CMMC Glossary
The CMMC terms
every DoD contractor should know
Plain-English definitions written by a Lead CMMC Certified Assessor. Bookmark this page — you'll reference it from your first GAP analysis through certification.
CMMCCybersecurity Maturity Model Certification
- The Department of Defense's framework for verifying that contractors handling federal information meet required cybersecurity controls. CMMC 2.0 has three levels; Level 2 aligns with all 110 NIST SP 800-171 controls and is required for any contractor handling CUI.
CUIControlled Unclassified Information
- Government-created or -owned information that is sensitive but not classified. Under DFARS 252.204-7012, contractors must protect CUI to NIST SP 800-171 standards. Handling CUI is what pushes most contractors to CMMC Level 2.
FCIFederal Contract Information
- Information provided by or generated for the government under contract, not intended for public release. Contractors that handle only FCI (no CUI) need CMMC Level 1 — 17 basic safeguards from FAR 52.204-21.
SPRSSupplier Performance Risk System
- The DoD system where contractors post their NIST SP 800-171 self-assessment score (–203 to 110). A current SPRS score is a prerequisite for DoD contract award under DFARS 252.204-7019/7020, and misrepresenting it triggers False Claims Act exposure.
SSPSystem Security Plan
- The living document that describes your system boundary, how each of the 110 NIST SP 800-171 controls is implemented, who is responsible, and what evidence supports it. A complete, accurate SSP is required — and is the first artifact any assessor asks for.
POA&MPlan of Action & Milestones
- A tracked list of unmet controls with owners, remediation steps, and target closure dates. Under CMMC 2.0 a limited POA&M is allowed at Level 2 (only lower-weighted controls, closed within 180 days), and your SPRS score must still meet the minimum threshold at assessment time.
C3PAOCMMC Third-Party Assessor Organization
- The Cyber-AB–authorized organization that conducts the official CMMC Level 2 certification assessment resulting in your CMMC status in SPRS. A C3PAO cannot also provide consulting on the same engagement — readiness and certification are separated by design.
RPORegistered Practitioner Organization
- A Cyber-AB–listed firm that provides CMMC consulting and readiness services but does not certify. RPOs employ RPs (Registered Practitioners) trained on the CMMC model.
CCPCertified CMMC Professional
- An individual credential from the Cyber-AB verifying foundational knowledge of the CMMC model, NIST SP 800-171, and assessment process. Prerequisite for the CCA credential.
CCACertified CMMC Assessor
- An individual authorized to serve on a C3PAO assessment team for Level 2. Requires the CCP credential plus additional training, exam, and experience.
LCCALead CMMC Certified Assessor
- The senior-level assessor credential authorized to lead a Level 2 certification assessment. LCCAs judge evidence sufficiency and sign off on final scoring. Solnetek is led by an LCCA (Juan Velasquez, LCCA-63045).
DFARSDefense Federal Acquisition Regulation Supplement
- The DoD supplement to the FAR. The cybersecurity clauses that matter for CMMC are 252.204-7012 (safeguard CUI + report incidents), 7019 (post SPRS score), 7020 (allow government access), and 7021 (require CMMC certification at contract level).
NIST SP 800-171Protecting CUI in Nonfederal Systems
- The 110-control catalog that defines what it means to protect CUI. CMMC Level 2 requires full implementation of all 110 controls across 14 families (Access Control, Awareness & Training, Audit & Accountability, and so on).
NIST SP 800-172Enhanced Security Requirements
- A supplemental control set designed to defend against advanced persistent threats. A subset applies at CMMC Level 3, reserved for the highest-priority DoD programs.
Cyber-ABThe CMMC Accreditation Body
- The independent body that authorizes and oversees C3PAOs, RPOs, and individual assessor credentials. The Cyber-AB Marketplace is the source of truth for verifying any CMMC service provider.
FCAFalse Claims Act
- The federal statute the DOJ's Civil Cyber-Fraud Initiative uses to pursue contractors that misrepresent their cybersecurity posture. Exposure includes treble damages, per-claim penalties, and whistleblower qui tam actions.
Need help applying these to your environment?
Book a free CMMC readiness call with an LCCA and walk out with a clear next step.
Book a Free CMMC Readiness Call