It’s 2019 and our updated DFARS glossary is here. With our expanded DFARS glossary, Sera-Brynn defines key terms for cybersecurity compliance in the government space. There are many key terms you need to know – especially if you’re part of the DIB (see below), working through the DFARS cyber regulation, using cloud services, or responsible for incident reporting.
Here are some high-frequency acronyms and terms including DFARS vs FAR and their meanings. Consider us your acronym interpreter!
Access Control – one of the 14 families of security controls (requirements) of NIST SP 800-171.
Adequate Security – The reasonable level of data protection and security a contractor’s information system must provide under the Defense Federal Acquisition Regulation Supplement (DFARS). The formal definition of “adequate security” is: “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.”
Awareness and Training – one of the 14 families of security controls (requirements) of NIST SP 800-171.
Auditing and Accountability – one of the 14 families of security controls (requirements) of NIST SP 800-171.
CDI stands for covered defense information. CDI is the class of information that triggers compliance with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. As per DFARS, CDI means:
“unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
CFR is the Code of Federal Regulations. It’s the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the U.S. Federal Government. The Government’s unofficial version is the e-CFR. The cybersecurity clause of DFARS is found in the CFR.
CO is the Government’s contracting officer.
Configuration Management – one of the 14 families of security controls (requirements) of NIST SP 800-171.
Contractor attributional/proprietary information, under DFARS, means information “that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.”
COTS refers to commercially available off-the-shelf (COTS) items.
Covered contractor information system, pursuant to DFARS, means “an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.”
CSF is the NIST Cybersecurity Framework. It is a subset of the NIST 800-171 controls.
C-SCRM stands for Cyber Supply Chain Risk Management. It’s the process of identifying, assessing, and mitigating the cybersecurity risks associated with product and service supply chains.
CSP stands for cloud service provider.
CTI is Controlled Technical Information. Under DFARS, CTI means “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”
CUI is controlled unclassified information. CUI is almost synonymous with CDI.
Cyber incident, under DFARS, means “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”
DC3 is the DoD Cyber Crime Center. DC3 is involved in cyber incident and compromise reporting.
DCMA is the Defense Contract Management Agency.
DFARS means Defense Federal Acquisition Regulation Supplement. The DFARS supplements the Federal Acquisition Regulation (FAR) and is administered by the Department of Defense.
DFARS clause 252.204-7012 is the regulation titled, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” DFARS clause 252.204-7012 requires government contractors to comply with two key information security requirements: (1) adequate security and (2) incident reporting. This clause, unlike the FAR Final Rule 52.204-21, provides for detailed implementation and reporting standards based on NIST guidelines. More of our analysis on the DFARS cybersecurity clause can be found here.
DIB refers to the DoD’s Defense Industrial Base.
DIBNet is the DoD’s online portal for incident reporting.
DoD means “Department of Defense.” As used in DFARS, DoD includes the Department of Defense, the military departments, and the defense agencies.
DSS is Defense Security Service, an agency of the Department of Defense.
Enhanced Security Controls refers to a set of controls that go beyond those in NIST SP 800-171; they are imposed by the Government on contractors in certain situations. Read our blog on the Navy’s enhanced security controls for more information.
FAR stands for Federal Acquisition Regulation and is the set of regulations governing all acquisitions and contracting procedures in the Federal government.
FAR Final Rule 52.204-21 is the regulation titled “Basic Safeguarding of Contractor Information Systems.” The FAR Final Rule 52.204-21 addresses 15 provisions that mandate minimum controls. It was published in 2016. This clause does not reference any NIST standard, however the controls align with the basic controls in NIST SP 800-171 revision 1. These 15 controls are a minimum cybersecurity baseline for U.S. government contractors.
FCA is the False Claims Act. A contractor is at risk of significant liability under the False Claims Act if it is not DFARS compliant, yet invoices for payment under a contract that requires DFARS compliance. The FCA is enforced by the U.S. Department of Justice (DOJ). The DOJ’s FCA Primer explains the types of conduct that can result in FCA liability.
FedRAMP stands for the Federal Risk and Authorization Management Program. It is a U.S. Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The provision of cloud services to the Federal Government may be evaluated under the FedRAMP program.
Government data, as defined in the DFARS means “any information, document, media, or machine readable material regardless of physical form or characteristics, that is created or obtained by the Government in the course of official Government business.”
