Organization Defined Parameter
Also known as: ODP
An Organization Defined Parameter (ODP) is a value that a security requirement leaves for the organization to set, such as a minimum password length, an unsuccessful-logon lockout threshold, or an audit-log review frequency. NIST SP 800-171 uses ODPs so that a requirement can be tailored to an environment without changing the requirement itself (Revision 3 makes them an explicit, bracketed part of each requirement's text). A contractor must choose a value for each ODP, record it in its System Security Plan, and enforce that same value consistently across the system boundary, because a CMMC Level 2 assessor checks both that the parameter is defined and that the implemented configuration matches what the plan documents.
Related terms
- NIST SP 800-171
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines the security requirements (commonly called controls; 110 of them in Revision 2) for protecting Controlled Unclassified Information (CUI) on non-federal systems. It is the controls catalog used at CMMC Level 2, but is not used at Level 1, which is based on the 15 basic safeguarding requirements in FAR 52.204-21.
- System Security Plan
A System Security Plan (SSP) is the written document that describes the boundary of a contractor's information system, the security controls implemented to protect it, and how each applicable requirement is satisfied. NIST SP 800-171 requirement 3.12.4 requires an SSP, so one is mandatory at Level 2; at Level 1 an SSP is not required by the rule but is considered a best-practice evidence artifact.
- Assessment Objective
An assessment objective is a discrete, atomic statement an assessor uses to determine whether a security requirement has been satisfied. NIST SP 800-171A breaks each of the 110 NIST SP 800-171 controls into multiple assessment objectives (approximately 320 in total), while the CMMC Level 1 Assessment Guide breaks each of the 15 Level 1 requirements into a smaller set of objectives.
- CMMC Level 2
CMMC Level 2 is the middle of the three CMMC certification tiers and applies to contractors that handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a Level 2 self-assessment or a Level 2 certification assessment by a CMMC Third-Party Assessment Organization (C3PAO), each on a three-year cycle; which of the two applies is specified in the solicitation or contract based on the sensitivity of the CUI involved.