CMMC Terms
GLOSSARY OF TERMS
Access Control
The process of granting or denying specific requests for or attempts to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities
Advanced Persistent Threat (APT)
An adversary possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).
Air Gap
To physically separate or isolate a system from other systems or networks.
Attack Path
The steps that an adversary takes or may take to plan, prepare for, and execute an attack.
Attack Pattern
Similar cyber events or behaviors may indicate an attack has occurred or is occurring, resulting in a security violation or a potential security violation.
Attack Signature
A characteristic or distinctive pattern that can be searched for or that can be used in matching to previously identified attacks.
Authentication
The process of verifying the identity or other attributes of an entity (user, process, or device).
Authorization
A process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource.
Backdoor
A backdoor is a tool installed after a compromise to give an attacker easier access to the compromised system around any security mechanisms that are in place.
Behavior Monitoring
Observing activities of users, information systems, and processes and measuring the activities against organizational policies and rules, baselines of normal activity, thresholds, and trends.
Black List
A list of entities that are blocked or denied privileges or access.
Blue Team
A group that defends an enterprise’s information systems when mock attackers (i.e., the Red Team) attack, typically as part of an operational exercise conducted according to rules established and monitored by a neutral group (i.e., the White Team).
Bot
A computer connected to the Internet that has been surreptitiously / secretly compromised with malicious logic to perform activities under the command and control of a remote administrator.
Bug
An unexpected and relatively small defect, fault, flaw, or imperfection in an information system or device.
Carnegie Mellon University Software Engineering Institute (SEI)
The Software Engineering Institute (SEI), along with the Johns Hopkins Applied Physics Laboratory (APL), led the development of the CMMC.
In layman’s terms, this group directly worked with the DoD to flesh out CMMC concepts and create the official documents hosted on the DoD’s CMMC website.
As authors, SEI and APL have quite a bit of authority in interpreting the CMMC model.
Checksum
A value that is computed by a function that is dependent on the contents of a data object and is stored or transmitted together with the object, for the purpose of detecting changes in the data.
CIP
Critical Infrastructure Protection. The North American Electric Reliability Corporation (NERC), which FERC directed to develop Critical Infrastructure Protection (CIP) cyber security reliability standards.
CIphertext
Data or information in its encrypted form.
Cloud Computing
A model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
CMMC (Major players)
-
Department of Defense (specifically the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))
-
CMMC Accreditation Body (CMMC-AB)
-
Carnegie Mellon University Software Engineering Institute (SEI)
-
CMMC-Center of Excellence (CMMC-COE) / IT Acquisition Advisory Council (IT-AAC)
CMMC Model (the model)
The CMMC Model refers to official documents published by the DoD that describe requirements for maturity and secure practices. Over time, more official documents that identify assessment scope and assessment pass/fail criteria are expected to be published.
CMMC Accreditation Body (CMMC-AB)
The CMMC Accreditation Body (CMMC-AB) is a private-sector, non-profit organization. The DoD has granted the CMMC-AB official responsibility for some aspects of the CMMC rollout. It has the following mission:
“The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.”
In layman’s terms:
-
The CMMC-AB was granted authority by the DoD to manage and accredit private-sector trainers and auditors for the CMMC.
-
The CMMC-AB is not responsible for the CMMC model (the DoD has that), but for building the infrastructure to roll it out to Defense Contractors.
-
The CMMC-AB is expected to fund itself via fees from assessments, training, and certification programs.
-
The CMMC-AB is responsible for performing quality control on C3PAOs and assessments.
CMMC Assessors and Instructors Certification Organization (CAICO)
CAICO stands for the CMMC Assessors and Instructors Certification Organization. This is an organization that will coordinate training and ensure quality among CMMC professionals (individuals). This organization is still in extremely early stages (just planning, mostly) as of February 2021.
Learn more about the CAICO here.
CMMC Body of Knowledge (CMMC-BOK)
The CMMC-BOK is information on standards, practices, implementation, scenarios, best practices, and exam-specific learning objectives. The CMMC-AB expects to maintain this official knowledge set.
The CMMC Assessment Guides
The CMMC Assessment Guides (version 1.10) were published in late December 2020. A significant update is expected in March-April 2021.
