CMMC Compliance Glossary
63 essential terms for CMMC Level 2, NIST SP 800-171, SPRS scoring, and defense contractor cybersecurity compliance.
A (3 terms)
Access Control [Security]
The largest NIST SP 800-171 control family, with 22 controls governing who can access systems and data. Includes account management, separation of duties, least privilege, remote access, and wireless access restrictions.
Assessment Objective [Assessment]
A specific, testable requirement defined in NIST SP 800-171A. The 110 controls expand into 320 assessment objectives. C3PAO assessors verify each objective individually; all objectives for a control must be met for it to be scored as implemented.
Audit Log [Security]
A chronological record of system activities sufficient to reconstruct and examine security-relevant events. NIST SP 800-171 Audit & Accountability (AU) controls require creating, protecting, retaining, and reviewing audit logs.
B (1 term)
Body of Evidence [Compliance]
The complete set of documentation a contractor presents during a C3PAO assessment. Typically includes the SSP, POA&M, network diagrams, policies, procedures, audit logs, configuration screenshots, and training records.
C (16 terms)
C3PAO (Certified Third-Party Assessment Organization) [Assessment]
An organization authorized by The Cyber AB to conduct CMMC Level 2 assessments. C3PAOs employ certified assessors who verify that contractors have implemented all 110 NIST SP 800-171 controls. There are fewer than 100 authorized C3PAOs as of 2026.
CAGE Code (Commercial and Government Entity Code) [DoD]
A five-character alphanumeric identifier assigned to entities doing business with the federal government. Required for SPRS score submission and CMMC assessment registration. Obtained through SAM.gov registration.
CCA (Certified CMMC Assessor) [Assessment]
An individual certified by The Cyber AB to conduct CMMC assessments as part of a C3PAO team. CCAs must complete training, pass exams, and maintain continuing education requirements.
CCP (Certified CMMC Professional) [Assessment]
An individual certified by The Cyber AB who can advise organizations on CMMC readiness but cannot conduct official assessments. CCPs often work as consultants helping contractors prepare for C3PAO assessments.
CMMC (Cybersecurity Maturity Model Certification) [CMMC]
A DoD verification framework that measures a defense contractor's cybersecurity posture across three levels. Level 2 requires implementation of all 110 NIST SP 800-171 controls and is verified by a C3PAO third-party assessment.
CMMC Level 1 [CMMC]
The foundational CMMC tier requiring implementation of 15 basic cybersecurity practices from FAR 52.204-21. Verified through annual self-assessment. Applies to contractors handling Federal Contract Information (FCI) but not CUI.
CMMC Level 2 [CMMC]
The advanced CMMC tier requiring implementation of all 110 NIST SP 800-171 Rev 2 controls. Contractors handling CUI must pass a C3PAO third-party assessment. Phase 2 enforcement begins November 2026.
CMMC Level 3 [CMMC]
The highest CMMC tier requiring all Level 2 controls plus 24 additional controls from NIST SP 800-172. Assessed by DIBCAC (government assessors). Required for contracts involving the highest-priority CUI.
CMMC Phase 2 [CMMC]
The second phase of CMMC rollout, beginning November 10, 2026. DoD solicitations will more broadly require CMMC Level 2 C3PAO assessments for contracts involving CUI.
Conditional Assessment [Assessment]
A CMMC assessment result where a contractor meets most but not all requirements and has a credible plan (POA&M) to close remaining gaps within 180 days. Conditional status allows contract award while the contractor completes remediation.
Configuration Management [Security]
The process of maintaining secure baseline configurations for all systems in the CUI scope. The NIST SP 800-171 CM family requires documented baselines, change control, least functionality, and restriction of unauthorized software.
Continuous Monitoring [Compliance]
An ongoing process to maintain awareness of security posture, vulnerabilities, and threats. Required by the NIST SP 800-171 Security Assessment (CA) family. Includes periodic control assessments, system monitoring, and risk reassessment.
Control Family [NIST]
A logical grouping of related security controls in NIST SP 800-171. There are 14 families: Access Control (AC), Awareness & Training (AT), Audit & Accountability (AU), Configuration Management (CM), Identification & Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System & Communications Protection (SC), and System & Information Integrity (SI).
CUI (Controlled Unclassified Information) [DoD]
Government-created or owned information that requires safeguarding controls per law, regulation, or government-wide policy. CUI is not classified but must be protected from unauthorized disclosure. Common categories include technical data, export-controlled information, and critical infrastructure data.
CUI Enclave [Security]
A segmented network environment specifically designed to process, store, and transmit CUI. By isolating CUI into an enclave, contractors reduce the number of systems in scope for CMMC, lowering both implementation cost and assessment complexity.
Cyber Incident [Security]
An action taken through computer networks that compromises the security of an information system or the information it processes, stores, or transmits. Under DFARS 252.204-7012, contractors must report cyber incidents to DoD within 72 hours.
D (8 terms)
DCMA (Defense Contract Management Agency) [DoD]
The DoD agency responsible for contract administration and oversight. DCMA's DIBCAC division conducts CMMC Level 3 assessments and oversees the assessment ecosystem.
