Acronyms, regulations, and roles you'll run into across CMMC 2.0 assessments.
32 CFR § 170
32 CFR Part 170 is the regulatory codification of the CMMC Program, published as the program's final rule in October 2024. Key provisions include § 170.14 on the CMMC model, § 170.19 on assessment scoping, § 170.21 on limited POA&M use, and § 170.22 on affirmations of continuous compliance. Contractors, assessors, and CMMC ecosystem participants all work from its definitions and CMMC Status rules.
3PAO
Third-Party Assessment Organization
3PAO is the FedRAMP term for an independent organization recognized to assess cloud service offerings for FedRAMP authorization or equivalency. CMMC uses a separate role, C3PAO, for CMMC Level 2 certification assessments. A FedRAMP 3PAO is not automatically a C3PAO, and the two authorizations are program-specific.
ATO
Authority to Operate
An Authority to Operate is the formal risk-acceptance decision a designated Authorizing Official makes to allow a federal information system to operate in production. The ATO is supported by the system's SSP, POA&M, security control assessment, and continuous-monitoring posture. FedRAMP issues ATOs for cloud service offerings; individual agencies issue system-level ATOs for the systems they operate. ATO gaps frequently surface in DOJ Civil Cyber-Fraud Initiative cases and inspector-general reports when systems are deployed without one.
BOD
Binding Operational Directive
A Binding Operational Directive is a compulsory direction issued by CISA under 44 U.S.C. § 3553(b) requiring federal civilian agencies (FCEB) to safeguard their information systems against specific known or reasonably suspected threats. The most frequently referenced directive is BOD 22-01 (November 2021), which requires FCEB agencies to remediate vulnerabilities on the KEV catalog within CISA-specified deadlines, typically two weeks for items with evidence of active exploitation and six months otherwise. Other recent directives include BOD 23-01 on asset visibility, BOD 23-02 on management-interface exposure, and BOD 25-01 on Microsoft 365 secure configuration baselines.
C3PAO
CMMC Third-Party Assessment Organization
A C3PAO is the CMMC-specific third-party organization authorized to conduct official CMMC Level 2 certification assessments that result in Conditional or Final Level 2 (C3PAO) status. The Cyber AB, as the DoD-approved Accreditation Body, authorizes or accredits and oversees C3PAOs. CMMC Level 3 certification assessments are conducted by DCMA DIBCAC, not by C3PAOs. Industry shorthand sometimes expands the acronym as "Certified 3rd Party Assessor Organization"; the formal expansion in the federal regulation (32 CFR § 170.4) and on The Cyber AB's official C3PAO page is "CMMC Third-Party Assessment Organization."
CAGE Code
Commercial and Government Entity Code
A CAGE Code is a five-character identifier assigned through the Defense Logistics Agency's CAGE Program to identify a business location doing business with the U.S. government. Contractors obtain and maintain CAGE information through SAM.gov workflows. CMMC and SPRS submissions are associated with CAGE codes, so contractors with multiple entities, divisions, or assessed environments need to map each relevant CAGE code to the correct assessment scope.
CAICO
Cybersecurity Assessor and Instructor Certification Organization
CAICO (Cybersecurity Assessor and Instructor Certification Organization) is the organization responsible for training, testing, authorizing, certifying, and recertifying assessors, instructors, and professionals across the CMMC ecosystem — CCP, CCA, LCCA, and CCI. CAICO was originally a wholly-owned nonprofit subsidiary of The Cyber AB. In December 2025 ISACA was designated the new CAICO; ISACA assumed full management of CMMC practitioner credentials effective April 1, 2026, with The Cyber AB retaining oversight of the role.
CCA
Certified CMMC Assessor
A Certified CMMC Assessor is an individual credentialed to participate on a C3PAO assessment team conducting Level 2 certification assessments. CCAs perform examine, interview, and test activities against NIST SP 800-171A objectives during the assessment itself. The credential requires holding the CCP first and meeting the relevant prerequisites. Effective April 1, 2026, ISACA — the global professional association that administers CISA, CISM, and CRISC — took over administration of CCP, CCA, Lead Certified CMMC Assessor (LCCA), and Certified CMMC Instructor (CCI) credentials from The Cyber AB / CAICO.
CCI
Certified CMMC Instructor
A Certified CMMC Instructor is authorized to deliver official CMMC training courses and exam-preparation materials within the CMMC ecosystem. CCIs are the educators who prepare future CCPs, CCAs, and LCCAs. Effective April 1, 2026, ISACA took over administration of CCI along with the other CMMC practitioner credentials previously managed by The Cyber AB / CAICO.
CCP
Certified CMMC Professional
A Certified CMMC Professional has passed the CCP exam covering the CMMC ecosystem, NIST SP 800-171, scoping, evidence, and assessment process. CCPs commonly work at RPOs, MSPs, C3PAOs, or in-house compliance teams supporting readiness and assessment preparation. The credential is the prerequisite for the more senior CCA. Effective April 1, 2026, ISACA took over administration of CCP, CCA, LCCA, and CCI credentials from The Cyber AB / CAICO.
