
As with many government programs, CMMC comes with a long list of unique terms and acronyms. This CMMC glossary covers the most important ones for you to know.
The terms here are sorted alphabetically.
32 CFR and 48 CFR
Citations from the Code of Federal Regulations.
- 32 CFR establishes the CMMC program and related security requirements.
- 48 CFR integrates those requirements into federal acquisition rules so that compliance becomes part of contract law.
Assessment
The evaluation performed by a Certified Third-Party Assessment Organization (C3PAO) that has been formally authorized under the CMMC ecosystem. During this process, the C3PAO conducts an objective review of the contractor’s systems, documentation, and security practices to verify full and proper implementation of all required controls. The assessment results in an official CMMC certification decision, which is recorded in the CMMC Enterprise Mission Assurance Support System (eMASS) and used by the DoD to determine eligibility for contract award and continued performance.
C3PAO – Certified Third-Party Assessor Organization
An accredited external organization authorized by the Cyber AB (formerly the CMMC Accreditation Body) to conduct official CMMC Level 2 and Level 3 assessments.
CMMC – Cybersecurity Maturity Model Certification
The Department of Defense’s standardized framework for measuring and certifying the cybersecurity posture of companies in the Defense Industrial Base (DIB). It ensures that contractors and subcontractors handling government information maintain consistent and verified security practices.
CUI – Controlled Unclassified Information
Sensitive information that requires safeguarding but is not classified. Examples include technical drawings, system specifications, or project documentation shared with defense partners. Handling CUI triggers CMMC Level 2 or higher obligations.
The Cyber AB (Accreditation Body)
The nonprofit organization authorized by the DoD to manage CMMC assessments and oversee the accreditation of assessors (C3PAOs) and training providers.
DFARS – Defense Federal Acquisition Regulation Supplement
The DoD’s specific supplement to the Federal Acquisition Regulation (FAR). It adds clauses and conditions unique to defense contracts, including cybersecurity and CMMC requirements.
DIB – Defense Industrial Base
The ecosystem of commercial organizations that help the U.S. military design, build, secure, and sustain its systems and capabilities.
FCI – Federal Contract Information
Information that is not intended for public release and is provided or generated under a contract with the government to develop or deliver a product or service. FCI typically applies to CMMC Level 1 requirements.
NIST SP 800-171
A set of cybersecurity controls published by the National Institute of Standards and Technology (NIST) that outlines how to protect CUI in non-federal systems. CMMC Level 2 directly aligns with these controls.
POA&M – Plan of Action and Milestones
A living document that tracks any gaps identified in your security program and the plan for closing them. It demonstrates accountability and progress toward compliance.
Prime Contractor
A company that holds a direct contract with the Department of Defense. The prime is responsible for ensuring that its subcontractors comply with CMMC and other DFARS requirements.
Scope
The defined boundary of systems, processes, and people included in your CMMC certification. Scope determines what must meet CMMC requirements and what can be excluded. Properly defining scope is one of the most critical steps in compliance planning.
Self-Assessment
An internal evaluation performed either by the organization itself or with the assistance of an external consulting firm that helps prepare the organization for compliance. It is not performed by a Certified Third-Party Assessment Organization (C3PAO) and does not result in a certification. Instead, the company reviews each required control, documents its level of implementation, calculates the appropriate score, and submits the results to the Supplier Performance Risk System (SPRS) as an attestation of its own compliance.
SSP – System Security Plan
A document describing how your organization implements each required control, the systems in scope, and how those systems are secured and maintained. It is a core artifact required for CMMC and NIST 800-171 compliance.
Subcontractor (or “Sub”)
A company that performs work for a prime contractor under a DoD contract. Subcontractors may be required by their primes to meet CMMC standards, even if they do not handle CUI directly.