Deep Fathom / Glossary

The CMMC vocabulary, in one place.

Acronyms, regulations, and roles you'll run into across CMMC 2.0 assessments.

32 CFR § 170

32 CFR Part 170 is the regulatory codification of the CMMC Program, published as the program's final rule in October 2024. Key provisions include § 170.14 on the CMMC model, § 170.19 on assessment scoping, § 170.21 on limited POA&M use, and § 170.22 on affirmations of continuous compliance. Contractors, assessors, and CMMC ecosystem participants all work from its definitions and CMMC Status rules.

3PAO

Third-Party Assessment Organization

3PAO is the FedRAMP term for an independent organization recognized to assess cloud service offerings for FedRAMP authorization or equivalency. CMMC uses a separate role, C3PAO, for CMMC Level 2 certification assessments. A FedRAMP 3PAO is not automatically a C3PAO, and the two authorizations are program-specific.

C3PAO

CMMC Third-Party Assessment Organization

A C3PAO is the CMMC-specific third-party organization authorized to conduct official CMMC Level 2 certification assessments that result in Conditional or Final Level 2 (C3PAO) status. The Cyber AB, as the DoD-approved Accreditation Body, authorizes or accredits and oversees C3PAOs. CMMC Level 3 certification assessments are conducted by DCMA DIBCAC, not by C3PAOs. Industry shorthand sometimes expands the acronym as "Certified 3rd Party Assessor Organization"; the formal expansion in the federal regulation (32 CFR § 170.4) and on The Cyber AB's official C3PAO page is "CMMC Third-Party Assessment Organization."

CAGE Code

Commercial and Government Entity Code

A CAGE Code is a five-character identifier assigned through the Defense Logistics Agency's CAGE Program to identify a business location doing business with the U.S. government. Contractors obtain and maintain CAGE information through SAM.gov workflows. CMMC and SPRS submissions are associated with CAGE codes, so contractors with multiple entities, divisions, or assessed environments need to map each relevant CAGE code to the correct assessment scope.

CAICO

Cybersecurity Assessor and Instructor Certification Organization

CAICO (Cybersecurity Assessor and Instructor Certification Organization) is the organization responsible for training, testing, authorizing, certifying, and recertifying assessors, instructors, and professionals across the CMMC ecosystem — CCP, CCA, LCCA, and CCI. CAICO was originally a wholly-owned nonprofit subsidiary of The Cyber AB. In December 2025 ISACA was designated the new CAICO; ISACA assumed full management of CMMC practitioner credentials effective April 1, 2026, with The Cyber AB retaining oversight of the role.

CCA

Certified CMMC Assessor

A Certified CMMC Assessor is an individual credentialed to participate on a C3PAO assessment team conducting Level 2 certification assessments. CCAs perform examine, interview, and test activities against NIST SP 800-171A objectives during the assessment itself. The credential requires holding the CCP first and meeting the relevant prerequisites. Effective April 1, 2026, ISACA — the global professional association that administers CISA, CISM, and CRISC — took over administration of CCP, CCA, Lead Certified CMMC Assessor (LCCA), and Certified CMMC Instructor (CCI) credentials from The Cyber AB / CAICO.

CCI

Certified CMMC Instructor

A Certified CMMC Instructor is authorized to deliver official CMMC training courses and exam-preparation materials within the CMMC ecosystem. CCIs are the educators who prepare future CCPs, CCAs, and LCCAs. Effective April 1, 2026, ISACA took over administration of CCI along with the other CMMC practitioner credentials previously managed by The Cyber AB / CAICO.

CCP

Certified CMMC Professional

A Certified CMMC Professional has passed the CCP exam covering the CMMC ecosystem, NIST SP 800-171, scoping, evidence, and assessment process. CCPs commonly work at RPOs, MSPs, C3PAOs, or in-house compliance teams supporting readiness and assessment preparation. The credential is the prerequisite for the more senior CCA. Effective April 1, 2026, ISACA took over administration of CCP, CCA, LCCA, and CCI credentials from The Cyber AB / CAICO.

