CMMC compliance citations resolve to four primary regulatory sources. The program rule is 32 CFR Part 170, codified at the end of 2024. The contract clauses are FAR 52.204-21 (Federal Contract Information safeguarding) and the DFARS 252.204 series: -7012 (CUI handling and incident reporting), -7019 and -7020 (DoD assessment requirements), -7021 (CMMC compliance as condition of award). The technical control catalog is NIST SP 800-171, with assessment procedures in NIST SP 800-171A and enhanced requirements for Level 3 in NIST SP 800-172. The ecosystem-behavior rules are the Certified Professional Code of Conduct maintained by the Cyber AB. When CMMC practitioner terminology diverges from regulatory terms (LPDP, OSC, ATP, LTP, C3PAO), the regulatory citation is the source of truth.
This page answers the questions CMMC practitioners ask each other when the room goes quiet and someone admits they aren’t sure. The questions about which clause to cite, what an acronym officially stands for, who owns what in the assessment ecosystem, and where the regulatory authority actually lives.
Every answer cites the source document. When the rule answers the question, the answer points at the rule. When the question hinges on a community convention that isn’t in the rule, the answer says so. The goal is a single reference that resolves the conversation without further debate.
The page is organized in three parts. First, twelve frequently asked questions, each answered in a few sentences with the citation embedded inline. Second, an alphabetized glossary of every acronym a CMMC practitioner is likely to encounter, including the current regulatory term, the source citation, and a note when the community uses a different term. Third, a short note on how to use this page over time.
The citations point at the public regulatory text. 32 CFR Part 170, codified at the end of 2024, is the program rule. The FAR and DFARS clauses are the contract clauses that incorporate the security requirements. NIST SP 800-171 is the technical control catalog. The Certified Professional Code of Conduct (COPC), maintained by the Cyber AB, governs ecosystem behavior. When in doubt, the source documents answer the question.
What’s the difference between FAR and DFARS?
A: FAR is the Federal Acquisition Regulation, the government-wide acquisition rulebook published in Title 48 of the Code of Federal Regulations, Chapter 1. DFARS is the Defense Federal Acquisition Regulation Supplement, the DoD-specific overlay published in Title 48, Chapter 2. DFARS supplements but does not replace FAR. A DoD contract typically incorporates both. For deeper coverage of the citation conventions, see our forthcoming regulatory citation field guide.
Are “FAR 52.204-21” and “48 CFR 52.204-21” the same regulation?
A: Yes. They are two valid citation formats for the same clause. FAR 52.204-21 is the short-form contracting reference. 48 CFR 52.204-21 is the formal Code of Federal Regulations citation pointing at the exact same section of Title 48. The text, requirements, and legal authority are identical. The same dual-format convention applies to DFARS clauses (e.g., DFARS 252.204-7012 and 48 CFR 252.204-7012 are the same clause).
What does OUSD stand for?
A: OUSD stands for Office of the Under Secretary of Defense. In CMMC contexts the relevant office is OUSD(A&S), the Office of the Under Secretary of Defense for Acquisition and Sustainment, which holds acquisition policy authority for the DFARS clauses. The CMMC program management office historically reported up through OUSD(A&S); per the 32 CFR Part 170 rulemaking, management oversight of the CMMC Program was realigned to the DoD CIO. Reference: 32 CFR § 170.6 (CMMC PMO).
What’s the difference between OSA and OSC?
A: OSA stands for Organization Seeking Assessment. OSC stands for Organization Seeking Certification. Per 32 CFR § 170.4, OSA is the umbrella term covering any organization undergoing a CMMC assessment, while OSC specifically refers to organizations pursuing a Level 2 (C3PAO-led) or Level 3 certification. A Level 1 self-assessment organization is an OSA but is not typically called an OSC. Community materials sometimes use the terms interchangeably, but the rule distinguishes them. A full ecosystem-roles guide is forthcoming.
Is the CMMC AB the same as Cyber AB?
A: Yes, with a name change announced June 7, 2022. The accreditation body was originally branded as the CMMC Accreditation Body (CMMC AB). It now does business as The Cyber AB to reflect a broader cybersecurity mandate beyond CMMC alone. The official legal corporate name remains Cybersecurity Maturity Model Certification Accreditation Body, Inc. — “The Cyber AB” is the public DBA. The ecosystem authority and accreditation function did not change. Many older training decks, blog posts, and contract templates still reference “CMMC AB,” which is the same organization.
What happened to Provisional Assessors?
A: The Provisional Assessor designation was a transitional role used during the standup of the CMMC ecosystem. It was retired and replaced by the Certified CMMC Assessor (CCA) credential under the formal training and certification scheme administered by CAICO (the Cyber AB’s Certified Assessor and Instructor Certification Organization). Provisional Assessors had a defined window to convert to CCA by completing required training and the assessor exam. The current credential for performing C3PAO-led Level 2 assessments is CCA.
What’s the difference between LTP and ATP?
A: ATP, Approved Training Provider, is the current term, introduced through the 32 CFR Part 170 rulemaking. LTP, Licensed Training Provider, is a legacy community term that predates the codified program rule. Many training decks, marketing materials, and forum posts still use LTP. The rule itself uses ATP. When writing for regulatory or contract contexts, use ATP. When reading older community material, recognize that LTP refers to the same role.
