Lesson 5 Definitions Flashcards
Scope
The scale or extent of what will be evaluated for conformity, which includes those assets (people, facilities, technology) within the OSC’s environment that are targeted for CMMC Assessment because they interact with sensitive information - for example, by containing it, touching it in transit, or operating on the same network as it.
Scoping
The process of setting or determining the scope.
Headquarters (HQ) Organization
The legal entity that will deliver services or products under the terms of a DoD contract.
Host Unit
The specific people, procedures, and technology within an HQ Organization that will be applied to the DoD contract and that are considered the OSC for CMMC Assessment purposes.
Supporting Organization/Units
The people, procedures, and technology external to the HQ Organization that support the Host Unit. Affiliated assets may need to be included in the CMMC Assessment Scope.
Out-of-Scope Assets
Assets that cannot process, store, or transmit FCI or CUI because they are physically or logically separated from CUI assets, or because they are inherently unable to do so.
System
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Shared Responsibility Matrix
A mechanism that identifies the person(s) or team(s) in the OSC or the ESP responsible for implementing and sustaining each technical control, as reflected in the terms of service between the ESP as provider and the OSC as customer.
Security Control Inheritance
A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; either internal or external to the organization where the system or application resides.
CMMC Certification Boundary
Defines the assets that an assessor will evaluate for conformity with the applicable CMMC practices. This is the boundary to which a CMMC Certificate applies.
Assessment Boundary
Identifies all assets in the contractor’s environment for the Assessment engagement. Assets within the Assessment Boundary can be part of the CMMC Certification Boundary or Enabling Assets.
System Security Plan
The formal document prepared by the information system owner (or common security controls owner for inherited controls) that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. The plan can also contain as supporting appendices or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configuration management plan, and incident response plan.
Enclave
A segmentation of an organization’s network or data that is intended to “wall off” that network or database from all other networks or systems. A CMMC Assessment Scope can be limited to an enclave rather than covering the entire organization.