CMMC 2.0

CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for assessing whether defense contractors and subcontractors implement the cybersecurity requirements needed to protect federal contract information (FCI) and controlled unclassified information (CUI). The program is codified in 32 CFR Part 170; DFARS 252.204-7021 implements contract-level CMMC Status requirements, while DFARS 252.204-7012 remains the underlying safeguarding and incident-reporting clause for covered defense information. CMMC has three levels: Level 1 (15 FAR 52.204-21 requirements for FCI), Level 2 (110 NIST SP 800-171 Rev. 2 requirements for CUI), and Level 3 (Level 2 plus 24 selected NIST SP 800-172 Feb. 2021 requirements).

CMMC Level 2

CMMC Level 2 is the tier required when contractor information systems process, store, or transmit CUI under a DoD contract requiring Level 2 status. It aligns one-for-one with NIST SP 800-171 Rev. 2's 110 security requirements, assessed against NIST SP 800-171A June 2018 objectives. A solicitation may require either Level 2 (Self) or Level 2 (C3PAO); Final Level 2 status is valid for three years if annual affirmations remain current.

CMMC Level 3

CMMC Level 3 applies to CUI environments requiring higher-level protection against advanced persistent threats. It requires a prerequisite Final Level 2 (C3PAO) status for the same CMMC assessment scope, then assessment against the 24 selected NIST SP 800-172 Feb. 2021 requirements listed in 32 CFR § 170.14(c)(4). Level 3 assessments are conducted by DCMA DIBCAC, the government's assessor, not by a commercial C3PAO.

CMMC Self-Assessment

A CMMC self-assessment is one the OSA performs internally against the applicable requirements, submits in SPRS, and affirms through an affirming official. Level 1 is always self-assessed annually. Level 2 self-assessment is used only when the solicitation permits Level 2 (Self); Level 2 (C3PAO) and Level 3 require independent assessment. Self-assessment does not relieve a contractor of False Claims Act exposure if claims of compliance are inaccurate.

Control Inheritance

Control inheritance allows an OSA to satisfy a requirement by relying on implementation by another part of the enterprise or by an ESP/CSP, rather than implementing the entire requirement locally. The OSA remains accountable for documenting and evidencing inherited controls in the SSP and CRM or shared-responsibility artifacts. For cloud services handling CUI, inherited controls generally depend on FedRAMP Moderate authorization or DoD-recognized equivalency plus evidence of the customer's own configuration.

CRM

Customer Responsibility Matrix

A Customer Responsibility Matrix is the contractor-maintained document that walks through each applicable requirement and identifies which party — the OSA/OSC, a cloud service provider, an MSP/ESP, or a combination — is responsible for implementation and evidence. Provider CRMs and shared-responsibility matrices are starting points; the contractor still has to map them to its own CMMC assessment scope and configurations. A complete CRM is functionally required for any contractor depending on cloud or ESP services.

CSP

Cloud Service Provider

A Cloud Service Provider delivers infrastructure, platform, or software services on demand. For CMMC purposes, the distinction that matters is whether the cloud service offering stores, processes, or transmits CUI: if yes, DFARS 252.204-7012 and DoD guidance require FedRAMP Moderate authorization or a documented FedRAMP Moderate equivalency body of evidence. CSPs handling CUI are typically in-scope ESPs that share the contractor's CMMC assessment responsibilities through a CRM.

CUI

Controlled Unclassified Information

Controlled Unclassified Information is the government-wide category of unclassified information that law, regulation, or government-wide policy requires or permits agencies to protect with safeguarding or dissemination controls. CUI is the data trigger for CMMC Level 2: contractor systems that process, store, or transmit CUI under a covered DoD contract must meet NIST SP 800-171 Rev. 2 requirements unless a different CMMC status is specified. The CUI Registry, maintained by NARA, enumerates the approved categories and subcategories.