CIRCIA
Cyber Incident Reporting for Critical Infrastructure Act
CIRCIA, enacted in March 2022, requires covered entities across 16 critical-infrastructure sectors to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. CISA published the implementing NPRM on April 4, 2024; the statutory deadline for the final rule was October 2025, but CISA extended the timeline to May 2026 in response to industry feedback on the proposed scope and burden. As of mid-2026 the final rule remains pending amid additional stakeholder town halls and disruption from a DHS funding lapse.
CIS Benchmarks
CIS Benchmarks are consensus-developed configuration hardening guides covering Windows, Linux distributions, cloud services (AWS, Azure, GCP, M365), databases, and network devices. Contractors frequently reference applicable CIS Benchmarks in their SSPs as the documented baseline supporting NIST SP 800-171 configuration-management requirements (3.4.1, 3.4.2) and several system-and-communications-protection controls. The Center for Internet Security publishes the benchmarks under a free-for-non-commercial-use license and sells the CIS-CAT Pro tool for automated assessment.
CISA
Cybersecurity and Infrastructure Security Agency
CISA is the operational cybersecurity arm of the federal civilian government, established within DHS in November 2018 by the Cybersecurity and Infrastructure Security Agency Act. Its responsibilities include issuing Binding Operational Directives to FCEB agencies, maintaining the Known Exploited Vulnerabilities (KEV) catalog, coordinating federal incident response, implementing the CIRCIA reporting regime, and publishing ICS/OT advisories. CISA also runs voluntary programs that affect defense contractors and critical-infrastructure operators, including the Continuous Diagnostics and Mitigation (CDM) program, the Joint Cyber Defense Collaborative (JCDC), and information-sharing channels with state and local government.
CMMC 2.0
CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for assessing whether defense contractors and subcontractors implement the cybersecurity requirements needed to protect federal contract information (FCI) and controlled unclassified information (CUI). The program is codified in 32 CFR Part 170; DFARS 252.204-7021 implements contract-level CMMC Status requirements, while DFARS 252.204-7012 remains the underlying safeguarding and incident-reporting clause for covered defense information. CMMC has three levels: Level 1 (15 FAR 52.204-21 requirements for FCI), Level 2 (110 NIST SP 800-171 Rev. 2 requirements for CUI), and Level 3 (Level 2 plus 24 selected NIST SP 800-172 Feb. 2021 requirements).
CMMC Level 1
CMMC Level 1 applies to contractors that handle FCI but not CUI. It requires implementation of the 15 basic safeguarding requirements in FAR 52.204-21 and is verified by an annual self-assessment plus an affirmation submitted in SPRS. POA&Ms and third-party assessments are not permitted at Level 1.
CMMC Level 2
CMMC Level 2 is the tier required when contractor information systems process, store, or transmit CUI under a DoD contract requiring Level 2 status. It aligns one-for-one with NIST SP 800-171 Rev. 2's 110 security requirements, assessed against NIST SP 800-171A June 2018 objectives. A solicitation may require either Level 2 (Self) or Level 2 (C3PAO); Final Level 2 status is valid for three years if annual affirmations remain current.
CMMC Level 3
CMMC Level 3 applies to CUI environments requiring higher-level protection against advanced persistent threats. It requires a prerequisite Final Level 2 (C3PAO) status for the same CMMC assessment scope, then assessment against the 24 selected NIST SP 800-172 Feb. 2021 requirements listed in 32 CFR § 170.14(c)(4). Level 3 assessments are conducted by DCMA DIBCAC, the government's assessor, not by a commercial C3PAO.
CMMC Self-Assessment
A CMMC self-assessment is one the OSA performs internally against the applicable requirements, submits in SPRS, and affirms through an affirming official. Level 1 is always self-assessed annually. Level 2 self-assessment is used only when the solicitation permits Level 2 (Self); Level 2 (C3PAO) and Level 3 require independent assessment. Self-assessment does not relieve a contractor of False Claims Act exposure if claims of compliance are inaccurate.
Control Inheritance
Control inheritance allows an OSA to satisfy a requirement by relying on implementation by another part of the enterprise or by an ESP/CSP, rather than implementing the entire requirement locally. The OSA remains accountable for documenting and evidencing inherited controls in the SSP and CRM or shared-responsibility artifacts. For cloud services handling CUI, inherited controls generally depend on FedRAMP Moderate authorization or DoD-recognized equivalency plus evidence of the customer's own configuration.
CPRT
Cybersecurity and Privacy Reference Tool
CPRT is the centralized NIST tool at csrc.nist.gov/projects/cprt that publishes machine-readable versions of NIST cybersecurity and privacy reference data, including SP 800-53, SP 800-171, the Cybersecurity Framework, and crosswalks between them. It exposes the data in JSON, spreadsheet (XLSX), and OSCAL formats, making it the canonical source for tooling that needs current control text and mappings. NIST is increasingly publishing control updates through CPRT in parallel with the formal PDF publications.
CRM
Customer Responsibility Matrix
A Customer Responsibility Matrix is the contractor-maintained document that walks through each applicable requirement and identifies which party — the OSA/OSC, a cloud service provider, an MSP/ESP, or a combination — is responsible for implementation and evidence. Provider CRMs and shared-responsibility matrices are starting points; the contractor still has to map them to its own CMMC assessment scope and configurations. A complete CRM is functionally required for any contractor depending on cloud or ESP services.