These guides are the most relevant source of information to understand CMMC practice requirements and whether implementation scenarios would pass a CMMC assessment.
CMMC Certified Practitioner (CP)
A certified Practitioner is a cybersecurity professional who has been sanctioned to work on an assessment team (but not lead an assessment) by the CMMC-AB. This is the entry-level assessor qualification.
Learn more about Certified Professional and Certified Assessors here.
CMMC Certified Assessor Level 1-5 (CA#)
Certified Assessor (CA) is a cybersecurity professional who has been sanctioned to lead CMMC assessments. The CA# corresponds to the highest ML# that the professional is authorized to assess.
Learn more about Certified Professional and Certified Assessors here.
CMMC Maturity Level 1-5 (ML#)
ML stands for Maturity Level. This term is used to describe the security practices successfully implemented by a CMMC-assessed Defense Contractor and verified during an audit sanctioned by the CMMC-AB
In casual use, “CMMC Level #” is synonymous with “CMMC ML#”
CMMC Registered Practitioner (RP)
A registered Practitioner is a person who has completed training about the CMMC, passed a background check, and signed the CMMC-AB’s code of conduct. The CMMC-AB does not warrant their skills or abilities but will revoke their badge if they violate the code of conduct.
Learn more about the RP program here.
CMMC Third-Party Assessor Organization (C3PAO)
C3PAO refers to organizations (generally cybersecurity or accounting firms) that have CPs and CAs on staff to perform assessments. The C3PAO is the entity that contracts with Defense Contractors seeking CMMC Maturity Level certification. The C3PAO is the first line of quality control for audits.
Learn more about C3PAOs here.
CMMC Licensed Partner Publisher (LPP)
CMMC Licensed Partner Publishers (LPPs) are approved by the CMMC-AB to develop and publish CMMC training materials.
CMMC Licensed Training Provider (LTP)
CMMC Licensed Training Providers (LTPs) are approved by the CMMC-AB to…
There isn’t an official page on this topic yet. Per webinars published by the CMMC-AB, the intent seems to be that LTPs will be organizations that are authorized to offer CMMC training courses using CMMC's official curriculum.
CMMC Licensed Instructor (LI)
CMMC Licensed Instructors (LIs) are approved by the CMMC-AB to…
Actually, there isn’t an official page on this topic yet. Per webinars published by the CMMC-AB, the intent seems to be that LIs will be the only people authorized to actually teach CMMC classes (generally these will be classes to prepare for certified professionals or certified assessors). LIs will need to meet requirements for the equivalent CMMC CA level that they are teaching.
Q&A video about the status of training: CAICO and current state of CMMC training – Ben Tchoubineh (CMMC-AB)
Computer (digital) forensics
The processes and tools to create a bit-by-bit copy of an electronic device (collection and acquisition) for the purpose of analyzing and reporting evidence; gather and preserve evidence that is legally defensible and does not alter the original device or data.
Continuity of operations plan
A document that sets forth procedures for the continued performance of core capabilities and critical operations during any disruption or potential disruption.
Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government. It also needs to fit into a category that the United States Federal Government identifies as needing special safeguarding or dissemination controls.
In layman’s terms: CUI is sensitive (but not classified) information that the U.S. government wants to keep private. Examples are weapons test data or information about military personnel.
The National Archives (archives.gov) maintains a list of the categories of information that are considered CUI.
Defense Contractors are required to safeguard CUI on their networks according to DFARS 252.204-7012.
This PowerPoint released by the DoD has additional training about CUI and the difference between it and other data types like Classified and FOUO.
This “Mandatory CUI Training” from the DoD is also available for free.
Covered Defense Information (CDI)
Covered Defense Information is defined in DFARS 252.204-7012 as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry…” and is either marked and provided by the DoD, or generated by the contractor during a contract.
In layman’s terms: CDI is synonymous with CUI.
Controlled Technical Information (CTI)
Controlled Technical Information is a sub-category of CUI specific to Defense. As a sub-category of CUI, it is affected by requirements that apply to CUI.
Critical Infrastructure or Essential Critical Infrastructure
The systems and assets, whether physical or virtual, are so vital to society that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters.
