CMMC drowns small contractors in acronyms. Here are the ones that actually matter, defined plainly — each links to a deeper guide or a free tool where it helps.
Affirmation
A formal attestation, entered in SPRS by a senior company official, that the organization meets its CMMC requirements. It is made after each assessment, after any POA&M closeout, and annually thereafter. It carries real accountability: affirming compliance you don't have creates False Claims Act exposure. See the annual affirmation.
Assessment Objective
The specific determination statements in NIST SP 800-171A that an assessor checks for each control. A control isn't "met" in the abstract — each of its objectives must be satisfied. Your SSP narrative should map to them.
C3PAO
CMMC Third-Party Assessment Organization (older material says Certified Third-Party Assessor Organization). An organization authorized by the Cyber AB to conduct official CMMC Level 2 certification assessments. Required when your contract calls for certification rather than self-assessment. See self-assessment vs C3PAO.
CMMC
Cybersecurity Maturity Model Certification — the DoD program that verifies defense contractors protect federal information. It enforces existing standards (NIST 800-171 for Level 2) through self-assessment or third-party certification, phased in from November 2025 through 2028.
CMMC Levels
Level 1 protects FCI with the 15 basic safeguarding requirements of FAR 52.204-21 (annual self-assessment). Level 2 protects CUI with all 110 NIST SP 800-171 Rev 2 requirements (annual self-assessment or a C3PAO certification valid for three years, depending on the contract). Level 3 adds 24 requirements from NIST SP 800-172 for the most sensitive programs, requires a Level 2 certification first, and is assessed by the government (DCMA DIBCAC).
CUI (Controlled Unclassified Information)
Government information that requires safeguarding but isn't classified. Handling CUI is what pushes you to CMMC Level 2 and the full NIST 800-171 standard. Figuring out whether CUI touches your systems is the first scoping question — see asset scoping.
Cyber AB
The Cyber AB, formerly the CMMC Accreditation Body (CMMC-AB): the organization the DoD designated to accredit C3PAOs and certify assessors for the CMMC ecosystem.
DFARS 252.204-7021
The DFARS clause that implements CMMC. When it appears in a solicitation, it states the CMMC level and assessment type the contract requires, and you must hold that status in SPRS at award and keep it for the life of the contract. It became effective November 10, 2025. It complements DFARS 252.204-7012, which has required NIST SP 800-171 since 2017, and 252.204-7019/7020, which require a current score in SPRS.
DIBCAC
The Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center: the government body that conducts CMMC Level 3 assessments and the Medium and High NIST SP 800-171 DoD assessments under DFARS 252.204-7020.
DoD Assessment Methodology
The NIST SP 800-171 DoD Assessment Methodology (Version 1.2.1): the scoring system behind your SPRS score. You start at 110 and subtract each unimplemented requirement's weight of 1, 3, or 5 points, giving a range of +110 to −203. Two requirements get partial credit (3.5.3 MFA and 3.13.11 FIPS-validated encryption lose 3 points instead of 5 when partly met), and an unimplemented requirement costs the same whether or not it is on a POA&M.
Enclave
A deliberately small, segmented environment where you keep all CUI, so only that boundary must meet the controls. Scoping CUI into an enclave is usually the single biggest lever for cutting compliance cost and effort, but the boundary has to hold: anything that stores, processes or transmits CUI, or that provides security for those assets, is in scope regardless of where it sits. See asset scoping.
FCI (Federal Contract Information)
Information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service (FAR 52.204-21); information the government publishes and simple transactional data such as payment details are excluded. Handling FCI but not CUI puts you at CMMC Level 1.
FIPS-validated encryption
Encryption performed by a cryptographic module that holds a current NIST CMVP validation certificate under FIPS 140-2 or 140-3 and is running in its validated (FIPS) mode. NIST SP 800-171 control 3.13.11 requires it whenever you use cryptography to protect the confidentiality of CUI. "Encrypted" isn't enough, and "FIPS-compliant" marketing language isn't either: check the module's CMVP certificate. Encryption that is in place but not FIPS-validated costs 3 SPRS points rather than the full 5.
GCC High
Microsoft 365 Government Community Cloud High: a Microsoft cloud environment, authorized at FedRAMP High, built to support CUI and ITAR data. Many contractors migrate CUI into GCC High to meet the controls, and it is a common and significant line item in the cost. The platform authorization covers Microsoft's side only; tenant configuration, identity, and endpoint controls remain yours to implement and document.
MFA (Multifactor Authentication)
Requiring more than a password to authenticate. One of the highest-impact controls: NIST SP 800-171 3.5.3 requires it for local and network access to privileged accounts and for network access to non-privileged accounts. Phishing-resistant factors (FIDO2/WebAuthn, PIV/CAC) are strongly preferred over SMS or voice codes. MFA that covers only remote and privileged users scores 3 points off rather than 5, but it cannot be left open on a POA&M under CMMC.
NIST SP 800-171
The National Institute of Standards and Technology standard defining 110 security requirements for protecting CUI in nonfederal systems. It is the basis for CMMC Level 2. Revision 3 was published in 2024, but Revision 2 remains the basis for CMMC assessment and SPRS scoring.
NIST SP 800-171A
The companion assessment guide to 800-171 — it breaks each control into the specific assessment objectives an assessor verifies. Writing your SSP to 800-171A is what makes it defensible.
POA&M
Plan of Action and Milestones: the document tracking each requirement you haven't met yet, how you'll fix it, and by when. The companion to your SSP. Under CMMC Level 2 an open POA&M earns only a conditional status: you need a score of at least 88 of 110, the open items are limited to 1-point requirements (3.13.11 scored at 3 is the one exception), and they must be closed out within 180 days. See what a POA&M is.
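How the subtract-from-110 scoring described under DoD Assessment Methodology and the POA&M conditions described here fit together, as an added example (this is not the page's calculator and not DoD's code). It implements the methodology's weighting with the two partial-credit cases and the two numeric conditions 32 CFR 170.21 sets for a Level 2 POA&M. The per-requirement weights and the statuses are a constructed sample: take the real weights from Annex A of the methodology before relying on the result, and note that the rule's short list of 1-point requirements that may never be on a POA&M is not modeled.

```python
"""SPRS-style scoring of a NIST SP 800-171 Rev 2 self-assessment (added example)."""

MAX_SCORE = 110          # every requirement implemented
MFA_REQ = "3.5.3"        # partial credit: MFA for remote/privileged but not general users
FIPS_REQ = "3.13.11"     # partial credit: encryption in use but not FIPS-validated
SSP_REQ = "3.12.4"       # no point value; without an SSP there is no assessment at all

# Constructed sample of requirement weights (1, 3 or 5; None = no point value).
# Replace with the full table from Annex A of the DoD Assessment Methodology.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.7": 1,
    MFA_REQ: 5, "3.12.1": 5, "3.12.2": 3, SSP_REQ: None,
    FIPS_REQ: 5, "3.14.1": 5,
}

# Constructed sample status: "implemented", "not_implemented", or "partial"
# (partial is only meaningful for 3.5.3 and 3.13.11).
SAMPLE_STATUS = {
    "3.1.1": "implemented", "3.1.2": "implemented",
    "3.1.3": "not_implemented", "3.1.7": "not_implemented",
    MFA_REQ: "partial", "3.12.1": "implemented", "3.12.2": "implemented",
    SSP_REQ: "implemented", FIPS_REQ: "partial", "3.14.1": "implemented",
}


class AssessmentIncomplete(Exception):
    """Raised when 3.12.4 (the SSP) is missing: the methodology yields no score."""


def score(weights, status):
    """Return (score, deductions) where deductions is a list of (requirement, points).

    A requirement absent from `status` counts as not implemented; being on a
    POA&M earns no credit, so the caller should not pre-filter planned work.
    """
    if status.get(SSP_REQ) != "implemented":
        raise AssessmentIncomplete("3.12.4: no SSP, assessment cannot be completed")
    total = MAX_SCORE
    deductions = []
    for req, weight in weights.items():
        if weight is None:          # 3.12.4 carries no point value
            continue
        state = status.get(req, "not_implemented")
        if state == "implemented":
            continue
        if state == "partial":
            if req not in (MFA_REQ, FIPS_REQ):
                raise ValueError(f"{req}: partial credit exists only for 3.5.3 and 3.13.11")
            points = 3              # the methodology's reduced deduction
        elif state == "not_implemented":
            points = weight
        else:
            raise ValueError(f"{req}: unknown status {state!r}")
        total -= points
        deductions.append((req, points))
    return total, deductions


def poam_allowed(score_value, deductions, total_requirements=110):
    """Apply the two numeric POA&M conditions of 32 CFR 170.21 for Level 2.

    (i) score / total requirements >= 0.8 (88 of 110), and
    (ii) no open item worth more than 1 point, except 3.13.11 scored at 3.
    The rule's list of specific 1-point requirements that can never be on a
    POA&M is not modeled here.
    """
    if score_value / total_requirements < 0.8:
        return False
    for req, points in deductions:
        if points > 1 and not (req == FIPS_REQ and points == 3):
            return False
    return True


if __name__ == "__main__":
    s, d = score(SAMPLE_WEIGHTS, SAMPLE_STATUS)
    print(f"score {s}, deductions {d}, POA&M allowed: {poam_allowed(s, d)}")
    # Same posture with MFA fully implemented: partial 3.13.11 alone is POA&M-eligible.
    s2, d2 = score(SAMPLE_WEIGHTS, {**SAMPLE_STATUS, MFA_REQ: "implemented"})
    print(f"score {s2}, deductions {d2}, POA&M allowed: {poam_allowed(s2, d2)}")
```

The two runs in the block show the asymmetry that catches people: both partial-credit cases cost 3 points, but only 3.13.11 at 3 points may stay open on a POA&M, so a score well above 88 still fails the conditional-status test while 3.5.3 is only partly done.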
SPRS
Supplier Performance Risk System: the DoD system where you report your NIST SP 800-171 self-assessment score, the date of the assessment, and the date by which you expect all 110 requirements to be implemented, and where your CMMC status and affirmations are recorded. Calculate yours free with the SPRS calculator.
SSP (System Security Plan)
The master document describing your CUI system, its boundary, and how it meets each of the 110 requirements, ideally written to the 800-171A assessment objectives. Required by control 3.12.4; without it, the assessment methodology says an assessment cannot be completed, so there is no score at all. Learn more in what is an SSP, or draft one with the free SSP generator.
Put the terms to work
You now know the vocabulary — see where you actually stand. The free calculator scores you against all 110 controls in about 10 minutes.
Calculate your SPRS score →