Twenty-four terms, defined the way they’re actually used in CMMC’s machinery — with why each one matters and what it commonly gets confused with. Alphabetical order; look-up, not reading order.
Living page
This glossary grows as the rest of the desk publishes. The entries below cover the desk’s core vocabulary — the machinery, the data types, the scoping categories. Family-page and assessment vocabulary arrive with a later update, with their own citations.
Acronym quick-reference
Acronym
Full term
C3PAO
CMMC Third-Party Assessment Organization
CAICO
CMMC Assessor and Instructor Certification Organization
CMMC
Cybersecurity Maturity Model Certification
COTS
Commercial Off-The-Shelf
CRMA
Contractor Risk Managed Asset
CSP
Cloud Service Provider
CUI
Controlled Unclassified Information
DCMA
Defense Contract Management Agency
DFARS
Defense Federal Acquisition Regulation Supplement
DIBCAC
Defense Industrial Base Cybersecurity Assessment Center
DIBNet
Defense Industrial Base Network
DoD
Department of Defense
eMASS
Enterprise Mission Assurance Support Service
ESP
External Service Provider
FAR
Federal Acquisition Regulation
FCI
Federal Contract Information
FedRAMP
Federal Risk and Authorization Management Program
NIST
National Institute of Standards and Technology
OSA
Organization Seeking Assessment
OSC
Organization Seeking Certification
POA&M
Plan of Action and Milestones
SPRS
Supplier Performance Risk System
SSP
System Security Plan
A
Affirmation / Affirming Official
An affirmation is a signed representation, submitted in SPRS, that an organization continues to meet the security requirements for its CMMC Status. The Affirming Official is the senior-level representative responsible for making it — someone with the authority to know whether the representation is true.
Why it matters: Affirmations are required annually at every level, and again at POA&M closeout. They are representations to the government, not just a compliance checkbox — a false one carries False Claims Act exposure.
Commonly confused with: The assessment itself. An assessment measures a point-in-time score. An affirmation is an ongoing promise that nothing has changed since.
A set of determination statements that, together, express what “meeting” a specific security requirement actually looks like. An assessor works through the applicable objectives to decide MET or NOT MET.
Why it matters: The 110 requirements in NIST SP 800-171 are the what. The assessment objectives in 800-171A are how an assessor checks it — reading only the requirement text and guessing at an assessor’s checklist is a common, avoidable mistake.
Commonly confused with: The requirement itself. 3.5.3 (multifactor authentication) is a requirement; the objectives under it are the specific things an assessor examines, interviews, or tests to confirm it.
An organization accredited by the Cyber AB to conduct Level 2 certification assessments.
Why it matters: If a contract requires Level 2 (C3PAO) rather than Level 2 (Self), a C3PAO is who performs it — not DCMA DIBCAC, and not an assessor outside the accredited pool.
Commonly confused with: DCMA DIBCAC, which is a government assessor for Level 3, not a private accredited organization.
Source: 32 CFR 170.4, 170.9
CAICO CMMC Assessor and Instructor Certification Organization
The organization responsible for training, testing, certifying, and recertifying the individual CMMC-certified assessors, instructors, and professionals who staff C3PAOs.
Why it matters: CAICO certifies people; the Cyber AB accredits organizations. The two are often mentioned together and do different jobs.
Commonly confused with: The Cyber AB itself, which oversees CAICO but is a separate role in the ecosystem.
Source: 32 CFR 170.4, 170.10
CMMC Status
The recorded result of an assessment — Final or Conditional, at Level 1 (Self), Level 2 (Self or C3PAO), or Level 3 (DIBCAC). Officially stored in SPRS, and additionally shown on a certificate if a C3PAO or DIBCAC performed the assessment.
Why it matters: CMMC Status is the actual contractual trigger. DFARS 252.204-7021 requires a contractor to have and maintain a current CMMC Status at a specified level — not merely to be compliant in the abstract.
Commonly confused with: A score. A score is a number; a Status is the recorded outcome that the score, plus POA&M rules, produces.
Source: 32 CFR 170.4; DFARS 252.204-7021(a)
Conditional vs. Final status
Conditional status means the assessed score met the threshold but some NOT MET items remain open on a POA&M. Final status means either everything is MET outright, or a Conditional status’s POA&M items have been closed out.
Why it matters: Conditional status is time-limited — a Level 2 POA&M has 180 days to close before it lapses — and DFARS 252.204-7021 treats Conditional and Final status as having different “current” shelf lives (180 days vs. up to three years).
Commonly confused with: Passing vs. failing. Conditional is not a failing grade; it is a defined, time-boxed status with its own rules, not an assessment failure.
A commercial item, sold in substantial quantities to the general public, offered to the government without modification in the same form it is sold commercially.