Is the CoPC principle “Objectivity” or “Impartiality”?
A: The current Cyber AB Code of Professional Conduct (CoPC v2.0, in force since 16 December 2024) names Impartiality — not “Objectivity” — as one of its eight guiding principles, defined as avoiding conflicts of interest and maintaining unbiased decision-making. It aligns with ISO/IEC 17011:2017(E), the accreditation standard the CMMC Accreditation Body must comply with under 32 CFR § 170.8(b)(17); in the related ISO/IEC 17020 framework, impartiality is defined as the “presence of objectivity.” So the two ideas are linked — objectivity is the substance, impartiality the named principle — but the current CoPC’s guiding-principle name is Impartiality. Materials that label it “Objectivity” are using legacy or informal terminology; work from the v2.0 name. A CoPC decision-tree guide is forthcoming.
What’s the False Claims Act and when does it apply to CMMC?
A: The False Claims Act, codified at 31 U.S.C. §§ 3729-3733, imposes liability on any party that knowingly submits false claims for payment to the federal government. In CMMC contexts it applies when a contractor misrepresents its compliance posture, attestation status, or assessment results to win or retain a federal contract. Damages can include treble damages plus per-claim civil penalties, and individuals (not just companies) can be held personally liable. The DOJ’s Civil Cyber-Fraud Initiative, announced in October 2021, explicitly targets cybersecurity misrepresentation under the FCA.
Who oversees CMMC now, OUSD or DoD CIO?
A: Program policy authority sits with the DoD CIO (Office of the DoD Chief Information Officer), which published 32 CFR Part 170. OUSD(A&S) holds the acquisition policy authority and is responsible for the DFARS clauses that incorporate CMMC requirements into contracts. In practice, both offices are involved. The DoD CIO owns the program rule. OUSD(A&S) owns the contract implementation. Reference: 32 CFR § 170.6 and DFARS Subpart 204.75.
What is the “Limited Practice Deficiency Program” and where is it in the rule?
A: The Limited Practice Deficiency Program (LPDP) is a community-coined term and does not appear in 32 CFR Part 170. It maps to the security requirement re-evaluation provisions at 32 CFR § 170.17(c)(2) for Level 2 assessments and 32 CFR § 170.18(c)(2) for Level 3 assessments, which describe a 10-business-day re-evaluation window following the active assessment period. This is a separate mechanism from the 180-day POA&M closure clock under § 170.21. When writing for regulatory contexts, cite the section numbers rather than the community label. See our LPDP re-evaluation guide for the full mechanic.
How many domains does CMMC have at Level 1 vs Level 2?
A: Level 1 covers 15 basic safeguarding requirements from FAR 52.204-21, mapped to 17 NIST 800-171 control IDs, across 6 domains (Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, System and Information Integrity). The cardinality difference (15 vs 17) comes from the FAR-to-NIST mapping granularity, not from a substantive expansion of Level 1. Level 2 covers all 110 security requirements across 14 domains from NIST SP 800-171 Revision 2 (AC, AT, AU, CA, CM, IA, IR, MA, MP, PE, PS, RA, SC, SI). The Level 2 domain set is the full NIST 800-171 control family map. Reference: 32 CFR § 170.14 (CMMC Model) with FAR 52.204-21 (the L1 baseline) and NIST SP 800-171 Rev 2 (the L2 baseline).
Glossary
The following entries cover the acronyms a CMMC practitioner is likely to encounter. Each entry lists the current regulatory term, a brief definition, the source citation, and a note when the community uses a different term.
ATP, Approved Training Provider. Organization licensed by CAICO to deliver CMMC training curricula. Source: 32 CFR § 170.10. Community materials may still use the legacy term “LTP” (Licensed Training Provider).
C3PAO, Certified Third-Party Assessment Organization. Organization authorized to perform Level 2 CMMC certification assessments. Source: 32 CFR § 170.9.
CAICO, Certified Assessor and Instructor Certification Organization. Subsidiary of the Cyber AB that administers the certification scheme for CCAs, CCPs, and CCIs. Source: Cyber AB governance documents.
CCA, Certified CMMC Assessor. Individual credentialed to perform Level 2 assessments under a C3PAO. Source: 32 CFR § 170.11. Replaces the legacy “Provisional Assessor” role.
CCI, Certified CMMC Instructor. Individual credentialed to deliver ATP-licensed CMMC training. Source: 32 CFR § 170.12. Replaces the legacy “Provisional Instructor” role.
CCP, Certified CMMC Professional. Foundational individual credential for CMMC practitioners, prerequisite for CCA. Source: 32 CFR § 170.13.
Cyber AB. The accreditation body for the CMMC ecosystem. Originally named the CMMC Accreditation Body (CMMC AB); name change to The Cyber AB announced June 7, 2022. Source: 32 CFR § 170.8.
