CMMC Acronyms

Here are some of the most common acronyms related to the Cybersecurity Maturity Model Certification (CMMC) mandate:

CMMC (Cybersecurity Maturity Model Certification)

A framework developed by the Department of Defense (DoD) to assess and enhance the cybersecurity capabilities of contractors and subcontractors working with the DoD. CMMC consists of five maturity levels, each representing a set of cybersecurity practices and processes.

DoD (Department of Defense)

The United States Department of Defense, responsible for coordinating and supervising all agencies and functions of the government related to national security and the military.

CUI (Controlled Unclassified Information)

Information that requires safeguarding or dissemination controls, as defined by federal law, regulation, or government policy.

FCI (Federal Contract Information)

Information that is not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government.

NIST (National Institute of Standards and Technology)

A U.S. federal agency that develops and issues standards and guidelines, including those related to cybersecurity.

DFARS (Defense Federal Acquisition Regulation Supplement)

A set of regulations used by the DoD to supplement the Federal Acquisition Regulation (FAR) in the acquisition process.

POA&M (Plan of Action and Milestones)

A document outlining the steps an organization will take to address and remediate identified security weaknesses and the associated timelines for completion.

SCA (System Component Audit)

An assessment of individual components within a system to ensure compliance with security requirements.

SSP (System Security Plan)

A comprehensive document that outlines an organization’s security policies, procedures, and controls for a specific system.

RMF (Risk Management Framework)

A set of information security standards and guidelines that help organizations manage and mitigate cybersecurity risk.

SP (Special Publication – NIST)

Publications issued by NIST that provide detailed guidance on various aspects of information security.

C3PAO (Third-Party Assessor Organization)

Independent organizations authorized by the CMMC Accreditation Body (CMMC-AB) to conduct CMMC assessments.

CMMC-AB (CMMC Accreditation Body)

The organization responsible for accrediting C3PAOs and training assessors.

FedRAMP (Federal Risk and Authorization Management Program)

A U.S. government program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services.

SSP (Security and Privacy Controls for Federal Information Systems and Organizations)

A publication by NIST providing guidance on selecting and implementing security controls for federal information systems.

SIM (Supplier Performance Risk System)

A system used by the DoD to assess and manage the performance risk of its suppliers.

NARA (National Archives and Records Administration)

An independent agency of the U.S. government responsible for preserving and documenting government and historical records.

OSBP (Office of Small Business Programs)

A program within the DoD that advocates for small businesses and provides resources to help them compete for DoD contracts.

FAR (Federal Acquisition Regulation)

A set of regulations used by federal agencies to govern the acquisition process for goods and services.

CDI (Covered Defense Information)

A subset of CUI that requires enhanced security controls to protect against unauthorized access.

RTM (Requirements Traceability Matrix)

A document that links requirements throughout the development and testing phases of a project.

POC (Point of Contact)

An individual or office designated as the primary contact for a specific matter or project.

SME (Subject Matter Expert)

An individual with specialized knowledge and expertise in a particular subject or field.

Other CMMC Definitions


Assessment

The process of evaluating an organization’s cybersecurity practices against the requirements specified in the CMMC framework.


Certification

Official confirmation from a C3PAO that an organization has met the specified CMMC level.


Compliance

Adherence to the requirements specified in the CMMC framework.

Maturity Levels

In the context of CMMC, the five levels (1-5) represent increasing maturity and capability in implementing cybersecurity practices.