CUI Registry

The CUI Registry, maintained by NARA, is the authoritative catalog of CUI categories and subcategories. Each entry identifies the underlying authority, category marking, safeguarding or dissemination controls, sanctions, and decontrol procedures. Contractors use the Registry, together with contract markings and agency guidance, to determine which CUI category applies to information they receive or generate for the government.

CUI Specified vs. CUI Basic

CUI Basic is the default for CUI whose authorizing law, regulation, or government-wide policy does not set out specific handling or dissemination controls. CUI Specified applies when the source authority requires or permits controls beyond the CUI Basic baseline; examples can include Export Controlled, Nuclear, or critical-infrastructure categories. Contractors must check the Registry entry because Specified categories may impose additional marking, access, dissemination, or storage constraints.

The Cyber AB

The Cyber AB (formally the Cybersecurity Maturity Model Certification Accreditation Body) is the Accreditation Body recognized by DoD for the CMMC ecosystem. Its 2026 mandate is concentrated on accreditation work: authorizing and overseeing C3PAOs, publishing and maintaining the CMMC Assessment Process (CAP), enforcing the Code of Professional Conduct (CoPC), and adjudicating elevated appeals. Practitioner training and credentialing (CCP, CCA, LCCA, CCI) transitioned to ISACA effective April 1, 2026; engagement, marketplace, education, and DIB outreach work moved to the newly-spun-out Cyber EF subsidiary.

The Cyber EF

The Cyber EF (Cyber Engagement Forum) is a 501(c)(3) wholly-owned subsidiary of The Cyber AB, announced at the April 2026 CMMC Town Hall. Its mandate covers the parts of the CMMC ecosystem that aren't accreditation: the overhauled Practitioner Program, CMMC Marketplace 2.0 (powered by RAMPxchange), the CMMC Book of Knowledge, support to External Service Providers, broader DIB engagement, the CMMC Town Halls themselves, and support to the SCF Program. The split lets The Cyber AB focus on its core accreditation role while the EF handles engagement, education, and market facilitation.

DFARS 252.204-7012

DFARS 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting") is the contract clause that requires covered contractor information systems to implement NIST SP 800-171 when they process, store, or transmit covered defense information. The clause also requires reporting covered cyber incidents within 72 hours via the DIBNet portal and flowing the clause to applicable subcontractors. CMMC builds on top of this safeguarding obligation by adding CMMC Status requirements through DFARS 252.204-7021.

DFARS 252.204-7021

DFARS 252.204-7021 ("Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements") is the acquisition clause used to put CMMC status requirements into DoD solicitations and contracts. It requires contractors to have and maintain the specified current CMMC status for covered information systems that process, store, or transmit FCI or CUI, to use only systems with the required status for contract performance, and to flow down CMMC requirements as required. It works alongside DFARS 252.204-7012, which remains the underlying safeguarding and incident-reporting clause.

DIBCAC

Defense Industrial Base Cybersecurity Assessment Center

DIBCAC is DCMA's Defense Industrial Base Cybersecurity Assessment Center, the government's cybersecurity assessment arm for the defense industrial base. It conducts CMMC Level 3 certification assessments for DIB companies, performs CMMC Level 2 assessments of C3PAOs, and conducts DoD NIST SP 800-171 assessments such as High Assessments that can be reflected in SPRS. For Level 3 contracts, DIBCAC is the assessor of record.

DLP

Data Loss Prevention

DLP technologies classify data and enforce policy on how it can move — blocking or alerting on attempts to send CUI to personal email, upload to non-approved cloud services, write to USB media, or print without authorization. DLP is not a named CMMC requirement, but it commonly supports AC.L2-3.1.3 (Control CUI Flow), AC.L2-3.1.21 (Portable Storage Use), media protection, and system communications controls. DLP is commonly deployed via Microsoft Purview, Symantec, Forcepoint, or cloud-native CASB tooling.

