Cybersecurity Center For Business

CMMC Terms

GLOSSARY OF TERMS

Access Control
The process of granting or denying specific requests for or attempts to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities

Advanced Persistent Threat (APT)
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception).

Air Gap
To physically separate or isolate a system from other systems or networks.

Attack Path
The steps that an adversary takes or may take to plan, prepare for, and execute an attack.

Attack Pattern
Similar cyber events or behaviors that may indicate an attack has occurred or is occurring, resulting in a security violation or a potential security violation.

Attack Signature
A characteristic or distinctive pattern that can be searched for or that can be used in matching to previously identified attacks.

Authentication
The process of verifying the identity or other attributes of an entity (user, process, or device).

Authorization
A process of determining, by evaluating applicable access control information, whether a subject is allowed to have the specified types of access to a particular resource.

Backdoor
A backdoor is a tool installed after a compromise to give an attacker easier access to the compromised system around any security mechanisms that are in place.

Behavior Monitoring
Observing activities of users, information systems, and processes and measuring the activities against organizational policies and rules, baselines of normal activity, thresholds, and trends.

Black List
A list of entities that are blocked or denied privileges or access.

Blue Team
A group that defends an enterprise’s information systems when mock attackers (i.e., the Red Team) attack, typically as part of an operational exercise conducted according to rules established and monitored by a neutral group (i.e., the White Team).

Bot
A computer connected to the Internet that has been surreptitiously compromised with malicious logic to perform activities under the command and control of a remote administrator.

Bug
An unexpected and relatively small defect, fault, flaw, or imperfection in an information system or device.

Carnegie Mellon University Software Engineering Institute (SEI)
The Software Engineering Institute (SEI), along with the Johns Hopkins Applied Physics Laboratory (APL), led the development of the CMMC.

In layman’s terms, this group worked directly with the DoD to flesh out CMMC concepts and create the official documents hosted on the DoD’s CMMC website.

As authors, SEI and APL have quite a bit of authority in interpreting the CMMC model.

Checksum
A value that is computed by a function dependent on the contents of a data object and is stored or transmitted together with the object for the purpose of detecting changes in the data. Caveat: a simple checksum (such as a CRC) reliably detects accidental corruption, but an attacker who can modify the data can simply recompute it. Detecting deliberate tampering requires a cryptographic hash, and if the attacker can also replace the stored value, a digital signature or keyed MAC.

CIP
Critical Infrastructure Protection. A set of cyber security reliability standards for the bulk electric system, developed by the North American Electric Reliability Corporation (NERC) at the direction of the Federal Energy Regulatory Commission (FERC).

Ciphertext
Data or information in its encrypted form.

Cloud Computing
A model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

CMMC (Major players)

  • Department of Defense (specifically the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))

  • CMMC Accreditation Body (CMMC-AB)

  • Carnegie Mellon University Software Engineering Institute (SEI)

  • CMMC-Center of Excellence (CMMC-COE) / IT Acquisition Advisory Council (IT-AAC)

CMMC Model (the model)
The CMMC Model refers to official documents published by the DoD which describe requirements for maturity and secure practices. Over time, more official documents which identify assessment scope and assessment pass/fail criteria are expected to be published.

CMMC Accreditation Body (CMMC-AB)
The CMMC Accreditation Body (CMMC-AB) is a private sector, non-profit organization. The DoD has granted the CMMC-AB official responsibility for some aspects of the CMMC rollout. It has the following mission:

“The CMMC-AB establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the Cybersecurity Maturity Model Certification (CMMC) Program.”

In layman’s terms:

  • The CMMC-AB was granted authority by the DoD to manage and accredit private-sector trainers and auditors for the CMMC.

  • The CMMC-AB is not responsible for the CMMC model (the DoD has that), but for building the infrastructure to roll it out to Defense Contractors.

  • The CMMC-AB is expected to fund itself via fees from assessments, training, and certification programs.

  • The CMMC-AB is responsible for performing quality control on C3PAOs and assessments.

CMMC Assessors and Instructors Certification Organization (CAICO)
CAICO stands for the CMMC Assessors and Instructors Certification Organization. This is an organization that will coordinate training and ensure quality among CMMC professionals (individuals). This organization is still in extremely early stages (just planning, mostly) as of February 2021.

CMMC Body of Knowledge (CMMC-BOK)
The CMMC-BOK is information on standards, practices, implementation, scenarios, best practices, and exam-specific learning objectives.  The CMMC-AB expects to maintain this official knowledge set.

The CMMC Assessment Guides
The CMMC Assessment Guides (version 1.10) were published in late December 2020. A significant update is expected in March-April 2021.

These guides are the most relevant source of information to understand CMMC practice requirements and whether implementation scenarios would pass a CMMC assessment.

CMMC Certified Practitioner (CP)
A Certified Practitioner is a cybersecurity professional who has been sanctioned by the CMMC-AB to work on an assessment team (but not to lead an assessment). This is the entry-level assessor qualification.

CMMC Certified Assessor Level 1-5 (CA#)
A Certified Assessor (CA) is a cybersecurity professional who has been sanctioned by the CMMC-AB to lead CMMC assessments. The number in CA# corresponds to the highest ML# that the professional is authorized to assess.

CMMC Maturity Level 1-5 (ML#)
ML stands for Maturity Level. The term describes the set of security practices successfully implemented by a CMMC-assessed Defense Contractor and verified during an audit sanctioned by the CMMC-AB.

In casual use, “CMMC Level #” is synonymous with “CMMC ML#”

CMMC Registered Practitioner (RP)
A Registered Practitioner is a person who has completed training about the CMMC, passed a background check, and signed the CMMC-AB’s code of conduct. The CMMC-AB does not warrant their skills or abilities, but will revoke their badge if they violate the code of conduct.

CMMC Third-Party Assessor Organization (C3PAO)
C3PAO refers to organizations (generally cybersecurity or accounting firms) which have CPs and CAs on staff to perform assessments. The C3PAO is the entity that contracts with Defense Contractors seeking CMMC Maturity Level certification, and it is the first line of quality control for audits.

CMMC Licensed Partner Publisher (LPP)
CMMC Licensed Partner Publishers (LPPs) are approved by the CMMC-AB to develop and publish CMMC training materials.

CMMC Licensed Training Provider (LTP)
There is no official CMMC-AB page on this topic yet. Per webinars published by the CMMC-AB, the intent is that LTPs will be organizations authorized to offer CMMC training courses using the official CMMC curriculum.

CMMC Licensed Instructor (LI)
There is no official CMMC-AB page on this topic yet. Per webinars published by the CMMC-AB, the intent is that LIs will be the only people authorized to teach CMMC classes (generally classes that prepare candidates for the certified professional or certified assessor credentials). LIs will need to meet the requirements for the CMMC CA level equivalent to the one they are teaching.

Q&A video about status of training: CAICO and current state of CMMC training – Ben Tchoubineh (CMMC-AB)

Computer (digital) forensics
The processes and tools used to create a bit-by-bit copy of an electronic device (collection and acquisition) for the purpose of analyzing and reporting on evidence, and to gather and preserve evidence that is legally defensible and does not alter the original device or data.

Continuity of operations plan
A document that sets forth procedures for the continued performance of core capabilities and critical operations during any disruption or potential disruption.

Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, and that falls into a category the United States Federal Government has identified as needing special safeguarding or dissemination controls.

In layman’s terms: CUI is sensitive (but not classified) information that the U.S. Government wants to keep private. Examples are weapons test data or information about military personnel.

The National Archives (archives.gov) maintains a list of the categories of information that are considered CUI.

Defense Contractors are required to safeguard CUI on their networks according to DFARS 252.204-7012.

This PowerPoint released by the DoD has additional training about CUI and the difference between it and other data types like Classified and FOUO.

This “Mandatory CUI Training” from the DoD is also available for free.

Covered Defense Information (CDI)
Covered Defense Information is defined in DFARS 252.204-7012 as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry…” and is either marked and provided by the DoD, or generated by the contractor during a contract.

In layman’s terms: CDI is CUI as it appears in DoD contracts. Strictly it is a subset of CUI, but in practice the two terms are used interchangeably.

Controlled Technical Information (CTI)
Controlled Technical Information is a sub-category of CUI specific to Defense. As a sub-category of CUI, it is affected by requirements that apply to CUI.

Critical Infrastructure or Essential Critical Infrastructure
The systems and assets, whether physical or virtual, so vital to society that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters.

Per a March 20, 2020 memo from the Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord:

“If your contract or subcontract supports the development, production, testing, fielding, or sustainment of our weapon systems/software systems, or the infrastructure to support those activities. If your efforts support manning, training, equipping, deploying, or supporting our military forces, your work is considered Essential Critical Infrastructure.”

This term is important because vulnerability data for Critical Infrastructure is a category of CUI. This means that cybersecurity vendors that provide compliance portals, security vulnerability assessments, consulting, and audits for Critical Infrastructure companies will be creating, storing, and/or processing CUI.

CSIRT
Cyber Security Incident Response Team

Cyber munitions
Technology system that has the purpose of causing harm and destruction by altering the running state of another system without permission.

Cybersecurity Maturity Model Certification (CMMC)

The CMMC was spearheaded by Ms. Katie Arrington, the chief information security officer for the Department of Defense’s Acquisition and Sustainment office.

Per the DoD’s CMMC website, “The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.”

Cryptanalysis
The operations performed in defeating or circumventing cryptographic protection of information by applying mathematical techniques and without an initial knowledge of the key employed in providing the protection.

Data Breach
The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.

Data Loss Prevention
A set of procedures and mechanisms to stop sensitive data from leaving a security boundary.

Data Mining
The process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.

Defense Federal Acquisition Regulation Supplement (DFARS)
DFARS is a published supplement to the Federal Acquisition Regulation (FAR) which adds additional guidance and requirements for DoD contracts.

Defense Contractor
Defense Contractors are organizations which provide products or services to the Department of Defense. They are generally privately-owned companies that have at least one contract with the Department of Defense. Note: while most Defense Contractors are located and operated within the United States, there are many overseas and multinational companies which provide products and services to the DoD.

Denial of Service
An attack that prevents or impairs the authorized use of information system resources or services.

Department of Defense (DoD)
The Department of Defense is an executive branch department of the United States Federal Government. Its mission is to provide the combat-credible military forces needed to deter war and protect the security of the nation. With a budget of $718.3 billion (2020), of which $9.6 billion is for cyber, over a million active duty service members, and over 700,000 civilians, it is America’s largest employer.

The Department of Defense (specifically the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))) is the government agency responsible for creating the CMMC model.

Defense Industrial Base (DIB)
The Defense Industrial Base is defined as “the worldwide industrial complex that enables research and development, as well as design, production, delivery and maintenance of military weapons systems/software systems, subsystems, and components or parts, as well as purchased services to meet US Military requirements.”

Most, if not all, Defense Contractors are considered part of the Defense Industrial Base.

The DIB is identified as a Critical Infrastructure Sector by the Department of Homeland Security.

DFARS 252.204-7021 Cybersecurity Maturity Model Certification
This section of the Defense Federal Acquisition Regulation Supplement was published as an Interim Rule that went into effect on November 30, 2020.

For contracts which include the 252.204-7021 clause, at the time of award, the contractor will need to provide evidence of holding a CMMC certification. The specific CMMC certification level will be identified on a contract-by-contract basis.

After November 30, 2025, all DoD contracts are expected to include the 252.204-7021 clause. In other words, after 2025, all DoD contractors will need at least CMMC level 1 in order to participate in contracts.

Defense Industrial Base Cybersecurity Program (DIBNet)
The Defense Industrial Base Cybersecurity Program (DIBNet) is meant to “enhance and supplement DIB participants’ capabilities to safeguard DoD information that resides on or transits DIB unclassified networks or information systems. This public-private cybersecurity partnership is designed to improve DIB network defenses, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness.”

Defense contractors subject to DFARS 252.204-7012 are required to report cyber incidents to DIBNet.

The DIBNet portal can be reached at: https://dibnet.dod.mil/

DFARS 252.204-7012 Safeguarding Covered Defense Information
This is a small section of the Defense Federal Acquisition Regulation Supplement.

DFARS 252.204-7012 is a roughly 3-page contract clause currently required in all contracts with the Department of Defense, except those that are solely for the purchase of Commercial-Off-The-Shelf (COTS) products. (COTS products are sold to the general public and are not customized before delivery.)

In other words, if a defense contractor provides services or customization as part of a DoD contract, their contract will include this requirement. Reference: defense.gov – “Safeguarding Covered Defense Information – The Basics”

The requirements in DFARS 252.204-7012 are very tough to implement for most companies. Key terms included in it are:

  • Controlled Unclassified Information (CUI)

  • Controlled Technical Information (CTI)

  • NIST Special Publication 800-171 (NIST SP 800-171)

  • Defense Industrial Base (DIB)

  • Defense Industrial Base Cybersecurity Program (DIBNet)

  • Federal Risk and Authorization Management Program (FedRAMP)

  • Medium Assurance Certificate

  • DoD Cyber Crime Center (DC3)

Resource: The DoD Procurement Toolbox hosts a FAQ document which addresses questions about DFARS 252.204-7012 and other regulations.

Digital Forensics
The processes and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes.

Digital Rights Management (DRM)
A form of access control technology used to protect and manage the use of digital content or devices in accordance with the content or device provider’s intentions.

Digital signature
A value computed with a cryptographic process using a private key and then appended to a data object, thereby digitally signing the data.

Distributed Denial of Service (DDOS)
A denial of service technique that uses numerous systems to perform the attack simultaneously.

DMZ
De-Militarized Zone. A physical or logical subnetwork where an organization’s external-facing services are exposed to an untrusted network (e.g., the internet), placed so that a compromise of those services does not give the attacker direct access to the internal network.

DoD Cyber Crime Center (DC3)
The DoD Cyber Crime Center (DC3) is listed in DFARS 252.204-7012 as the point of contact to send malware samples to. The DC3 also operates the cyber incident report portion of the DIBNet portal.

Their contact information can be found here: https://dibnet.dod.mil/portal/intranet/

Doxing
The process or technique of gathering personal information on a target or subject, and building a dossier with the intent to cause harm.

Dynamic Attack Surface
The automated, on-the-fly changes of an information system’s characteristics to thwart actions of an adversary.

Electronic signature
Any mark in electronic form associated with an electronic document, applied with the intent to sign the document.

eMASS
Enterprise Mission Assurance Support Service (eMASS) is a web-based Government solution which is designed to support cybersecurity management. This is the Compliance Platform that DoD programs use internally to manage their cybersecurity compliance.

eMASS is used for DoD mission networks and historically has not been associated with Defense Contractor compliance; access by the private sector is restricted. However, the CMMC will need to record assessments and hold certification status for thousands of companies in a central place, and eMASS is the most likely solution.

Enterprise risk management
A comprehensive approach to risk management that engages people, processes, and systems across an organization to improve the quality of decision making for managing risks that may hinder an organization’s ability to achieve its objectives.

Event logs
The computer-based documentation log of all events occurring within a system.

Exfiltration
The unauthorized transfer of information from an information system.

Exploit
A technique to breach the security of a network or information system in violation of security policy.

Exposure
The condition of being unprotected, thereby allowing access to information or access to capabilities that an attacker can use to enter a system or network.

FAR 52.204-21
This is one small section of the Federal Acquisition Regulation.

The Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information applies to any Federal contractor that processes Federal Contract Information (FCI). This rule also applies to DoD contracts.

This rule requires contractors to apply 15 basic cyber security and facilities security safeguards to protect their information systems. These safeguards are known as the FAR Critical 15 (or FAR Critical 17, since the CMMC splits them into 17 practices) and are re-stated as the CMMC Level 1 requirements.

Federal Acquisition Regulation (FAR)
The Federal Acquisition Regulation is an almost 2000 page document (as of 2019) which is used to standardize policies and procedures for any contract made with the United States Federal Government (including the Department of Defense).

Federal contractors have to follow this regulation during bidding and performance on contracts.

Federal Contract Information (FCI)
Federal Contract Information is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

Examples of FCI: emails between a contractor company and government personnel; order quantities and arrangements; essentially any document or file that is provided by the government during a contract and is not public information.

Related: FCI and scope discussion

Federal Risk and Authorization Management Program (FedRAMP)
The Federal Risk and Authorization Management Program (FedRAMP) promotes the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.

DFARS 252.204-7012 says that if an external cloud provider is used to store, process, or transmit any Covered Defense Information (aka CUI), the cloud provider needs to meet security requirements equivalent to the FedRAMP Moderate baseline.

Firewall
A physical appliance or software designed to control inbound and/or outbound electronic access.

Hash value
A numeric value resulting from applying a mathematical algorithm against a set of data such as a file.

Hashing
A process of applying a mathematical algorithm against a set of data to produce a value (a “hash value”) that represents the data. The result of hashing is a value that can be used to validate whether a file has been altered. Frequently used hash functions are MD5, SHA-1 and the SHA-2 family (e.g., SHA-256). Caveat: MD5 and SHA-1 are no longer collision resistant, so an attacker can craft two different files with the same hash; use SHA-256 or stronger for integrity verification, and remember that a hash only detects modification if the expected value comes from a trusted source.
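As an added example (not code from the original page), the following script shows how the Checksum and Hashing entries are applied in practice: it writes and verifies a sha256sum-style manifest for a set of files, reports each file as OK, MODIFIED or MISSING, compares digests in constant time, and refuses MD5 and SHA-1 for verification. The file names and contents are constructed for the example; the manifest format mirrors the GNU coreutils `sha256sum` output.

```python
import hashlib
import hmac

# Constructed sample "files" (name -> contents); not from the original page.
SAMPLE_FILES = {
    "ssp.docx": b"System Security Plan, revision 3\n",
    "poam.xlsx": b"Plan of Action and Milestones tracker\n",
}

# Algorithms accepted for integrity verification. MD5 and SHA-1 are refused
# because an attacker can craft collisions for them.
STRONG_ALGORITHMS = {"sha256", "sha384", "sha512"}


def digest_hex(data, algorithm="sha256"):
    """Return the hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def build_manifest(files, algorithm="sha256"):
    """Write sha256sum-style lines: '<hexdigest>  <filename>'."""
    lines = [f"{digest_hex(data, algorithm)}  {name}"
             for name, data in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Parse '<hexdigest>  <filename>' lines into {filename: hexdigest}.
    Blank lines and '#' comments are skipped; a leading '*' on the
    filename (sha256sum binary mode) is dropped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        hexdigest, name = parts
        entries[name.lstrip("*")] = hexdigest.lower()
    return entries


def verify_manifest(files, manifest_text, algorithm="sha256"):
    """Check every manifest entry against the files present.
    Returns {filename: 'OK' | 'MODIFIED' | 'MISSING'}."""
    if algorithm not in STRONG_ALGORITHMS:
        raise ValueError(f"{algorithm} is not collision resistant; use SHA-256 or stronger")
    expected = parse_manifest(manifest_text)
    results = {}
    for name, hexdigest in expected.items():
        if name not in files:
            results[name] = "MISSING"
            continue
        actual = digest_hex(files[name], algorithm)
        # compare_digest runs in constant time, so a mismatch does not leak
        # how many leading characters of the digest matched.
        results[name] = "OK" if hmac.compare_digest(actual, hexdigest) else "MODIFIED"
    return results


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES)
    print(manifest)
    print(verify_manifest(SAMPLE_FILES, manifest))
    # Simulate a one-character edit to the SSP and check again.
    tampered = dict(SAMPLE_FILES)
    tampered["ssp.docx"] = SAMPLE_FILES["ssp.docx"].replace(b"3", b"4")
    print(verify_manifest(tampered, manifest))
```

The manifest itself must come from a trusted source (or be signed): an attacker who can replace both the file and its manifest line defeats any hash check, which is the gap a digital signature closes.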

Identity and access management
The methods and processes used to manage subjects and their authentication and authorizations to access specific objects.

Incident
An occurrence that actually or potentially results in adverse consequences to an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.

Incident handler (cyber security)
The person assigned to lead a team of cyber security subject matter experts in responding to adverse security events.

Industrial control system
An information system used to control industrial processes such as manufacturing, product handling, production, and distribution or to control infrastructure assets.

Integrity
The property whereby information, an information system, or a component of a system has not been modified or destroyed in an unauthorized manner.

Intrusion detection
The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred.

Keylogger
Software or hardware that tracks keystrokes and keyboard events, usually surreptitiously, to monitor the actions of the user of an information system.

Macro virus
A type of malicious code that attaches itself to documents and uses the macro programming capabilities of the document’s application to execute, replicate, and spread or propagate itself.

Malware
Software that compromises the operation of a system by performing an unauthorized function or process.

Medium Assurance Certificate
In order to report a cyber incident to DIBNet, you need to have been issued a Medium Assurance Certificate. In layman’s terms, this is a digital ID which only provides “medium assurance” of your identity (because they don’t verify your identity in person).

To get this certificate, you need to photocopy your IDs, get a form certified, and pay a fee that is roughly $100 per year of certificate validity.

More information can be found here: http://public.cyber.mil/eca

Mitigation
The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.

Moving target defense
The presentation of a dynamic attack surface, increasing an adversary’s work factor necessary to probe, attack, or maintain presence in a cyber target.

MSSP
Managed Security Service Provider

NIST Special Publication 800-171 (NIST SP 800-171)
NIST SP 800-171 is a 113 page document published by the National Institute of Standards and Technology (NIST). It provides “recommended security requirements for protecting the confidentiality of CUI… when the CUI is resident in a nonfederal system and organization.”

This document lists 110 security requirements with guidance on how to implement them. These requirements are re-stated in CMMC levels 1-3.

Open source
Denoting software whose source code is made freely available for use, modification, and redistribution under a license that permits those activities. Such licenses may still impose conditions, for example attribution or copyleft requirements.

Open source intelligence
Intelligence collected from publicly available sources.

Open source tools
Tools that are made with open source code.

Operational exercise
An action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles, and responsibilities.

Packet captures
The process of collecting, or capturing, network packets as they are being sent and received; used in diagnosing and solving network problems.

Penetration testing (Pen test)
An evaluation methodology whereby assessors actively probe for vulnerabilities and attempt to circumvent the security features of a network and/or information system.

Phishing
A digital form of social engineering to deceive individuals into providing sensitive information.

Plan of Action and Milestones (POA&M)
Note: The formal requirement statements call this a “Plan of Action” or “POA”. Most industry members use the term POA&M.

A Plan of Action and Milestones (POA&M) is normally a document created by a cybersecurity professional which identifies missing security requirements and lays out a plan to resolve them. This document is expected to contain mid-or-high level tasks and milestones to reach a certain cybersecurity goal. This goal could be full compliance with NIST SP 800-171 (currently) or in the future, it could be a goal to reach a higher level of CMMC maturity.

Creating and maintaining a POA&M is listed as one of the requirements in NIST SP 800-171. Creating and maintaining POA&M(s) is also listed as a CMMC Level 2 practice (CA.2.159).

Editor’s note: POA&Ms are one of the key ways to show process maturity. They should show that you have properly funded and allocated resources to your remediation efforts. They should show progress (completion of tasks and milestones) over time.

Private key
A cryptographic key that must be kept confidential and is used to enable the operation of an asymmetric (public key) cryptographic algorithm.

Public key
The publicly-disclosed component of a pair of cryptographic keys used for asymmetric cryptography.

RDP
Remote Desktop Protocol. A Microsoft protocol through which a desktop or server may be accessed by a remote client.

Recovery
The activities after an incident or event to restore essential services and operations in the short and medium term and fully restore all capabilities in the longer term.

Red team
A group authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s cybersecurity posture.

Redundancy
Additional or alternative systems, sub-systems, assets, or processes that maintain a degree of overall functionality in case of loss or failure of another system, sub-system, asset, or process.

Resilience
The ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.

Response

The activities that address the short-term, direct effects of an incident and may also support short-term recovery.

Risk management
The process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.

Roaming profile
A configuration in which the user profile within the domain is stored on a server and allows authorized users to log on to any computer within a network domain and have a consistent desktop experience.

Rootkit
A set of software tools with administrator-level access privileges installed on an information system and designed to hide the presence of the tools, maintain the access privileges, and conceal the activities conducted by the tools.

Scriptkiddie
An unskilled or non-sophisticated individual (a “script kiddie”) using pre-made hacking techniques and software to attack networks and deface websites.

Security automation
The use of information technology in place of manual processes for cyber incident response and management.

Security policy
A rule or set of rules that govern the acceptable use of an organization’s information and services to a level of acceptable risk and the means for protecting the organization’s information assets.

SIEM
Security Information and Event Management. Tools and processes that collect data generated by devices and services and perform real-time and historical correlated analysis to detect security, compliance and service-level events.
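As an added example (not code from the original page), the following script shows the kind of correlation a SIEM performs over Event logs, combining the Attack Signature and Behavior Monitoring entries: it parses authentication events, keeps a sliding window of failures per source, fires once when a threshold is crossed, and fires again when a success follows a run of failures (the signature of a successful brute-force). The log format, the host and IP values, and the threshold and window sizes are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events in a key=value syslog style.
# These lines are made up for the example; they are not from the page.
SAMPLE_LOGS = """\
2021-02-10T10:00:01Z host=fs01 event=logon_failed user=jsmith src=203.0.113.5 proto=rdp
2021-02-10T10:00:03Z host=fs01 event=logon_failed user=jsmith src=203.0.113.5 proto=rdp
2021-02-10T10:00:04Z host=fs01 event=logon_failed user=admin src=203.0.113.5 proto=rdp
2021-02-10T10:00:06Z host=fs01 event=logon_failed user=admin src=203.0.113.5 proto=rdp
2021-02-10T10:00:07Z host=fs01 event=logon_failed user=admin src=203.0.113.5 proto=rdp
2021-02-10T10:00:09Z host=fs01 event=logon_success user=admin src=203.0.113.5 proto=rdp
2021-02-10T10:15:00Z host=fs01 event=logon_failed user=mlee src=198.51.100.7 proto=rdp
2021-02-10T10:20:00Z host=fs01 event=logon_success user=mlee src=198.51.100.7 proto=rdp
this line is not a valid event
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one '<timestamp> k=v k=v ...' line; return None if it is not an event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    if not {"host", "event", "src"} <= fields.keys():
        return None
    fields["ts"] = ts
    return fields


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Correlate logon events per (source IP, host) over a sliding window.

    Rules (threshold and window are hypothetical tuning values):
      auth-failure-threshold  - `threshold` failures from one source within `window`
      success-after-failures  - a success from a source with 3+ failures still in the window
    Returns the alerts in the order they fired.
    """
    recent_failures = defaultdict(deque)   # (src, host) -> timestamps of failures
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["src"], ev["host"])
        failures = recent_failures[key]
        # Drop failures that have aged out of the window.
        while failures and ev["ts"] - failures[0] > window:
            failures.popleft()
        if ev["event"] == "logon_failed":
            failures.append(ev["ts"])
            # Fire exactly once when the threshold is reached, not on every further failure.
            if len(failures) == threshold:
                alerts.append({"rule": "auth-failure-threshold", "ts": ev["ts"],
                               "src": ev["src"], "host": ev["host"], "count": threshold})
        elif ev["event"] == "logon_success" and len(failures) >= 3:
            alerts.append({"rule": "success-after-failures", "ts": ev["ts"],
                           "src": ev["src"], "host": ev["host"],
                           "user": ev.get("user"), "failures": len(failures)})
            failures.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the sample above the first source trips the threshold rule on its fifth failure and then the success-after-failures rule when `admin` logs in; the second source (one failure, then a success) generates nothing, which is the behavior-monitoring point: the baseline matters, not any single failed logon.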

Signature
A recognizable, distinguishing pattern.

Situational awareness
Comprehending information about the current and developing security posture and risks, based on information gathered, observation and analysis, and knowledge or experience. 

Software assurance
The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner.

Spearphishing
An email or electronic communications scam targeted towards a specific individual, organization, or business.

Spoofing
Faking the sending address of a transmission to gain illegal or unauthorized entry into a secure system. Extended definition: the deliberate inducement of a user or resource to take incorrect action. Note: impersonating, masquerading, piggybacking, and mimicking are forms of spoofing.

Spyware
Software that is secretly or surreptitiously installed into an information system without the knowledge of the system user or owner.

System Security Plan (SSP)
A System Security Plan (SSP) is normally a document (or several documents) created by a cybersecurity professional that describes an organization's information system. The document is expected to be very detailed and in-depth about the network, the devices connected to it, the software in use, the cloud services in use, and the security requirements that have been implemented (or not).

Creating and maintaining an SSP is listed as one of the requirements in NIST SP 800-171. Creating and maintaining an SSP is also listed as a CMMC Level 2 practice (CA.2.157). Per the reporting procedures supplement to DFARS 252.204-7012, after a cyber incident, the DoD Cyber Crime Center may request a copy of the SSP for review.

SSPs are often more than 100 pages long, and should be updated regularly as the information system changes. This document may contain vulnerability information about Critical Infrastructure companies.

Training: System Security Plan for 800-171 and CMMC

Tabletop exercise
A discussion-based exercise where personnel meet in a classroom setting or breakout groups and are presented with a scenario to validate the content of plans, procedures, policies, cooperative agreements or other information for managing an incident.

Threat agent
An individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.

Threat assessment
The product or process of identifying or evaluating entities, actions, or occurrences, whether natural or man-made, that have or indicate the potential to harm life, information, operations, and/or property.

Ticket
In access control, data that authenticates the identity of a client or a service and, together with a temporary encryption key (a session key), forms a credential.

Topology diagram
A schematic diagram displaying how the various elements in a network communicate with each other. A topology diagram may be physical or logical.

Traffic light protocol
A set of designations employing four colors (RED, AMBER, GREEN, and WHITE) used to ensure that sensitive information is shared with the correct audience.

Trojan horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

Virus
A computer program that can replicate itself, infect a computer without permission or knowledge of the user, and then spread or propagate to another computer.

Vulnerability
A characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard. Extended: A characteristic of location or security posture, or of design, security procedures, internal controls, or the implementation of any of these, that permits a threat or hazard to occur. Vulnerability (expressing degree of vulnerability): a qualitative or quantitative expression of the level of susceptibility to harm when a threat or hazard is realized.

White team
A group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of information systems.

Whitelist
A list of entities that are considered trustworthy and are granted access or privileges.

Work factor
An estimate of the effort or time needed by a potential adversary, with specified expertise and resources, to overcome a protective measure.

Worm
A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.

Zero day
The zero day is the day a new vulnerability is made known. In some cases, a zero-day exploit refers to an exploit for which no patch is yet available. (Day one is the day on which the patch is made available.)