
The CMMC glossary

Every CMMC, NIST 800-171, and DFARS term you’ll run into — defined in plain English, no acronym soup.

CMMC
Cybersecurity Maturity Model Certification — the DoD program that verifies defense contractors protect FCI and CUI to a required level.
DIB
Defense Industrial Base — the network of companies that supply the U.S. military, from primes to small subcontractors. CMMC applies across it.
CUI
Controlled Unclassified Information — sensitive but unclassified government information that requires protection. Handling it typically triggers CMMC Level 2.
FCI
Federal Contract Information — non-public information provided or generated under a federal contract. Handling only FCI typically triggers CMMC Level 1.
NIST SP 800-171
The NIST publication defining 110 security controls for protecting CUI in non-federal systems. It is the basis for CMMC Level 2.
NIST SP 800-172
Enhanced security requirements that supplement 800-171 for the highest-priority programs. It underpins CMMC Level 3.
DFARS 252.204-7012
The Defense Federal Acquisition Regulation Supplement clause requiring contractors to safeguard covered defense information and implement NIST 800-171.
FAR 52.204-21
The Federal Acquisition Regulation clause establishing 15 basic safeguarding requirements for FCI — the foundation of CMMC Level 1.
C3PAO
Certified Third-Party Assessment Organization — an organization authorized by the Cyber AB to conduct official CMMC Level 2 assessments.
Cyber AB
The Accreditation Body that oversees the CMMC ecosystem, including C3PAOs, assessors, and Registered Practitioner Organizations.
RPO / RP
Registered Provider Organization and Registered Practitioner — advisors authorized to help contractors prepare for CMMC (consulting, not certifying).
SSP
System Security Plan — the document describing how your organization meets each security requirement. A foundational assessment artifact.
POA&M
Plan of Action & Milestones — the tracked plan for closing any security gaps not yet remediated, with owners and target dates.
SPRS
Supplier Performance Risk System — the DoD system where contractors report their NIST 800-171 self-assessment score.
DIBCAC
Defense Industrial Base Cybersecurity Assessment Center — the government body that conducts higher-level (Level 3) and certain government-led assessments.
Enclave
A separated, controlled portion of your environment built to hold CUI, reducing how much of your business falls within CMMC scope.
GCC High
Microsoft's Government Community Cloud High — a cloud environment many contractors use to meet CUI and ITAR requirements.
Assessment objective
A specific, testable statement an assessor checks to confirm a control is met. NIST 800-171A defines 320 objectives across the 110 controls.
Free 30-minute readiness call

Ready to put the terms into practice?

Book a 30-minute readiness call. We'll translate the acronyms into a concrete path to CMMC certification for your business.

  • Confirm which CMMC level your contracts actually require
  • Pinpoint the gaps most likely to fail your assessment
  • Leave with a clear, prioritized path to certification

One-on-one with a CMMC advisor · No obligation · We never store your CUI