Personally Identifable Information (PII)
PII, as defined by the Department of Homeland Security (DHS), is personally identifiable information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.
Protected Health Information (PHI)
PHI is defined as information, including demographic data, that can be used to identify an individual. It can exist in any medium and can relate to an individual’s past, present, or future physical or mental health condition, to the provision of health care to the individual, or to past, present or future payment for the provision of health care to the individual. PHI includes common identifiers such as an individual’s name, address, date of birth, or Social Security Number.
Electonic Protected Health Information (EPHI)
EPHI is defined as information, including demographic data, that can be used to identify an individual. It can exist in any medium and can relate to an individual’s past, present, or future physical or mental health condition, to the provision of health care to the individual, or to past, present or future payment for the provision of health care to the individual. PHI includes common identifiers such as an individual’s name, address, date of birth, or Social Security Number.
Civil Monetary Penalties (CMP)
CMP refers to a fine imposed on entities that violate certain laws and regulations. Penalties are adjusted yearly to adjust to inflation pursuant to the Federal Civil Penalties Inflation Adjustment Act of 1990, as amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. These laws required the head of each agency to adjust its CMPs for inflation.
Controlled Unclassified Information (CUI)
CUI is information the government creates or possesses that a law, regulation, or governmentwide policy requires to be safeguarded. CUI information can only be handled only when using appropriate security controls.
Federal Control Information (FCI)
FCI is information provided by or generated for the Government under contract that has not or will not be publicly released (within a reasonable period of time). Unlike CUI, FCI and its protection requirements are defined in the Federal Acquisition Regulation (FAR) rather than National Archives and Records Administration (NARA) documents and NIST 800-171 / DFARS 7012.
Covered Defense Information (CDI)
CDI Covered defense information is used to describe information that requires protection under DFARS Clause 252.204-7012.
Controlled Technical Information (CTI)
CTI means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Sensitive But Unclassified (SBU)
DFARs detail the terms and conditions for DoD procurement contracts. CMMC builds upon certain DFAR Supplement (DFARS) clauses that subject contractors to CMMC requirements.
CMMC Third-Party Assessor Organization (C3PAO)
C3PAO is an entity that is authorized and accredited by the government to perform CMMC assessments. The C3PAO also issues CMMC certificates based on the results of the assessments.
Registered Provider Organization (RPO)
Registered Provider Organizations house Registered Practitioners and ensure that they receive the required basic CMMC-AB training and adhere to the CMMC-AB Code of Professional Conduct.
Office of the Under Secretary of Defense for Acquisition and Sustainment – OUSD (A&S)
The Office of the Under Secretary of Defense for Acquisition and Sustainment is a DoD organization that led the development of the CMMC program.
NIST Special Publication 800-171
NIST SP 800-171 catalogs a comprehensive set of security controls that CUI requires. CMMC includes these controls in addition to practices, processes, and references from many other standards and sources.