CRQC
Cryptographically Relevant Quantum Computer
A Cryptographically Relevant Quantum Computer is the term used by NSA and NIST for a quantum computer with sufficient capability to break currently deployed public-key cryptography (RSA, elliptic-curve DH and signatures, classical Diffie-Hellman). PQC migration plans treat the CRQC as the triggering threat event and explicitly assume one may exist before its existence is publicly disclosed. That assumption underpins the 'harvest now, decrypt later' threat model: adversaries may already be storing encrypted traffic against future CRQC-enabled decryption, which is why federal and DIB cryptographic migration is happening years before any confirmed CRQC.
CSP
Cloud Service Provider
A Cloud Service Provider delivers infrastructure, platform, or software services on demand. For CMMC purposes, the distinction that matters is whether the cloud service offering stores, processes, or transmits CUI: if yes, DFARS 252.204-7012 and DoD guidance require FedRAMP Moderate authorization or a documented FedRAMP Moderate equivalency body of evidence. CSPs handling CUI are typically in-scope ESPs that share the contractor's CMMC assessment responsibilities through a CRM.
CUI
Controlled Unclassified Information
Controlled Unclassified Information is the government-wide category of unclassified information that law, regulation, or government-wide policy requires or permits agencies to protect with safeguarding or dissemination controls. CUI is the data trigger for CMMC Level 2: contractor systems that process, store, or transmit CUI under a covered DoD contract must meet NIST SP 800-171 Rev. 2 requirements unless a different CMMC status is specified. The CUI Registry, maintained by NARA, enumerates the approved categories and subcategories.
CUI Registry
The CUI Registry, maintained by NARA, is the authoritative catalog of CUI categories and subcategories. Each entry identifies the underlying authority, category marking, safeguarding or dissemination controls, sanctions, and decontrol procedures. Contractors use the Registry, together with contract markings and agency guidance, to determine which CUI category applies to information they receive or generate for the government.
CUI Specified vs. CUI Basic
CUI Basic is the default for CUI whose authorizing law, regulation, or government-wide policy does not set out specific handling or dissemination controls. CUI Specified applies when the source authority requires or permits controls beyond the CUI Basic baseline; examples can include Export Controlled, Nuclear, or critical-infrastructure categories. Contractors must check the Registry entry because Specified categories may impose additional marking, access, dissemination, or storage constraints.
CVE
Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures is the public catalog of disclosed software vulnerabilities, each assigned a unique CVE identifier in the format CVE-YYYY-NNNN. The program is operated by MITRE under CISA sponsorship; CVE Numbering Authorities (CNAs) including vendors, coordinators, and bug-bounty programs assign CVE IDs to vulnerabilities they discover or coordinate. Every advisory, patch note, KEV entry, NVD record, and SBOM vulnerability reference keys off CVE identifiers, making CVE the foundational identifier across the vulnerability-management ecosystem.
The Cyber AB
The Cyber AB (formally the Cybersecurity Maturity Model Certification Accreditation Body) is the Accreditation Body recognized by DoD for the CMMC ecosystem. Its 2026 mandate is concentrated on accreditation work: authorizing and overseeing C3PAOs, publishing and maintaining the CMMC Assessment Process (CAP), enforcing the Code of Professional Conduct (CoPC), and adjudicating elevated appeals. Practitioner training and credentialing (CCP, CCA, LCCA, CCI) transitioned to ISACA effective April 1, 2026; engagement, marketplace, education, and DIB outreach work moved to the newly-spun-out Cyber EF subsidiary.
The Cyber EF
The Cyber EF (Cyber Engagement Forum) is a 501(c)(3) wholly-owned subsidiary of The Cyber AB, announced at the April 2026 CMMC Town Hall. Its mandate covers the parts of the CMMC ecosystem that aren't accreditation: the overhauled Practitioner Program, CMMC Marketplace 2.0 (powered by RAMPxchange), the CMMC Book of Knowledge, support to External Service Providers, broader DIB engagement, the CMMC Town Halls themselves, and support to the SCF Program. The split lets The Cyber AB focus on its core accreditation role while the EF handles engagement, education, and market facilitation.
DFARS 252.204-7012
DFARS 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting") is the contract clause that requires covered contractor information systems to implement NIST SP 800-171 when they process, store, or transmit covered defense information. The clause also requires reporting covered cyber incidents within 72 hours via the DIBNet portal and flowing the clause to applicable subcontractors. CMMC builds on top of this safeguarding obligation by adding CMMC Status requirements through DFARS 252.204-7021.
DFARS 252.204-7021
DFARS 252.204-7021 ("Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements") is the acquisition clause used to put CMMC status requirements into DoD solicitations and contracts. It requires contractors to have and maintain the specified current CMMC status for covered information systems that process, store, or transmit FCI or CUI, to use only systems with the required status for contract performance, and to flow down CMMC requirements as required. It works alongside DFARS 252.204-7012, which remains the underlying safeguarding and incident-reporting clause.
DHS
Department of Homeland Security
The Department of Homeland Security is a Cabinet-level executive department established in 2002 after the September 11 attacks. Among its 22+ components, the ones most relevant to cybersecurity policy and operations are CISA (federal civilian cybersecurity and critical-infrastructure protection), the Transportation Security Administration (TSA's pipeline and aviation cybersecurity directives), the Coast Guard (maritime cybersecurity), and the Secret Service (financial and critical-infrastructure investigations). DHS budget and policy decisions cascade into BOD activity, CIRCIA implementation, and state-and-local cybersecurity programs.