Why it matters: Contracts exclusively for COTS items are the one clear exemption named directly in the CMMC applicability rule. Everything else touching FCI or CUI above the micro-purchase threshold is in scope.
Commonly confused with: Any commercial product. A commercial item modified for a government buyer, or bundled with a service component, does not automatically stay COTS — the exemption is narrow.
Source: 32 CFR 170.3(c); FAR 2.101
CRMA Contractor Risk Managed Asset
An asset category from the Level 2 Scoping Guide: assets that can, but are not intended to, process, store, or transmit CUI, and are managed using the contractor’s own risk-based security practices rather than fully assessed like a CUI Asset.
Why it matters: Getting this category right changes how much of an environment actually needs to be assessed — one of the five categories that make up a Level 2 CMMC Assessment Scope.
Commonly confused with: Out-of-Scope Assets, which cannot process, store, or transmit CUI at all. CRMAs technically could, which is exactly why they need a documented risk-management rationale.
An external company providing cloud computing services — on-demand, shared, rapidly provisioned computing resources.
Why it matters: A CSP that stores, processes, or transmits CUI has its own bar to clear: FedRAMP Moderate authorization, or an accepted equivalency.
Commonly confused with: ESP. Every CUI-handling CSP is a kind of external service provider, but CSPs face the FedRAMP-specific requirement that non-CSP ESPs don’t.
Information the government creates or possesses, or that an entity creates or possesses on the government’s behalf, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Why it matters: CUI is what triggers Level 2 or Level 3, rather than Level 1. What counts as CUI on a given contract is normally marked or specified — see the Data page.
Commonly confused with: FCI, a broader and less sensitive bar that triggers only Level 1. Not all sensitive-feeling information is CUI in the regulatory sense.
Source: 32 CFR 2002.4(h); 32 CFR 170.4
Cyber AB The Accreditation Body
The single organization DoD contracts with to accredit C3PAOs and oversee CAICO’s certification of individual assessors.
Why it matters: There is only one Accreditation Body for the program at any given time — the reason “accredited” means something specific in CMMC, not a marketing claim.
Commonly confused with: A C3PAO. The Cyber AB accredits; it does not itself perform assessments.
Source: 32 CFR 170.4, 170.8
D
DIBCAC DCMA’s Defense Industrial Base Cybersecurity Assessment Center
The government assessment arm, inside the Defense Contract Management Agency. Conducts Level 3 certification assessments and higher-confidence Level 2 government assessments.
Why it matters: If a contract needs Level 3, DIBCAC — not a C3PAO — performs the assessment, and Final Level 2 (C3PAO) on the same scope is a prerequisite before that can even start.
Commonly confused with: C3PAO. DIBCAC is government; C3PAOs are private organizations accredited by the Cyber AB.
Source: 32 CFR 170.4
DIBNet DIB cyber-incident reporting
The DoD reporting path for cyber incidents required under DFARS 252.204-7012, now operated as part of DC3’s Defense Industrial Base Collaborative Information Sharing Environment (DCISE). Reports are filed through the Incident Collection Format within 72 hours of discovery.
Why it matters: The 72-hour reporting clock in 7012 is a contractual obligation that exists independent of CMMC’s assessment machinery — a reporting duty, not an assessment requirement, running on its own timeline.
Commonly confused with: A CMMC reporting requirement. This reporting duty comes from DFARS 252.204-7012, a companion clause, not from 32 CFR Part 170 itself.
Source: DFARS 252.204-7012
E
Enclave scoping strategy
A logically or physically separated part of a network, built to contain where CUI lives and travels, so the CMMC Assessment Scope can be smaller than the whole company.
Why it matters: A well-built enclave can meaningfully shrink what has to be assessed. It trades a smaller boundary for more operational discipline about what stays inside it — the Boundary page covers the trade-offs.
Commonly confused with: Something that automatically shrinks the assessment. An enclave only shrinks scope if CUI, and the systems that touch it, genuinely stay inside the boundary drawn.
Source: CMMC Level 2 Scoping Guidance
ESP External Service Provider
External people, technology, or facilities an organization uses for IT or cybersecurity services. Under CMMC, an ESP only counts as an ESP if CUI or Security Protection Data is actually processed, stored, or transmitted on its assets.
Why it matters: A non-CSP ESP does not make the client’s responsibility disappear. Its services, responsibility matrix, and the client infrastructure that connects to it become part of the assessment story, not a way around the assessment.
Commonly confused with: A CSP, which is a specific kind of ESP (cloud computing) that carries an added FedRAMP-related requirement.
Information not intended for public release, provided by or generated for the government under a contract to develop or deliver a product or service — not information the government itself publishes, and not simple transactional data like payment-processing details.