Per a March 20, 2020 memo from the Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord:
“If your contract or subcontract supports the development, production, testing, fielding, or sustainment of our weapon systems/software systems, or the infrastructure to support those activities. If your efforts support manning, training, equipping, deploying, or supporting our military forces, your work is considered Essential Critical Infrastructure.”
This term is important because vulnerability data for Critical Infrastructure is a category of CUI. This means that cybersecurity vendors that provide compliance portals, security vulnerability assessments, consulting, and audits for Critical Infrastructure companies will be creating, storing, and/or processing CUI.
CSRT
Cybersecurity Incident Response Team
Cyber munitions
Technology systems have the purpose of causing harm and destruction by altering the running state of another system without permission. Cybersecurity Maturity Model Certification (CMMC)
The CMMC was spearheaded by Ms. Katie Arrington, the chief information security officer for the Department of Defense’s Acquisition and Sustainment office.
Per the DoD’s CMMC website, “The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.”
Cryptanalysis
The operations performed in defeating or circumventing cryptographic protection of information by applying mathematical techniques and without initial knowledge of the key employed in providing the protection.
Cybersecurity Summit
Comprehending information about the current and developing security posture and risks, based on information gathered, observation and analysis, and knowledge or experience.
Data Breach
The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.
Data Loss Prevention
A set of procedures and mechanisms to stop sensitive data from leaving a security boundary.
Data Mining
The process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.
Defense Federal Acquisition Regulation Supplement (DFARS)
DFARS is a published supplement to the Federal Acquisition Regulation (FAR) which adds additional guidance and requirements for DoD contracts.
Defense Contractor
Defense Contractors are organizations that provide products or services to the Department of Defense. They are generally privately owned companies that have at least one contract with the Department of Defense. Note: while most Defense Contractors are located and operated within the United States, there are many overseas and multinational companies that provide products and services to the DoD.
Denial of Service
An attack that prevents or impairs the authorized use of information system resources or services.
Department of Defense (DoD)
The Department of Defense is an executive branch of the United States Federal Government. Its mission is to provide combat-credible military forces needed to deter war and protect the security of our nation. With a budget of $718.3 billion (2020), of which 9.6 billion is for cyber, over a million active duty service members and over 700,000 civilians, it is America’s largest employer.
The Department of Defense (specifically the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is the government agency that is responsible for creating the CMMC model.
Defense Industrial Base (DIB)
The Defense Industrial Base is defined as “the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems/software systems, subsystems, and components or parts, as well as purchased services to meet US Military requirements.”
Many (most?) (almost all?) Defense Contractors are considered to be part of the Defense Industrial Base.
The DIB is identified as a Critical Infrastructure Sector by the Department of Homeland Security.
DFARS 252.204-7021 Cybersecurity Maturity Model Certification
This section of the Defense Federal Acquisition Regulation Supplement has been proposed as an Interim Rule, to go into effect on November 30, 2020.
For contracts that include the 252.204-7021 clause, at the time of award, the contractor will need to provide evidence of holding a CMMC certification. The specific CMMC certification level will be identified on a contract-by-contract basis.
After November 30, 2025, all DoD contracts are expected to include the 252.204-7021 clause. In other words, after 2025, all DoD contractors will need at least CMMC level 1 in order to participate in contracts.
Defense Industrial Base Cybersecurity Program (DIBNet)
The Defense Industrial Base Cybersecurity Program (DIBNet) is meant to “enhance and supplement DIB participants’ capabilities to safeguard DoD information that resides on or transits DIB unclassified networks or information systems. This public-private cybersecurity partnership is designed to improve DIB network defenses, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness.”
Defense contractors subject to DFARS 252.204-7012 are required to report cyber incidents to DIBNet.
DFARS 252.204-7012 Safeguarding Covered Defense Information
This is a small section of the Defense Federal Acquisition Regulation Supplement.
DFARS 252.204-7012 is a roughly 3-page contract clause currently required in all contracts with the Department of Defense, except those that are solely for the purchase of Commercial-Off-The-Shelf (COTS) products. (COTS products are sold to the public and are not customized before delivery).