EDR

Endpoint Detection and Response

EDR platforms instrument endpoints to capture behavioral telemetry, detect suspicious activity, and enable rapid investigation and containment. The NIST SP 800-171 system and information integrity family requires malicious-code protection, security alert handling, scanning, updates, and monitoring for attacks; modern EDR is one common way to support those requirements. Common DIB-deployed EDR includes Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, and Sophos.

Equivalency

DFARS 252.204-7012 requires a cloud service offering that stores, processes, or transmits covered defense information to meet security requirements equivalent to the FedRAMP Moderate baseline unless it is already FedRAMP Moderate authorized. DoD's equivalency guidance requires a body of evidence assessed by a FedRAMP-recognized 3PAO against the FedRAMP Moderate baseline; the result does not confer a FedRAMP authorization. CMMC assessors review the equivalency evidence and customer responsibility artifacts when the OSA relies on the service.

ESP

External Service Provider

An External Service Provider is external people, technology, or facilities used for IT or cybersecurity services where CUI or Security Protection Data is processed, stored, or transmitted on the provider's assets. Common ESPs include MSPs, MSSPs, CSPs, SOC providers, and specialized application vendors. Under CMMC, the OSA must include in-scope ESP dependencies in scoping, CRM/shared-responsibility documentation, and evidence collection; CSPs handling CUI also need FedRAMP Moderate authorization or DoD-recognized equivalency.

FCA

False Claims Act

The False Claims Act (31 U.S.C. §§ 3729-3733) imposes treble damages and per-claim penalties on contractors that knowingly submit false claims for payment, including false certifications of cybersecurity compliance. The DOJ's Civil Cyber-Fraud Initiative, launched in 2021, prioritizes FCA cases involving misrepresented cybersecurity obligations such as NIST SP 800-171 implementation or incident reporting. CMMC affirmations and contract representations can create FCA exposure when they are inaccurate.

FCI

Federal Contract Information

FCI is information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service, excluding public information and simple transactional information such as payment processing data. Handling FCI is the trigger for CMMC Level 1, which requires the 15 basic safeguarding requirements in FAR 52.204-21. FCI is a less restrictive category than CUI, but it is still nonpublic contract information that must be safeguarded.

FedRAMP

FedRAMP (Federal Risk and Authorization Management Program) is the federal government's standardized approach for assessing, authorizing, and continuously monitoring cloud services. Authorizations use impact baselines such as Low, Moderate, and High, each tied to a different potential effect on agency operations, assets, or individuals. For CMMC purposes, FedRAMP Moderate is the minimum baseline DFARS 252.204-7012 cites for cloud services handling covered defense information, with FedRAMP High also acceptable when appropriate.

FedRAMP Moderate

FedRAMP Moderate is the FedRAMP authorization baseline for cloud systems where loss of confidentiality, integrity, or availability could have a serious adverse effect on agency operations, assets, or individuals. DFARS 252.204-7012 requires any cloud service that stores, processes, or transmits covered defense information to be FedRAMP Moderate authorized or meet DoD-defined equivalent security. Most DIB cloud architectures route CUI through a FedRAMP Moderate or High enclave.

FIPS 140

FIPS 140-2 / FIPS 140-3

FIPS 140-2 and its successor FIPS 140-3 are federal standards for validating cryptographic modules — the underlying libraries and hardware that perform encryption, hashing, and key management. For CMMC Level 2, NIST SP 800-171 Rev. 2 requirement 3.13.11 requires FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI. Vendors must be on the NIST Cryptographic Module Validation Program (CMVP) list to make a validated-module claim.

GCC High

Microsoft 365 GCC High

GCC High is Microsoft's segregated Microsoft 365 environment built for U.S. government and defense industrial base customers with higher compliance requirements. It is designed to support FedRAMP High and DoD Impact Level 5 workloads, is operated by screened U.S. persons, and is commonly used in architectures intended to handle CUI and certain export-controlled data. GCC High is common among CMMC Level 2 contractors that need a Microsoft 365 productivity suite suitable for CUI.