DIB
Defense Industrial Base
The Defense Industrial Base is the worldwide ecosystem of companies that supply DoD with products and services. It spans primes (Lockheed Martin, Northrop Grumman, RTX, General Dynamics, Boeing Defense), thousands of mid-tier subcontractors, hundreds of thousands of small manufacturers and service providers, plus the MSPs, ESPs, and software vendors that support them. CMMC and DFARS 252.204-7012 apply across the DIB based on the information types handled rather than company size, so even tier-3 and tier-4 suppliers can be in scope.
DIBCAC
Defense Industrial Base Cybersecurity Assessment Center
DIBCAC is DCMA's Defense Industrial Base Cybersecurity Assessment Center, the government's cybersecurity assessment arm for the defense industrial base. It conducts CMMC Level 3 certification assessments for DIB companies, performs CMMC Level 2 assessments of C3PAOs, and conducts DoD NIST SP 800-171 assessments such as High Assessments that can be reflected in SPRS. For Level 3 contracts, DIBCAC is the assessor of record.
DLP
Data Loss Prevention
DLP technologies classify data and enforce policy on how it can move — blocking or alerting on attempts to send CUI to personal email, upload to non-approved cloud services, write to USB media, or print without authorization. DLP is not a named CMMC requirement, but it commonly supports AC.L2-3.1.3 (Control CUI Flow), AC.L2-3.1.21 (Portable Storage Use), media protection, and system communications controls. DLP is commonly deployed via Microsoft Purview, Symantec, Forcepoint, or cloud-native CASB tooling.
EDR
Endpoint Detection and Response
EDR platforms instrument endpoints to capture behavioral telemetry, detect suspicious activity, and enable rapid investigation and containment. The NIST SP 800-171 system and information integrity family requires malicious-code protection, security alert handling, scanning, updates, and monitoring for attacks; modern EDR is one common way to support those requirements. Common DIB-deployed EDR includes Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, and Sophos.
Equivalency
DFARS 252.204-7012 requires a cloud service offering that stores, processes, or transmits covered defense information to meet security requirements equivalent to the FedRAMP Moderate baseline unless it is already FedRAMP Moderate authorized. DoD's equivalency guidance requires a body of evidence assessed by a FedRAMP-recognized 3PAO against the FedRAMP Moderate baseline; the result does not confer a FedRAMP authorization. CMMC assessors review the equivalency evidence and customer responsibility artifacts when the OSA relies on the service.
ESP
External Service Provider
An External Service Provider is external people, technology, or facilities used for IT or cybersecurity services where CUI or Security Protection Data is processed, stored, or transmitted on the provider's assets. Common ESPs include MSPs, MSSPs, CSPs, SOC providers, and specialized application vendors. Under CMMC, the OSA must include in-scope ESP dependencies in scoping, CRM/shared-responsibility documentation, and evidence collection; CSPs handling CUI also need FedRAMP Moderate authorization or DoD-recognized equivalency.
FAR
Federal Acquisition Regulation
The Federal Acquisition Regulation is the principal set of rules governing the acquisition process for all executive agencies, codified in 48 CFR Chapter 1. It is jointly maintained by GSA, DoD, and NASA through the FAR Council. Agencies layer their own supplements on top of the FAR (DFARS for DoD, DEAR for Energy, AFARS for Army, NASA FAR Supplement for NASA, etc.). Most cybersecurity contract clauses that affect non-DoD contractors will arrive through the pending FAR CUI rulemaking, which will create FAR-level analogs to DFARS 252.204-7012 and 7021.
FCA
False Claims Act
The False Claims Act (31 U.S.C. §§ 3729-3733) imposes treble damages and per-claim penalties on contractors that knowingly submit false claims for payment, including false certifications of cybersecurity compliance. The DOJ's Civil Cyber-Fraud Initiative, launched in 2021, prioritizes FCA cases involving misrepresented cybersecurity obligations such as NIST SP 800-171 implementation or incident reporting. CMMC affirmations and contract representations can create FCA exposure when they are inaccurate.
FCEB
Federal Civilian Executive Branch
FCEB encompasses the executive-branch agencies of the federal government other than DoD and the Intelligence Community. It is the audience for whom CISA-issued Binding Operational Directives are mandatory, the population covered by the CDM program and EDR/SIEM modernization efforts, and the segment most often referenced in vulnerability-management requirements such as BOD 22-01's KEV remediation timelines. Contractors serving FCEB agencies are typically affected indirectly when their customer agencies pass through cybersecurity requirements in contracts.
FCI
Federal Contract Information
FCI is information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service, excluding public information and simple transactional information such as payment processing data. Handling FCI is the trigger for CMMC Level 1, which requires the 15 basic safeguarding requirements in FAR 52.204-21. FCI is a less restrictive category than CUI, but it is still nonpublic contract information that must be safeguarded.