In other words, if a defense contractor provides services or customization as part of a DoD contract, their contract will include this requirement. Reference: defense – “Safeguarding Covered Defense Information – The Basics”
The requirements in DFARS 252.204-7012 are very tough to implement for most companies. Key terms included in it are:
-
Controlled Unclassified Information (CUI)
-
Controlled Technical Information (CTI)
-
NIST Special Publication 800-171 (NIST SP 800-171)
-
Defense Industrial Base (DIB)
-
Defense Industrial Base Cybersecurity Program (DIBNet)
-
Federal Risk and Authorization Management Program (FedRAMP)
-
Medium Assurance Certificate
-
DoD Cyber Crime Center (DC3)
Resource: The DoD Procurement Toolbox hosts a FAQ document that addresses questions about DFARS 252.204-7012 and other regulations.
Digital Forensics
The processes and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes.
Digital Rights Management (DRM)
A form of access control technology to protect and manage the use of digital content or devices in accordance with the content or device provider's intentions.
Digital signature
A value is computed with a cryptographic process using a private key and then appended to a data object, thereby digitally signing the data.
Distributed Denial of Service (DDOS)
A denial of service technique that uses numerous systems to perform the attack simultaneously.
DMZ
De-Militarized Zone. A physical or logical subnetwork where publicly facing internet connections occur; a subnetwork where an organization’s external-facing services are exposed to an untrusted network (i.e. internet).
DoD Cyber Crime Center (DC3)
The DoD Cyber Crime Center (DC3) is listed in DFARS 252.204-7012 as the point of contact for sending malware samples. The DC3 also operates the cyber incident report portion of the DIBNet portal.
Doxing
The process or technique of gathering personal information on a target or subject, and building a dossier with the intent to cause harm.
Dynamic Attack Surface
The automated, on-the-fly changes of an information system’s characteristics to thwart the actions of an adversary.
Electronic signature
Any mark in electronic form associated with an electronic document is applied with the intent to sign the document.
eMASS
Enterprise Mission Assurance Support Service (eMASS) is a web-based Government solution designed to support cybersecurity management. This is the Compliance Platform that DoD programs use internally to manage their cybersecurity compliance.
eMASS is used for DoD mission networks and historically has not been associated with Defense Contractor compliance. Access to the private sector is restricted. However, the CMMC will need to record assessments and hold certification status for thousands of companies in a central place. eMASS is the most likely solution.
Enterprise risk management
A comprehensive approach to risk management that engages people, processes, and systems across an organization to improve the quality of decision-making for managing risks that may hinder an organization’s ability to achieve its objectives.
Event logs
The computer-based documentation log of all events occurring within a system.
Exfiltration
The unauthorized transfer of information from an information system.
Exploit
A technique to breach the security of a network or information system in violation of security policy.
Exposure
The condition of being unprotected, thereby allowing access to information or access to capabilities that an attacker can use to enter a system or network.
FAR 52.204-21
This is one small section of the Federal Acquisition Regulation.
The Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information applies to any Federal contractor that processes Federal Contract Information (FCI). This rule also applies to DoD contracts.
This rule states that contractors are required to apply 15 cybersecurity and facilities security best practices to protect their information systems. These best practices are known as the FAR Critical 15 or FAR Critical 17 and are re-stated in the CMMC Level 1 requirements.
Federal Acquisition Regulation (FAR)
The Federal Acquisition Regulation is an almost 2000-page document (as of 2019) used to standardize policies and procedures for any contract made with the United States Federal Government (including the Department of Defense).
Federal contractors have to follow this regulation during bidding and performance on contracts.
Federal Contract Information (FCI)
Federal Contract Information is defined as “ information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”
Examples of FCI: Emails between a contractor company and government personnel. Order quantities and arrangements. Pretty much any document or file that is provided by the government during a contract that isn’t public information.
Related: FCI and scope discussion
Federal Risk and Authorization Management Program (FedRAMP)
The Federal Risk and Authorization Management Program (FedRAMP) promotes the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.
DFARS 252.204-7012 says that if an external cloud provider is used to store, process, or transmit any Covered Defense Information (aka CUI), the cloud provider needs to meet security requirements equivalent to the FedRAMP Moderate baseline.
Firewall
A physical appliance or software designed to control inbound and/or outbound electronic access.
