Demystifying the acronym soup of CMMC

Gettyimages.com/ Yuichiro Chino

Find opportunities — and win them.

To prepare for the Nov. 8 CMMC Ecosystem Summit, here is an acronym cheat sheet to follow along in the conversation about the defense industrial base's new cybersecurity standard.

As we gear up for our second annual CMMC Ecosystem Summit on Nov. 8, I find myself drowning deep in acronyms and know I'm not the only one.

The Cybersecurity Maturity Model Certification ecosystem has many elements – trainers, certifiers and assessors.

One group of organizations certifies the people and entities that play those roles in rolling out this new cybersecurity standard for the defense industrial base. A second group organizations sets the standards and organize the market.

Our Nov. 8 event will provide the latest developments on CMMC. We are poised to pivot quickly if the proposed rule comes out before the summit or even the day of.

But there is still plenty to talk about regardless of when the rule is released. There are resources to share and training that needs to be done, as well insights on how the rule will affect different parts of the market.

To register to attend, click here.

To get ready for the day, I’ve created a cheat sheet of the acronyms I know we will hear. Please let me know what I’m missing or where my definitions are off.

CMMC – Cybersecurity Maturity Model Certification. This is why we are working so hard of course. This is the process and certification to prove that your systems holding controlled unclassified information are secure and meet standards set by the National Institute of Standards and Technology.

CUI – Controlled unclassified information

Cyber AB – The Cyber Advisory Board is the accreditation body for the CMMC ecosystem and the only Defense Department-approved organization to implement and oversee CMMC compliance. They were previously called CMMC AB.

C3PAO – CMMC Third-Party Assessment Organizations. These are entities authorized by CyberAB to conduct CMMC assessments and offer guidance to defense contractors working to comply with CMMC standards.

CAICO -- The Cybersecurity Assessor and Instructor Certification Organization is a subsidiary of CyberAB that facilitates training and certification of individuals in the ecosystem.

CCA -- Certified CMMC Assessor, a person who is trained and certified to assess adherence to CMMC rules through Level 2.

CCI – Certified CMMC Instructor, a person who is trained and certified to train assessors.

CCP – CMMC Certified Professional, a person trained and certified to assess adherence to CMMC rules through Level 1.

RP and RPA – Registered Practitioner and Registered Practitioner Advanced, a person who provides CMMC consulting services

RPO – Registered Practitioner Organization, an entity that is authorized to market itself as a provider of CMMC consulting services.

DIBCAC -- Defense Industrial Base Cybersecurity Assessment Center, a DOD organization that leads contractor cybersecurity risk mitigation efforts.

NIST – National Institutes of Standards and Technology, a government agency that leads standards writing efforts such as NIST 800-171, the standard that is the heart of CMMC.

OIRA – Office of Information and Regulatory Affairs, a part of the Office of Management and Budget. OIRA is the last stop before the draft final rule for CMMC is issued.

CyberAB also has a terminology page that is helpful.

The CMMC Summit is Nov. 8 at the Ritz Carlton in Tysons, Virginia. Click here to register.