CUI, Controlled Unclassified Information. Information requiring safeguarding or dissemination controls under federal law, regulation, or government-wide policy. Source: 32 CFR Part 2002 (CUI program rule) and 32 CFR § 170.4. FCI vs CUI and CUI banner-markings guides are forthcoming.
DFARS, Defense Federal Acquisition Regulation Supplement. DoD-specific overlay to the FAR, published in 48 CFR Chapter 2. The DFARS 252.204-7012 clause incorporates NIST 800-171 into DoD contracts.
FAR, Federal Acquisition Regulation. Government-wide acquisition rulebook published in 48 CFR Chapter 1. FAR 52.204-21 establishes the basic safeguarding requirements that map to CMMC Level 1.
FCI, Federal Contract Information. Information not intended for public release that is provided by or generated for the government under a contract. Source: FAR 52.204-21 and 32 CFR § 170.4.
Impartiality (CoPC v2.0) / Objectivity (underlying concept). The current Cyber AB CoPC v2.0 names Impartiality as one of its eight guiding principles, requiring CMMC professionals to avoid conflicts of interest and maintain unbiased decision-making. Objectivity is the substance beneath it — in ISO/IEC 17020, impartiality is defined as the “presence of objectivity” — and ISO/IEC 17011:2017(E) sets the impartiality requirements at the accreditation-body layer. Older or informal materials sometimes call the principle “Objectivity”; the current CoPC name is Impartiality. Source: Cyber AB CoPC v2.0; ISO/IEC 17011:2017(E).
LPDP, Limited Practice Deficiency Program. Community term, not in 32 CFR Part 170. Maps to the security requirement re-evaluation provisions at 32 CFR §§ 170.17(c)(2) and 170.18(c)(2). When citing the rule, use the section numbers, not the community label.
OSA, Organization Seeking Assessment. Umbrella term for any organization undergoing a CMMC assessment at any level. Source: 32 CFR § 170.4.
OSC, Organization Seeking Certification. Subset of OSAs pursuing Level 2 (C3PAO-led) or Level 3 certification. Source: 32 CFR § 170.4.
OUSD(A&S), Office of the Under Secretary of Defense for Acquisition and Sustainment. DoD office holding acquisition policy authority for the DFARS clauses that incorporate CMMC into contracts. Program rule authority sits with the DoD CIO.
PI, Provisional Instructor. Transitional role used during the ecosystem standup. Holders had a defined window to convert to CCI under the Cyber AB credential framework. The current instructor credential is CCI.
POA&M, Plan of Action and Milestones. A documented plan to remediate deficient security requirements within a fixed window. Source: 32 CFR § 170.21. The closure window for CMMC POA&Ms is 180 days.
RP, Registered Practitioner. Individual credentialed through an RPO to provide CMMC consulting services. Source: Cyber AB credential framework.
RPA, Registered Practitioner Advanced. Senior consulting credential for individuals working through an RPO. Source: Cyber AB credential framework.
RPO, Registered Provider Organization. Organization registered with the Cyber AB to provide consulting services to OSCs and OSAs. RPOs cannot perform certification assessments. Source: Cyber AB credential framework.
How to Use This Page
When a CMMC conversation hinges on a citation, an acronym, or a role boundary, this page should resolve it in under a minute. When the answer here disagrees with a slide deck, a forum post, or a colleague’s memory, the source documents are authoritative. Open the cited section and confirm.
For deeper coverage of any specific topic, the inline cross-links point at full articles. A verified-corrections piece, an ecosystem-roles guide, and a regulatory citation field guide are forthcoming.
This page will get longer as the program matures. Send corrections to the source-document level. If the rule changes, the answers change.
References · 11 official sources
| Source | What it covers | Type |
|---|---|---|
| 32 CFR Part 170 (CMMC Program Rule) | 32 CFR Part 170 — the CMMC Program Rule, codified at the end of 2024 | Regulation |
| FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) | FAR 52.204-21 — Federal Contract Information safeguarding (the Level 1 baseline) | Regulation |
| DFARS 252.204-7012 (Safeguarding Covered Defense Information) | DFARS 252.204-7012 — Covered Defense Information handling and 72-hour cyber incident reporting | Regulation |
| DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) | DFARS 252.204-7019 — Notice clause anchoring annual NIST 800-171 score submission to SPRS | Regulation |
| DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements) | DFARS 252.204-7020 — DoD-conducted Medium and High Assessments authority | Regulation |
| DFARS 252.204-7021 (CMMC Level Requirements) | DFARS 252.204-7021 — CMMC level requirements as a condition of award | Regulation |
| NIST SP 800-171 Rev 2 | NIST SP 800-171 Revision 2 — the 110 security requirements (CMMC Level 2 baseline) | Standard |
| NIST SP 800-171A (Assessment Procedures) | NIST SP 800-171A — the 320 assessment objectives | Standard |
| NIST SP 800-172 (Enhanced Security Requirements) | NIST SP 800-172 — 24 enhanced requirements (CMMC Level 3 baseline) | Standard |
| The Cyber AB | The Cyber AB — accreditation body authoring the Certified Professional Code of Conduct | Directory |
| NARA CUI Registry | NARA CUI Registry — the authoritative list of CUI categories | Guidance |