Hash value
A numeric value results from applying a mathematical algorithm against a set of data such as a file.
Hashing
A process of applying a mathematical algorithm against a set of data to produce a numeric value (a “hash value”) that represents the data. The result of hashing is a value that can be used to validate if a file has been altered. Frequently used hash functions are MD5, SHA1 and SHA2
Identity and access management
The methods and processes used to manage subjects and their authentication and authorizations to access specific objects.
Incident
An occurrence that actually or potentially results in adverse consequences of an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.
Incident handler (cyber security)
The person assigned to lead a team of subject-matter experts in cybersecurity and how to respond to adverse security events.
Industrial control system
An information system is used to control industrial processes such as manufacturing, product handling, production, and distribution or to control infrastructure assets.
Integrity
The property whereby information, an information system, or a component of a system has not been modified or destroyed in an unauthorized manner.
Intrusion detection
The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred.
Keylogger
Software or hardware that tracks keystrokes and keyboard events, usually surreptitiously / secretly, to monitor actions by the user of an information system.
Macro virus
A type of malicious code that attaches itself to documents and uses the macro programming capabilities of the document’s application to execute, replicate, and spread or propagate itself.
Malware
Software that compromises the operation of a system by performing an unauthorized function or process.
Medium Assurance Certificate
In order to report a cyber incident to DIBNet, you need to have been issued a Medium Assurance Certificate. In layman’s terms, this is a digital ID that only provides “medium assurance” of your identity (because they don’t verify your identity in person).
To get this certificate, you need to photocopy your ID, get a form certified, and pay a fee that is roughly $100 per year of certificate validity.
Mitigation
The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.
Moving target defense
The presentation of a dynamic attack surface increases an adversary’s work factor necessary to probe, attack, or maintain a presence in a cyber target.
MSSP
Managed Security Service Provider
NIST Special Publication 800-171 (NIST SP 800-171)
NIST SP 800-171 is a 113-page document published by the National Institute of Standards and Technology (NIST). It provides “recommended security requirements for protecting the confidentiality of CUI… when the CUI is resident in a nonfederal system and organization.”
This document lists 110 security requirements with guidance on how to implement them. These requirements are re-stated in CMMC levels 1-3.
Open source
Denoting software whose source code is made free and available with no restrictions on use, selling, distribution, or modification of the code.
Open-source intelligence
Intelligence collected from publicly available sources
Open source tools
Tools that are made with open-source code.
Operational exercise
An action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles, and responsibilities.
Packet captures
The process of collecting, or capturing, network packets as they are being sent and received; is used in diagnosing and solving network problems.
Penetration testing (Pen test)
An evaluation methodology whereby assessors actively probe for vulnerabilities and attempt to circumvent the security features of a network and/or information system.
Phishing
A digital form of social engineering to deceive individuals into providing sensitive information.
Plan of Action and Milestones (POA&M)
Note: The formal requirement statements call this a “Plan of Action” or “POA”. Most industry members use the term POA&M.
A Plan of Action and Milestones (POA&M) is normally a document created by a cybersecurity professional that identifies missing security requirements and lays out a plan to resolve them. This document is expected to contain mid-or-high level tasks and milestones to reach a certain cybersecurity goal. This goal could be full compliance with NIST SP 800-171 (currently) or in the future, it could be a goal to reach a higher level of CMMC maturity.
Creating and maintaining a POA&M is listed as one of the requirements in NIST SP 800-171. Creating and maintaining POA&M(s) is also listed as a CMMC Level 2 practice (CA.2.159).
Editor’s note: POA&Ms are one of the key ways to show process maturity. They should show that you have properly funded and allocated resources to your remediation efforts. They should show progress (completion of tasks and milestones) over time.
Private key
A cryptographic key that must be kept confidential and is used to enable the operation of an asymmetric (public key) cryptographic algorithm.
Public key
The publicly-disclosed component of a pair of cryptographic keys is used for asymmetric cryptography.
RDP
Remote Desktop Protocol. A Microsoft protocol through which a desktop or server may be accessed by a remote client.
Recovery
The activities after an incident or event to restore essential services and operations in the short and medium term and fully restore all capabilities in the longer term.
