By in large if you run in Defense and/or Cyber Security circles. You’ll think people are speaking a foreign language and not one that makes sense. That’s mainly because people tend to bring up the many abbreviations, acronyms and designations for different systems and use them in everyday conversations. While that is all well and good for insiders or “in-the-know” for anyone on the outside looking in or someone new to the conversation, you for sure feel left or more confused. To help out we listed a few major terms and acronyms specific to the NIST 800-171 and CMMC discussions to help clear up some of that muddy water you’ve waded into. A lot of the acronyms we will cover tend to cross paths within the conversation so if you need more information please reach out to us and we can dive deeper on this topic with you. Also we have gone into a bit more depth on a few of the topics discussed below, so please feel free to review those articles as well.
No not the camping bed, Commercial Of The Shelf items or COTS are items used during government contracts that are unchanged from their usage in the commercial space, potential examples could be sheet metal for a basic HVAC system, gas for the motorpool, three strand electrical wires. Within CMMC there is an exemption for COTS products that will enable a supplier to not be required to have a CMMC cerifcation. Word of warning, as it stands now If any of those items need to be modified then your COTS may not be exempt. The current view is, do not rely on an expectation of receiving a COTS exemption, we discuss this more in depth on our COTS blog here.
CUI/CDI and FCI
CUI and CDI stand for Controlled Unclassified Information and Controlled Defense information respectively. This is government generated or regulated information that needs to be secured and protected it can be generated based off any of these areas below.
Defense Federal Acquisition Requirement Supplement or DFARS. Is the set of regulations administered by the DoD and discusses all requirements you need to comply to in order to bid on Defense contracts. It’s lengthy it’s in depth and it can be found here < https://www.acquisition.gov/dfars>. If you are looking at or currently bidding on a Defense contract, three is a good chance you will be required to comply with DFARS and it will be listed within the contract.
The list of what is and is not CUI/CDI is updated from time to time. A current list can be found here< https://www.archives.gov/cui> , and is typically spelled out in the contracts.
FCI or Federal Contract Information, while similar is any information required to be stored when reviewing and bidding on a federal contract and is not intended for the public. Under the current discussions according to the DoD if you are in possession of a contract with the DoD you are probably in possesion of some form of FCI.
In short ALL CUI is FCI, but not all FCI is CUI.
FedRAMP and CMMC
These are the two biggest acronyms that you’ll hear tossed around and are a pair of standards dealing with technology and Federal contracting. While there are similarities to both, they are very different, and both focus on very important but different areas. Federal Risk and Authorization Management or FedRAMP, according to the government page Is a government wide program that “provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”, that last portion is important, as it is one of the defining differences between CMMC and FedRAMP. Cybersecurity Maturity Model Certification or CMMC, on the other hand is a DoD specific standard that covers the “maintenance control and protection of CUI/CDI”. While it is not officially rolled out, CMMC was based of the NIST 800-171 standard which is currently a requirement as stated in DFARS clause 7012.
We could write an entire article on the difference between the two, in fact we did . The short of it is FedRAMP has broad reach on a specific technology, CMMC is more specific in who it pertains to, but is broader in what it is in reference to. One other major takeaway is currently, there is no reciprocity between the two at this time.
POA&M and SSP
System Security Plan or SSP and Plan Of Actions and Milestones. Go hand-in-hand and are the outputs of a NIST 800-171 assessment. Both are required to complete the Security risk assessment as per the newest DFARS rules change . The SSP is the current design of your Cybersecurity infrastructure, and should you have any gaps your POA&M is your plan to fill those gaps. Both should be an ever updating document, as you complete items on your POA&M it will shrink, and your SSP will grow. For a bit more detail see our article on SSP vs POA&M link to blog
How can Summit help?
Hopefully we were able to spell out some of this out for you and at least break down some of the definitions so you can start to get some clarity around the current cybersecurity discussions. As we mentioned a bit higher in the article, there is a lot of information and a lot of uncertanity regarding the timeline and the requirements. We have written a number of articles on the subject so please take a look at our artciles. If you still have more questions and/or are curious about how we can help you in becoming compliant to the current NIST 800-171 standard. Contact us either by email or by phone and our team of specialists can discuss our process with you and shed a bit more light on the subject.