CMMC Terminology: Key Terms and Definitions

April 15, 2026

The CMMC ecosystem uses specific terminology defined by the DoD and the Cyber AB. This reference covers the key roles, designations, and concepts you'll encounter during the certification process.

A

Accreditation

The process by which the Cyber AB issues a certificate of accreditation to an entity that has demonstrated it meets the requirements to operate within the CMMC ecosystem.

Accreditation Body Board of Directors

The governing body of the Cyber AB. Directors are responsible for overseeing the organization's activities, meeting periodically to discuss and vote on the affairs of the organization, and focusing on the mission, strategy, and goals as defined in the bylaws.

Advisory Councils

Groups that operate at the discretion of, but independently from, the Cyber AB board. They inform and advise the board from the perspective of their membership. Advisory council leaders participate in the board as non-voting members.

Affiliates

Business concerns, organizations, or individuals that control each other or that are controlled by a common third party. Control may consist of shared management or ownership, common use of facilities or employees, or family interest.

Assessment

A formal process of evaluating the implementation and reliable use of security controls using interviews, document reviews, and observations. In the context of CMMC, assessments are performed against the requirements set forth in the CMMC framework for the OSC's desired level.

Assessment Appeals Process

A formal process managed by the Cyber AB to seek resolution of a disagreement regarding an assessment result.

Assessment Objective

As defined in 32 CFR § 170.4, a set of determination statements that, taken together, expresses the desired outcome for the assessment of a security requirement. Successful implementation requires meeting all applicable assessment objectives defined in NIST SP 800-171A.

Assessment Scope

The defined boundary of an OSA's environment that will be assessed against CMMC security requirements. The scope includes all assets that process, store, or transmit CUI or FCI, as well as security protection assets and contractor risk-managed assets that support or connect to those systems.

C

CAICO (CMMC Accreditation and Instructor Certification Organization)

The entity authorized by the Cyber AB to develop and manage certification programs for CMMC instructors and training materials. The CAICO approves training content and oversees the credentialing of CMMC Certified Instructors.

CAICO Approved Training Materials (CATM)

Training content developed by a Licensed Publishing Partner and approved by the CAICO. CATM is used by Licensed Training Providers to deliver official CMMC training.

C3PAO (CMMC 3rd Party Assessment Organization)

An entity certified by the Cyber AB to conduct official CMMC Level 2 certification assessments. C3PAOs may also provide consultative services to help contractors prepare for assessment, though assessors may not consult on an environment they will later assess.

Certificate

A record issued to an OSC upon successful completion of an assessment, evidencing the CMMC level against which the OSC has been successfully assessed.

Certification

The process of receiving a certificate upon successful completion of all requirements mandated for earning a specified CMMC level.

CCA (CMMC Certified Assessor)

A person who has successfully completed all certification program requirements for becoming a Level 2 CMMC assessor. A Provisional Assessor becomes a CCP and then a CCA by passing the associated certification exams.

CCI (CMMC Certified Instructor)

A person who has successfully completed all certification program requirements for becoming a CMMC instructor, authorized to teach official CMMC training curricula.

CCP (CMMC Certified Professional)

A person who has successfully completed all certification program requirements for becoming a Level 1 CMMC assessor. This credential is a prerequisite for advancing to the CCA designation.

CMMC (Cybersecurity Maturity Model Certification)

A framework established by the DoD to verify that defense contractors have implemented required cybersecurity practices to protect FCI and CUI. CMMC defines three levels of requirements, with Level 1 covering basic cyber hygiene and Level 3 representing advanced protections assessed by DIBCAC.

CMMC Assessment Process (CAP)

The procedures and guidance document that C3PAOs follow when conducting official CMMC assessments of organizations seeking certification.

CMMC Certified Organization

An organization whose cybersecurity program has received a CMMC Certificate from the Cyber AB following a successful assessment.

CMMC eMASS

The Enterprise Mission Assurance Support System used by the DoD to record and track CMMC assessment results, POA&M status, and certification status for OSCs. Assessment findings are officially stored and finalized in eMASS.

CMMC Status

As defined in 32 CFR § 170.4, the result of meeting or exceeding the minimum required score for the corresponding assessment. An OSC's CMMC Status is officially stored in SPRS and, if assessed by a C3PAO or DIBCAC, is also issued on a Certificate of CMMC Status.

CMMC Unique Identifier (UID)

A unique identifier assigned to a specific CMMC assessment scope within SPRS. CAGE codes are used for metrics purposes and to enforce authorized data access in SPRS, but the UID identifies the scope tied to a specific assessment.

Code of Professional Conduct (CoPC)

The performance standards by which roles in the CMMC ecosystem are held accountable, along with the procedures for addressing violations of those standards.

