Understanding cybersecurity and compliance terminology is critical for aerospace manufacturers working with the DoD and prime contractors like Lockheed Martin, Raytheon, and Northrop Grumman. Don’t let complex language slow you down — equip your team with the knowledge they need to meet CMMC and NIST 800-171 standards.
Access Control: Security measures implemented to regulate who or what can view, use, or modify resources in a computing environment. For aerospace manufacturers handling CUI, access control requirements specified in NIST 800-171 must be implemented to ensure only authorized personnel can access sensitive information.
Assessment: The process of measuring an organization's security controls against a specific framework or standard, such as CMMC or NIST 800-171. Aerospace manufacturers seeking DoD contracts must undergo assessments to verify their cybersecurity posture meets required standards for protecting CUI.
Assessment Objective: Specific statement from a security requirement that must be assessed to determine if the requirement has been implemented correctly. In CMMC assessments for aerospace manufacturers, each practice has associated assessment objectives that must be satisfied.
Assessment Plan: A documented approach detailing how an organization will conduct a cybersecurity assessment against frameworks like CMMC or NIST 800-171. Aerospace manufacturers should develop assessment plans to prepare for formal CMMC certification evaluations.
Assessor: An individual or organization authorized to evaluate a company's implementation of security controls against standards like CMMC. Under the CMMC program, Level 2 certification assessments are conducted by CMMC Third-Party Assessment Organizations (C3PAOs), while Level 3 assessments are conducted by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC); a C3PAO cannot issue a Level 3 certification. Aerospace manufacturers whose contracts require a Level 2 certification (rather than a self-assessment) must engage a C3PAO.
Asset Management: The process of identifying, tracking, and managing an organization's IT assets throughout their lifecycle. Aerospace manufacturers must implement robust asset management practices to maintain CMMC compliance and properly secure systems handling CUI.
Authentication: The process of verifying the identity of a user, device, or system before granting access to resources. NIST 800-171 and CMMC require aerospace manufacturers to implement multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Authorization: The process of granting or denying access rights to users, programs, or processes. Aerospace manufacturers must implement proper authorization controls to meet CMMC and NIST 800-171 requirements for protecting CUI.
ATO (Authority to Operate): A formal declaration by an Authorizing Official (formerly called the Designated Approving Authority) that authorizes operation of a system and explicitly accepts the risk to agency operations. Aerospace manufacturers working on DoD contracts may need to obtain an ATO for systems that connect to DoD networks or are operated on the government's behalf; an ATO is separate from, and does not substitute for, a CMMC certification.
Baseline Configuration: A documented set of specifications for a system that has been formally reviewed and agreed upon, and serves as the basis for future builds, releases, and changes. CMMC requires aerospace manufacturers to establish baseline configurations as part of configuration management practices.
Breach: An incident where unauthorized access to data, applications, services, networks, or devices bypasses their underlying security mechanisms. Aerospace manufacturers must report cyber incidents affecting covered defense information or covered contractor information systems to the DoD (via the DIBNet portal) within 72 hours of discovery, as required by DFARS 252.204-7012.
Boundary Protection: Security measures that protect the external boundary of an information system and key internal boundaries. For aerospace manufacturers, NIST 800-171 requires implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
C3PAO (CMMC Third Party Assessment Organization): Organizations accredited by the CMMC Accreditation Body (now operating as The Cyber AB) to conduct CMMC Level 2 certification assessments. Aerospace manufacturers whose contracts require a Level 2 certification must engage a C3PAO to evaluate their cybersecurity practices; Level 1 and, where the contract allows it, Level 2 can be met by self-assessment without a C3PAO.
CIA Triad: The three fundamental principles of information security: Confidentiality, Integrity, and Availability. Aerospace manufacturers implementing CMMC must ensure their cybersecurity program addresses these three core principles to adequately protect CUI.
CIO (Chief Information Officer): The executive responsible for managing, implementing, and using information technologies within an organization. In aerospace manufacturing companies, the CIO often plays a key role in ensuring CMMC and NIST 800-171 compliance.
CISO (Chief Information Security Officer): The executive responsible for an organization's information and data security. For aerospace manufacturers handling CUI, the CISO typically oversees compliance with CMMC, NIST 800-171, and other security frameworks.
Cloud Computing: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources. Aerospace manufacturers using cloud services to store, process, or transmit CUI must ensure the provider meets the FedRAMP Moderate baseline (or equivalent), as DFARS 252.204-7012 requires, and must document which NIST 800-171 controls are inherited from the provider and which remain the manufacturer's own responsibility.
CMMC (Cybersecurity Maturity Model Certification): A unified standard for implementing cybersecurity across the Defense Industrial Base (DIB). Aerospace manufacturers working with the DoD must achieve the appropriate CMMC level (typically Level 2) to bid on and maintain contracts involving CUI.
CMMC-AB (CMMC Accreditation Body): The organization, now known as The Cyber AB, responsible for accrediting CMMC Third Party Assessment Organizations (C3PAOs) and certifying CMMC assessors. It works in conjunction with the DoD CMMC Program Management Office to oversee the CMMC ecosystem that affects aerospace manufacturers and other defense contractors.
CMMC Level 1: The first level of CMMC, focusing on the 15 basic safeguarding practices of FAR 52.204-21 to protect Federal Contract Information (FCI). It is met by an annual self-assessment and affirmation in SPRS. Aerospace manufacturers handling only FCI and no CUI may only require Level 1 for certain contracts.
CMMC Level 2: The second level of CMMC, encompassing the 110 security requirements of NIST SP 800-171 to protect CUI. Depending on the contract, Level 2 is met either by a self-assessment or by a C3PAO certification assessment, each valid for three years with an annual affirmation in SPRS. Most aerospace manufacturers handling CUI will need CMMC Level 2 to qualify for DoD contracts.
CMMC Level 3: The highest level of CMMC, requiring all 110 Level 2 requirements plus 24 requirements selected from NIST SP 800-172, aimed at reducing the risk from Advanced Persistent Threats (APTs). Level 3 is assessed by the DoD (DCMA DIBCAC) and requires a prior Level 2 certification. Aerospace manufacturers working on highly sensitive programs may need to achieve this level.
CMMC Assessment Guide: Official documentation providing guidance on how to prepare for and undergo CMMC assessments. Aerospace manufacturers should use this guide to understand the specific evidence required to demonstrate compliance with each CMMC practice.
Configuration Management: The process of establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. CMMC and NIST 800-171 require aerospace manufacturers to implement configuration management to protect the integrity of systems handling CUI.
Controlled Technical Information (CTI): Technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Aerospace manufacturers frequently handle CTI, which is a subset of CUI requiring protection under DFARS 252.204-7012.
Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls according to law, regulation, or government-wide policy. Aerospace manufacturers handling technical specifications, engineering data, and contract information for DoD projects must protect CUI according to NIST 800-171 and CMMC requirements.
COTS (Commercial Off-The-Shelf): Software or hardware products that are commercially available to the general public. Aerospace manufacturers should assess COTS products for security vulnerabilities before implementing them in environments that process or store CUI.
Covered Defense Information (CDI): Unclassified controlled technical information or other information described in the CUI Registry that requires safeguarding or dissemination controls. Aerospace manufacturers must protect CDI according to DFARS 252.204-7012 and implement NIST 800-171 controls.
Cyber Incident: Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein. Aerospace manufacturers must report cyber incidents affecting covered defense information or covered contractor information systems to the DoD within 72 hours of discovery per DFARS 252.204-7012, and must preserve images of affected systems and relevant monitoring data for at least 90 days.
Cyber Incident Response: The process of detecting, reporting, and responding to cybersecurity incidents. CMMC and NIST 800-171 require aerospace manufacturers to establish incident response capabilities to effectively address and mitigate security incidents involving CUI.
Cybersecurity: The practice of protecting systems, networks, and programs from digital attacks aimed at accessing, changing, or destroying sensitive information. For aerospace manufacturers, robust cybersecurity practices are essential for CMMC compliance and protecting CUI in accordance with NIST 800-171.
DAR (Data-at-Rest): Data that is stored on media and not actively moving through networks. NIST 800-171 does not require all data at rest to be encrypted, but it does require aerospace manufacturers to encrypt CUI on mobile devices and mobile computing platforms (3.1.19), to cryptographically protect CUI on digital media during transport unless an alternative physical safeguard is used (3.8.6), and to protect the confidentiality of backup CUI at storage locations (3.8.9).
DIT (Data-in-Transit): Data actively moving through a network. Aerospace manufacturers must implement encryption for CUI transmitted across external networks to meet NIST 800-171 and CMMC requirements.
DIU (Data-in-Use): Data that is actively being processed by applications and is typically stored in a non-persistent state. Aerospace manufacturers must implement appropriate controls to protect CUI while it is being processed by applications and systems.
DFARS (Defense Federal Acquisition Regulation Supplement): A set of regulations that governs acquisitions by the DoD. Aerospace manufacturers must comply with DFARS clauses, particularly DFARS 252.204-7012, when handling CUI under DoD contracts.
DFARS 252.204-7012: The clause that requires contractors and subcontractors to safeguard covered defense information and report cyber incidents. Aerospace manufacturers must implement the NIST 800-171 security requirements, report cyber incidents within 72 hours of discovery, and flow the clause down to subcontractors whose work involves covered defense information.
DFARS 252.204-7019: The clause that requires contractors to have a current (no more than three years old) NIST 800-171 Basic (self-) assessment score posted in the Supplier Performance Risk System (SPRS) before award of a contract. Aerospace manufacturers must maintain a current assessment score in SPRS to be eligible for DoD contracts involving CUI.
DFARS 252.204-7020: The clause (NIST SP 800-171 DoD Assessment Requirements) that requires contractors to give the government access to facilities, systems, and personnel so that the DoD (DCMA DIBCAC) can conduct a Medium or High NIST 800-171 assessment, and to flow that requirement down to subcontractors. The CMMC-specific clause is DFARS 252.204-7021, which requires the CMMC level stated in the contract; aerospace manufacturers should expect both clauses in contracts involving CUI.
DIB (Defense Industrial Base): The worldwide industrial complex that enables research and development, production, delivery, and maintenance of military weapons systems and components. Aerospace manufacturers are a critical part of the DIB and must implement cybersecurity measures to protect the supply chain.
DoD Assessment Methodology: A scoring methodology used to assess the implementation of NIST SP 800-171 security requirements. Each of the 110 requirements is weighted 1, 3, or 5 points; a contractor starts at 110 and subtracts the weight of every requirement not implemented, so scores range from 110 down to -203. Aerospace manufacturers must conduct self-assessments using this methodology and submit scores to the Supplier Performance Risk System (SPRS).
Encryption: The process of converting information or data into a code to prevent unauthorized access. Where cryptography is used to protect the confidentiality of CUI, NIST 800-171 (3.13.11) requires aerospace manufacturers to use FIPS-validated cryptography, meaning cryptographic modules with an active certificate under NIST's Cryptographic Module Validation Program (FIPS 140-2 or 140-3); encryption that is strong but not FIPS-validated does not satisfy the requirement.
Endpoint Protection: Security measures implemented on endpoint devices like laptops, desktops, and mobile devices to prevent threats and malicious activities. CMMC and NIST 800-171 require aerospace manufacturers to implement endpoint protection to safeguard devices that process or store CUI.
Enterprise Security Plan: A documented set of system security controls, policies, and procedures. Aerospace manufacturers should develop and maintain an enterprise security plan to guide their implementation of CMMC and NIST 800-171 requirements.
FCI (Federal Contract Information): Information not intended for public release that is provided by or generated for the Government under a contract to develop or deliver a product or service. Aerospace manufacturers must provide at least basic safeguards for FCI, which is the focus of CMMC Level 1.
FedRAMP (Federal Risk and Authorization Management Program): A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Aerospace manufacturers using cloud services to process or store CUI should ensure their providers have the appropriate FedRAMP authorization.
FIPS (Federal Information Processing Standards): Standards and guidelines for federal computer systems developed by NIST. Aerospace manufacturers must use FIPS-validated cryptographic modules when implementing encryption for CUI to meet NIST 800-171 and CMMC requirements.
Firmware: Software that provides low-level control for a device's specific hardware. Aerospace manufacturers must manage firmware updates and security as part of their configuration management and vulnerability management processes under CMMC and NIST 800-171.
Hardware Asset Management: The process of tracking and managing the physical components of computers and computer networks. Aerospace manufacturers must maintain an inventory of hardware assets as part of their CMMC and NIST 800-171 compliance efforts.
Incident Response Plan: A documented set of instructions that outline the organization's response to cybersecurity incidents. Aerospace manufacturers must develop and periodically test incident response plans to comply with CMMC and NIST 800-171 requirements.
Information Flow Control: Mechanisms to regulate where information is allowed to travel within an information system and between interconnected systems. Aerospace manufacturers must implement information flow controls to protect CUI in accordance with NIST 800-171 and CMMC requirements.
Information Protection Procedures: Documented processes for the protection of sensitive information throughout its lifecycle. Aerospace manufacturers must develop and implement information protection procedures to safeguard CUI as required by NIST 800-171 and CMMC.
Information Security Continuous Monitoring (ISCM): The process of maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. CMMC and NIST 800-171 require aerospace manufacturers to implement continuous monitoring of their security controls.
Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Aerospace manufacturers must identify and protect information systems that process or store CUI in accordance with NIST 800-171 and CMMC.
Inheritance (of Controls): The process of leveraging security controls that are implemented by another system or service provider. Aerospace manufacturers using cloud services may inherit some security controls from their providers but remain responsible for ensuring all CMMC and NIST 800-171 requirements are met.
ITAR (International Traffic in Arms Regulations): U.S. regulatory controls on the export and import of defense-related articles, services, and technical data. Aerospace manufacturers handling ITAR-controlled technical data, which falls under the Export Controlled category of CUI when received under a DoD contract, must implement cybersecurity controls that prevent access by foreign persons, including foreign-national employees and cloud providers whose staff or data centers are outside the United States.
Least Privilege: The principle of limiting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. Aerospace manufacturers must implement least privilege access controls to meet CMMC and NIST 800-171 requirements for protecting CUI.
Logical Access Control: The use of software to control and monitor access to computers, networks, and information. Aerospace manufacturers must implement logical access controls to restrict system access to authorized users and processes as required by NIST 800-171 and CMMC.
Malware: Software designed to disrupt, damage, or gain unauthorized access to computer systems. Aerospace manufacturers must implement malware protection mechanisms to prevent malicious code from affecting systems that process or store CUI as required by NIST 800-171 and CMMC.
Media Protection: Safeguards for both digital and non-digital information system media containing CUI. Aerospace manufacturers must implement controls to protect media throughout its lifecycle, including access, marking, storage, transport, and sanitization as required by NIST 800-171 and CMMC.
Media Sanitization: The process of removing data from storage media with a level of assurance that the data cannot be reconstructed. Aerospace manufacturers must implement media sanitization procedures for media containing CUI before disposal, release, or reuse.
Memorandum of Understanding (MOU): A formal agreement documenting the terms of a working relationship between parties. Aerospace manufacturers should establish MOUs with external entities accessing their systems or CUI to define security responsibilities and requirements.
Multi-Factor Authentication (MFA): An authentication method that requires two or more verification factors to gain access to a resource. Aerospace manufacturers must implement MFA for local and network access to privileged accounts and for network access to non-privileged accounts that access CUI to meet NIST 800-171 and CMMC requirements.
NARA (National Archives and Records Administration): The agency responsible for establishing and overseeing the CUI program. Aerospace manufacturers handling CUI should be familiar with NARA's CUI Registry, which categorizes and provides handling guidance for different types of CUI.
Network Segmentation: The practice of splitting a computer network into subnetworks to improve security and performance. Aerospace manufacturers should implement network segmentation to isolate systems handling CUI from the general network as part of their boundary protection strategy.
NIST (National Institute of Standards and Technology): A federal agency that develops cybersecurity frameworks, guidelines, and standards. Aerospace manufacturers must implement the security requirements specified in NIST Special Publication 800-171 to protect CUI when working on DoD contracts.
NIST 800-171: The publication titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" that specifies security requirements for protecting CUI. Aerospace manufacturers handling CUI must implement all 110 security requirements in NIST 800-171 to comply with DFARS 252.204-7012 and achieve CMMC Level 2.
NIST 800-171 DoD Assessment Methodology: A standard methodology to assess contractor implementation of NIST SP 800-171 security requirements at three confidence levels: Basic (contractor self-assessment), Medium, and High (both conducted by the DoD). Aerospace manufacturers must conduct a Basic self-assessment using this methodology and submit the score, the date of the assessment, and the planned date for reaching a full 110 to SPRS to be eligible for DoD contracts involving CUI.
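The DoD Assessment Methodology and SPRS entries above describe a scoring procedure but show no calculation. The following Python example, added here and not part of the original glossary, computes a Basic assessment score the way the methodology does: start at 110, subtract the weight (1, 3, or 5) of each requirement that is not implemented, and apply the two partial-credit rules the methodology defines (3 points rather than 5 for 3.5.3 when MFA covers privileged and remote access but not general users, and for 3.13.11 when encryption is in place but not FIPS-validated). The weight table in the block is an assumed subset for illustration; the full Annex A of the published methodology is the authoritative source. The 88-point threshold for CMMC Level 2 conditional status and the sample status dictionary are likewise stated as assumptions in the code.

```python
"""
Score a NIST SP 800-171 Basic (self-) assessment the way the DoD Assessment
Methodology does. Example code written for this glossary; the weight table
below is an ASSUMED subset of Annex A and must be checked against the
published methodology before use.
"""
from dataclasses import dataclass

MAX_SCORE = 110   # all 110 requirements implemented
MIN_SCORE = -203  # nothing implemented (sum of all weights subtracted)

# Partial-credit rule from the methodology: these two requirements lose
# 3 points instead of their full 5 when partially met.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA for privileged + remote access, but not general users
    "3.13.11": 3,  # encryption employed, but modules are not FIPS-validated
}

# ASSUMED illustrative subset of requirement weights (1, 3 or 5 points).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3,
    "3.5.3": 5, "3.8.1": 3, "3.13.11": 5, "3.14.1": 5,
}

VALID_STATUSES = {"implemented", "partial", "not_implemented", "not_applicable"}


@dataclass(frozen=True)
class Deduction:
    requirement: str
    status: str
    points: int


def score_assessment(statuses, weights=WEIGHTS):
    """Return (score, deductions) for a mapping of requirement id -> status.

    A requirement absent from `statuses` is scored as not implemented, which
    is the conservative reading an assessor would take. A requirement marked
    'not_applicable' (justified in the SSP) is not deducted.
    """
    # The methodology does not score 3.12.4 (the SSP itself): without an
    # SSP there is no basis for an assessment and no score can be produced.
    if statuses.get("3.12.4") != "implemented":
        raise ValueError("3.12.4: no System Security Plan; a score cannot be calculated")

    deductions = []
    for req, weight in weights.items():
        status = statuses.get(req, "not_implemented")
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: unknown status {status!r}")
        if status in ("implemented", "not_applicable"):
            continue
        if status == "partial":
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req}: partial credit exists only for {sorted(PARTIAL_CREDIT)}")
            points = PARTIAL_CREDIT[req]
        else:
            points = weight
        deductions.append(Deduction(req, status, points))

    total = MAX_SCORE - sum(d.points for d in deductions)
    # Highest-weight gaps first: that is the remediation order a POA&M should follow.
    return total, sorted(deductions, key=lambda d: (-d.points, d.requirement))


def level2_conditional_score_met(total):
    """ASSUMED threshold: CMMC Level 2 conditional status requires a score of
    at least 88 (80% of 110). This checks only the score floor; the rule also
    restricts which requirements may remain open on the POA&M."""
    return total >= 88


# Constructed sample self-assessment (not real data).
SAMPLE_STATUSES = {
    "3.12.4": "implemented",
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.3": "not_implemented",  # -1
    "3.1.5": "not_implemented",  # -3
    "3.5.3": "partial",          # -3 instead of -5
    "3.8.1": "implemented",
    "3.13.11": "partial",        # -3 instead of -5
    "3.14.1": "not_implemented", # -5
}

if __name__ == "__main__":
    total, gaps = score_assessment(SAMPLE_STATUSES)
    print(f"SPRS score: {total}")
    for gap in gaps:
        print(f"  {gap.requirement:8} {gap.status:16} -{gap.points}")
    print("Level 2 conditional floor met:", level2_conditional_score_met(total))
```

Two details matter in practice: a requirement you forget to record is scored as a full deduction, not as implemented, and the partial-credit path is refused for anything other than 3.5.3 and 3.13.11, so a spreadsheet that quietly gives itself half credit elsewhere cannot be reproduced by this function.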
NIST Cybersecurity Framework (CSF): A voluntary framework consisting of standards, guidelines, and best practices to manage cybersecurity risk. Aerospace manufacturers can use the NIST CSF as a foundation for developing their cybersecurity program alongside CMMC and NIST 800-171 compliance efforts.
Non-Federal Organization: A state, local, or tribal government, or a private organization. Aerospace manufacturers are considered non-federal organizations subject to NIST 800-171 requirements when handling CUI under government contracts.
OSY (Organizational Security Awareness and Training): Security awareness and training policies and procedures, security awareness training, and role-based training; in NIST 800-171 these are the Awareness and Training (AT, 3.2.x) requirements. Aerospace manufacturers must provide security awareness training to all personnel, including insider-threat awareness, and role-based training for those with security responsibilities, as required by NIST 800-171 and CMMC.
PAO (Processor Access Overflow): Not a standard industry term; the flaw described is a memory-safety vulnerability, most commonly a buffer overflow, in which a process reads or writes memory outside the buffer allocated to it, allowing a malicious input to corrupt data or execute code. Aerospace manufacturers must implement secure development practices and regularly apply security patches to mitigate such vulnerabilities in systems handling CUI.
Patch Management: The process of acquiring, testing, and applying updates to software. Aerospace manufacturers must implement timely security patching for systems handling CUI to address known vulnerabilities as required by NIST 800-171 and CMMC.
Penetration Testing: A method of evaluating the security of an information system by simulating an attack from a malicious source. Aerospace manufacturers may conduct penetration testing as part of their security assessment process to identify vulnerabilities in systems handling CUI.
Physical Access Control: Measures implemented to restrict physical access to information systems, equipment, and operating environments. Aerospace manufacturers must implement physical access controls to protect systems handling CUI from unauthorized physical access.
Physical Protection: Safeguards implemented to protect information systems, equipment, and the facility housing those systems from physical threats. Aerospace manufacturers must implement physical protection controls for facilities where CUI is processed or stored.
Plan of Action and Milestones (POA&M): A document that identifies tasks needing to be accomplished to resolve security weaknesses, with owners, resources, and target dates. Aerospace manufacturers must develop and maintain POA&Ms to track progress in addressing gaps in NIST 800-171 and CMMC compliance; note that CMMC permits open POA&M items only in limited cases (for Level 2, a conditional status that requires a minimum assessment score and closure of the open items within 180 days).
Primary Gathering Entity (PGE): Not a term defined by the CUI Program; the role described here is the designating agency, the federal agency that designates information as CUI and shares it with a non-federal entity. Only a federal agency can designate CUI; prime contractors like Lockheed Martin, Raytheon, and Northrop Grumman pass CUI to aerospace manufacturers with the designating agency's markings intact and flow down the DFARS safeguarding requirements.
Privileged Account: A user account with elevated permissions beyond those of standard user accounts. Aerospace manufacturers must implement strict controls for privileged accounts, including multi-factor authentication and access restrictions, to meet NIST 800-171 and CMMC requirements.
Privileged User: A user authorized to perform security-relevant functions that ordinary users are not authorized to perform. Aerospace manufacturers must provide specialized security training for privileged users who administer systems handling CUI.
Recovery Planning: The process of restoring information systems to normal operations after a disruption. Aerospace manufacturers must develop and periodically test recovery plans for systems handling CUI to comply with NIST 800-171 and CMMC requirements.
Remote Access: Access to an organization's nonpublic information systems from an external network. Aerospace manufacturers must implement security controls for remote access to systems handling CUI, including encryption and multi-factor authentication.
Risk Assessment: The process of identifying, estimating, and prioritizing risks to organizational operations, assets, individuals, and other organizations. Aerospace manufacturers must conduct regular risk assessments to identify threats to systems handling CUI as required by NIST 800-171 and CMMC.
SCAP (Security Content Automation Protocol): A method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation. Aerospace manufacturers can use SCAP-validated tools to automate security assessments of systems handling CUI.
Scope: The boundary of the assessment, defining which systems, processes, and facilities are included or excluded. Aerospace manufacturers should carefully define the scope of their CMMC assessment to include all systems and environments that process or store CUI.
Security Assessment: The testing and evaluation of the management, operational, and technical security controls in an information system. Aerospace manufacturers must conduct security assessments to evaluate the effectiveness of controls protecting CUI.
Security Control: Safeguards or countermeasures designed to protect the confidentiality, integrity, and availability of information. Aerospace manufacturers must implement the security controls specified in NIST 800-171 to protect CUI in accordance with DFARS 252.204-7012.
Security Control Assessor: An individual or team responsible for conducting a comprehensive assessment of security controls. For CMMC certification, aerospace manufacturers must engage with certified assessors from a C3PAO to evaluate their implementation of security practices.
Security Requirement: A description of the security controls required for a system, organization, or other entity. Aerospace manufacturers must implement the 110 security requirements specified in NIST 800-171 to protect CUI and achieve CMMC Level 2 certification.
Security Technical Implementation Guide (STIG): A configuration standard published by the Defense Information Systems Agency (DISA) that specifies hardened settings for a particular operating system, application, network device, or database. Aerospace manufacturers can use STIGs, and the SCAP content DISA publishes with them, as a resource for securely configuring and checking systems that process or store CUI.
Software Asset Management: The process of tracking and managing software applications throughout their lifecycle. Aerospace manufacturers must maintain an inventory of software assets and ensure that only authorized software is installed on systems handling CUI.
SPRS (Supplier Performance Risk System): A DoD database used to track contractor and supplier performance information, including NIST 800-171 assessment scores. Aerospace manufacturers must submit their self-assessment scores to SPRS to be eligible for DoD contracts involving CUI.
SSP (System Security Plan): A document that provides an overview of the security requirements for an information system and describes the security controls in place or planned. Aerospace manufacturers must develop and maintain an SSP describing their implementation of NIST 800-171 security requirements for systems handling CUI.
Subcontractor: A supplier, distributor, vendor, or firm that supplies goods or services to a prime contractor. Aerospace subcontractors handling CUI must comply with the same DFARS clauses and implement the same cybersecurity requirements as prime contractors.
Supply Chain Risk Management (SCRM): The process of identifying, assessing, and mitigating risks associated with the global and distributed nature of product and service supply chains. Aerospace manufacturers must implement SCRM processes to protect the integrity of the defense industrial base supply chain.
Technical Security Controls: Security measures implemented through technology to protect information systems and data. Aerospace manufacturers must implement technical security controls specified in NIST 800-171 and CMMC to protect CUI from unauthorized access or disclosure.
Threat: Any circumstance or event with the potential to adversely impact organizational operations, assets, individuals, or other organizations through an information system. Aerospace manufacturers must identify and address threats to systems handling CUI as part of their risk management process.
Threat Intelligence: Evidence-based knowledge about existing or emerging threats to assets. Aerospace manufacturers should leverage threat intelligence to enhance their security posture and protect systems handling CUI from known threats.
User: Individual or system with authorized access to an information system. Aerospace manufacturers must implement controls to ensure that only authorized users can access systems processing or storing CUI.
Validation: The process of confirming that a security control is implemented correctly and operating as intended. Aerospace manufacturers must validate their implementation of security controls as part of preparing for CMMC certification assessments.
Virtual Private Network (VPN): An encrypted connection between two or more devices or networks across the internet. NIST 800-171 requires aerospace manufacturers to protect the confidentiality of remote access sessions with cryptographic mechanisms and to route remote access through managed access control points; an FIPS-validated VPN with multi-factor authentication is the usual way to satisfy this for remote access to systems that process or store CUI.
Vulnerability: A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. Aerospace manufacturers must identify and remediate vulnerabilities in systems handling CUI through regular scanning and patching.
Vulnerability Assessment: The process of identifying and quantifying vulnerabilities in a system. Aerospace manufacturers must conduct regular vulnerability assessments of systems handling CUI to identify security weaknesses that could be exploited by threats.
Vulnerability Management: The cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Aerospace manufacturers must implement a vulnerability management process to address security weaknesses in systems handling CUI as required by NIST 800-171 and CMMC.
Zero Trust Architecture: A security model that assumes no user or system should be inherently trusted and requires verification for anyone trying to access resources. Aerospace manufacturers may implement zero trust principles to enhance their security posture beyond baseline CMMC and NIST 800-171 requirements.
© Copyright 2025. Justice IT Consulting LLC. All Rights Reserved.