FedRAMP
FedRAMP (Federal Risk and Authorization Management Program) is the federal government's standardized approach for assessing, authorizing, and continuously monitoring cloud services. Authorizations use impact baselines such as Low, Moderate, and High, each tied to a different potential effect on agency operations, assets, or individuals. For CMMC purposes, FedRAMP Moderate is the minimum baseline DFARS 252.204-7012 cites for cloud services handling covered defense information, with FedRAMP High also acceptable when appropriate.
FedRAMP 20X
FedRAMP 20X is the program announced in 2025 to overhaul the FedRAMP authorization process. Goals include shifting from documentation-driven to evidence-driven assessment, expanding continuous monitoring, adopting machine-readable controls via OSCAL, and reducing the time and cost of achieving Moderate or High baselines. For DIB contractors, 20X reshapes how the FedRAMP-authorized cloud services they rely on prove and maintain authorization while handling CUI.
FedRAMP Moderate
FedRAMP Moderate is the FedRAMP authorization baseline for cloud systems where loss of confidentiality, integrity, or availability could have a serious adverse effect on agency operations, assets, or individuals. DFARS 252.204-7012 requires any cloud service that stores, processes, or transmits covered defense information to be FedRAMP Moderate authorized or meet DoD-defined equivalent security. Most DIB cloud architectures route CUI through a FedRAMP Moderate or High enclave.
FIPS 140
FIPS 140-2 / FIPS 140-3
FIPS 140-2 and its successor FIPS 140-3 are federal standards for validating cryptographic modules — the underlying libraries and hardware that perform encryption, hashing, and key management. For CMMC Level 2, NIST SP 800-171 Rev. 2 requirement 3.13.11 requires FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI. Vendors must be on the NIST Cryptographic Module Validation Program (CMVP) list to make a validated-module claim.
GCC High
Microsoft 365 GCC High
GCC High is Microsoft's segregated Microsoft 365 environment built for U.S. government and defense industrial base customers with higher compliance requirements. It is designed to support FedRAMP High and DoD Impact Level 5 workloads, is operated by screened U.S. persons, and is commonly used in architectures intended to handle CUI and certain export-controlled data. GCC High is common among CMMC Level 2 contractors that need a Microsoft 365 productivity suite suitable for CUI.
GovCloud
AWS GovCloud (US)
AWS GovCloud (US) is a pair of AWS regions (US-East and US-West) physically and logically isolated from commercial AWS regions and operated by screened U.S. persons. AWS GovCloud services are commonly authorized at FedRAMP High and support DoD Cloud Computing SRG impact levels used by defense workloads. Defense contractors use GovCloud to host CUI workloads — applications, databases, and file shares — that need a FedRAMP-authorized cloud environment.
GovRAMP
GovRAMP is the rebrand of StateRAMP announced February 14, 2025, reflecting an expanded 'whole-of-state' mission across state, local, tribal, and educational government. The legal entity name remains StateRAMP doing business as GovRAMP, so older statutes, contracts, and policy documents will continue to use 'StateRAMP' indefinitely. The GovRAMP Authorized Vendor List, certifications, and authorization processes carry over without disruption. GovRAMP is the cloud authorization program most relevant to state and local government (SLED) buyers and to vendors selling into state IT environments.
ICS
Industrial Control Systems
Industrial Control Systems is the OT subset covering process control. It includes Programmable Logic Controllers (PLCs), Distributed Control Systems (DCS), Supervisory Control and Data Acquisition (SCADA), and the human-machine interfaces and engineering workstations that interact with them. CISA publishes ICS advisories on a near-daily cadence covering vulnerabilities and exploitable conditions in products from Siemens, Rockwell Automation, ABB, Schneider Electric, Honeywell, Mitsubishi Electric, and dozens of other vendors. NIST SP 800-82 is the federal guidance baseline for ICS security.
IR
Incident Response
Incident response covers preparation, detection, analysis, containment, eradication, recovery, and post-incident review of cybersecurity events. NIST SP 800-171 § 3.6 requires a documented IR capability and tested IR plans. Separately, DFARS 252.204-7012(c) requires cyber incidents affecting covered defense information to be reported to DoD Cyber Crime Center (DC3) at dibnet.dod.mil within 72 hours of discovery.
ISACA
ISACA (originally the Information Systems Audit and Control Association) is a global professional association for IT governance, audit, and risk, serving 165,000+ members worldwide. It administers well-known credentials including CISA, CISM, CRISC, and CGEIT. In December 2025 ISACA was designated the new CAICO for the CMMC program; ISACA assumed sole management of CMMC practitioner credentials — CCP, CCA, LCCA, and CCI — effective April 1, 2026.
ISSO
Information System Security Officer
An Information System Security Officer is the NIST 800-53 and Risk Management Framework role responsible for the day-to-day security posture of a specific information system. Typical ISSO responsibilities include incident response coordination, vulnerability tracking, POA&M maintenance, continuous-monitoring inputs, configuration-management oversight, and interfacing with auditors and assessors. On the agency side, the ISSO is usually the practitioner contractors interact with on questions about system controls, an ATO, or a reauthorization.
ITAR
International Traffic in Arms Regulations
ITAR (22 CFR 120-130) governs export of U.S. defense articles, services, and technical data controlled by the State Department's Directorate of Defense Trade Controls. ITAR-controlled technical data can also be CUI, often under the Export Controlled category, when the information is created or possessed by or for the government and the applicable CUI authority applies. ITAR adds export-control duties such as avoiding unauthorized foreign-person access or deemed exports; GCC High and GovCloud are commonly used in architectures intended to support both CMMC and ITAR constraints.
