Your Guide to
DOD Compliance

There are a lot of terms related to NIST 800-171 and CMMC that are important to know. Here are some of the most important terms and brief descriptions for each:

Controlled Unclassified Information (CUI)

CUI is defined by the Office of the Undersecretary of Defense Acquisition and Sustainment as:

“Information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order.”

In other words, it’s information that isn’t considered classified under any specific government mandate but still needs to be protected from illicit access. This is often because CUI includes sensitive information that may be useful to foreign intelligence agencies.

Federal Contract Information (FCI)

FCI is a catch-all term for any information that the U.S. government provides
or generates under a contract that isn’t intended to be released to the public.

Personally Identifiable Information (PII)

A general term for any information that an organization stores or processes that can be used to identify an individual. Many data privacy standards reference PII and the need to protect it from illicit access.

If stolen, PII can be used to commit fraud that can be financially devastating—both for the organization whose data is stolen and the individuals identified through their PII.

Media

In cybersecurity and compliance circles, the word “media” carries a different meaning
from the usual. When mentioned in CMMC and NIST documentation, “media” typically is a reference to storage media, meaning assets like USB drives, hard disk drives (HDDs), solid-state drives (SSDs), CDs, DVDs, floppy disks—basically anything that can hold data on it for future retrieval.

Defense Federal Acquisition Regulation Supplement (DFARS)

A supplement to the Federal Acquisition Regulation (FAR) that is administered by the Department of Defense. According to the Federal Register, DFARS “contains requirements of the law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public.”

As one of the security standards that the DoD administers, it is important for companies working with the DoD to meet DFARS requirements.

Defense Industrial Base (DIB)

The defense industrial base is the collection of all the businesses that participate in the national (or global) defense industry. Consisting of hundreds of thousands of companies, the DIB enables research and development for military weapons and IT systems, components, and parts as well as managing the supply chain for various military-related applications.

This is sometimes referred to as the national technology and industrial base (NTIB) when talking about both domestic and global portions of the DIB.

Companies within the DIB are often a target for espionage by foreign agencies looking to learn more about America’s defense industry and capabilities.

Advanced Persistent Threat (APT)

A specific category of cybersecurity threat that attempts to hide its presence in infected systems as it collects sensitive data to send off to an attacker. APTs are often defined by their difficulty to detect and their ability to steal a lot of information over a long period of time.

In some cases, APTs may go undetected for weeks or even months as they
infiltrate systems. This makes them extremely dangerous tools.

Request for Proposal (RFP)

A document issued by government agencies to try to get potential vendors to issue bids. This document generally includes various criteria for the project to be completed or work to be done so companies can generate a realistic bid.

Request for Information (RFI)

A document that requests information about a given industry that the government uses to inform its purchase decisions. This document is often used to gather info that is later used to generate a “request for proposal” document.  

Cybersecurity

A general term for the policies, procedures, and tools that an organization uses to protect its data from being stolen or lost. Strong cybersecurity helps protect businesses from modern cyber threats like phishing attacks, malware, APTs, ransomware, DDoS attacks, and the like.

Some cybersecurity tools, such as disaster recovery solutions, can also help prevent data loss from accidental deletions or damage to critical infrastructure.

Security Control

Security control is a tool, procedure, or another safeguard that helps an organization
to detect, avoid, counter, or minimize the impact of a security risk or threat.

The DoD and other government agencies may require businesses to use specific security controls to counteract or protect against certain cyber threats. For example, NIST 800-171 specifies the use of access controls to limit the types of transactions users, processes, and devices can make—and to verify identities before allowing transactions to take place.

Examples of security controls can range from firewalls to antimalware tools, security incident and event management (SIEM) software, employee security awareness training, multi-factor authentication (MFA), and more.

System Security Plan (SSP)

A system security plan is, as noted by SANS, used to “provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system.” 

In other words, it’s a document that organizations use to describe their current and planned security tools, procedures, and role-based responsibilities for system users. An SSP can be an integral part of security compliance efforts.

Plan of Action and Milestones (POA&M)

A document that details specific tasks that need to be accomplished. It includes any resources required to accomplish the plan, specific milestones for different tasks, and scheduled completion dates. 

As noted in the FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide, “The purpose of the POA&M is to facilitate a disciplined and structured approach to tracking risk-mitigation activities in accordance with the [cloud service provider’s] priorities.”

Supplier Performance Risk System (SPRS)

A database meant for DoD acquisition agents that serve as “the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.”

SPRS supports acquisition professionals from the DoD by providing numerous pieces of information, including delivery scores and quality classifications, procurement risk data and assessments, company exclusion statuses, and the National Security System Restricted List, among other pieces of data.

Procurement Integrated Enterprise Environment (PIEE)

An enterprise procure-to-pay (P2P) application for the DoD and supporting agencies. PIEE provides a variety of features that help automate the procurement process, reduce risk, and promote collaboration. Some of these features include:

• Purchase Request Data Standard (PRDS)-compliant tools for writing procurement requirements.
• Tools for assisting with the award process for contracts.
• Post-award administration functions.
• Payment management tools.
• Property management solutions.
• The National Industrial Security Program (NISP) Contract Classification System (NCCS).
• Reporting and document retrieval tools.

Microsoft Government Community Cloud

A government cloud service from Microsoft that is meant to “meet the unique and evolving requirements of the United States Federal, State, Local, and Tribal governments, as well as contractors holding or processing data on behalf of the US Government.”

Also referred to as Office 365 Government, this tool is an overlay for the regular Office 365 service that “supports the Federal Risk and Authorization Management Program (FedRAMP) accreditation at a High Impact level.” Users are screened via background checks to help maintain security compliance standards.