GovCloud

AWS GovCloud (US)

AWS GovCloud (US) is a pair of AWS regions (US-East and US-West) physically and logically isolated from commercial AWS regions and operated by screened U.S. persons. AWS GovCloud services are commonly authorized at FedRAMP High and support DoD Cloud Computing SRG impact levels used by defense workloads. Defense contractors use GovCloud to host CUI workloads — applications, databases, and file shares — that need a FedRAMP-authorized cloud environment.

IR

Incident Response

Incident response covers preparation, detection, analysis, containment, eradication, recovery, and post-incident review of cybersecurity events. NIST SP 800-171 § 3.6 requires a documented IR capability and tested IR plans. Separately, DFARS 252.204-7012(c) requires cyber incidents affecting covered defense information to be reported to DoD Cyber Crime Center (DC3) at dibnet.dod.mil within 72 hours of discovery.

ISACA

ISACA (originally the Information Systems Audit and Control Association) is a global professional association for IT governance, audit, and risk, serving 165,000+ members worldwide. It administers well-known credentials including CISA, CISM, CRISC, and CGEIT. In December 2025 ISACA was designated the new CAICO for the CMMC program; ISACA assumed sole management of CMMC practitioner credentials — CCP, CCA, LCCA, and CCI — effective April 1, 2026.

ITAR

International Traffic in Arms Regulations

ITAR (22 CFR 120-130) governs export of U.S. defense articles, services, and technical data controlled by the State Department's Directorate of Defense Trade Controls. ITAR-controlled technical data can also be CUI, often under the Export Controlled category, when the information is created or possessed by or for the government and the applicable CUI authority applies. ITAR adds export-control duties such as avoiding unauthorized foreign-person access or deemed exports; GCC High and GovCloud are commonly used in architectures intended to support both CMMC and ITAR constraints.

LCCA

Lead Certified CMMC Assessor

A Lead Certified CMMC Assessor is the senior assessor on a C3PAO assessment team. The Lead designation indicates the practitioner has the requisite experience and credentials to direct examine, interview, and test activities for a Level 2 certification assessment of record. The CCA credential is a prerequisite. Effective April 1, 2026, ISACA took over administration of LCCA along with the other CMMC practitioner credentials.

MFA

Multi-Factor Authentication

Multi-Factor Authentication requires two or more distinct factors to authenticate an identity: something you know (password), something you have (token, smart card), or something you are (biometric). NIST SP 800-171 Rev. 2 requirement 3.5.3 requires MFA for both local and network access to privileged accounts and for network access to non-privileged accounts. CMMC assessments routinely flag MFA gaps; phishing-resistant MFA such as FIDO2 or PIV is increasingly preferred for high-value and privileged access.

MSP

Managed Service Provider

A Managed Service Provider delivers ongoing IT or cybersecurity services to its customers. For CMMC, the scoping question is whether the MSP's people, technology, or facilities process, store, or transmit the contractor's CUI or Security Protection Data — if yes, those assets are in scope as an ESP dependency. MSPs supporting the defense industrial base increasingly invest in their own CMMC readiness because their evidence can directly affect customer assessments.

NARA

National Archives and Records Administration

NARA, through its Information Security Oversight Office, is the executive agent for the CUI program established by Executive Order 13556. NARA defines what counts as CUI, maintains the CUI Registry, sets marking and dissemination standards, and issues policy guidance that agencies (including DoD) implement. CMMC enforces controls on a subset of CUI — the portion that flows from DoD contracts.

NIST SP 800-171

NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," defines security requirements for protecting CUI in nonfederal systems. NIST SP 800-171 Rev. 3 is the current NIST publication, but 32 CFR Part 170 incorporates Rev. 2 for CMMC Level 2, so CMMC assessments currently map to Rev. 2’s 110 requirements. Contractors prove CMMC implementation through the assessment procedures in NIST SP 800-171A June 2018 until DoD changes the incorporated version.

