<!-- Markdown mirror of https://eagleridge.io/glossary -->

# Glossary | Eagle Ridge Advisory

Plain-language definitions of the CMMC, NIST 800-171, and cybersecurity compliance terms we use across this site and in client work. Written for small defense contractors and the buyers evaluating them.

## CMMC core

CMMC (Cybersecurity Maturity Model Certification)
:   The U.S. Department of Defense program that verifies a contractor's cybersecurity practices before it can handle sensitive defense information. Required across the defense supply chain under the CMMC 2.0 framework.

CMMC Level 1
:   The baseline tier: 15 basic safeguarding requirements (drawn from FAR 52.204-21) for companies handling only Federal Contract Information (FCI). Met through an annual self-assessment and an annual affirmation by a senior company official.

CMMC Level 2
:   The tier for companies handling Controlled Unclassified Information (CUI): the 110 security requirements of NIST SP 800-171. Most contracts require a third-party (C3PAO) assessment every three years, with an annual affirmation in between; a smaller set of contracts allows a Level 2 self-assessment on the same cycle.

CMMC Level 3
:   The highest tier, adding 24 requirements selected from NIST SP 800-172 for the most sensitive programs. Requires a Final Level 2 certification first and is assessed by the government (DCMA's DIBCAC) rather than a C3PAO.

## Information types

CUI (Controlled Unclassified Information)
:   Government information that is sensitive but not classified — for example technical drawings, specifications, or program data. Handling CUI triggers CMMC Level 2 obligations.

FCI (Federal Contract Information)
:   Information provided by or generated for the government under a contract that is not intended for public release. It excludes information the government itself releases publicly and simple transactional data such as invoices and payment notices. Handling FCI triggers CMMC Level 1.

SPD (Security Protection Data)
:   Data stored or processed by the assets that protect the CUI environment (the CMMC rule calls these Security Protection Assets). Examples: the configuration of a firewall or SIEM, the log data it generates or ingests, vulnerability scan results for in-scope systems, and credentials that grant access to the environment. SPD is in scope for assessment even though it is not CUI, which matters whenever an external tool, MSP, or AI system touches the protected environment.

## Standards and regulations

NIST SP 800-171
:   The catalog of 110 security requirements for protecting CUI in non-federal systems. CMMC Level 2 is built on Revision 2 of this publication (Revision 3 has a different requirement count and is not yet the CMMC baseline), and the SPRS scoring methodology is keyed to the same 110 requirements.

NIST SP 800-53
:   The broader federal control catalog used by government systems and FedRAMP. NIST 800-171 is derived from a subset of these controls.

DFARS 252.204-7012
:   The contract clause requiring contractors to safeguard covered defense information (the DoD term for CUI on contractor systems) by implementing NIST SP 800-171, to report cyber incidents to DoD within 72 hours of discovery, and to preserve images of affected systems and relevant logs for at least 90 days. It also requires any cloud service that stores or processes covered defense information to meet the FedRAMP Moderate baseline or an equivalent.

DFARS 252.204-7019 / 7020
:   Clauses requiring contractors to have a current NIST 800-171 self-assessment score (no more than three years old) posted in SPRS before award (7019), and to give the government access to facilities, systems, and personnel for its own Medium or High assessment and to flow the requirement down to subcontractors (7020).

DFARS 252.204-7021
:   The clause that makes CMMC certification a condition of contract award once the program is fully phased in.

## Assessment and evidence

C3PAO (CMMC Third-Party Assessment Organization)
:   An organization authorized by the Cyber AB to conduct official CMMC Level 2 assessments. A C3PAO assesses and issues the certification; it does not perform the readiness work that precedes the assessment, and the conflict-of-interest rules bar it from consulting for an organization it later assesses.

SSP (System Security Plan)
:   The document describing how an organization meets each of the 110 requirements — system boundary, responsibilities, and implementation detail. The central artifact in any assessment.

POA&M (Plan of Action and Milestones)
:   A tracked list of unmet requirements with remediation steps and dates. Under CMMC Level 2 a POA&M is allowed only if the assessment score is at least 88 out of 110, only 1-point requirements may be left open (with a narrow exception for the FIPS-validated encryption requirement), and every open item must be closed and verified within 180 days or the certification lapses. Level 1 permits no POA&M at all.

SPRS (Supplier Performance Risk System)
:   The DoD system where contractors post their NIST 800-171 self-assessment score. The official DoD Assessment Methodology starts at 110 and subtracts 1, 3, or 5 points for each requirement not fully implemented, weighted by impact, so the score can fall well below zero.

Conditional vs. Final certification
:   A Conditional status is granted when an organization meets the score threshold but still has POA&M-eligible items open; Final status is granted once those items are closed and verified by a closeout assessment within the 180-day window. Miss the window and the Conditional status expires rather than converting.

## Adjacent frameworks

SOC 2
:   An attestation report, issued by a CPA firm under the AICPA Trust Services Criteria, on a service organization's controls for security, availability, and related criteria. Common for SaaS vendors and often requested in commercial due diligence; it is not a substitute for a CMMC assessment.

ISO 27001
:   An international standard for an Information Security Management System (ISMS), certified by an accredited body.

FedRAMP
:   The U.S. government program standardizing security assessment and authorization for cloud services sold to federal agencies. Relevant to small contractors because DFARS 7012 requires cloud services that hold covered defense information to meet the FedRAMP Moderate baseline or an equivalent.

DIB (Defense Industrial Base)
:   The network of companies that supply the U.S. military — from primes to the small contractors several tiers down who are most affected by CMMC.

RPO / RP (Registered Provider Organization / Registered Practitioner)
:   Advisors authorized by the Cyber AB to provide CMMC readiness consulting (not assessment). Eagle Ridge operates in the readiness lane.
