Glossary Flashcards

1
Q

CUI Asset

A

Anything or anyone that processes, stores, or transmits CUI.

2
Q

Security Protection Asset (SPA)

A

Anything or anyone that provides protections to the CUI assets

3
Q

Contractor Risk Managed Asset (CRMA)

A

Anything or anyone that CAN access (touch, reach, see) CUI but is not authorized or intended to.
4
Q

Specialized Asset

A

Generally IoT, OT, or test equipment.
5
Q

Out of Scope Asset

A

Anything or anyone that can't access (touch, reach, see) CUI.
6
Q

People

A

Any human.
7
Q

Technology

A

Every device (CSP, VPN, router, printer, workstation, etc.).
8
Q

Facility

A

Any place that hosts the above.
9
Q

Organization

A

An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements).

The Headquarters (HQ) Organization is the legal entity that will deliver services or products under the terms of a DoD contract. The HQ Organization could be the OSC, or it could designate a Host Unit as the OSC.
10
Q

Process

A

A procedural activity that is performed to implement a defined objective.

11
Q

Out-of-Scope Asset

A

Out-of-scope assets cannot process, store, or transmit CUI because they are physically or logically separated from CUI Assets or are inherently unable to do so.

12
Q

Specialized Assets

A

The following are considered specialized assets for CMMC: Government Property, Internet of Things (IoT) or Industrial Internet of Things (IIoT), Operational Technology (OT), Restricted Information Systems, and Test Equipment.
13
Q

Government Property

A

All property owned or leased by the Government. Government property includes both government-furnished and contractor-acquired property. Government property includes material, equipment, special tooling, special test equipment, and real property. Government property does not include intellectual property or software.

14
Q

Internet of Things (IoT)

A

Interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors.
15
Q

Operational Technology (OT)

A

Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events in the enterprise.

16
Q

Restricted Information Systems

A

Systems (and the associated IT components comprising the system) that are configured based on government requirements (i.e., configured or connected in a way that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas).

17
Q

Test Equipment

A

Hardware and/or associated IT components used in the testing of products, system components, and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters, and special test equipment).

18
Q

Host Unit

A

The specific people, processes, and technology within an HQ Organization that would be applied to the DoD contract and that are to be considered the OSC for CMMC Assessment purposes.

A specific Host Unit and its associated networks and systems may be the only part of the OSC that requires a CMMC assessment and certification.

19
Q

Supporting Units

A

The people, processes, and technology that support the Host Unit. These resources need to be included as part of the Assessment but would normally NOT receive a CMMC certification. Supporting Units may include subcontractors, external service providers (ESPs), third-party service providers (TSPs), and managed service providers (MSPs).

20
Q

Process

A

Using or manipulating FCI. Examples include editing, printing, manipulating, accessing, entering, or generating FCI, such as:

• Databases, laptops, printers, a workstation that writes FCI onto paper, applications that load FCI into memory so that it can be displayed to the user, and antivirus programs that compare FCI files to known malicious signatures.

21
Q

Store

A

FCI resides on an asset while it is not being actively processed. Examples include:

• Laptops or file servers storing FCI on their hard drives
• Documents with FCI written or printed on them
• CDs or other portable storage with FCI written to it
• Cloud systems that allow FCI to be uploaded or downloaded from them.
• Backups to external media or to cloud systems
• Email server that holds copies of users’ mailboxes
• Facilities that contain unencrypted FCI in computers, portable storage, or documents
• Multi-function machines that keep the last imaging jobs stored on an internal disk
• Cameras used to take pictures of contract deliverables or samples.

22
Q

Transmit

A

FCI passes through an asset while it is being transferred from a source to a destination. Examples include:

• A user carrying a sensitive document to a client meeting
• A switch passing FCI in clear text on network cables between a file server and a manufacturing system
• A wireless signal used to move FCI between a file server and a user laptop
• An email server that transmits FCI between a sender and a recipient

23
Q

Section 4.1901 of the Federal Acquisition Regulation (FAR)

A

Defines Federal Contract Information (FCI) as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information such as necessary to process payments."

24
Q

Part 2002 of Title 32 CFR, the "implementing directive" for the overall federal CUI program

A

Defines Controlled Unclassified Information (CUI) as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

25
Q

Executive Order 13556

A

"Controlled Unclassified Information" establishes a program for managing all unclassified information in the Executive Branch that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and Government-wide policies. The Executive Order outlines the purpose of the program as well as the CUI designations; it also designates NARA as the Executive Agent overseeing the program and orders a review of current designations within 180 days.

26
Q

32 Code of Federal Regulations, Part 2002 (Implementing Directive)

A

The Executive Order is implemented through 32 CFR Part 2002. It describes the Executive Branch's Controlled Unclassified Information Program and establishes policy for designating, handling, and decontrolling information that qualifies as CUI. It applies to all Executive Branch agencies that designate or handle information that meets the standards for CUI, and it overrides agency-specific or ad hoc requirements when they conflict.

27
Q

DoD Instruction 5200.48 Controlled Unclassified Information

A

DoDI 5200.48 establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order 13556, 32 CFR Part 2002, and DFARS clauses 252.204-7008 and 252.204-7012. DoDI 5200.48 also established the DoD CUI Registry: an official list of the indexes and categories used to identify the various types of DoD CUI. It expands upon the National CUI Registry maintained by NARA. DoDI 5200.48 is the documented source that determines what the DoD considers CUI. However, a contractor should clarify with the contracting officer or prime contractor to determine what information is CUI.

While the DoD has established its own CUI program, DoDI 5200.48 makes it clear that the CUI Executive Agent is NARA and that NARA's guidance takes precedence.