CMMC Third-Party Assessment Organization. An organization authorized by the Cyber AB to conduct official CMMC Level 2 assessments and issue certification recommendations. C3PAOs employ assessment teams consisting of a Lead CCA and one or more CCAs who evaluate an Organization Seeking Certification (OSC) against all applicable CMMC practices. C3PAOs must themselves pass a rigorous accreditation process including a financial review, FOCI screening, and a DIBCAC-conducted CMMC Level 2 assessment of their own organization. A C3PAO cannot help you prepare for your assessment — that is the role of an advisory firm like Flagship Cyber Defense Advisors.
Certified CMMC Assessor. An individual trained, examined, and authorized to conduct official CMMC Level 2 assessments as part of a C3PAO assessment team. CCAs can make final compliance determinations — they evaluate evidence, interview personnel, and determine whether specific practices are met, met with conditions, or not met. The CCA credential requires passing both CCP and CCA examinations, a favorable Tier 3 background investigation, three years of cybersecurity experience, one year of assessment or audit experience, and a qualifying DoD 8140.3 baseline certification. When a CMMC advisory firm has CCAs on its team, it means those practitioners hold the same credential as the people who will be evaluating you on assessment day.
CMMC Certified Professional. The entry-level individual credential in the CMMC assessment ecosystem. A CCP can participate on a CMMC Level 2 assessment team but is limited to verifying only Level 1 practices. CCPs cannot make final compliance determinations at Level 2 — those determinations can only be made by a CCA or Lead CCA. The CCP credential is a prerequisite for becoming a CCA. When evaluating a CMMC advisory firm, understanding whether their team holds CCP or CCA credentials tells you the depth of assessment expertise they bring to your engagement.
Class Deviation. An interim change to FAR or DFARS regulatory text that takes effect immediately without the standard notice-and-comment rulemaking process. Class deviations are authorized by agency heads and serve as temporary regulatory text until formal rulemaking catches up. The Revolutionary FAR Overhaul Phase 1 was implemented entirely through class deviations, which is why the changes took effect so quickly. Contractors should monitor class deviations closely because they can change compliance obligations overnight.
Cybersecurity Maturity Model Certification. The Department of Defense framework for verifying that defense contractors actually implement the cybersecurity controls they claim to have in place. CMMC 2.0 has three levels: Level 1 (Foundational, 17 practices, self-assessed), Level 2 (Advanced, 110 practices aligned to NIST 800-171, third-party assessed), and Level 3 (Expert, government-assessed). The required level depends on the sensitivity of information a contractor handles. CMMC 2.0 replaced the original CMMC 1.0 model, which had five levels and was widely criticized for complexity and cost. Enforcement began appearing in DoD contracts in late 2025.
Controlled Unclassified Information. Government-created or -provided information that requires safeguarding under federal law but is not classified. In the CMMC context, handling CUI triggers CMMC Level 2 requirements and the full 110 NIST 800-171 controls. Examples include technical drawings and specifications for defense systems, engineering data shared under contract, test and evaluation results, vulnerability assessments, export-controlled technical data (ITAR/EAR), operations security information, and personnel records related to DoD programs. If your contract contains DFARS 252.204-7012, you are almost certainly handling CUI.
Safeguarding Covered Defense Information and Cyber Incident Reporting. The foundational DFARS cybersecurity clause, in effect since 2017. Requires defense contractors who handle Controlled Unclassified Information (CUI) to implement the 110 security controls in NIST SP 800-171 and report cyber incidents to the DoD within 72 hours. The presence of this clause in your contract is what triggers NIST 800-171 compliance requirements and, ultimately, CMMC certification. Unchanged by the February 2026 Revolutionary FAR Overhaul.
Notice of NIST SP 800-171 DoD Assessment Requirements. This provision previously required contractors to conduct a basic self-assessment of their NIST SP 800-171 implementation and upload their score to SPRS as a condition of contract award. Deleted effective February 1, 2026, as part of the Revolutionary FAR Overhaul. The basic self-assessment requirement was eliminated because it was redundant with the CMMC assessment framework. Contractors now fulfill assessment obligations through CMMC under DFARS 252.204-7021. If your compliance program was built around getting a score into SPRS under this clause, it is time to shift focus to CMMC certification readiness.
Cybersecurity Maturity Model Certification Requirements. The CMMC clause. First appearing in new solicitations on November 10, 2025, this clause requires contractors to hold a specific CMMC certification level as a condition of contract award. The required level (1, 2, or 3) depends on the type of information handled and the sensitivity of the contract. When this clause appears in a solicitation, you must hold the specified certification before award. Unchanged by the February 2026 Revolutionary FAR Overhaul.