KEV
Known Exploited Vulnerabilities
The Known Exploited Vulnerabilities catalog is CISA's authoritative list of CVEs with evidence of active exploitation in the wild. CISA established the catalog in November 2021 alongside BOD 22-01, which requires FCEB agencies to remediate KEV-listed vulnerabilities within CISA-specified deadlines (typically two weeks for items with active exploitation and six months otherwise). Outside the federal government, KEV inclusion is treated as a high signal by cyber insurers, primes, MSPs, and vulnerability-management programs because it reflects observed adversary use rather than theoretical risk.
LCCA
Lead Certified CMMC Assessor
A Lead Certified CMMC Assessor is the senior assessor on a C3PAO assessment team. The Lead designation indicates the practitioner has the requisite experience and credentials to direct examine, interview, and test activities for a Level 2 certification assessment of record. The CCA credential is a prerequisite. Effective April 1, 2026, ISACA took over administration of LCCA along with the other CMMC practitioner credentials.
MFA
Multi-Factor Authentication
Multi-Factor Authentication combines something you know (password), have (token, smart card), or are (biometric) to authenticate an identity. NIST SP 800-171 Rev. 2 requirement 3.5.3 requires MFA for both local and network access to privileged accounts and for network access to non-privileged accounts. CMMC assessments routinely flag MFA gaps; phishing-resistant MFA such as FIDO2 or PIV is increasingly preferred for high-value and privileged access.
MSP
Managed Service Provider
A Managed Service Provider delivers ongoing IT or cybersecurity services to its customers. For CMMC, the scoping question is whether the MSP's people, technology, or facilities process, store, or transmit the contractor's CUI or Security Protection Data — if yes, those assets are in scope as an ESP dependency. MSPs supporting the defense industrial base increasingly invest in their own CMMC readiness because their evidence can directly affect customer assessments.
NARA
National Archives and Records Administration
NARA, through its Information Security Oversight Office, is the executive agent for the CUI program established by Executive Order 13556. NARA defines what counts as CUI, maintains the CUI Registry, sets marking and dissemination standards, and issues policy guidance that agencies (including DoD) implement. CMMC enforces controls on a subset of CUI — the portion that flows from DoD contracts.
NIST
National Institute of Standards and Technology
NIST is a non-regulatory agency of the Department of Commerce that develops measurement standards, technology standards, and federal guidance. In cybersecurity, NIST publishes the Special Publication (SP) 800-series (including 800-53, 800-171, 800-172, 800-82), Federal Information Processing Standards (FIPS 140, FIPS 203/204/205 for PQC), the Cybersecurity Framework, and the AI Risk Management Framework. The Computer Security Resource Center (CSRC) at csrc.nist.gov is the canonical publishing surface, and the Cybersecurity and Privacy Reference Tool (CPRT) provides machine-readable versions of the control catalogs.
NIST AI RMF
NIST AI Risk Management Framework
The NIST AI Risk Management Framework (NIST AI 100-1), released in January 2023, is a voluntary framework for managing risks associated with AI systems. It organizes practices into four functions: Govern (culture, accountability, policy), Map (context and risk identification), Measure (analysis and assessment of risks), and Manage (prioritization and mitigation). OMB M-24-10 requires federal agencies to use the NIST AI RMF when managing AI risks, which cascades into ATO conditions for AI-enabled federal systems and into contract terms for AI-enabled tools sold to agencies.
NIST SP 800-171
NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," defines security requirements for protecting CUI in nonfederal systems. NIST SP 800-171 Rev. 3 is the current NIST publication, but 32 CFR Part 170 incorporates Rev. 2 for CMMC Level 2, so CMMC assessments currently map to Rev. 2’s 110 requirements. Contractors prove CMMC implementation through the assessment procedures in NIST SP 800-171A June 2018 until DoD changes the incorporated version.
NIST SP 800-171 Rev 2 vs Rev 3
NIST SP 800-171 Revision 2 is the version CMMC 2.0 currently references: 110 requirements organized into 14 families. Revision 3, published in May 2024, restructures the catalog into 17 families with 97 security requirements, tightens alignment to NIST SP 800-53 Rev. 5, and introduces Organization-Defined Parameters (ODPs). As of May 2026, CMMC still assesses against Rev. 2 because 32 CFR Part 170 incorporates NIST SP 800-171 Rev. 2; DoD has published Rev. 3 ODP values in preparation for future use, but contractors preparing for CMMC today still need to cover all Rev. 2 requirements.
NIST SP 800-171A
NIST SP 800-171A specifies the assessment objectives and procedures used to determine whether each NIST SP 800-171 requirement is in place and operating as intended. For CMMC today, 32 CFR Part 170 incorporates the June 2018 800-171A companion for assessment against NIST SP 800-171 Rev. 2. C3PAO assessors and self-assessing contractors both use the examine, interview, and test methods to structure evidence.
