A Glossary of Cybersecurity Maturity Model Certification (CMMC) Terms

January 27, 2025

This comprehensive Cybersecurity Maturity Model Certification (CMMC) Glossary provides an extensive list of terms and definitions pertinent to the CMMC framework.

Glossary of Terms

  • Access: Ability to make use of any information system (IS) resource.
  • Access Authority: An entity responsible for monitoring and granting access privileges for other authorized entities.
  • Access Control (AC): The process of granting or denying specific requests to (1) obtain and use information and related information processing services, and (2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
  • Access Control Policy (Access Management Policy): The set of rules that define the conditions under which an access may take place.
  • Access Profile: Association of a user with a list of protected objects the user may access.
  • Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
  • Activity / Activities: A set of actions that are accomplished within a practice in order to make it successful. A practice may consist of a single activity or a set of activities.
  • Administrative Safeguards: Administrative actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect any electronic information that is by definition “protected information” (e.g., protected health information) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
  • Advanced Persistent Threat (APT): An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: pursues its objectives repeatedly over an extended period of time; adapts to defenders’ efforts to resist it; and is determined to maintain the level of interaction needed to execute its objectives.
  • Adversary: Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
  • Adversarial Assessment: Assesses the ability of an organization equipped with a system to support its mission while withstanding cyber threat activity representative of an actual adversary.
  • Air Gap: An interface between two systems that are not connected physically and have no automated logical connection (i.e., data is transferred across the interface only manually, under human control).
  • Alert: An internal or external notification that a specific action has been identified within an organization’s information systems.
  • Anti-Malware Tools: Tools that help identify malware, prevent its execution, and reverse engineer it.
  • Anti-Spyware Software: A program that specializes in detecting both malware and non-malware forms of spyware.
  • Anti-Tamper: Systems engineering activities intended to deter and/or delay exploitation of technologies in a system in order to impede countermeasure development, unintended technology transfer, or alteration of a system.
  • Anti-Virus Software: A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.
  • Assessment: The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for a system or organization.
  • Assessor: An individual or team authorized to conduct CMMC assessments.
  • Baseline Configuration: A documented set of specifications for an information system or configuration item within a system that has been formally reviewed and agreed on at a given point in time, which can be changed only through change control procedures.
  • Blacklisting: A process used to identify software programs that are not authorized to execute on a system or network.
  • Boundary Protection: Monitoring and control of communications at the external boundary and key internal boundaries of an information system to prevent and detect malicious and other unauthorized communication.
  • Capability: A set of related security requirements and activities within a given domain of the CMMC model.
  • Certification: Formal attestation that an organization meets CMMC requirements.
  • Change Control: Process of managing updates to system components to prevent unauthorized changes.
  • Cloud Computing: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
  • Compensating Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the NIST SP 800-53 or NIST SP 800-171 baselines that provide equivalent or comparable protection for an information system.
  • Component: A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware.
  • Configuration Control: Process for controlling modifications to hardware, firmware, software, and documentation to ensure the information system is protected against improper modifications before, during, and after system implementation.
  • Configuration Item: An aggregation of information system components that is designated for configuration management and treated as a single entity in the configuration management process.
  • Configuration Management (CM): A collection of activities focused on establishing and maintaining the integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
  • Controlled Unclassified Information (CUI): Information requiring safeguarding or dissemination controls, as per law, regulations, or policies, excluding classified information.
  • Corrective Action Plan (CAP): A documented plan to address identified deficiencies or vulnerabilities.
  • Credential: Evidence attesting to an entity's claimed identity.
  • Data Breach: The unauthorized access and retrieval of sensitive information.
  • Data Encryption: The process of converting data into a coded format to prevent unauthorized access.
  • Data Loss Prevention (DLP): A strategy to prevent unauthorized sharing, transmission, or loss of sensitive data.
  • Defense Industrial Base (DIB): The Department of Defense (DoD) sector responsible for designing, producing, and maintaining military weapons systems, subsystems, and components.
  • Denial of Service (DoS): An attack that prevents authorized users from accessing a system or network.
  • Encryption: The process of encoding data to protect it from unauthorized access.
  • Enterprise Risk Management (ERM): A comprehensive approach to managing risks across an organization.
  • Event: An observable occurrence in a system or network.
  • Exfiltration: Unauthorized transfer of data from a system.
  • Firewall: A security system that monitors and controls incoming and outgoing network traffic based on predefined security rules.
  • Forensics: The process of analyzing systems to identify the causes and impacts of incidents.
  • Framework: A structured set of guidelines for implementing and managing security practices.
  • Governance: The processes and policies used to direct and control an organization’s operations and activities.
  • Guideline: A suggested method for achieving compliance with standards or best practices.
  • Hardening: Strengthening a system’s security by reducing vulnerabilities.
  • Honeypot: A decoy system designed to attract and analyze potential attackers.
  • Incident: A cybersecurity event that disrupts or threatens to disrupt a system or network.
  • Incident Response (IR): Actions taken to detect, manage, and mitigate the effects of incidents.
  • Insider Threat: A risk posed by individuals within an organization who misuse access for malicious purposes.
  • Just-In-Time Access: A security model where access permissions are granted only when needed and revoked after use.
  • Key Management: The management of cryptographic keys to ensure their secure creation, distribution, use, and storage.
  • Least Privilege: Limiting user access rights to the minimum required for their tasks.
  • Log Management: The process of collecting, storing, and analyzing system logs to identify issues or anomalies.
  • Malware: Malicious software designed to damage, disrupt, or gain unauthorized access to systems.
  • Mitigation: Steps taken to reduce or eliminate a security risk.
  • Network Security: Practices and technologies used to protect the integrity and usability of a network.
  • Non-Repudiation: Assurance that a sender cannot deny sending a message and a recipient cannot deny receiving it.
  • Operational Security (OPSEC): A process to identify and protect sensitive information from adversaries.
  • Outsourcing: Delegating specific tasks or functions to third-party organizations.
  • Patch Management: The process of deploying updates to systems to fix vulnerabilities or improve functionality.
  • Penetration Testing: Simulated attacks to identify vulnerabilities in systems or networks.
  • Policy: A formal statement of principles or rules guiding behavior and decisions.
  • Quality Assurance (QA): Processes to ensure systems meet performance and security requirements.
  • Risk Management (RM): Strategies to identify, assess, and mitigate risks to an organization.
  • Role-Based Access Control (RBAC): A method of restricting system access based on user roles.
  • Security Incident: An event compromising the confidentiality, integrity, or availability of systems or data.
  • System Security Plan (SSP): A document outlining an organization’s cybersecurity policies and controls.
  • Threat Actor: An individual or group responsible for malicious cyber activities.
  • Two-Factor Authentication (2FA): A security method requiring two forms of verification to access a system.
  • User Privilege: The level of access granted to a user based on their role and responsibilities.
  • Vulnerability: A weakness in a system or network that can be exploited.
  • Vulnerability Assessment: A systematic review to identify and address vulnerabilities.
  • Whitelist: A list of approved applications, services, or IP addresses.
  • Wireless Security: Safeguards to protect wireless networks from unauthorized access.
  • Zero-Day Vulnerability: A previously unknown vulnerability for which no patch or fix is available.
  • Zero Trust: A security model assuming no implicit trust, requiring verification for all users and devices.