CMMC Glossary & Acronym Index

The acronyms and terms used across CMMC, NIST 800-171, DFARS, FAR, ITAR, EAR, and the broader DIB compliance ecosystem. Definitions are written for practical use, not legal precision — when precision matters, follow the linked authoritative source.

How to use: Skim or jump to a letter. Each entry includes the expanded form, a working definition, and (where applicable) a link to the most useful guide on this site or the authoritative external source. Cross-references between terms are linked inline.

A

AC Access Control
NIST SP 800-171 control family 3.1, the largest family with 22 requirements covering account management, least privilege, remote access, wireless, and mobile. The most-cited family in C3PAO findings.
AO Authorizing Official
The senior official who accepts the residual risk of operating an information system at a given security posture. In CMMC contexts, the AO is typically the senior official who signs the SPRS attestation.
AT Awareness and Training
NIST SP 800-171 control family 3.2 — three requirements covering security awareness training, role-based training, and insider threat awareness.
AU Audit and Accountability
NIST SP 800-171 control family 3.3 — nine requirements covering audit logging, log retention, log protection, time synchronization, and audit log review.
AUP Acceptable Use Policy
The organizational policy defining how personnel may use information systems and information. Typically signed by all personnel on hire and periodically reaffirmed.

B

BIS Bureau of Industry and Security
The Department of Commerce agency that administers the EAR. Responsible for the Commerce Control List and EAR licensing decisions. See the ITAR/EAR guide.
BYOD Bring Your Own Device
The pattern of employees using personally owned devices for work purposes. Under CMMC, BYOD access to in-scope systems must meet the same controls as corporate-owned devices, which is rarely operationally feasible.

C

C3PAO Certified Third-Party Assessment Organization
An organization authorized by the Cyber AB to perform CMMC Level 2 assessments and recommend certification. See Choosing a C3PAO.
CA Security Assessment
NIST SP 800-171 control family 3.12 — four requirements covering control assessment, POA&M maintenance, continuous monitoring, and the SSP.
CAGE Code Commercial and Government Entity Code
A five-character identifier assigned to organizations doing business with the US government. Used as the contractor identifier in SPRS and across DoD systems.
CAP CMMC Assessment Process
The Cyber AB's documented assessment methodology that C3PAOs follow during fieldwork. The current public version is CAP v2.0.
CCA Certified CMMC Assessor
An individual certified by the Cyber AB to lead CMMC assessments on behalf of a C3PAO. CCA candidates must hold an active CCP certification, hold a certification from the DoD 8140 list, complete the CAICO-approved CCA training, pass the CCA exam, be a US citizen, and have a favorable Tier 3 background determination.
CCL Commerce Control List
The list of items, software, and technology subject to EAR. Items are identified by Export Control Classification Number (ECCN). See the ITAR/EAR guide.
CCP Certified CMMC Professional
An individual certified by the Cyber AB at the practitioner level — supports CMMC assessments and consulting work, but does not lead assessments at the CCA level.
CDI Covered Defense Information
The DFARS-specific term for CUI received under or generated in support of a DoD contract. All CDI is CUI; not all CUI is CDI. See the CUI scoping guide.
CIS Benchmarks
Configuration baselines published by the Center for Internet Security. Commonly referenced as the configuration management baseline standard for CMMC compliance.
CM Configuration Management
NIST SP 800-171 control family 3.4 — nine requirements covering baseline configuration, change control, software allowlisting, and security impact analysis.
CMMC Cybersecurity Maturity Model Certification
The DoD's framework for assessing and certifying cybersecurity maturity of defense contractors. Currently in version 2.0; built primarily on NIST SP 800-171 Rev 2 (Level 2) and SP 800-172 (Level 3).
CMVP Cryptographic Module Validation Program
The NIST program that validates cryptographic modules against FIPS 140 standards. Required for cryptography used to protect CUI.
CRM Customer Responsibility Matrix
A document published by a cloud service provider mapping each NIST or FedRAMP control to the responsibility split — inherited, shared, or customer-responsible. See the vendor oversight guide.
CSP Cloud Service Provider
An entity that provides cloud computing services. Under CMMC, CSPs storing or processing CUI must meet the FedRAMP Moderate baseline or equivalent.
CTI Controlled Technical Information
A CUI category — technical information with military or space application that is subject to controls on access, use, and dissemination. The most common CUI category for engineering and manufacturing contractors.
CUI Controlled Unclassified Information
Government-created or government-owned information requiring safeguarding under a law, regulation, or government-wide policy. Categories are enumerated in the NARA CUI Registry. Triggers DFARS 252.204-7012 and CMMC Level 2.
Cyber AB Cyber Accreditation Body
The organization (formerly the CMMC-AB) that accredits C3PAOs and certifies individual assessors (CCAs, CCPs). Maintains the Marketplace directory.