Conditional CMMC Status

A temporary certification status granted when an OSC completes an assessment with one or more non-critical requirements marked NOT MET and documented in a POA&M. The OSC has 180 days to close out the POA&M and achieve Final CMMC Status, or the Conditional Status expires.

Contractor Risk Managed Assets (CRMA)

Assets that can, but are not intended to, process, store, or transmit CUI. These assets are included in the CMMC Assessment Scope, and the contractor must document and manage the risk associated with them through the SSP.

Cloud Service Provider (CSP)

A vendor that delivers computing services over the internet, including storage, processing, and networking. When a CSP handles CUI on behalf of an OSC, its services become part of the CMMC Assessment Scope and must meet applicable CMMC requirements or be covered by a FedRAMP authorization.

CUI (Controlled Unclassified Information)

Information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy, but that has not been classified under Executive Order 13526 or the Atomic Energy Act. CUI protection is a core driver of CMMC Level 2 requirements.

Cyber AB

The official accreditation body for the CMMC ecosystem, formerly known as the CMMC Accreditation Body. The Cyber AB authorizes and oversees C3PAOs, RPOs, and individual credentialed practitioners, and manages the marketplace of accredited organizations.

D

DCMA (Defense Contract Management Agency)

The DoD agency responsible for administering defense contracts, including oversight of contractor performance and compliance. DCMA houses DIBCAC, which conducts Level 3 CMMC assessments.

DFARS (Defense Federal Acquisition Regulation Supplement)

A set of regulations that supplement the Federal Acquisition Regulation (FAR) for DoD contracts. Key DFARS clauses related to cybersecurity include 252.204-7012, which requires safeguarding of CUI and cyber incident reporting, and 252.204-7021, which implements CMMC requirements in contracts.

DIB (Defense Industrial Base)

The worldwide industrial complex that enables research, development, design, production, and maintenance of military weapons systems and components. DIB contractors are the primary audience for CMMC requirements.

DIBCAC (Defense Industrial Base Cybersecurity Assessment Center)

A component of DCMA that conducts official CMMC Level 3 certification assessments on behalf of the DoD. DIBCAC assessments apply to contractors handling the most sensitive CUI under Level 3 requirements.

Digital Signature

An electronic file used to authenticate other electronic files and to encrypt files at rest or in transit. Digital signatures are relevant in the CMMC context for verifying the authenticity of assessment documentation and affirmations.

E

Enclave

A defined, isolated segment of an IT environment with controlled access and specific security controls applied. In CMMC, a CUI enclave is a common scoping strategy in which an organization restricts CUI to a bounded environment to limit the assessment scope.

Enduring Exception

A condition in which a CMMC security requirement cannot be implemented and no alternative solution is feasible. Enduring exceptions must be documented in the SSP and approved through appropriate channels; unlike POA&M items, they are not expected to be resolved within a fixed timeframe.

ESP (External Service Provider)

External people, technology, or facilities that an OSA uses to meet security requirements, including cloud service providers, managed service providers, managed security service providers, and cybersecurity-as-a-service providers. ESPs that handle CUI or provide security protection functions are part of the CMMC Assessment Scope.

F

FCI (Federal Contract Information)

Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. FCI protection is required at CMMC Level 1. It does not include information provided to the public or simple transactional data such as payment processing records.

FedRAMP (Federal Risk and Authorization Management Program)

A government-wide program that provides a standardized approach to security assessment and authorization for cloud services used by federal agencies. In the CMMC context, cloud service providers handling CUI are generally expected to hold a FedRAMP authorization at the Moderate or High baseline.

Final CMMC Status

The certification status achieved when an OSC meets all applicable CMMC requirements with no open POA&M items. Final Status may follow an initial assessment with no deficiencies, or may be earned after a successful POA&M closeout assessment within the 180-day remediation window.

I

Information System (IS)

As defined in NIST SP 800-171, a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. In CMMC, the boundary of an information system is a key factor in scoping an assessment.

L

LPP (Licensed Publishing Partner)

An entity authorized by the CAICO to develop official CMMC training curriculum used by Licensed Training Providers.

LTP (Licensed Training Provider)

An entity authorized to deliver official CMMC training to individuals seeking CCP, CCA, or CCI credentials.

M

MSP (Managed Service Provider)

A third-party company that manages a customer's IT infrastructure and end-user systems. In the CMMC context, MSPs that process, store, or transmit CUI on behalf of an OSA, or that provide security protection functions, are considered External Service Providers and fall within the CMMC Assessment Scope.

MSSP (Managed Security Service Provider)

A provider that delivers outsourced monitoring and management of security systems and functions, often operating a Security Operations Center on behalf of clients. MSSPs serving defense contractors are Security Protection Assets within the CMMC Assessment Scope and are assessed against applicable Level 2 requirements.

