CMMC Glossary

The CMMC terms
every DoD contractor should know

Plain-English definitions written by a Lead CMMC Certified Assessor. Bookmark this page — you'll reference it from your first GAP analysis through certification.

CMMCCybersecurity Maturity Model Certification

The Department of Defense's framework for verifying that contractors handling federal information meet required cybersecurity controls. CMMC 2.0 has three levels; Level 2 aligns with all 110 NIST SP 800-171 controls and is required for any contractor handling CUI.

CUIControlled Unclassified Information

Government-created or -owned information that is sensitive but not classified. Under DFARS 252.204-7012, contractors must protect CUI to NIST SP 800-171 standards. Handling CUI is what pushes most contractors to CMMC Level 2.

FCIFederal Contract Information

Information provided by or generated for the government under contract, not intended for public release. Contractors that handle only FCI (no CUI) need CMMC Level 1 — 17 basic safeguards from FAR 52.204-21.

SPRSSupplier Performance Risk System

The DoD system where contractors post their NIST SP 800-171 self-assessment score (–203 to 110). A current SPRS score is a prerequisite for DoD contract award under DFARS 252.204-7019/7020, and misrepresenting it triggers False Claims Act exposure.

SSPSystem Security Plan

The living document that describes your system boundary, how each of the 110 NIST SP 800-171 controls is implemented, who is responsible, and what evidence supports it. A complete, accurate SSP is required — and is the first artifact any assessor asks for.

POA&MPlan of Action & Milestones

A tracked list of unmet controls with owners, remediation steps, and target closure dates. Under CMMC 2.0 a limited POA&M is allowed at Level 2 (only lower-weighted controls, closed within 180 days), and your SPRS score must still meet the minimum threshold at assessment time.

C3PAOCMMC Third-Party Assessor Organization

The Cyber-AB–authorized organization that conducts the official CMMC Level 2 certification assessment resulting in your CMMC status in SPRS. A C3PAO cannot also provide consulting on the same engagement — readiness and certification are separated by design.

RPORegistered Practitioner Organization

A Cyber-AB–listed firm that provides CMMC consulting and readiness services but does not certify. RPOs employ RPs (Registered Practitioners) trained on the CMMC model.

CCPCertified CMMC Professional

An individual credential from the Cyber-AB verifying foundational knowledge of the CMMC model, NIST SP 800-171, and assessment process. Prerequisite for the CCA credential.

CCACertified CMMC Assessor

An individual authorized to serve on a C3PAO assessment team for Level 2. Requires the CCP credential plus additional training, exam, and experience.

LCCALead CMMC Certified Assessor

The senior-level assessor credential authorized to lead a Level 2 certification assessment. LCCAs judge evidence sufficiency and sign off on final scoring. Solnetek is led by an LCCA (Juan Velasquez, LCCA-63045).

DFARSDefense Federal Acquisition Regulation Supplement

The DoD supplement to the FAR. The cybersecurity clauses that matter for CMMC are 252.204-7012 (safeguard CUI + report incidents), 7019 (post SPRS score), 7020 (allow government access), and 7021 (require CMMC certification at contract level).

NIST SP 800-171Protecting CUI in Nonfederal Systems

The 110-control catalog that defines what it means to protect CUI. CMMC Level 2 requires full implementation of all 110 controls across 14 families (Access Control, Awareness & Training, Audit & Accountability, and so on).

NIST SP 800-172Enhanced Security Requirements

A supplemental control set designed to defend against advanced persistent threats. A subset applies at CMMC Level 3, reserved for the highest-priority DoD programs.

Cyber-ABThe CMMC Accreditation Body

The independent body that authorizes and oversees C3PAOs, RPOs, and individual assessor credentials. The Cyber-AB Marketplace is the source of truth for verifying any CMMC service provider.

FCAFalse Claims Act

The federal statute the DOJ's Civil Cyber-Fraud Initiative uses to pursue contractors that misrepresent their cybersecurity posture. Exposure includes treble damages, per-claim penalties, and whistleblower qui tam actions.

Need help applying these to your environment?

Book a free CMMC readiness call with an LCCA and walk out with a clear next step.

Book a Free CMMC Readiness Call