Identification and Authentication – one of the 14 families of security controls (requirements) of NIST SP 800-171.
Incident Response – one of the 14 families of security controls (requirements) of NIST SP 800-171.
IRP is an Incident Response Plan. Having one is a DFARS cybersecurity clause requirement. Sera-Brynn recommends that your IRP include specific actions for reporting and handling incidents that may affect Covered Defense Information.
Maintenance – one of the 14 families of security controls (requirements) of NIST SP 800-171.
Media Protection – one of the 14 families of security controls (requirements) of NIST SP 800-171.
MFA is “multi-factor authentication,” which is when an information system uses two or more methods of authentication drawn from the following categories: something you know (e.g., a password); something you have (e.g., a One-Time Password (OTP) generating device such as a fob, a smart card, or a mobile app on a smartphone); and something you are (e.g., a biometric such as a fingerprint or iris).
NARA stands for National Archives and Records Administration. NARA is the agency that implements the Federal Government-wide CUI Program. Identifying CDI involves an analysis of the information and how it is classified by NARA.
NIST stands for the National Institute of Standards and Technology. NIST is part of the U.S. Department of Commerce.
NIST 800 is the series of documents that sets forth the U.S. Government’s computer security policies, procedures and guidelines.
NIST SP 800-53 is the NIST Special Publication titled “Security and Privacy Controls for Federal Information Systems and Organizations.” NIST 800-53 is the guidance for securing Federal information systems. The current version of 800-53 is revision 4.
NIST SP 800-171 is the NIST Special Publication titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” NIST 800-171 contains NIST’s final guidance for federal agencies on ensuring that sensitive federal information remains confidential when it is stored in nonfederal information systems and organizations. The current version of 800-171 is revision 1. DFARS clause 252.204-7012 maps to NIST SP 800-171.
OCS stands for “operationally critical support,” which DFARS defines as “supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”
Personnel Security – one of the 14 families of security controls (requirements) of NIST SP 800-171.
PGI is “Procedures, Guidance, and Information,” which is the companion resource to the DFARS that contains mandatory internal DoD procedures. The PGI is available electronically here.
Physical Protection – one of the 14 families of security controls (requirements) of NIST SP 800-171.
POA&M means “Plan of Action & Milestones.” The POA&M is another document you should be ready to give to your contracting officer. This document should be prepared in conjunction with the System Security Plan and address any of the NIST SP 800-171 controls that are not fully implemented. In the Plan of Action & Milestones, a remediation plan and timeline for implementation should be provided. There are templates available for this document (including this NIST 800-171 POA&M template provided by NIST), and remember it should be updated regularly. At a minimum, include the control, compliance status, the expected compliance date, and resources needed to fix it.
Rapidly report under the DFARS cybersecurity clause means within 72 hours of discovery of any cyber incident.
Risk Assessment – one of the 14 families of security controls (requirements) of NIST SP 800-171.
RMF means the Risk Management Framework. The RMF is the common information security framework for the federal government and its contractors.
SCRM stands for Supply Chain Risk Management.
Security Assessment – one of the 14 families of security controls (requirements) of NIST SP 800-171.
SSP is a System Security Plan. The SSP is the document a contractor should be prepared to provide to its contracting officer in order to be compliant with the DFARS cybersecurity clause. There is not a set format for the System Security Plan, but it must describe how each of the 110 NIST SP 800-171 controls has been implemented as well as the system environment and boundaries, and any interconnections. The System Security Plan is a living document and should be updated regularly. There is a CUI SSP example posted on the NIST 800-171 webpage.
System and Communication Protection – one of the 14 families of security controls (requirements) of NIST SP 800-171.
System and Information Integrity – one of the 14 families of security controls (requirements) of NIST SP 800-171.
USG means United States Government.
Learn more about NIST SP 800-171 and DFARS by reviewing our archives. To speak to one of our team members about DFARS/NIST 800-171 assessments or advisory services, contact us at email@example.com or visit www.sera-brynn.com.
© Sera-Brynn 2019.
Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn is an international, top-ranked cybersecurity firm.
Sera-Brynn is a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and a certified FedRAMP assessor. Their security engineers all hail from the National Intelligence and Military Information Security sector.