NIST SP 800-171 DoD Assessment Requirements. Formerly numbered DFARS 252.204-7020, renumbered to DFARS 252.240-7997 effective February 1, 2026, under the Revolutionary FAR Overhaul. Governs Medium and High assessments conducted by DIBCAC. The basic self-assessment tier that previously existed under 7020 was removed. Medium and High assessments, conducted by DCMA DIBCAC auditing teams in accordance with NIST SP 800-171A, remain unchanged. New solicitations will reference the new number; existing contracts may still reference 252.204-7020 until modified.
Defense Industrial Base. The network of over 300,000 private-sector companies and their subcontractors that provide products, services, and capabilities to the United States Department of Defense. The DIB includes prime contractors, subcontractors at all tiers, suppliers, and service providers across sectors including manufacturing, shipbuilding, aerospace, construction, IT services, engineering, and professional services. Any company in the DIB that handles FCI or CUI is subject to CMMC requirements. In San Diego, the DIB is heavily concentrated around installations such as NAVWAR, MCB Camp Pendleton, MCAS Miramar, NAS North Island, NAB Coronado, and 32nd Street Naval Station.
Defense Industrial Base Cybersecurity Assessment Center. The DCMA organization responsible for conducting Medium and High NIST SP 800-171 assessments of defense contractors, as well as CMMC Level 3 (Expert) assessments. DIBCAC also assesses C3PAOs seeking accreditation and has the authority to conduct assessments of any DIB contractor at any time to verify compliance with DFARS 7012 requirements, independent of the CMMC certification process.
CUI Enclave. A segmented portion of a network specifically configured, hardened, and secured to handle Controlled Unclassified Information (CUI), isolated from the rest of the organization’s general IT environment. Creating a CUI enclave reduces the scope of a CMMC assessment by limiting the number of systems, users, and physical locations that must meet the full 110 NIST 800-171 controls. Enclave strategies can significantly reduce compliance cost and complexity, but they require careful network architecture, access controls, and data flow management to maintain effective boundary separation.
False Claims Act. A federal law (31 U.S.C. §§ 3729–3733) imposing civil liability on persons and companies who knowingly submit false claims to the United States government. In the CMMC context, the False Claims Act is directly relevant because a corporate officer must legally attest to the accuracy of the organization’s SPRS self-assessment score. Submitting an inflated or inaccurate score — even through negligence rather than intent — can constitute a false claim, exposing the organization and its officers to significant financial penalties, treble damages, and potential debarment from federal contracting. This is why an honest, defensible SPRS score matters more than a high one.
Basic Safeguarding of Covered Contractor Information Systems. Formerly numbered FAR 52.204-21, renumbered effective February 1, 2026, under the Revolutionary FAR Overhaul. Establishes 15 basic cybersecurity requirements for all federal contractors, not just defense. Applies to any contract involving Federal Contract Information (FCI). The requirements themselves did not change, only the clause number. During the transition period, existing contracts will reference 52.204-21 while new solicitations will reference 52.240-93.
Federal Contract Information. Information not intended for public release that is provided by or generated for the government under contract. FCI triggers CMMC Level 1 requirements — 17 basic security practices with annual self-assessment. Examples include contract performance reports, delivery schedules, invoices and billing data submitted to the government, internal project management documents related to a federal contract, and procurement correspondence. FCI is less sensitive than CUI but still requires protection. Many contractors who believe they only handle FCI discover during a data flow analysis that CUI is also present in their environment.
Federal Information Processing Standard Publication 140-3. The current U.S. government standard for validating the security of cryptographic modules — the hardware and software components that perform encryption, decryption, hashing, and digital signature operations. CMMC requires that encryption used to protect CUI be FIPS-validated, meaning the specific cryptographic module has been tested and certified by an accredited laboratory. This affects your choice of VPN solutions, disk encryption, email encryption, and wireless security. Using encryption that is not FIPS-validated is a common compliance gap that can result in assessment findings.
Gap Analysis. A systematic assessment that compares an organization’s current cybersecurity posture against the specific controls required for its target CMMC level. A thorough gap analysis evaluates all applicable NIST 800-171 controls, documents which are fully implemented, partially implemented, or not implemented, and produces a prioritized remediation roadmap with realistic effort and cost estimates. The gap analysis is typically the first step in a CMMC engagement and establishes your baseline SPRS score. A gap analysis conducted by a credentialed practitioner with assessor-level expertise will identify issues that a generic checklist review would miss.
Lead Certified CMMC Assessor. The senior assessor who leads a C3PAO assessment team during an official CMMC Level 2 assessment. The Lead CCA oversees the assessment process, manages the assessment team, ensures consistency and fairness in evaluation criteria, and is ultimately responsible for the assessment report and certification recommendation. Lead CCA requirements include meeting all CCA prerequisites plus additional DoD experience and 8140.3 qualification requirements verified through a separate application process.