N

NIST SP 800-171

A NIST publication titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." CMMC Level 2 requirements map directly to the 110 security requirements in NIST SP 800-171 Rev 2, assessed using the companion document NIST SP 800-171A. NIST finalized Revision 3 in May 2024, which reorganizes controls and reduces the total count to 97. However, the DoD issued a class deviation (2023-O0006) locking all CMMC assessments, SPRS scoring, and DFARS 252.204-7012 compliance to Rev 2 until new rulemaking formally incorporates Rev 3. Contractors should build and document their programs against Rev 2. The DoD's April 2025 memo defining organization-defined parameter values for Rev 3 is a signal that a transition is being planned, but no timeline for formal adoption has been announced.

NIST SP 800-172

An enhancement to NIST SP 800-171 providing additional security requirements for protecting CUI associated with critical programs or high-value assets. CMMC Level 3 draws on a subset of 800-172 requirements on top of the full 800-171 baseline.

O

OPA (Operational Plan of Action)

Measures implemented to manage risks or vulnerabilities on an ongoing basis, such as applying patches, addressing temporary deficiencies, or performing routine system maintenance. OPAs are not tied to a specific timeline for completion and are used to address vulnerabilities that arise after initial implementation. OPAs are distinct from POA&M items, which have a defined remediation deadline tied to certification status.

OSA (Organization Seeking Assessment)

The organization undergoing a CMMC assessment. OSA is the broader term used in official CMMC documentation and encompasses both self-assessments and third-party certification assessments.

OSC (Organization Seeking Certification)

The organization going through the CMMC assessment process to receive a level of certification for a given environment. The term OSC is used when the assessment involves a C3PAO or DIBCAC and results in a formal certificate.

P

POA&M (Plan of Action and Milestones)

A document that identifies security requirements assessed as NOT MET during a CMMC assessment, along with milestones and timelines for remediation. An OSC with a POA&M receives Conditional CMMC Status and must close out all POA&M items within 180 days to achieve Final Status. Critical requirements may not be placed on a POA&M and must be fully met at the time of assessment.

POA&M Closeout Assessment

An assessment performed after the initial CMMC certification to verify that requirements previously marked NOT MET have been resolved. For Level 2, the closeout may be a self-assessment or a C3PAO certification assessment depending on the target CMMC Status. Only the specific NOT MET requirements from the original assessment are re-evaluated.

R

RP / RPA (Registered Practitioner / Registered Practitioner Advanced)

Individual professionals authorized to provide CMMC implementation consulting services. Neither RP nor RPA credential holders may participate on formal assessment teams. The RPA designation requires additional training and experience beyond the base RP credential.

RPO (Registered Practitioner Organization)

An organization authorized by the Cyber AB to deliver non-certified CMMC consulting services. RPO status signals that the organization has agreed to the Cyber AB Code of Professional Conduct and employs credentialed practitioners. RPOs cannot conduct official CMMC assessments. STACK Cybersecurity is a Cyber AB RPO.

S

Self-Assessment

An assessment conducted by the OSA itself rather than a third-party assessor. CMMC Level 1 and certain Level 2 contracts allow for annual self-assessments with an affirmation submitted to SPRS by a senior official. Self-assessments are not accepted for contracts requiring Level 2 (C3PAO) or Level 3 (DIBCAC) certification.

SPA (Security Protection Assets)

Assets that provide security functions to protect an OSA's CUI environment, such as firewalls, SIEM platforms, and endpoint detection tools. Security Protection Assets are part of the CMMC Assessment Scope and are assessed against applicable Level 2 requirements relevant to the capabilities they provide.

SPD (Security Protection Data)

Data generated by security protection assets, such as log data, alerts, and audit records. SPD supports detection and response activities and is treated as in-scope during CMMC assessments when it relates to CUI protection functions.

SPRS (Supplier Performance Risk System)

A DoD web-based system that stores and displays supplier performance and risk information, including CMMC assessment scores and certification status. Contractors submit their self-assessment scores and affirmations to SPRS, and C3PAO or DIBCAC assessment results are also recorded there. Contracting officers use SPRS to verify a contractor's CMMC Status before award.

SSP (System Security Plan)

A document that describes how an organization implements CMMC security requirements within its environment. The SSP defines the system boundary, asset inventory, security controls in place, and how each NIST SP 800-171 requirement is addressed. Maintaining an accurate SSP is itself a CMMC requirement and is the foundation for any formal assessment.

T

Temporary Deficiency

As defined in 32 CFR § 170.4, a condition where remediation of a discovered deficiency is feasible and a known fix is available or in process. A temporary deficiency must be documented in an operational plan of action. It is distinct from a POA&M item in that it arises after initial implementation rather than during the assessment itself.
