The CMMC glossary
Every CMMC, NIST 800-171, and DFARS term you’ll run into — defined in plain English, no acronym soup.
- CMMC: Cybersecurity Maturity Model Certification — the DoD program that verifies defense contractors protect FCI and CUI to a required level.
- DIB: Defense Industrial Base — the network of companies that supply the U.S. military, from primes to small subcontractors. CMMC applies across it.
- CUI: Controlled Unclassified Information — sensitive but unclassified government information that requires protection. Handling it typically triggers CMMC Level 2.
- FCI: Federal Contract Information — non-public information provided or generated under a federal contract. Handling only FCI typically triggers CMMC Level 1.
- NIST SP 800-171: The NIST publication defining 110 security controls for protecting CUI in non-federal systems. It is the basis for CMMC Level 2.
- NIST SP 800-172: Enhanced security requirements that supplement 800-171 for the highest-priority programs. It underpins CMMC Level 3.
- DFARS 252.204-7012: The Defense Federal Acquisition Regulation Supplement clause requiring contractors to safeguard covered defense information and implement NIST 800-171.
- FAR 52.204-21: The Federal Acquisition Regulation clause establishing 15 basic safeguarding requirements for FCI — the foundation of CMMC Level 1.
- C3PAO: Certified Third-Party Assessment Organization — an organization authorized by the Cyber AB to conduct official CMMC Level 2 assessments.
- Cyber AB: The Accreditation Body that oversees the CMMC ecosystem, including C3PAOs, assessors, and Registered Provider Organizations.
- RPO / RP: Registered Provider Organization and Registered Practitioner — advisors authorized to help contractors prepare for CMMC (consulting, not certifying).
- SSP: System Security Plan — the document describing how your organization meets each security requirement. A foundational assessment artifact.
- POA&M: Plan of Action & Milestones — the tracked plan for closing any security gaps not yet remediated, with owners and target dates.
- SPRS: Supplier Performance Risk System — the DoD system where contractors report their NIST 800-171 self-assessment score.
- DIBCAC: Defense Industrial Base Cybersecurity Assessment Center — the government body that conducts higher-level (Level 3) and certain government-led assessments.
- Enclave: A separated, controlled portion of your environment built to hold CUI, reducing how much of your business falls within CMMC scope.
- GCC High: Microsoft's Government Community Cloud High — a cloud environment many contractors use to meet CUI and ITAR requirements.
- Assessment objective: A specific, testable statement an assessor checks to confirm a control is met. NIST 800-171A defines 320 objectives across the 110 controls.
Free 30-minute readiness call
Ready to put the terms into practice?
Book a 30-minute readiness call. We'll translate the acronyms into a concrete path to CMMC certification for your business.
- Confirm which CMMC level your contracts actually require
- Pinpoint the gaps most likely to fail your assessment
- Leave with a clear, prioritized path to certification
One-on-one with a CMMC advisor · No obligation · We never store your CUI
