CMMC Terms Glossary
A practical reference for key CMMC terms, DoD compliance language, and defense-contractor security concepts.
35 terms across 6 categories
Core Framework
CMMC (Cybersecurity Maturity Model Certification)
Department of Defense framework that verifies implementation of cybersecurity controls and processes across the Defense Industrial Base.
DIB (Defense Industrial Base)
Network of DoD contractors, subcontractors, and suppliers responsible for providing products and services to support military operations.
CUI (Controlled Unclassified Information)
Sensitive government information that requires protection but is not classified. Handling CUI requires CMMC Level 2 or higher.
FCI (Federal Contract Information)
Information provided to contractors by or on behalf of the government that requires basic protection (CMMC Level 1).
C3PAO (CMMC Third Party Assessment Organization)
Authorized organizations that conduct CMMC assessments and certifications for defense contractors.
CCA (CMMC Certified Assessor)
Individual certified to conduct CMMC assessments at specific levels. Must be employed by a C3PAO.
CCP (CMMC Certified Professional)
Individual certified to assist organizations in preparing for CMMC assessments and implementing required practices.
CMMC Levels
CMMC Level 1 (Basic Cyber Hygiene)
Entry level requiring 17 basic cybersecurity practices to protect Federal Contract Information (FCI).
CMMC Level 2 (Advanced Cyber Hygiene)
Intermediate level requiring 110 practices aligned with NIST SP 800-171 to protect Controlled Unclassified Information (CUI).
CMMC Level 3 (Expert Cyber Hygiene)
Advanced level requiring 110+ practices with additional requirements for advanced persistent threats (APTs).
Assessment Types
Self-Assessment
Organization evaluates its own compliance with CMMC requirements. Required for Level 1 and some Level 2 contracts.
Third-Party Assessment
Independent evaluation by a certified C3PAO. Required for most Level 2 and all Level 3 certifications.
Standards
NIST SP 800-171
NIST Special Publication providing guidelines for protecting CUI in non-federal systems. Foundation for CMMC Level 2.
NIST SP 800-172
Enhanced security requirements for protecting CUI; forms the basis for the additional CMMC Level 3 requirements.
DFARS (Defense Federal Acquisition Regulation Supplement)
DoD procurement regulations that include cybersecurity requirements for contractors handling CUI.
Security Domains
Access Control (AC)
CMMC domain focused on limiting system access to authorized users, processes, and devices.
Asset Management (AM)
CMMC domain focused on identifying, documenting, and managing organizational assets including systems and data.
Audit and Accountability (AU)
CMMC domain focused on creating, protecting, and retaining audit logs to enable monitoring and investigation.
Configuration Management (CM)
CMMC domain focused on establishing and maintaining system configurations and controlling changes.
Identification and Authentication (IA)
CMMC domain focused on verifying identities of users, processes, and devices accessing systems.
Incident Response (IR)
CMMC domain focused on establishing processes to detect, analyze, contain, and respond to security incidents.
Maintenance (MA)
CMMC domain focused on performing periodic and timely maintenance on systems and controlling maintenance activities.
Media Protection (MP)
CMMC domain focused on protecting digital and non-digital media containing CUI during transport and storage.
Personnel Security (PS)
CMMC domain focused on ensuring individuals accessing systems are trustworthy and meet security requirements.
Physical Protection (PE)
CMMC domain focused on limiting physical access to systems, equipment, and operating environments.
Recovery (RE)
CMMC domain focused on restoring systems and data after disruptions while maintaining security controls.
Risk Management (RM)
CMMC domain focused on identifying, assessing, and responding to organizational risk from cybersecurity threats.
Security Assessment (CA)
CMMC domain focused on developing plans to assess security controls and remediate deficiencies.
Situational Awareness (SA)
CMMC domain focused on identifying cybersecurity events and understanding their potential impact.
System and Communications Protection (SC)
CMMC domain focused on monitoring, controlling, and protecting communications and system boundaries.
System and Information Integrity (SI)
CMMC domain focused on identifying, reporting, and correcting system flaws and malicious code.
Implementation
POA&M (Plan of Action and Milestones)
Document identifying the specific actions needed to correct deficiencies and reduce security risks, along with the timeline and resources for each.
SSP (System Security Plan)
Document describing the security controls in place or planned for a system and how those controls meet the security requirements.
SPRS (Supplier Performance Risk System)
DoD database where contractors submit self-assessments of NIST SP 800-171 compliance scores.
OSC (Other Service Costs)
CMMC program costs that may be reimbursable under government contracts, including assessment and remediation expenses.