D

DC3 DoD Cyber Crime Center
The DoD entity to which malicious software identified during a cyber incident is submitted, per DFARS 252.204-7012.
DCSA Defense Counterintelligence and Security Agency
DoD agency responsible for industrial security oversight, including operating DIBCAC for higher-level NIST 800-171 assessments.
DDTC Directorate of Defense Trade Controls
The State Department office that administers the ITAR. Operates the USML and ITAR registration and licensing.
DFARS Defense Federal Acquisition Regulation Supplement
The DoD-specific supplement to the Federal Acquisition Regulation. Contains the contract clauses (252.204-7012, -7019, -7020, -7021) that drive CMMC obligations.
DIB Defense Industrial Base
The collective of contractors and subcontractors that supply the Department of Defense. DoD's published estimate puts the DIB at approximately 220,000 organizations, of which roughly 140,000 will need only Level 1 self-assessment (handling FCI but no CUI) and approximately 80,000 will need Level 2 third-party (C3PAO) certification for handling CUI.
DIBCAC Defense Industrial Base Cybersecurity Assessment Center
The DCSA-operated entity that conducts higher-level NIST 800-171 assessments under DFARS 252.204-7020 and Level 3 CMMC assessments.
DIBNet
The DoD portal through which contractors submit cyber incident reports under DFARS 252.204-7012(c). Requires a DoD-issued external certificate and account, both of which must be obtained before an incident occurs.
DLP Data Loss Prevention
Technology that monitors and controls movement of sensitive data — commonly deployed at the email gateway, on endpoints, and at network egress points to prevent CUI from leaving the authorized environment.
DoD Department of Defense
The US executive department under which CMMC, DFARS 7012, and the bulk of defense contracting authority operate.

E

EAR Export Administration Regulations
The Commerce Department's regulatory framework controlling export of dual-use items, software, and technology. See the ITAR/EAR guide.
ECCN Export Control Classification Number
The five-character identifier assigned to items on the EAR Commerce Control List. Determines license requirements by item, destination country, end-user, and end-use.
EDR Endpoint Detection and Response
A class of endpoint security tools that combine antivirus, behavioral monitoring, and incident response capabilities. Often the implementation of multiple SI family requirements.
Entra ID
Microsoft's identity and access management platform (formerly Azure Active Directory). The IAM layer for Microsoft 365 and Azure environments, including GCC High.
ESP External Service Provider
An entity providing services that affect a contractor's CMMC compliance. CMMC Final Rule places oversight obligations on contractors with respect to ESPs and may require ESPs themselves to be CMMC certified. See the vendor oversight guide.

F

FAR Federal Acquisition Regulation
The primary regulation governing federal government acquisition. Contains FAR 52.204-21, the basic safeguarding clause that triggers CMMC Level 1.
FCI Federal Contract Information
Information not intended for public release that is provided by or generated for the government under a contract. The trigger for FAR 52.204-21 and CMMC Level 1.
FedRAMP Federal Risk and Authorization Management Program
The US government's authorization program for cloud services. CSPs holding CUI must meet the FedRAMP Moderate baseline or be demonstrably equivalent. See the enclave architecture guide.
FIPS Federal Information Processing Standards
NIST-published standards covering federal computing requirements. FIPS 140-2 and FIPS 140-3 govern cryptographic module validation; required for cryptography protecting CUI.
FOCI Foreign Ownership, Control, or Influence
The DoD assessment of whether a contractor is subject to foreign control that could affect its ability to safeguard classified or sensitive information. Relevant for contractors with non-US ownership or significant foreign business relationships.