Why it matters: FCI alone triggers Level 1: the 15 requirements in FAR 52.204-21, self-assessed, no POA&M allowed. It is a lower and more common bar than CUI — most DoD contractors handle at least FCI.
Commonly confused with: CUI. FCI is broader and less sensitive; CUI is narrower, specifically categorized, and triggers Level 2 or 3 instead.
Source: 48 CFR 4.1901; FAR 52.204-21
FedRAMP equivalency
A path by which a Cloud Service Provider handling CUI can meet the CMMC scoping requirement without a full FedRAMP Moderate authorization, by demonstrating security equivalent to it.
Why it matters: Not every CSP a contractor uses will hold formal FedRAMP Moderate authorization. Equivalency is the alternative route the rule provides, and it changes what a contractor needs to verify from a cloud vendor.
Commonly confused with: Full FedRAMP Moderate authorization. Equivalency is a documented alternative, not the same authorization under a different name.
Source: 32 CFR 170.19; CMMC Briefing, FedRAMP Authorization and Equivalency (DoD CIO, Feb 2025)
Flow-down
The mechanism by which a CMMC requirement in a prime contract passes down to subcontractors — at the CMMC level appropriate to what the subcontractor itself will handle, not automatically the prime’s level.
Why it matters: A sub-of-a-sub does not inherit the prime’s exact requirement; it inherits a requirement sized to what flows to its own tier. Primes are responsible for flowing the correct level down and verifying subcontractor status before award.
Commonly confused with: Everyone in a supply chain needing the same level. In practice a Level 2 prime may have Level 1 subcontractors, if that is genuinely all those subs touch.
The three determination outcomes an assessor records for each requirement. MET means the objectives were satisfied; NOT MET means they weren’t; N/A means the requirement genuinely does not apply to the assessed environment.
Why it matters: NOT MET items are what a POA&M exists to manage — and at Level 2, only 1-point NOT MET items generally qualify, with the SC.L2-3.13.11 exception at 3 points.
Commonly confused with: Pass/fail at the whole-assessment level. MET/NOT MET is scored per requirement; the overall Conditional/Final status is a separate calculation built from all of them together.
Source: NIST SP 800-171A; 32 CFR 170.24
O
OSA vs. OSC Organization Seeking Assessment / Organization Seeking Certification
An OSA is any organization undergoing a self-assessment or certification assessment, for any CMMC Status. An OSC is specifically an organization seeking a certification assessment — Level 2 (C3PAO) or Level 3 (DIBCAC). Every OSC is an OSA; not every OSA is an OSC.
Why it matters: The distinction shows up directly in the guides — a document written for “OSCs” is about the certification path specifically, not self-assessment.
Commonly confused with: Each other, constantly. They’re a one-letter difference describing overlapping but not identical groups.
Source: 32 CFR 170.4
P
POA&M Plan of Action and Milestones
A document identifying NOT MET requirements still to be remediated, the resources needed, and the completion date — used to reach Conditional status when a small number of gaps remain.
Why it matters: POA&M is not a general deferral mechanism. At Level 2 it requires a score of at least 88, applies only to 1-point requirements (with one named exception), and closes within 180 days or the Conditional status lapses.
Commonly confused with: An open-ended extension. It is a bounded, scored, time-limited mechanism, not a way to defer arbitrary gaps.
Source: 32 CFR 170.21, 170.4
S
Specialized Asset
One of five CMMC asset categories: Government Furnished Equipment, IoT/IIoT, Operational Technology, Restricted Information Systems, or Test Equipment.
Why it matters: Specialized Assets are documented in the SSP rather than fully remediated the way a CUI Asset is in many cases — “enduring exceptions” exist specifically because some of these can’t be patched or reconfigured like ordinary IT.
Commonly confused with: Out-of-scope IT. Specialized Assets are explicitly named and documented as part of the scope conversation; they aren’t simply excluded.
The DoD system of record where CMMC scores, statuses, and affirmations are officially posted and stored.
Why it matters: A contracting officer checking whether a contractor meets a contract’s CMMC requirement is, in practice, checking SPRS. If a status isn’t current there, it doesn’t matter what happened during the assessment.
Commonly confused with: eMASS. C3PAO/DIBCAC assessment results are filed through the CMMC instance of eMASS; SPRS is the system a contracting officer actually references for status.
Source: 32 CFR 170.4; DFARS 252.204-7019, -7021
SSP System Security Plan
The formal document describing an information system’s boundary, its environment, and how each security requirement is implemented or planned.
Why it matters: The SSP is the document the rest of the program hangs on — CA.L2-3.12.4 is the requirement that an SSP exist at all, and assessors verify practices against what it says.
Commonly confused with: A POA&M. The SSP describes the system as it is, or is planned to be; the POA&M tracks what is specifically not yet MET and the plan to close it.