and what they still need to accomplish. A well-executed SSP also makes it easy for organizations to demonstrate compliance to their eventual assessors.


SPRS (Supplier Performance Risk System) is the DoD’s single authorized application for gathering supplier performance information. Under the DFARS Interim Rule, companies are required to file their NIST 800-171 self-assessment scores in SPRS by the time of the contract award.
The DoD is cracking down on overstated self-assessment scores. Going forward, the Department of Justice (DOJ)’s False Claims Act can and will be applied to organizations misrepresenting themselves through inflated scores. Penalties can include high fines, as well as exclusion from contracts.


CMMC is a big step towards standardizing cybersecurity in the DIB. While it may seem initially overwhelming, it should not box resource-conscious SMBs out of defense contracts. In fact, the DoD released CMMC 2.0, featuring significant revisions to the original CMMC program, in November 2021. This revamped framework was designed specifically to make the program more accessible and transparent.
If you haven’t begun your CMMC journey, this is your sign to do so. With less than a year until the Interim Rule goes into effect, there is no time to waste. Start by educating yourself on program terminology and requirements, then conduct a NIST 800-171 self-assessment to see where you are and what you still need to do.
Need help? We’re here for you.

About PreVeil

PreVeil is a state-of-the-art encrypted file sharing and email platform that offers uncompromising security for storing and sharing CUI. Organizations can easily add PreVeil to their existing IT environments (including Microsoft 365 Commercial), dramatically reducing the time and expense required to achieve compliance.


*** This is a Security Bloggers Network syndicated blog from Blog Archive - PreVeil authored by Orlee Berlove. Read the original post at: