Reference

CMMC glossary — terms, acronyms, definitions.

Plain-English definitions for the terminology that comes up in CMMC documentation work. Maintained as a reference, not marketing copy. Linked from the rest of the site whenever a term first appears.

Most CMMC literature is written for people who already know the terminology. This glossary is the opposite: short, plain definitions for the words a compliance manager actually has to translate for their team. If something is missing or wrong, tell us.

CMMC (Cybersecurity Maturity Model Certification)
A Department of Defense program that requires defense contractors to certify a defined cybersecurity posture as a condition of contract award. Three levels of increasing rigor — Level 1 protects FCI, Level 2 protects CUI, Level 3 addresses advanced threats.
CMMC Level 1
Protects Federal Contract Information (FCI). 17 basic safeguarding controls drawn from FAR 52.204-21. Annual self-attestation; no third-party assessment required.
CMMC Level 2
Protects Controlled Unclassified Information (CUI). 110 controls from NIST SP 800-171. For most contractors, requires a C3PAO-led assessment every three years. The level where Poliato's documentation matters most.
CMMC Level 3
Protects against advanced persistent threats (APTs). Adds a subset of NIST SP 800-172 controls on top of Level 2. Government-led assessment. Rare — limited to contractors handling the most sensitive CUI.
NIST SP 800-171
The National Institute of Standards and Technology publication that defines 110 security requirements for protecting CUI in non-federal systems. The technical backbone of CMMC Level 2.
NIST SP 800-172
Enhanced security requirements for protecting CUI against advanced persistent threats. A subset is incorporated into CMMC Level 3.
CUI (Controlled Unclassified Information)
Government information that is not classified but requires safeguarding under applicable laws and policies. Subject to the categories listed in the CUI Registry. Handling CUI is what triggers a CMMC Level 2 requirement.
FCI (Federal Contract Information)
Information not intended for public release, provided by or generated for the government under a contract to develop or deliver a product or service. Handling FCI but not CUI puts a contractor at CMMC Level 1.
C3PAO (CMMC Third-Party Assessment Organization)
An organization authorized by the Cyber AB to conduct CMMC Level 2 assessments. C3PAOs employ Certified CMMC Assessors who perform the formal evaluation.
CCA (Certified CMMC Assessor)
An individual credentialed by the Cyber AB to perform CMMC assessments under a C3PAO. Poliato's policy library is authored and validated by CCAs.
CCP (Certified CMMC Professional)
An individual credentialed to advise on CMMC readiness but not (yet) authorized to perform formal assessments. Commonly the role of a CMMC consultant.
RPO (Registered Practitioner Organization)
An organization authorized to deliver CMMC consulting services through credentialed Registered Practitioners (RPs). RPOs prepare contractors for assessment; they do not perform the formal assessment itself.
POA&M (Plan of Action and Milestones)
A formal document tracking outstanding security gaps and the schedule for remediating them. CMMC permits limited use of POA&Ms for some controls at assessment, with closure required within a defined window.
SSP (System Security Plan)
A document describing the system in scope for CMMC — boundary, components, data flows, and how each NIST 800-171 control is implemented. The SSP is the single most reviewed document in any CMMC assessment.
SPRS (Supplier Performance Risk System)
A DoD information system where defense contractors submit their self-assessed NIST 800-171 score. Required for contracts subject to DFARS 252.204-7019/7020.
DFARS 252.204-7012
Defense Federal Acquisition Regulation Supplement clause that requires contractors handling CUI to implement NIST SP 800-171 and to report cyber incidents to DoD within 72 hours.
DFARS 252.204-7019
Requires contractors handling CUI to perform a NIST 800-171 self-assessment, score it using the DoD Assessment Methodology, and post the score to SPRS before contract award.
DFARS 252.204-7020
Authorizes DoD to perform medium- or high-assurance assessments of a contractor's NIST 800-171 implementation. The basis for DIBCAC assessments.
DFARS 252.204-7021
The CMMC clause itself. Requires contractors to maintain the CMMC level specified in the contract throughout performance and to flow the requirement down to applicable subcontractors.
DIBCAC (Defense Industrial Base Cybersecurity Assessment Center)
The DoD organization that conducts high-assurance assessments of contractor cybersecurity programs under DFARS 252.204-7020. Distinct from C3PAO-led CMMC assessments.
Cyber AB
The CMMC Accreditation Body (formerly CMMC-AB). The non-government organization that authorizes C3PAOs, RPOs, and individual assessor credentials.
Compliance Boundary
The defined perimeter of systems, users, and data that the CMMC assessment will examine. Setting a tight, accurate boundary is one of the highest-leverage decisions in any CMMC engagement — a sloppy boundary multiplies the work and the cost.
Enclave
A logically or physically separated environment used to isolate CUI from the rest of an organization's network. A common CMMC strategy: handle CUI inside an enclave and keep the rest of the business out of CMMC scope.
Asset
In CMMC, anything that processes, stores, or transmits CUI — or that protects something that does. The CMMC Scoping Guide categorizes assets into types (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, etc.).
Policy Acknowledgement
A timestamped record that a specific individual read and agreed to a specific version of a policy. CMMC requires evidence of personnel acknowledgement; Poliato treats this as a first-class workflow with C3PAO-defensible reporting.
Tabletop Exercise
A facilitated walkthrough of how an organization would respond to a security incident scenario. CMMC effectively requires periodic incident-response rehearsal. Poliato runs guided tabletops with NIST scenarios, automated transcription, and an exercise artifact for the audit binder.
Annual Review
A scheduled re-examination of each policy to verify it still reflects the current environment and to record the review outcome. Most CMMC policy controls require periodic review — typically annually — with documented evidence.
CUI Spillage
An incident where CUI is transmitted, stored, or processed in a system not authorized to handle it. Spillage is a reportable event under DFARS 252.204-7012 and triggers mandatory containment and notification workflows.
Conditional Acceptance
An outcome where a contractor passes a CMMC assessment with limited open POA&M items. The contractor is conditionally certified pending closure of the items within the allowed timeframe (typically 180 days).
Flow-Down
The CMMC requirement to impose equivalent cybersecurity obligations on subcontractors that handle the same FCI or CUI. The prime contractor is responsible for verifying subcontractor compliance — which is what Poliato's subcontractor portal addresses.