Red team
A group authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s cybersecurity posture.
Redundancy
Additional or alternative systems, sub-systems, assets, or processes that maintain a degree of overall functionality in case of loss or failure of another system, sub-system, asset, or process.
Resilience
The ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.
Response
The activities that address the short-term, direct effects of an incident may also support short-term recovery.
Risk management
The process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring, or controlling it to an acceptable level considering associated costs and benefits of any actions taken.
Roaming profile
A configuration in which the user profile within the domain is stored on a server and allows authorized users to log on to any computer within a network domain and have a consistent desktop experience.
Rootkit
A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges, and conceal the activities conducted by the tools.
Script kiddie
An unskilled or non-sophisticated individual uses pre-made hacking techniques and software to attack networks and deface websites.
Security automation
The use of information technology in place of manual processes for cyber incident response and management.
Security policy
A rule or set of rules that govern the acceptable use of an organization’s information and services to a level of acceptable risk and the means for protecting the organization’s information assets.
SIEM
System Incident and Event Management. Tools and processes that collect data generated from devices and services to perform real-time and historical correlated analysis to detect security, compliance, and service level events.
Signature
A recognizable, distinguishing pattern.
Situational awareness
Comprehending information about the current and developing security posture and risks, based on information gathered, observation and analysis, and knowledge or experience.
Software Assurance
The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle and that the software functions in the intended manner.
Spearphishing
An email or electronic communications scam targeted toward a specific individual, organization, or business.
Spoofing
Faking the sending address of a transmission to gain illegal or unauthorized entry into a secure system. Extended The deliberate inducement of a user or resource to take incorrect action. Note: Impersonating, masquerading, piggybacking, and mimicking are forms of spoofing.
Spyware
Software that is secretly or surreptitiously installed into an information system without the knowledge of the system user or owner.
System Security Plan (SSP)
A System Security Plan (SSP) is normally a document (or several documents) created by a cybersecurity professional that describes the information system of an organization. This document is expected to be very detailed and in-depth about the network, devices connected to the network, software in use, clouds in use, and security requirements that have been implemented (or not).
Creating and maintaining an SSP is listed as one of the requirements in NIST SP 800-171. Creating and maintaining an SSP is also listed as a CMMC Level 2 practice (CA.2.157). Per the reporting procedures supplement to DFARS 252.204-7012, after a cyber incident, the DoD Cyber Crime Center may request a copy of the SSP for review.
SSPs are often more than 100 pages long and should be updated regularly as the information system changes. This document may contain vulnerability information about Critical Infrastructure companies.
Training: System Security Plan for 800-171 and CMMC
Tabletop exercise
A discussion-based exercise where personnel meet in a classroom setting or breakout groups and are presented with a scenario to validate the content of plans, procedures, policies, cooperative agreements or other information for managing an incident.
Threat agent
An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Threat assessment
The product or process of identifying or evaluating entities, actions, or occurrences, whether natural or man-made, that have or indicate the potential to harm life, information, operations, and/or property.
Ticket
In access control, data that authenticates the identity of a client or a service and, together with a temporary encryption key (a session key), forms a credential.
Topology diagram
A schematic diagram displaying how the various elements in a network communicate with each other. A topology diagram may be physical or logical.
Traffic light protocol
A set of designations employing four colors (RED, AMBER, GREEN, and WHITE) is used to ensure that sensitive information is shared with the correct audience.
Trojan horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Virus
A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer.
Vulnerability
A characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard. Extended Characteristics of location or security posture or design, security procedures, internal controls, or the implementation of these that permit a threat or hazard to occur. Vulnerability (expressing degree of vulnerability): qualitative or quantitative expression of the level of susceptibility to harm when a threat or hazard is realized.
White team
A group is responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of information systems.
Whitelist
A list of entities that are considered trustworthy and are granted access or privileges.
Work factor
An estimate of the effort or time needed by a potential adversary, with specified expertise and resources, to overcome a protective measure.
Worm
A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself
Zero-day
The Zero-Day is the day a new vulnerability is made known. In some cases, a zero-day exploit is referred to as an exploit for which no patch is available yet. (Day one is the day at which the patch is made available).