CMMC Acronyms and What They Mean for Your Business
There are dozens of acronyms and abbreviations within the cybersecurity world, and the CMMC acronyms are just part of the list. This can make security overwhelming and confusing for organizations simply trying to improve their security posture. With increased legislation regarding security controls and their implementation, it is more important now than ever that your business familiarizes itself with the terms and acronyms that may apply to its organization and business continuity.
Below is a list of some of the acronyms involved in CMMC compliance and how they may apply to your business:
CMMC: cybersecurity maturity model certification
CMMC stands for "cybersecurity maturity model certification". The CMMC was established in part by the Department of Defense (DoD) to create an enforceable compliance model that ensures private contractors working inside the Defense Industrial Base (DIB) are effectively protecting controlled unclassified information (CUI). The framework on which the CMMC is based is NIST 800-171, which consists of 110 controls divided among 14 control families.
CyberAB: cybersecurity maturity model certification - accreditation body
The CyberAB is responsible for overseeing qualified, trained, and trustworthy assessors who are able to audit an organization for CMMC compliance. It provides the resources organizations need to become CMMC compliant and to become capable of assessing others' compliance levels.
CorpInfoTech is a certified Registered Provider Organization (RPO) under the CyberAB. This allows us to offer our services to contractors seeking compliance.
DIB: Defense Industrial Base
DIB is the abbreviation for the Defense Industrial Base. The DIB is a collection of organizations from various industries that work together with the Department of Defense on various projects. The DIB contains over 30,000 organizations and demands a lot in terms of security. The CMMC model is directly applicable to any organization within the DIB. The DIB contains some of the largest and most profitable defense companies so it is no wonder that security is so important.
NIST 800-171: National Institute of Standards and Technology
NIST 800-171 is a security framework developed by the National Institute of Standards and Technology (NIST) and is the framework in which the CMMC is rooted. NIST 800-171 contains 110 security controls divided into 14 control families. These controls work together to create a layered defense that better protects CUI from bad actors. The framework specifically provides guidance on the storage, protection, and transmission of CUI between the private sector and the federal government.
MSSP: Managed Security Services Provider
An MSSP, or Managed Security Services Provider, is an organization that provides support in making sure a client organization is compliant and secure in its IT operations. CorpInfoTech specializes in providing premier managed services that both protect organizations from bad actors and ensure they comply with the security regulations they need to conduct their business. We offer full and co-managed services that include firewall management, vulnerability management, and compliance support and guidance!
While these abbreviations are not all-encompassing, they provide a baseline knowledge of terms you are likely to hear when beginning your CMMC compliance journey! Education on security is important to staying compliant and protecting your business!
C3PAO: CMMC Third Party Assessment Organization
C3PAO stands for "CMMC Third Party Assessment Organization". These organizations are responsible for delivering CMMC assessments and confirming compliance with CMMC regulations. They are authorized by the CyberAB to audit organizations seeking certification (OSCs).
MSP/ESP: Managed Service Provider / External Service Provider
A managed service provider (MSP) offers IT and cybersecurity services to organizations on a contract basis. Many SMBs hire an MSP to help them with their overall cybersecurity posture. However, contractors should note that your MSP must also be CMMC compliant in order to handle CMMC-scoped security data. CorpInfoTech is slated to be audited for CMMC certification within four weeks of CMMC finalization.
Under the CMMC rule, the DoD uses the term "ESP" to describe external service providers that offer their services to contractors. This term can be used interchangeably with MSP in this context.
SRM: Shared Responsibility Matrix
When working with an MSP/ESP, your organization should be given an SRM or "shared responsibility matrix". This document outlines what practices of CMMC are the responsibility of your organization to cover and which ones pertain to your service provider. Some of these may be entirely on the shoulders of your team while others are the sole responsibility of the MSP. In some cases, the responsibility may be shared between the two.
SSP: Systems Security Plan
Your Systems Security Plan (SSP) is simply the plan for how your organization will implement the practices required by CMMC. It describes how you plan to protect the FCI and CUI present in your organization and what technologies you will use to accomplish this. Every contractor must have an SSP to start the compliance process. The document includes the hardware and software that will be in scope for CMMC and the security measures that are in place for them.
GRC: Governance, Risk Management, Compliance
For contractors, GRC represents a framework through which management ensures proper governance, risk management, and compliance (hence the name). This framework includes policies and procedures, the steps being taken to actively find and mitigate risk, and compliance data.
RMP: Risk Management Program
Every organization should have a risk management program in place to consistently root out vulnerabilities and gaps in its security. This is especially important for CMMC, as contractors are required to maintain continuous compliance even as technology shifts and threats evolve.
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert IT services, including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.