Definitions & Acronyms
Here is the alphabetized list of cybersecurity-related terms and acronyms:
Anti-virus (A/V) – also known as Anti-virus software: Antivirus software detects various forms of malware, generates alerts, and prevents the malware from infecting hosts. Current antivirus products are effective at stopping many instances of malware if their signatures are kept up to date. Antispam software is used to detect spam and prevent it from reaching users’ mailboxes. Spam may contain malware, phishing attacks, and other malicious content, so alerts from antispam software may indicate attack attempts. NIST SP 800-61 r2
CAGE Code: Commercial and Government Entity Code. A CAGE code is a 5-position alphanumeric identifier issued by the Defense Logistics Agency (DLA). It is created and issued primarily as the last step in a company’s SAM registration process. The CAGE code is public information and has an expiration date of five years from the date of the last SAM registration or renewal.
CAM – The Contractor Administrator (CAM) is the Electronic Business point of contact (EBPOC) for the company listed in SAM or a designee. CAMs request the ‘Administrator User’ role in PIEE. Once the CAM has received access, they can then grant access to other company users and request additional roles for themselves. If there is only one CAM, the CAM will require PIEE to activate the CAM request and any additional roles.
CMMC: Cybersecurity Maturity Model Certification – The CMMC Program aligns with the DoD’s existing information security requirements for the DIB. It is designed to enforce the protection of sensitive unclassified information shared by the Department with its contractors and subcontractors. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information.
CMMC is a tiered model whose cybersecurity requirements depend on the type and sensitivity of the information included in a contract. Assessments are required to document that contractor cybersecurity programs meet the specific requirements, and the program will be implemented through contracts and FAR/DFARS provisions and clauses.
Controlled Unclassified Information (CUI): As outlined in Title 32 CFR 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” For more information regarding specific CUI categories and subcategories, see the DoD CUI Registry website.
Cyber Incident Reporting: After discovering a reportable cyber incident, conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and rapidly report cyber incidents to DoD at https://dibnet.dod.mil. “Rapidly report” means within 72 hours of discovery of any cyber incident. DFARS 252.204-7012
Cyber incident report: The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil. Reporting requires the contractor to have acquired a DoD-approved medium assurance certificate. See: https://public.cyber.mil/eca/ for more information on how to obtain a certificate.
Damage Assessment Reporting: When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in the cyber incident report (see paragraph (d) of this clause) and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest. This information is provided when requested by the contracting officer. DFARS 252.204-7012 (h) and (f)
DFARS: Defense Federal Acquisition Regulation Supplement: Policies, procedures, solicitation provisions and contract clauses specific to Department of Defense acquisitions. DFARS are used in conjunction with the Federal Acquisition Regulations for DoD acquisitions. https://www.acquisition.gov/dfars
DFARS 252.204-7008 – Defense Federal Acquisition Regulation Supplement (Provision): Identifies cybersecurity requirements and obligations created when a contractor submits the offer. Detailed information on the requirements is provided in DFARS 252.204-7012.
DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting: Foundation clause for safeguarding of Controlled Unclassified Information (CUI). This clause specifies safeguarding and dissemination controls identified to protect information systems. Controls include both the 110 requirements listed in NIST SP 800-171 r2 and paragraphs (b) – (m) of this clause.
DFARS 252.204-7019 – Defense Federal Acquisition Regulation Supplement (Provision): Defines eligibility requirements for award of contracts when the offeror is required to implement NIST 800-171 r2. To be eligible, offerors must have a current assessment (less than 3 years old) using DoD’s Assessment Methodology. For a copy of the methodology see: https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf. For assistance with implementing the specified controls or conducting an assessment please contact WPI at 414-270-3600 or Apexaccelerator@wispro.org
DFARS 252.204-7020 – Defense Federal Acquisition Regulation Supplement: Defines NIST 800-171 r2 Assessments and Assessment Requirements. This clause lists three key requirements:
- Government access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800–171 DoD Assessment.
- Posting requirements and information for summary level scores for all assessments.
- Subcontract flowdown requirements and applicability.
DIB: Defense Industrial Base: The Department of Defense, government, and private sector worldwide industrial complex with capabilities to perform research and development, design, produce, and maintain military weapon systems, subsystems, components, or parts to meet military requirements. Department of Defense, DOD Dictionary of Military and Associated Terms, February 2023, p. 55
DDTC: Directorate of Defense Trade Controls: The Department of State’s Directorate of Defense Trade Controls (DDTC) is charged with controlling the export and temporary import of defense articles and defense services described on the USML, in accordance with the AECA and the ITAR. https://www.pmddtc.state.gov/ddtc_public/ddtc_public?id=ddtc_public_portal_about_us_landing
DoD: Department of Defense: The executive department of the U.S. federal government charged with coordinating and supervising all agencies and functions of the government directly related to national security and the United States Armed Forces. The components of DoD are: Army, Marine Corps, Navy, Air Force, Space Force, Coast Guard, and the National Guard.
