Glossary

Plain-language definitions of the CMMC, NIST 800-171, and cybersecurity compliance terms we use across this site and in client work. Written for small defense contractors and the buyers evaluating them.

CMMC core

CMMC (Cybersecurity Maturity Model Certification)
The U.S. Department of Defense program that verifies a contractor's cybersecurity practices before it can handle sensitive defense information. Required across the defense supply chain under the CMMC 2.0 framework.
CMMC Level 1
The baseline tier: 15 basic safeguarding requirements for companies handling only Federal Contract Information (FCI). Met through annual self-assessment.
CMMC Level 2
The tier for companies handling Controlled Unclassified Information (CUI): the 110 security requirements of NIST SP 800-171. Most contracts require a third-party (C3PAO) assessment every three years.
CMMC Level 3
The highest tier, adding requirements from NIST SP 800-172 for the most sensitive programs. Assessed by the government (DIBCAC).

Information types

CUI (Controlled Unclassified Information)
Government information that is sensitive but not classified — for example technical drawings, specifications, or program data. Handling CUI triggers CMMC Level 2 obligations.
FCI (Federal Contract Information)
Information provided by or generated for the government under a contract that is not intended for public release. Handling FCI triggers CMMC Level 1.
SPD (Security Protection Data)
Configuration and security data about the systems that protect CUI — for example log data, vulnerability scan results, or encryption settings. Increasingly relevant when external tools or AI systems touch the protected environment.

Standards and regulations

NIST SP 800-171
The catalog of 110 security requirements protecting CUI in non-federal systems. It is the technical backbone of CMMC Level 2.
NIST SP 800-53
The broader federal control catalog used by government systems and FedRAMP. NIST 800-171 is derived from a subset of these controls.
DFARS 252.204-7012
The contract clause requiring contractors to safeguard covered defense information and report cyber incidents within 72 hours.
DFARS 252.204-7019 / 7020
Clauses requiring contractors to post a current NIST 800-171 self-assessment score in SPRS (7019) and to allow government verification (7020).
DFARS 252.204-7021
The clause that makes CMMC certification a condition of contract award once the program is fully phased in.

Assessment and evidence

C3PAO (Certified Third-Party Assessment Organization)
An organization authorized by the Cyber AB to conduct official CMMC Level 2 assessments. A C3PAO certifies; it does not perform the readiness work that precedes the assessment.
SSP (System Security Plan)
The document describing how an organization meets each of the 110 requirements — system boundary, responsibilities, and implementation detail. The central artifact in any assessment.
POA&M (Plan of Action and Milestones)
A tracked list of unmet requirements with remediation steps and dates. Under CMMC, only a limited set of lower-weight controls is POA&M-eligible, and those items must be closed within 180 days.
SPRS (Supplier Performance Risk System)
The DoD system where contractors post their NIST 800-171 self-assessment score (out of a maximum of 110, using the official weighted methodology).
Conditional vs. Final certification
A Conditional status is granted when an organization meets the score threshold but still has open POA&M items; Final status is granted once those items are closed and verified.

Adjacent frameworks

SOC 2
An attestation report on a service organization's controls for security, availability, and related criteria — common for SaaS vendors and often requested in commercial due diligence.
ISO 27001
An international standard for an Information Security Management System (ISMS), certified by an accredited body.
FedRAMP
The U.S. government program standardizing security assessment and authorization for cloud services sold to federal agencies.
DIB (Defense Industrial Base)
The network of companies that supply the U.S. military — from primes to the small contractors several tiers down that are most affected by CMMC.
RPO / RP (Registered Provider Organization / Registered Practitioner)
Advisors authorized by the Cyber AB to provide CMMC readiness consulting (not assessment). Eagle Ridge operates in the readiness lane.