Glossary Flashcards
(27 cards)
CUI Asset
Anything or anyone that processes, stores, or transmits CUI.
Security Protection Asset (SPA)
Anything or anyone that provides protections to the CUI assets.
Contractor Risk Managed Asset (CRMA)
Anything or anyone that CAN access (touch, reach, see) CUI but is not authorized to.
Specialized Asset
This is generally IoT, OT, or test equipment.
Out of Scope Asset
Anything or anyone that can’t access (touch, reach, see) CUI.
People
Any human
Technology
Every device (CSP, VPN, router, printer, workstation, etc.)
Facility
Any place that hosts the above
Organization
An entity of any size, complexity, or positioning within an organizational structure (e.g. a federal agency or, as appropriate, any of its operational elements).
Headquarters (HQ) Organization is the legal entity that will deliver services or products under the terms of a DoD contract. The HQ Organization could be the OSC or it could designate a Host Unit as the OSC.
Process
A procedural activity that is performed to implement a defined objective.
Out-of-Scope Asset
Out-of-scope assets cannot process, store, or transmit CUI because they are physically or logically separated from CUI Assets or are inherently unable to do so.
Specialized Assets
The following are considered specialized assets for CMMC: Government Property, Internet of Things (IoT) or Industrial Internet of Things (IIoT), Operational Technology (OT) and Restricted Information Systems.
Government Property
All property owned or leased by the Government. Government property includes both government-furnished and contractor-acquired property. Government property includes material, equipment, special tooling, special test equipment, and real property. Government property does not include intellectual property or software.
Internet of Things (IoT)
Interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors.
Operational Technology (OT)
Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events in the enterprise.
Restricted Information Systems
Systems (and associated IT components comprising the system) that are configured based on government requirements (i.e. connected to something that was required to support a functional requirement), and are used to support a contract (e.g. fielded systems, obsolete systems, and product deliverable replicas).
Test Equipment
Hardware and/or associated IT components used in the testing of products, system components, and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters, and special test equipment).
Host Unit
The specific people, processes, and technology within an HQ Organization that would be applied to the DoD contract and that are to be considered the OSC for the CMMC Assessment purposes.
A specific host unit and their associated networks and systems may be the only part of the OSC that requires a CMMC assessment and certification.
Supporting Units
The people, processes, and technology that support the Host Unit. These resources need to be included as part of the Assessment but would normally NOT receive a CMMC certification. Supporting units may include subcontractors, external service providers (ESPs), third-party service providers (TSPs), and managed service providers (MSPs).
Process
Using or manipulating FCI. Examples include editing, printing, manipulating, accessing, entering, or generating FCI, such as:
• databases, laptops, printers, a workstation that writes FCI onto paper, applications that load FCI into memory so that it can be displayed to the user, and antivirus programs that compare FCI files to known malicious signatures.
Store
FCI exists on an asset when it is not actively processed. Examples include:
• Laptops or file servers storing FCI on their hard drives
• Documents with FCI written or printed on them
• CDs or other portable storage with FCI written to it
• Cloud systems that allow FCI to be uploaded or downloaded from them.
• Backups to external media or to cloud systems
• Email server that holds copies of users’ mailboxes
• Facilities that contain unencrypted FCI in computers, portable storage, or documents
• Multi-function machines that keep the last imaging jobs stored on an internal disk
• Cameras used to take pictures of contract deliverables or samples.
Transmit
FCI passes through an asset while it is being transferred from a source to a destination. Examples include:
• A user carrying a sensitive document to a client meeting
• A switch passing FCI in clear-text on network cables between a file server and a manufacturing system.
• Wireless signal used to move FCI between a file server and a user laptop
• Email server that transmits FCI between a sender and recipient.
Section 4.1901 of the Federal Acquisition Regulation (FAR)
Defines Federal Contract Information (FCI) as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information such as necessary to process payments.”
Part 2002 of Title 32 CFR (the “implementing directive” for the overall federal CUI program)
Controlled Unclassified Information (CUI) is information the Government creates or processes, or that an entity creates or processes for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.