Quick Guide to Cyber Security Compliance Terms

If you’ve been looking into being a government contractor, you’ve likely come across a great deal of information and more acronyms than you can keep up with.

You want to get it right, but sometimes, research can confuse you more than it helps – especially if it’s spread out among many different sources. This guide is intended to provide a reference for the acronyms you run across, in hopes of simplifying the information you need.

CUI: Controlled Unclassified Information

Contracting for the DoD can sometimes leave you in possession of certain information that needs to be protected. This information isn’t the top-tier information that the government manages, but it is still important. Once labeled “Sensitive but Unclassified,” this information is now referred to as “Controlled Unclassified Information.” The DoD wants to know that you have a way to protect this information before contracting for your products and services.

CMMC: Cybersecurity Maturity Model Certification

This is the method through which the government determines whether you meet the requirements to protect CUI. It’s a certification system based on five different levels of compliance. Level 1 means that your system meets the minimum cybersecurity requirements; Level 5 is the highest and most demanding level.

The type of work and contracts you are seeking from the government will dictate which level of CMMC compliance you need to meet. If you’ve previously looked into CMMC requirements, it’s important that you take a fresh look. There have been updates made and requirements are now based on CMMC Version 2.0.

DFARS: Defense Federal Acquisition Regulation Supplement

DFARS is another set of regulations for contractors set up prior to CMMC. A DFARS compliance audit covers 14 different areas that must be in compliance. These include but are not limited to audit and accountability, awareness and training, incident response, media protection, physical protection, risk assessment, maintenance, and system and information integrity.

NIST: National Institute of Science and Technology

NIST is an organization that helps develop standards for technology, security, and more. You’ll see this term a great deal while researching CMMC compliance and government contracts. NIST published a set of regulations that apply directly to how CUI should be protected and distributed in a document referred to as NIST 800-171.

This document came to be due to several breaches in federal databases and has been updated as needed. Being awarded government contracts requires that your systems and protocols are in compliance with NIST 800-171.

SSP: System Security Plan

An SSP is your company’s documented plan for cybersecurity. It explains your security system and how you implement the required security protocols. Before being awarded a government contract, you’ll need to show your SSP. If you don’t have one, you’re not likely to be working with the government.

Ideally, this guide will simplify the information necessary for you to attain CMMC compliance, but it’s not always an ideal world. If you still feel lost and over your head, there are several companies available that can help you.