NIST SP 800-171 Rev 2 vs Rev 3

NIST SP 800-171 Revision 2 is the version CMMC 2.0 currently references: 110 requirements organized into 14 families. Revision 3, published in May 2024, restructures the catalog into 17 families with 97 security requirements, tightens alignment to NIST SP 800-53 Rev. 5, and introduces Organization-Defined Parameters (ODPs). As of May 2026, CMMC still assesses against Rev. 2 because 32 CFR Part 170 incorporates NIST SP 800-171 Rev. 2; DoD has published Rev. 3 ODP values in preparation for future use, but contractors preparing for CMMC today still need to cover all Rev. 2 requirements.

NIST SP 800-171A

NIST SP 800-171A specifies the assessment objectives and procedures used to determine whether each NIST SP 800-171 requirement is in place and operating as intended. For CMMC today, 32 CFR Part 170 incorporates the June 2018 800-171A companion for assessment against NIST SP 800-171 Rev. 2. C3PAO assessors and self-assessing contractors both use the examine, interview, and test methods to structure evidence.

NIST SP 800-172

NIST SP 800-172 defines enhanced security requirements for CUI associated with critical programs, high-value assets, or advanced persistent threat risk. NIST published SP 800-172 Rev. 3 in May 2026, but 32 CFR Part 170 still incorporates NIST SP 800-172 February 2021 for CMMC. Under CMMC Level 3, the incremental assessment is against the 24 selected 800-172 Feb. 2021 requirements listed in 32 CFR § 170.14(c)(4), after the contractor has Final Level 2 (C3PAO) status for the same scope.

NIST SP 800-53

NIST SP 800-53 Rev. 5 is the comprehensive catalog of security and privacy controls used across federal information systems. NIST SP 800-171 and SP 800-172 are tailored nonfederal CUI publications derived from selected SP 800-53 controls, while FedRAMP Low, Moderate, and High baselines are built from SP 800-53 control baselines and FedRAMP tailoring. For CMMC practitioners, SP 800-53 usually matters through those downstream standards rather than as a direct Level 2 checklist.

ODP

Organization-Defined Parameter

An Organization-Defined Parameter is a configurable value inside a security requirement that an agency or organization must define, such as the number of failed login attempts before lockout or the time period for audit-log retention. NIST SP 800-171 Rev. 3 introduced ODPs into the 800-171 catalog, and DoD published its own 800-171 Rev. 3 ODP values in April 2025 for future use. CMMC today still assesses Level 2 against Rev. 2, but CMMC Level 3 already uses DoD-defined parameters for selected NIST SP 800-172 Feb. 2021 requirements in 32 CFR Part 170.

OSA

Organization Seeking Assessment

OSA (Organization Seeking Assessment) is the umbrella term defined in 32 CFR § 170.4 for any entity undergoing a CMMC assessment of an information system, whether by self-assessment or by certification through a C3PAO or DCMA DIBCAC. Every OSC is also an OSA; an OSA performing only a Level 1 or Level 2 self-assessment is not an OSC. Use OSA when discussing the assessed organization across all CMMC levels and assessment types.

OSC

Organization Seeking Certification

OSC (Organization Seeking Certification) is the narrower term defined in 32 CFR § 170.4 for the subset of OSAs seeking certification — Level 2 through a C3PAO or Level 3 through DCMA DIBCAC. The OSC engages the assessor, presents the SSP and evidence package, and ultimately holds the resulting CMMC status. Every OSC is also an OSA, but an OSA performing only a self-assessment is not an OSC.

POA&M

Plan of Action and Milestones

A POA&M (Plan of Action and Milestones) is a document that tracks requirements or objectives that are not yet implemented, along with the resources, milestones, owners, and scheduled completion dates for closing each gap. Under CMMC and 32 CFR § 170.21, assessment POA&Ms are not permitted for Level 1 and are permitted only in limited Level 2 and Level 3 cases; all allowed assessment POA&M items must be closed within 180 days to reach Final status. Operational POA&Ms may exist outside the assessment POA&M process, but they do not excuse unmet CMMC requirements during assessment.