DoD Basic Assessment – Department of Defense Basic Assessment: a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that—
- Is based on the Contractor’s review of their system security plan(s) (SSP) associated with covered contractor information system(s);
- Is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and
- Results in a confidence level of “Low” in the resulting score, because it is a self-generated score.
Executive Order 13556: This order establishes an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended. This order establishes a program for managing this information, hereinafter described as Controlled Unclassified Information. https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information
FAR: Federal Acquisition Regulation: Outlines the procurement policies and procedures used by members of the Acquisition Team. In addition to policies and procedures, the FAR includes Solicitation Provisions and Contract Clauses. Both provisions and clauses apply to contractors: provisions apply to solicitations, and clauses can apply both to solicitations and to contracts. https://www.acquisition.gov
FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems: Applicable to all FAR-based solicitations/contracts. Specifies 15 cyber safeguards to protect Federal Contract Information (FCI). Includes flowdown requirement for subcontracts.
Federal Contract Information (FCI): As defined in section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.” FAR 4.1901
FIPS 140-2: A standard that specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. Referenced as a requirement for the digital transmission of Technical Data covered by § 120.54, “Activities that are not exports, reexports, retransfers, or temporary imports.” See also NIST 800-171 r2 3.13.11 – Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Forensic Access: When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis. DFARS 252.204-7012 para (e) and (f)
ITAR: International Traffic in Arms Regulations – The ITAR (22 CFR parts 120-130) governs the manufacture, export, and temporary import of defense articles, the furnishing of defense services, and brokering activities involving items described on the USML (ITAR section 121.1). The ITAR is regularly updated and revised to reflect changes in technological developments and in U.S. national security and foreign policy interests.
JCP: The Joint Certification Program (JCP) certifies Canadian and United States (U.S.) contractors for access to unclassified military technical data belonging to Canada’s Department of National Defense (DND) and to the U.S. Department of Defense (DOD). This Program helps to protect controlled Unclassified Militarily Critical Technical Data (MCTD) and technology from common adversaries but allows it to flow to certified Canadian and U.S. companies that have a legitimate need-to-know for business purposes. This program is effective in protecting the competitive edge of North American companies by ensuring that only eligible companies are provided with this data. https://www.dla.mil/Logistics-Operations/Services/JCP/#faq
Malicious Software (MALWARE): “Malicious software” means computer software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. This definition includes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as spyware and some forms of adware. DFARS 252.204-7012
Malware Isolation: Containment of malware has two major components: stopping the spread of the malware and preventing further damage to hosts. Nearly every malware incident requires containment actions. In addressing an incident, it is important for an organization to decide which methods of containment to employ initially, early in the response. Forms of containment include user participation, automated detection, disabling services, and disabling connectivity. Because no single malware containment category or individual method is appropriate or effective in every situation, incident handlers should select a combination of containment methods that is likely to be effective in containing the current incident while limiting damage to hosts and reducing the impact that containment methods might have on other hosts. NIST SP 800-83r1
Media Protection: Media protection is a security control that addresses the defense of system media, which can be described as both digital and non-digital. Media protections can restrict access and make media available to authorized personnel only, apply security labels to sensitive information, and provide instructions on how to remove information from media such that the information cannot be retrieved or reconstructed. Media protections also include physically controlling system media and ensuring accountability, as well as restricting mobile devices capable of storing and carrying information into or outside of restricted areas. Examples of digital media include: diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Examples of non-digital media include paper or microfilm. NIST.SP.800-12r1
Medium Assurance Certificate: A DoD approved certificate required to report cyber incidents in accordance with DFARS clause 252.204-7012. For information on obtaining a DoD-approved medium assurance certificate, see https://public.cyber.mil/eca/.
NIST SP 800-171 r2 – National Institute of Standards and Technology Special Publication 800-171 Revision 2: Provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry.
NOFORN: NO FOREIGN DISSEMINATION (NOFORN) – Information may not be disseminated in any form to foreign governments, foreign nationals, foreign or international organizations, or non-U.S. citizens. https://www.dodcui.mil/NOFORN/
Plan of Action (POA): The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format. NIST SP 800-171 r2
SAM POCs – SAM Points of Contact are individuals designated by an entity to manage its SAM registration and related activities. These POCs typically include:
- Entity Administrator: Responsible for maintaining the entity’s registration, including updates and renewals.
- Electronic Business (E-Business) POC: Manages electronic business transactions and communications.
- Government Business POC: Handles interactions and communications with government agencies.
- Past Performance POC: Manages past performance information and references.
- Alternate POCs: Additional contacts who can assist with the responsibilities of the primary POCs.
Supplier Performance Risk System (SPRS): Supplier Performance Risk System (SPRS) “…is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.” (DoDI 5000.79) It is also the site where DoD suppliers post the scores of their DoD Cyber Self-Assessments. https://www.sprs.csd.disa.mi
System Security Plan (SSP): The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems. NIST SP 800-171 r2