DFARS (Defense Federal Acquisition Regulation Supplement) [DoD]
Supplemental regulations to the FAR that apply specifically to DoD acquisitions. DFARS clause 252.204-7012 requires contractors to implement NIST SP 800-171 controls and report cyber incidents within 72 hours.
DFARS 252.204-7012 [DoD]
The contract clause titled "Safeguarding Covered Defense Information and Cyber Incident Reporting." It mandates that contractors implement NIST SP 800-171, report cyber incidents to DoD within 72 hours, and flow down requirements to subcontractors.
DFARS 252.204-7019 [DoD]
The contract clause requiring contractors to have a current NIST SP 800-171 assessment on record in SPRS. Mandates self-assessment scoring and submission before contract award.
DFARS 252.204-7021 [DoD]
The contract clause requiring CMMC certification at the level specified in the solicitation. This is the clause that makes CMMC a contract requirement, and it includes flow-down to subcontractors.
DIB (Defense Industrial Base) [DoD]
The global network of companies, universities, and research labs that designs, builds, and sustains U.S. defense systems. Over 100,000 companies and their subcontractors make up the DIB. Contractors who handle CUI are required to achieve CMMC Level 2.
DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) [DoD]
A division of DCMA responsible for conducting CMMC Level 3 assessments (government-led) and overseeing the C3PAO ecosystem for Level 2 assessments. DIBCAC assessors are government employees.
DLP (Data Loss Prevention) [Security]
Technologies and processes that prevent sensitive information (including CUI) from being transmitted outside authorized boundaries. DLP is a key technical control for the Media Protection (MP) and System & Communications Protection (SC) families.
E (2 terms)
EDR (Endpoint Detection and Response) [Security]
Security software that continuously monitors endpoints (workstations, servers, mobile devices) for suspicious activity. EDR supports multiple NIST SP 800-171 control families, including System & Information Integrity (SI) and Audit & Accountability (AU).
Evidence Artifact [Compliance]
A specific document, screenshot, log, or configuration export that demonstrates implementation of a security control. C3PAO assessors review evidence artifacts for each of the 320 assessment objectives. Common artifacts include policy documents, audit log exports, configuration screenshots, and training completion records.
F (6 terms)
FAR (Federal Acquisition Regulation) [DoD]
The primary regulation governing all federal government acquisitions. FAR 52.204-21 defines the 15 basic safeguarding requirements for FCI that form the basis of CMMC Level 1.
FCI (Federal Contract Information) [DoD]
Information provided by or generated for the government under a contract that is not intended for public release. FCI requires basic protection (CMMC Level 1). It is distinct from CUI, which requires the stronger Level 2 controls.
FedRAMP (Federal Risk and Authorization Management Program) [Compliance]
A government-wide program providing a standardized approach to security assessment, authorization, and monitoring for cloud services. Using a FedRAMP Moderate authorized cloud service satisfies many NIST SP 800-171 controls and simplifies CMMC assessment scope.
FIPS 140-2 [Security]
A U.S. government standard for cryptographic modules. NIST SP 800-171 requires FIPS-validated encryption for protecting CUI in transit and at rest. Common algorithms and protocols delivered through FIPS 140-2 validated modules include AES-256 and TLS 1.2+.
FIPS 199 [Security]
"Standards for Security Categorization of Federal Information and Information Systems." Defines three impact levels (low, moderate, high) for confidentiality, integrity, and availability. CUI is categorized as moderate confidentiality, which drives the 800-171 control selection.
Flow-Down [DoD]
The requirement for prime contractors to pass CMMC and DFARS cybersecurity obligations to their subcontractors. If a subcontractor handles CUI, it must meet the same CMMC level as the prime for that information.
G (1 term)
Gap Analysis [Assessment]
A systematic evaluation of the difference between a contractor's current security posture and the requirements of NIST SP 800-171. Gap analysis identifies unimplemented or partially implemented controls and prioritizes remediation by SPRS weight impact.
I (2 terms)
Incident Response Plan [Security]
A documented set of procedures for detecting, responding to, and recovering from security incidents. Required by the NIST SP 800-171 Incident Response (IR) family. Must include preparation, detection, containment, eradication, recovery, and lessons learned phases.
Inherited Control [Compliance]
A security control that is provided by an external entity (e.g., a cloud service provider) rather than implemented directly by the contractor. CSPs on the FedRAMP Moderate baseline satisfy many 800-171 controls, but the contractor remains responsible for documenting the inheritance.
M (1 term)
MFA (Multi-Factor Authentication) [Security]
An authentication method requiring two or more verification factors: something you know (password), something you have (token), or something you are (biometric). Required by NIST SP 800-171 control IA.L2-3.5.3 for all network access to privileged and non-privileged accounts.
N (3 terms)
NIST SP 800-171 [NIST]
"Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." A NIST special publication defining 110 security controls across 14 families. Rev 2 is the current CMMC Level 2 baseline. Rev 3 was published in 2024, but CMMC still references Rev 2.