NIST SP 800-172
NIST SP 800-172 defines enhanced security requirements for CUI associated with critical programs, high-value assets, or advanced persistent threat risk. NIST published SP 800-172 Rev. 3 in May 2026, but 32 CFR Part 170 still incorporates NIST SP 800-172 February 2021 for CMMC. Under CMMC Level 3, the incremental assessment is against the 24 selected 800-172 Feb. 2021 requirements listed in 32 CFR § 170.14(c)(4), after the contractor has Final Level 2 (C3PAO) status for the same scope.
NIST SP 800-53
NIST SP 800-53 Rev. 5 is the comprehensive catalog of security and privacy controls used across federal information systems. NIST SP 800-171 and SP 800-172 are tailored nonfederal CUI publications derived from selected SP 800-53 controls, while FedRAMP Low, Moderate, and High baselines are built from SP 800-53 control baselines and FedRAMP tailoring. For CMMC practitioners, SP 800-53 usually matters through those downstream standards rather than as a direct Level 2 checklist.
NPRM
Notice of Proposed Rulemaking
A Notice of Proposed Rulemaking is the Administrative Procedure Act step where a federal agency publishes a proposed rule in the Federal Register and opens a public comment period, typically 30, 60, or 90 days. Most compliance rules of interest to defense contractors (CMMC, CIRCIA, the pending FAR CUI rule, FedRAMP modernization) progress through one or more NPRMs before a final rule. The comment record from an NPRM often shapes the final rule's scope, definitions, and effective dates, so it is the practical leverage point for industry input.
ODP
Organization-Defined Parameter
An Organization-Defined Parameter is a configurable value inside a security requirement that an agency or organization must define, such as the number of failed login attempts before lockout or the time period for audit-log retention. NIST SP 800-171 Rev. 3 introduced ODPs into the 800-171 catalog, and DoD published its own 800-171 Rev. 3 ODP values in April 2025 for future use. CMMC today still assesses Level 2 against Rev. 2, but CMMC Level 3 already uses DoD-defined parameters for selected NIST SP 800-172 Feb. 2021 requirements in 32 CFR Part 170.
OMB
Office of Management and Budget
OMB sits within the Executive Office of the President and issues policy memoranda (such as M-22-09 on zero trust and M-23-02 on cryptographic migration) that direct federal agencies and flow down to contractors through DFARS, FAR, and contract clauses. OMB guidance typically precedes NIST publications and FedRAMP rule changes by 12 to 24 months, making it a leading indicator for what defense contractors will be required to demonstrate next.
OSA
Organization Seeking Assessment
OSA (Organization Seeking Assessment) is the umbrella term defined in 32 CFR § 170.4 for any entity undergoing a CMMC assessment of an information system, whether by self-assessment or by certification through a C3PAO or DCMA DIBCAC. Every OSC is also an OSA; an OSA performing only a Level 1 or Level 2 self-assessment is not an OSC. Use OSA when discussing the assessed organization across all CMMC levels and assessment types.
OSC
Organization Seeking Certification
OSC (Organization Seeking Certification) is the narrower term defined in 32 CFR § 170.4 for the subset of OSAs seeking certification — Level 2 through a C3PAO or Level 3 through DCMA DIBCAC. The OSC engages the assessor, presents the SSP and evidence package, and ultimately holds the resulting CMMC status. Every OSC is also an OSA, but an OSA performing only a self-assessment is not an OSC.
OSCAL
Open Security Controls Assessment Language
OSCAL is a NIST-developed family of standardized, machine-readable formats expressing security control catalogs, baselines, profiles, system security plans (SSPs), component definitions, assessment plans, assessment results, and plans of action and milestones (POA&Ms). The formats are available in JSON, XML, and YAML. FedRAMP is moving toward OSCAL submission for authorization packages under the FedRAMP 20X program, and most modern GRC and compliance automation tooling produces or consumes OSCAL natively.
OT
Operational Technology
Operational Technology covers hardware and software that monitors and controls physical processes, devices, and infrastructure. It is distinct from IT in that consequences of failure are physical: loss of view, loss of control, equipment damage, environmental release, or safety impact. OT spans industrial control systems (ICS), building automation, medical devices, transportation systems, and energy infrastructure. CISA's ICS advisory program and NIST SP 800-82 (Guide to Operational Technology Security) are the principal federal guidance touchpoints; OT-specific incident reporting under CIRCIA is a continuing area of industry concern.
POA&M
Plan of Action and Milestones
A POA&M (Plan of Action and Milestones) is a document that tracks requirements or objectives that are not yet implemented, along with the resources, milestones, owners, and scheduled completion dates for closing each gap. Under CMMC and 32 CFR § 170.21, assessment POA&Ms are not permitted for Level 1 and are permitted only in limited Level 2 and Level 3 cases; all allowed assessment POA&M items must be closed within 180 days to reach Final status. Operational POA&Ms may exist outside the assessment POA&M process, but they do not excuse unmet CMMC requirements during assessment.
PQC
Post-Quantum Cryptography
Post-Quantum Cryptography (PQC) is the next generation of public-key cryptography standardized by NIST in August 2024: FIPS 203 (ML-KEM) for key establishment, FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for digital signatures. PQC replaces RSA and elliptic-curve algorithms that quantum computers could eventually break. National Security Memorandum 10 and OMB M-23-02 direct federal agencies and their contractors to inventory cryptographic systems and migrate to PQC, with timelines that will reach CMMC-affected contractors through future DFARS and NIST SP 800-171 updates.