RP

Registered Practitioner

A Registered Practitioner has completed the CMMC RP training and is registered with The Cyber AB (engagement-related responsibilities now handled by the Cyber EF) to provide CMMC preparation services within a Registered Provider Organization. RPs work on contractor-side readiness — gap assessments, control implementation guidance, evidence collection support. The RP credential is lower-tier than CCP; many RPs progress to CCP as their CMMC work deepens.

RPA

Registered Practitioner Advanced

A Registered Practitioner Advanced holds the senior tier of the RP credential — additional experience, completed training, and qualifications beyond the entry-level RP. Like RPs, RPAs work within Registered Provider Organizations providing CMMC preparation services to contractors. RPAs typically lead larger or more complex readiness engagements.

RPO

Registered Provider Organization

An RPO is a Cyber AB-registered firm that provides CMMC consulting and readiness preparation services such as gap assessments, control implementation guidance, evidence collection support, and pre-assessment readiness checks. An RPO is distinct from a C3PAO: RPOs prepare contractors, while C3PAOs conduct official Level 2 certification assessments. Contractors should manage conflict-of-interest boundaries when the same ecosystem participants provide advisory and assessment-related services.

Senior Official Affirmation

Under 32 CFR § 170.22, an affirming official submits an affirmation in SPRS confirming compliance with the applicable CMMC requirements. Level 1 affirmations are submitted at completion of the annual self-assessment; Level 2 and Level 3 affirmations are submitted after assessment and annually thereafter, and the status can lapse if annual affirmation is not maintained. An inaccurate affirmation can create False Claims Act exposure.

Shared Responsibility

Shared responsibility describes how cloud services divide security obligations between the Cloud Service Provider and the customer. The CSP handles infrastructure-level controls such as data center physical security, hypervisor hardening, and baseline patching; the customer handles configuration, identity, data handling, and many access controls. For CMMC, the contractor must document this split in a Customer Responsibility Matrix (CRM) and prove each applicable requirement is met by whichever party owns it.

SIEM

Security Information and Event Management

A SIEM is a centralized platform for log collection, event correlation, and security monitoring across endpoints, network devices, cloud services, identity systems, and applications. CMMC and NIST SP 800-171 do not require a specific SIEM product, but several controls — § 3.3.1 (audit logs), § 3.3.2 (review), § 3.3.5 (correlation), § 3.6 (incident response) — are difficult to satisfy without one. Common DIB-suited platforms include Microsoft Sentinel, Splunk, Elastic, and Devo.

SPD

Security Protection Data

Security Protection Data is a CMMC scoping term for data stored or processed by Security Protection Assets that are used to protect the assessed environment. Examples include log data, configuration data, vulnerability scan data, incident response data, and other information that could aid an attacker if disclosed or altered. An external provider whose assets process, store, or transmit CUI or SPD can be an in-scope ESP.

SPRS

Supplier Performance Risk System

SPRS is the Department of Defense system where contractors submit self-assessment results and where DoD officials verify NIST SP 800-171 and CMMC posture for procurement. CMMC Level 1 and Level 2 self-assessment results are entered in SPRS; C3PAO and DIBCAC assessment results flow through CMMC eMASS and are reflected in SPRS. NIST SP 800-171 DoD Assessment scores range from -203 to 110, where 110 represents full implementation of all 110 Rev. 2 requirements.

SSP

System Security Plan

A System Security Plan is the foundational document a contractor maintains to describe each information system within the CMMC assessment scope. It defines the boundary, operating environment, interconnections, responsible parties, and how each applicable NIST SP 800-171 requirement is implemented or inherited. For Level 2 and Level 3 assessments, the SSP is central evidence; gaps in the SSP usually cascade into POA&M, CRM, and evidence-package issues.