Managed Service Provider (MSP)

An organization that provides managed IT services on the behalf of other people or companies. MSPs can assume responsibility for a variety of IT functions for an organization—often for a fraction of the cost of having to hire an IT team to do the same things internally.

The specific services provided may vary from one MSP to the next, so it’s important to ask MSPs what services they offer before entering into an agreement. When government contractors work with MSPs, the MSP will need to be compliant with CMMC and NIST 800-171 guidelines.

Managed Security Service Provider (MSSP)

Similar to an MSP, a managed security service provider offers outsourced services. However, their specific focus is typically on the monitoring, maintenance, and management of security tools, procedures, and systems.

MSSPs help organizations identify and close gaps in their security architecture to minimize data breach/loss risks, meet regulatory compliance standards, and keep security tools streamlined to reduce bloat that might interfere with business operations.

Department of Defense (DoD)

A department of the executive branch of the United States (and the largest U.S. government agency). The DoD’s mandate is to “provide the military forces needed to deter war and ensure our nation’s security.”

To this end, the Department of Defense works with numerous organizations to secure technologies, tools, and systems that enhance the effectiveness of America’s armed forces and can help prevent attacks against American interests.

Because of the sensitive nature of the DoD’s work, the department has enacted several data security standards, guidelines, and certifications that their contractors need to be compliant with.

Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))

The Office of the Secretary of Defense (OSD) is a part of the DoD that “is responsible for policy development, planning, resource management, and program evaluation” for the DoD. The Office
of the Under Secretary of Defense for Acquisition and Sustainment is a sub-department of this office specifically responsible for enabling the “Delivery and Sustainment of Secure and Resilient Capabilities to the Warfighter and International Partners Quickly and Cost-Effectively.”

The OUSD(A&S) worked alongside key stakeholders in the DoD and the defense industry to develop the CMMC framework. CMMC specifically helps to address key resiliency and safety goals held by the OUSD(A&S).

CMMC Accreditation Body (CMMC-AB)

The organization authorized by the DoD to “be the sole authoritative source for the operationalization of CMMC Assessments and Training with the DOD contractor community.” If you want to achieve accreditation under CMMC, the CMMC-AB is the only DoD-approved and endorsed entity.

CMMC Third-Party Assessor Organization (C3PAO)

A C3PAO is an organization or individual that is authorized by the CMMC-AB to deliver CMMC assessments. C3PAOs need to apply for certification, a process that includes signing a license agreement, passing a background check, and passing at least a level 3 certification under CMMC standards.

National Institute of Standards and Technology (NIST)

An agency within the U.S. Department of Commerce that promotes technology and innovation that helps keep U.S. businesses competitive. It is also one of the USA’s “oldest physical science laboratories,” being founded in 1901.

The NIST often releases special publications that provide guidelines for ensuring basic cybersecurity protections in an ever-evolving threat environment. Examples include NIST 800-171 and NIST 800-53.

48 CFR 52.204-21

A rule within the Code of Federal Regulations (CFR) that is concerned with the “basic safeguarding of covered contractor information systems.” 48 CFR 52.204-21 calls on government contractors to meet 15 distinct security requirements and controls:

1. Limit information system access to authorized users, processes acting on behalf of users, or devices;
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
3. Verify and control/limit connections to and use of external information systems;
4. Control information posted or processed on publicly accessible information systems;
5. Identify information system users, processes acting on behalf of users, or devices;
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse;
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; control and manage physical access devices;
10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
12. Identify, report, and correct information and information system flaws in a timely manner;
13. Provide protection from malicious code at appropriate locations within organizational information systems;
14. Update malicious code protection mechanisms when new releases are available; and
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

These security requirements are in addition to any other security rules that the contractor may be subject to. In other words, if your contract requires you to meet NIST 800-171 and CMMC, 48 CFR 52.204-21 doesn’t replace those requirements—you have to meet them all.

NIST 800-53

A document published by NIST defining a list of security controls for protecting sensitive information. As the Revision 5 version of the document states, NIST 800-53 “represents a multi-year effort to develop the next generation of security and privacy controls that will be needed” to accomplish objectives like making information systems more penetration-resistant and limiting the damage from cyberattacks.

NIST 800-53 defines 20 different families for security and privacy control:

• Access Control (AC)
• Awareness and Training (AT)
• Audit and Accountability (AU)
• Assessment, Authorization, and Monitoring (CA)
• Configuration Management (CM)
• Contingency Planning (CP)
• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical and Environmental Protection (PE)
• Planning (PL)
• Program Management (PM)
• Personnel Security (PS)
• PII Processing and Transparency (PT)
• Risk Assessment (RA)
• System and Services Acquisition (SA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
• Supply Chain Risk Management (SR)

If you compare this to NIST 800-171 and CMMC, you may notice significant overlap since these publications use many of the same security families. However, NIST 800-53 specifies some families for topics not found in 800-171 or CMMC.

ISO 27001

A publication from the International Organization for Standardization (ISO), an organization that is often associated with quality and process management standards like the ISO 9000 series of publications. ISO/IEC 27001 provides requirements for an information security management system (ISMS) to help organizations protect sensitive information.

Although not specific to government security requirements, ISO 27001 standards can help businesses meet certain NIST and CMMC requirements.

ISO 27032

A security guidance document from ISO that is more specifically tailored to cybersecurity. The ISO 27032 document provides an overview of cybersecurity, how it relates to other types of security, and a framework for resolving key cybersecurity issues.