G

GCC High Government Community Cloud High
Microsoft 365's CUI-eligible cloud environment, operated in US-only data centers with US-person personnel and FedRAMP High authorization. Suitable for ITAR-controlled CUI. Distinct from GCC (lower-tier) and commercial Microsoft 365 (not CUI-eligible). See the enclave architecture guide.
GovCloud
AWS GovCloud (US) — Amazon Web Services' CUI-eligible cloud region, operated by US-person personnel in US-only data centers. The AWS analog to Microsoft GCC High.

I

IA Identification and Authentication
NIST SP 800-171 control family 3.5 — eleven requirements covering user identification, MFA, password policy, and credential management.
IAM Identity and Access Management
The platform and processes by which users are identified, authenticated, and authorized to access information systems. Common implementations include Microsoft Entra ID, Okta, and Active Directory.
IR Incident Response
NIST SP 800-171 control family 3.6 — three requirements covering IR plan, IR capability, and IR plan testing. Closely tied to the DFARS 7012(c) 72-hour incident reporting obligation.
ISA Interconnection Security Agreement
A formal agreement between two organizations governing the security requirements of a system-to-system connection. Documented in SSP Section 8.
ISSO Information System Security Officer
The role responsible for day-to-day security operations of an information system. For small organizations, often the same person as the IT lead, but the role itself must be defined and named.
ITAR International Traffic in Arms Regulations
The State Department's regulatory framework controlling export of defense articles, services, and technical data. See the ITAR/EAR guide.

L

LMS Learning Management System
Software for managing security awareness training assignments, tracking completion, and producing the training records required for AT family evidence.

M

MA Maintenance
NIST SP 800-171 control family 3.7 — six requirements covering authorized maintenance, remote maintenance controls, sanitization before maintenance, and maintenance personnel supervision.
MDM Mobile Device Management
Technology for centrally managing mobile devices — common implementations include Microsoft Intune, Jamf, and VMware Workspace ONE. Often the enforcement layer for AC family mobile device controls.
MFA Multi-Factor Authentication
Authentication using two or more independent factors. Required by IA family controls for privileged access and remote access in CMMC Level 2 environments.
MFT Managed File Transfer
A platform pattern for secure file exchange between organizations. Common implementations for CUI workflows include Kiteworks, Axway, and Globalscape. See the enclave architecture guide.
MP Media Protection
NIST SP 800-171 control family 3.8 — nine requirements covering CUI marking, media handling, transport, sanitization, and destruction.
MSP Managed Service Provider
An external organization that operates and administers IT infrastructure on behalf of the contractor. Almost always falls in CMMC scope when the contractor handles CUI. See the vendor oversight guide.

N

NARA National Archives and Records Administration
The federal agency that maintains the authoritative CUI Registry — the official list of CUI categories.
NDA Non-Disclosure Agreement
A contractual mechanism for protecting confidential information shared between parties. Note that NDAs do not override the DFARS 7012 obligation to report cyber incidents to DoD within 72 hours.
NIST National Institute of Standards and Technology
The Department of Commerce agency that publishes the SP 800 series of cybersecurity standards, including SP 800-171, SP 800-172, and SP 800-53.
NISPOM National Industrial Security Program Operating Manual
The DoD manual governing protection of classified information by contractors. Operates parallel to but distinct from CMMC; CMMC governs CUI, NISPOM governs classified.

O

OSC Organization Seeking Certification
The contractor pursuing CMMC certification. Used in Cyber AB documentation to refer to the organization being assessed.
OSCAL Open Security Controls Assessment Language
A NIST-published machine-readable format (XML, JSON, YAML) for representing security control catalogs, profiles, SSPs, and assessment results. Increasingly relevant for compliance automation.