RP
Registered Practitioner
A Registered Practitioner has completed the CMMC RP training and is registered with The Cyber AB (engagement-related responsibilities now handled by the Cyber EF) to provide CMMC preparation services within a Registered Provider Organization. RPs work on contractor-side readiness — gap assessments, control implementation guidance, evidence collection support. The RP credential is lower-tier than CCP; many RPs progress to CCP as their CMMC work deepens.
RPA
Registered Practitioner Advanced
A Registered Practitioner Advanced holds the senior tier of the RP credential — additional experience, completed training, and qualifications beyond the entry-level RP. Like RPs, RPAs work within Registered Provider Organizations providing CMMC preparation services to contractors. RPAs typically lead larger or more complex readiness engagements.
RPO
Registered Provider Organization
An RPO is a Cyber AB-registered firm that provides CMMC consulting and readiness preparation services such as gap assessments, control implementation guidance, evidence collection support, and pre-assessment readiness checks. An RPO is distinct from a C3PAO: RPOs prepare contractors, while C3PAOs conduct official Level 2 certification assessments. Contractors should manage conflict-of-interest boundaries when the same ecosystem participants provide advisory and assessment-related services.
SCADA
Supervisory Control and Data Acquisition
SCADA is a class of industrial control system used for geographically distributed monitoring and control. SCADA systems aggregate telemetry from remote terminal units (RTUs) and PLCs over wide-area networks into a central control center, where operators monitor process state and issue control commands. SCADA is common in electric and gas utilities, water and wastewater, pipelines, rail, and other distributed infrastructures. CISA advisories frequently use the combined 'ICS/SCADA' label because the same vendor software often spans both categories.
Senior Official Affirmation
Under 32 CFR § 170.22, an affirming official submits an affirmation in SPRS confirming compliance with the applicable CMMC requirements. Level 1 affirmations are submitted at completion of the annual self-assessment; Level 2 and Level 3 affirmations are submitted after assessment and annually thereafter, and the status can lapse if annual affirmation is not maintained. An inaccurate affirmation can create False Claims Act exposure.
Shared Responsibility
Shared responsibility describes how cloud services divide security obligations between the Cloud Service Provider and the customer. The CSP handles infrastructure-level controls such as data center physical security, hypervisor hardening, and baseline patching; the customer handles configuration, identity, data handling, and many access controls. For CMMC, the contractor must document this split in a Customer Responsibility Matrix (CRM) and prove each applicable requirement is met by whichever party owns it.
SIEM
Security Information and Event Management
A SIEM is a centralized platform for log collection, event correlation, and security monitoring across endpoints, network devices, cloud services, identity systems, and applications. CMMC and NIST SP 800-171 do not require a specific SIEM product, but several controls — § 3.3.1 (audit logs), § 3.3.2 (review), § 3.3.5 (correlation), § 3.6 (incident response) — are difficult to satisfy without one. Common DIB-suited platforms include Microsoft Sentinel, Splunk, Elastic, and Devo.
SLED
State, Local, and Education
SLED is a common vendor and analyst label for the segment of public-sector buyers comprising state governments, local governments (city, county, special district, K-12 in many usages), and the higher-education sector. SLED procurement runs through state IT offices, cooperative purchasing vehicles such as NASPO ValuePoint, and individual local procurement authorities. GovRAMP (the rebrand of StateRAMP) is the cloud authorization program most relevant to SLED buyers, and MS-ISAC is the principal information-sharing organization serving SLED CISOs.
SPD
Security Protection Data
Security Protection Data is a CMMC scoping term for data stored or processed by Security Protection Assets that are used to protect the assessed environment. Examples include log data, configuration data, vulnerability scan data, incident response data, and other information that could aid an attacker if disclosed or altered. An external provider whose assets process, store, or transmit CUI or SPD can be an in-scope ESP.
SPRS
Supplier Performance Risk System
SPRS is the Department of Defense system where contractors submit self-assessment results and where DoD officials verify NIST SP 800-171 and CMMC posture for procurement. CMMC Level 1 and Level 2 self-assessment results are entered in SPRS; C3PAO and DIBCAC assessment results flow through CMMC eMASS and are reflected in SPRS. NIST SP 800-171 DoD Assessment scores range from -203 to 110, where 110 represents full implementation of all 110 Rev. 2 requirements.
SSP
System Security Plan
A System Security Plan is the foundational document a contractor maintains to describe each information system within the CMMC assessment scope. It defines the boundary, operating environment, interconnections, responsible parties, and how each applicable NIST SP 800-171 requirement is implemented or inherited. For Level 2 and Level 3 assessments, the SSP is central evidence; gaps in the SSP usually cascade into POA&M, CRM, and evidence-package issues.
StateRAMP
StateRAMP was the original name of the cloud authorization program founded in 2020 as a state-level analog to FedRAMP. On February 14, 2025, the organization announced a rebrand to GovRAMP to reflect its expanded 'whole-of-state' mission across state, local, tribal, and educational government. The legal entity name remains StateRAMP doing business as GovRAMP, and existing certifications and contracts carried over without disruption. State statutes and policies that predate the rebrand will continue to reference 'StateRAMP' indefinitely.
We use cookies to improve your experience and analyze site usage.Learn more