Managed Detection and Response. An advanced cybersecurity service that provides continuous 24/7 threat monitoring, detection, investigation, and response capabilities. MDR services combine human security analysts with automated detection technology to identify and respond to threats in real time. In the CMMC context, MDR services help satisfy multiple NIST 800-171 control families including Audit and Accountability (AU), Incident Response (IR), and System and Information Integrity (SI). When a C3PAO assessor asks how you detect and respond to security incidents, an MDR service provides the documented, auditable answer.
Multi-Factor Authentication. A security method requiring two or more independent verification factors to authenticate a user: something you know (password), something you have (hardware token, phone), or something you are (biometric). CMMC requires MFA for all access to systems handling CUI, and specifically requires phishing-resistant MFA — methods that cannot be defeated by social engineering attacks such as credential phishing. Phishing-resistant MFA typically means FIDO2 hardware security keys or certificate-based authentication, not SMS codes or push notifications alone. MFA implementation is one of the most impactful controls for reducing unauthorized access risk.
National Institute of Standards and Technology Special Publication 800-171. The 110 security controls required to protect Controlled Unclassified Information (CUI) in non-federal systems. These controls span 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. NIST 800-171 is the technical foundation for CMMC Level 2. If your contract requires CMMC Level 2, you are implementing these 110 controls.
Organization Seeking Certification. The formal term for a defense contractor undergoing the CMMC assessment process. As an OSC, your organization will engage a C3PAO to conduct your official assessment, provide evidence of control implementation, make personnel available for assessor interviews, and grant assessors access to your facilities and systems. The OSC is responsible for maintaining its certified status through ongoing compliance monitoring and, for Level 2, triennial reassessment.
Plan of Action and Milestones. A formal document identifying specific security gaps that have not yet been remediated, the tasks required to close each gap, responsible parties, and target completion dates. Under CMMC, a POAM allows an organization to receive a conditional certification for up to 180 days while remediating a limited number of non-critical findings. Not all practices are eligible for POAM treatment — certain controls must be fully implemented at the time of assessment. The POAM is a living document that must be actively managed and updated as remediation progresses.
Revolutionary FAR Overhaul (RFO). The largest single update to the Federal Acquisition Regulation in its 40-year history, launched under Executive Order 14275 in April 2025. Phase 1, effective February 1, 2026, consisted of 31 class deviations to the FAR and DFARS that restructured, renumbered, and in some cases deleted acquisition clauses. The stated goal is to rewrite the FAR in plain language and remove non-statutory rules. For cybersecurity specifically, the RFO deleted DFARS 252.204-7019, renumbered DFARS 252.204-7020 to 252.240-7997, and renumbered FAR 52.204-21 to 52.240-93. The core CMMC clauses (7012 and 7021) were not changed. Phase 2, involving formal notice-and-comment rulemaking, is expected throughout 2026. The RFO is an administrative restructuring, not a rollback of cybersecurity requirements.
Registered Practitioner. An individual certified by the Cyber AB to provide CMMC consulting, advisory, and pre-assessment readiness services to defense contractors. RPs help Organizations Seeking Certification (OSCs) understand CMMC requirements, identify gaps, build remediation plans, and prepare documentation. An RP can guide your implementation but cannot conduct your official C3PAO assessment. When evaluating a CMMC advisory firm, verify that their practitioners hold active RP credentials listed on the Cyber AB Marketplace.
Supplier Performance Risk System. The DoD database where contractor self-assessment scores are recorded and made available to contracting officers. Your SPRS score reflects your current implementation status against the 110 NIST 800-171 controls, on a scale from -203 to 110. A score of 110 means full implementation. Contracting officers can view your score when evaluating bids. Submitting an inaccurate SPRS score carries significant legal liability under the False Claims Act — a corporate officer must legally attest to the accuracy of the submission. We generate a defensible SPRS score based on your actual security posture, not an optimistic estimate.
System Security Plan. The foundational compliance document that describes in detail how an organization implements each of the applicable NIST 800-171 security controls within its information system boundary. The SSP documents your network architecture, data flows, system boundaries, hardware and software inventory, personnel roles, and the specific technical and procedural measures in place for each control. It is typically the first document a C3PAO assessment team requests. An incomplete, inaccurate, or template-based SSP is one of the most common reasons organizations fail assessments. Your SSP must reflect your actual environment, not a generic template with your company name inserted.
Cyber AB. Formerly the CMMC Accreditation Body (CMMC-AB). The official organization authorized by the Department of Defense to oversee the entire CMMC ecosystem. The Cyber AB accredits C3PAOs, credentials individual practitioners (CCP, CCA, Lead CCA), certifies Registered Practitioners (RPs), approves training providers (ATPs), and maintains the CMMC Marketplace where certified organizations and credentialed individuals are listed. The Cyber AB operates independently from the DoD but under its authorization.
Need help understanding how these frameworks apply to your specific contracts and environment? Our discovery call is free and takes thirty minutes.