P

PE Physical Protection
NIST SP 800-171 control family 3.10 — six requirements covering facility access, visitor management, physical access logging, and alternate work site protection.
PII Personally Identifiable Information
Information that can be used to identify a specific individual. PII may itself be a CUI category and may also be subject to other privacy regimes (state breach laws, GDPR for international entities).
PKI Public Key Infrastructure
The system of certificate authorities, digital certificates, and key management that supports certificate-based authentication and encryption. Used in some IA family implementations and for some FIPS-validated cryptography.
PLM Product Lifecycle Management
A class of engineering software that manages product designs, drawings, and related technical data through their lifecycle. Common host of CUI in engineering and manufacturing organizations.
PMO CMMC Program Management Office
The DoD office that operates the CMMC program, issues certifications based on C3PAO recommendations, and publishes interpretive guidance.
POA&M Plan of Action and Milestones
The living tracker of compliance gaps and the planned remediation actions. Required by NIST SP 800-171 control 3.12.2 and a centerpiece of ongoing compliance management. See the maintenance guide.
PS Personnel Security
NIST SP 800-171 control family 3.9 — two requirements covering pre-employment screening for CUI access and personnel termination/transfer procedures.

R

RA Risk Assessment
NIST SP 800-171 control family 3.11 — three requirements covering periodic risk assessment, vulnerability scanning, and vulnerability remediation.
ROC Report on Conformity
The formal report produced by a C3PAO at the conclusion of an assessment, documenting findings and a certification recommendation. Submitted to the CMMC PMO for the certification decision.
RPO Registered Practitioner Organization
An organization that employs Registered Practitioners (RPs) — individuals trained on CMMC who provide consulting and advisory services. RPOs are not C3PAOs and cannot perform certification assessments.

S

SC System and Communications Protection
NIST SP 800-171 control family 3.13 — sixteen requirements covering network boundary protection, encryption, segmentation, and cryptographic key management.
SI System and Information Integrity
NIST SP 800-171 control family 3.14 — seven requirements covering patch management, malware protection, security alert monitoring, and system monitoring.
SIEM Security Information and Event Management
A class of platforms that aggregate, correlate, and analyze audit logs and security events across systems. Common implementations include Splunk, Microsoft Sentinel, and Elastic Security. Often the technical implementation of multiple AU and SI family requirements.
SP Special Publication
NIST's series of cybersecurity publications. The 800 series covers information security topics; 800-171, 800-172, and 800-53 are the most directly relevant to CMMC.
SPRS Supplier Performance Risk System
The DoD system that holds contractor self-assessment scores, the annual senior official affirmation, and other supplier performance data. Posting and maintaining an SPRS score is required under DFARS 252.204-7019 (notice clause) and DFARS 252.204-7020 (assessment requirements clause, which has its own subcontractor flow-down). Under the CMMC Final Rule, the annual senior official affirmation lives at 32 CFR §§ 170.16 / 170.17 and is also recorded in SPRS.
SSP System Security Plan
The authoritative document describing an information system, its boundary, the controls implemented, and the inheritance from external providers. The central artifact of CMMC compliance. See the SSP guide.
STIG Security Technical Implementation Guide
DoD-published configuration baselines for specific operating systems and applications. The higher-rigor alternative to CIS Benchmarks for many DoD-aligned environments.

T

TAA Technical Assistance Agreement
An ITAR licensing instrument that authorizes the export of ITAR-controlled defense services or technical data to a specified foreign person. Used to authorize foreign-national engineer access to ITAR data within the US.

U

USML United States Munitions List
The list of defense articles, services, and technical data subject to ITAR. Items are identified by USML category (I through XXI). Items appear on the USML or the EAR's CCL, generally not both.
US Person
Under ITAR (22 CFR 120.62): a US citizen, US lawful permanent resident, or certain protected individuals. Foreign nationals working in the US on visas (H-1B, L-1, OPT) are not US persons under ITAR. Critical for ITAR access controls. See the ITAR/EAR guide.

V

VDI Virtual Desktop Infrastructure
A pattern in which user desktops run as virtual machines in a centralized environment, with the user accessing the desktop from a thin client or local endpoint. A common CUI enclave architecture pattern. See the enclave architecture guide.
VLAN Virtual Local Area Network
A network segmentation mechanism implemented at the data link layer. Often used to separate in-scope CUI systems from general-use network segments as part of SC family boundary protection.
VPN Virtual Private Network
An encrypted tunnel for remote access or site-to-site connectivity. Common implementation of remote access requirements in the AC family.

Missing a term? The terms here are the ones most contractors encounter. The full vocabulary of CMMC, NIST 800-171, and the broader DIB compliance space is much larger. The NIST Computer Security Resource Center glossary is the authoritative reference for security terms generally; the DoD CIO CMMC site defines CMMC-specific terms.