NIST SP 800-171A [NIST]
"Assessing Security Requirements for CUI." The companion assessment guide to 800-171, defining the 320 assessment objectives that C3PAOs use to evaluate control implementation. Each control has 1-5 objectives, and all must be met.
NIST SP 800-172 [NIST]
"Enhanced Security Requirements for Protecting CUI." Defines 24 additional security controls beyond 800-171 for higher-sensitivity CUI. These form the basis of CMMC Level 3.
O (3 terms)
OSC (Organization Seeking Certification) [Assessment]
The formal term for a contractor undergoing a CMMC assessment. During the assessment process, the C3PAO evaluates the OSC's implementation of NIST SP 800-171 controls within the defined assessment scope.
OSCA (Organization Seeking Certification Assessment) [Assessment]
The formal CMMC assessment engagement between a C3PAO and an OSC. The OSCA process includes pre-assessment planning, on-site/remote evaluation of controls, and final scoring.
OSD (Office of the Secretary of Defense) [DoD]
The principal staff element of the Secretary of Defense. OSD oversees the CMMC program and publishes the CMMC rules under 32 CFR Part 170.
P (3 terms)
POA&M (Plan of Action and Milestones) [Compliance]
A document identifying security controls that are not yet fully implemented and the plan to close each gap. Each POA&M item includes the control ID, planned remediation actions, responsible parties, and target completion dates. Controls with an active POA&M are not deducted from the SPRS score.
Policy Document [Compliance]
A formal statement of management intent that defines the rules and expectations for a specific security domain (e.g., access control, incident response). NIST SP 800-171 requires documented policies for each of the 14 control families.
Prime Contractor [DoD]
A company that holds a direct contract with the DoD. Primes are responsible for flowing down CMMC requirements to their subcontractors and ensuring the entire supply chain meets the required cybersecurity levels.
R (1 term)
Remediation [Compliance]
The process of closing security gaps identified during a gap analysis or assessment. Remediation may include implementing technical controls, writing policies, training personnel, or reconfiguring systems. Effective remediation is prioritized by SPRS weight impact.
S (9 terms)
Scope Determination [Compliance]
The process of identifying all systems, networks, and personnel that process, store, or transmit CUI. Scope determines which assets are subject to CMMC assessment. A smaller scope means fewer controls to implement and less C3PAO assessment time.
Security Control [NIST]
A specific safeguard or countermeasure prescribed by NIST SP 800-171 to protect CUI. Each control has an ID (e.g., AC.L2-3.1.1), a description, and one or more assessment objectives defined in 800-171A.
Self-Assessment [Assessment]
A contractor's own evaluation of its NIST SP 800-171 implementation status. Required under DFARS 252.204-7019 before contract award. The resulting score is submitted to SPRS. CMMC Level 1 and some Level 2 contracts accept self-assessments.
SIEM (Security Information and Event Management) [Security]
A system that collects, correlates, and analyzes security event data from across an organization's IT environment. SIEM supports NIST SP 800-171 audit and accountability controls (AU family) by providing centralized log management and alerting.
SPRS (Supplier Performance Risk System) [Assessment]
A DoD web application where contractors submit their NIST SP 800-171 self-assessment scores. Scores range from -203 (no controls implemented) to 110 (all controls fully implemented). Contracting officers check SPRS before awarding contracts.
SPRS Score [Assessment]
A numerical value from -203 to 110 representing a contractor's NIST SP 800-171 compliance posture. The DoD assigns each of the 110 controls a weight of 1, 3, or 5 points. Fully implemented controls keep their points; unimplemented controls without a POA&M deduct their weight from 110.
SSP (System Security Plan) [Compliance]
A formal document describing how an organization implements each of the 110 NIST SP 800-171 security controls. The SSP defines the system boundary, describes the operating environment, and details each control's implementation. Required for CMMC Level 2 assessment.
System Boundary [Security]
The defined perimeter of all hardware, software, and network components that process, store, or transmit CUI. Everything inside the boundary is in scope for CMMC assessment. Reducing the boundary through enclave architecture lowers compliance cost.
T (1 term)
The Cyber AB [Assessment]
Formerly the CMMC Accreditation Body (CMMC-AB). The sole authorized accreditation body for the CMMC ecosystem. The Cyber AB accredits C3PAOs, certifies individual assessors, and maintains the CMMC marketplace.
U (1 term)
UEI (Unique Entity Identifier) [DoD]
A 12-character alphanumeric identifier assigned by SAM.gov that replaced the DUNS number. Required for all federal contract registrations, SPRS submissions, and CMMC assessment records.
V (1 term)
Vulnerability Scanning [Security]
The automated process of probing systems for known security weaknesses. NIST SP 800-171 control RA.L2-3.11.2 requires scanning for vulnerabilities in organizational systems periodically and when new vulnerabilities are identified.
Z (1 term)
Zero Trust Architecture [Security]
A security model that assumes no user, device, or network is inherently trusted. Every access request is verified regardless of location. While not explicitly required by CMMC Level 2, zero trust principles align with the Access Control (AC) and Identification & Authentication (IA) controls.