CMMC Acronyms

Here are some of the most common acronyms related to the Cybersecurity Maturity Model Certification (CMMC) mandate:

CDI (Covered Defense Information)

A subset of CUI that requires enhanced security controls to protect against unauthorized access.

CMMC (Cybersecurity Maturity Model Certification)

A framework developed by the Department of Defense (DoD) to assess and enhance the cybersecurity capabilities of contractors and subcontractors working with the DoD. CMMC 1.0 consists of five maturity levels, each representing a set of cybersecurity practices and processes.

CMMC-AB (CMMC Accreditation Body)

The organization responsible for accrediting C3PAOs and training assessors.

CUI (Controlled Unclassified Information)

Information that requires safeguarding or dissemination controls, as defined by federal law, regulation, or government policy.

DFARS (Defense Federal Acquisition Regulation Supplement)

A set of regulations used by the DoD to supplement the Federal Acquisition Regulation (FAR) in the acquisition process.

DoD (Department of Defense)

The United States Department of Defense, responsible for coordinating and supervising all agencies and functions of the government related to national security and the military.

FAR (Federal Acquisition Regulation)

A set of regulations used by federal agencies to govern the acquisition process for goods and services.

FedRAMP (Federal Risk and Authorization Management Program)

A U.S. government program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services.

FCI (Federal Contract Information)

Information that is not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government.

NARA (National Archives and Records Administration)

An independent agency of the U.S. government responsible for preserving and documenting government and historical records.

NIST (National Institute of Standards and Technology)

A U.S. federal agency that develops and issues standards and guidelines, including those related to cybersecurity.

OSBP (Office of Small Business Programs)

A program within the DoD that advocates for small businesses and provides resources to help them compete for DoD contracts.

POA&M (Plan of Action and Milestones)

A document outlining the steps an organization will take to address and remediate identified security weaknesses and the associated timelines for completion.

POC (Point of Contact)

An individual or office designated as the primary contact for a specific matter or project.

RMF (Risk Management Framework)

A set of information security standards and guidelines that help organizations manage and mitigate cybersecurity risk.

RTM (Requirements Traceability Matrix)

A document that links requirements throughout the development and testing phases of a project.

SCA (System Component Audit)

An assessment of individual components within a system to ensure compliance with security requirements.

SPRS (Supplier Performance Risk System)

A system used by the DoD to assess and manage the performance risk of its suppliers.

SME (Subject Matter Expert)

An individual with specialized knowledge and expertise in a particular subject or field.

SP (Special Publication – NIST)

Publications issued by NIST that provide detailed guidance on various aspects of information security.

SSP (System Security Plan)

A comprehensive document that outlines an organization’s security policies, procedures, and controls for a specific system.

SSP (Security and Privacy Controls for Federal Information Systems and Organizations)

A publication by NIST providing guidance on selecting and implementing security controls for federal information systems.

C3PAO (CMMC Third-Party Assessor Organization)

Independent organizations authorized by the CMMC Accreditation Body (CMMC-AB) to conduct CMMC assessments.

Other CMMC Definitions

Assessment

The process of evaluating an organization’s cybersecurity practices against the requirements specified in the CMMC framework.

Certification

Official confirmation from a C3PAO that an organization has met the specified CMMC level.

Conformance

Adherence to the requirements specified in the CMMC framework.

Maturity Levels

Under CMMC 1.0 there are five levels (1-5); under CMMC 2.0 these have been consolidated into three levels (1-3). Each level represents increasing maturity and capability in implementing cybersecurity practices.