If you work anywhere near a Department of Defense contract, you have probably encountered a wall of acronyms that seems designed to confuse. CMMC documents, solicitations, and compliance guidance are packed with shorthand that experienced practitioners use interchangeably and without explanation, leaving many contractors lost before they even begin.
This glossary cuts through that. Every term below is defined using official government sources, with links so you can go straight to the source.
CMMC — Cybersecurity Maturity Model Certification
The program itself. "The CMMC Program is designed to provide increased assurance to the DoD that defense contractors and subcontractors are compliant with information protection requirements for FCI and CUI and are protecting such information at a level equivalent with risk from cybersecurity threats, including Advanced Persistent Threats." (U.S. Department of Defense)
CMMC currently has three levels. Level 1 covers basic safeguarding of FCI. Level 2 covers the full protection of CUI through 110 security requirements. Level 3 adds 24 enhanced requirements drawn from NIST SP 800-172 for the most sensitive programs.
Official source: DoD CIO — About CMMC
CUI — Controlled Unclassified Information
This is the category of data that drives most of the compliance burden for Level 2 contractors.
"Controlled Unclassified Information is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended." (National Archives)
In plain terms: CUI is sensitive government information that is not classified but still needs formal protection. In a defense contracting context, this includes things like technical specifications, engineering drawings, export-controlled data, and information related to critical programs.
"Established by Executive Order 13556, the CUI program standardizes the way the executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, Federal regulations, and Government-wide policies." (National Archives)
Official source: National Archives — About CUI | NIST CSRC Glossary — CUI
FCI — Federal Contract Information
FCI is the lower-sensitivity category of government information and the threshold for CMMC Level 1 requirements.
"Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. It does not include information provided by the Government to the public, such as on public websites, or simple transactional information, such as information necessary to process payments." (Acquisition.gov)
If your company only processes FCI and no CUI, you fall under CMMC Level 1 and are required to self-assess annually against 15 basic safeguarding practices drawn from FAR clause 52.204-21.
Official source: DFARS 204.7501 — Definitions
DIB — Defense Industrial Base
The DIB refers to "the network of contractors and subcontractors performing work for the Department of Defense" (U.S. Department of Defense), ranging from major prime contractors to small subcontractors deep in the supply chain. If your company is part of the DIB and handles FCI or CUI, CMMC applies to you. The DoD estimates the DIB includes over 300,000 companies at various tiers.
Official source: DoD CIO — CMMC
DFARS — Defense Federal Acquisition Regulation Supplement
The DFARS is DoD’s extension of the standard Federal Acquisition Regulation (FAR). Several DFARS clauses are directly relevant to CMMC compliance.
DFARS 252.204-7012 requires contractors to provide adequate security for covered defense information and to report cyber incidents to the DoD. It points directly to NIST SP 800-171 as the security standard.
DFARS 252.204-7021 is the clause that introduces CMMC certification requirements into solicitations and contracts.
Official source: Acquisition.gov — DFARS 252.204-7012
NIST SP 800-171 — The Security Standard Behind CMMC Level 2
NIST SP 800-171, published by the National Institute of Standards and Technology, defines the 110 security requirements that CMMC Level 2 is built on.
"NIST SP 800-171 provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations." (NIST CSRC) The companion document, NIST SP 800-171A, provides the assessment procedures used to evaluate whether those controls are actually in place.
Official source: NIST — Protecting CUI

SPRS — Supplier Performance Risk System
SPRS is the DoD’s centralized database where contractors submit their CMMC self-assessment results and compliance affirmations. If your score is not in SPRS, contracting officers cannot verify your eligibility, and you cannot win covered contracts.
"SPRS is the authoritative source to retrieve supplier and product performance information assessments for the DoD acquisition community to use in identifying, assessing, and monitoring unclassified performance." (DISA)
"SPRS provides storage and access to NIST SP 800-171 assessment scoring information. The NIST SP 800-171 Assessments module contains assessment date, score, scope, plan of action completion date, CAGE code, System Security Plan name, SSP version, SSP date, and confidence level." (DISA)
SPRS scores range from -203 to +110. A perfect score of 110 means all 110 NIST controls are fully implemented. Points are deducted for each requirement that is not met, with higher-value controls carrying heavier penalties.
Official source: SPRS.csd.disa.mil | SPRS — NIST SP 800-171 Module
C3PAO — Certified Third-Party Assessment Organization
A C3PAO is an independent auditing organization accredited by the Cyber AB to conduct official CMMC Level 2 certification assessments. Only C3PAOs can issue the Level 2 certification that will be required beginning November 10, 2026.
"A Level 2 certification assessment is the activity performed by a C3PAO to evaluate the information system of an Organization Seeking Certification when seeking a CMMC Status of Level 2." (eCFR)
C3PAOs conduct their assessments through interviewing staff, reviewing policies and documentation, testing controls, and examining evidence. They then submit results to CMMC eMASS, which transmits results to SPRS. C3PAOs are prohibited from providing pre-assessment consulting to organizations they will certify, to preserve independence.
Official source: DoD CIO — CMMC Assessment Guide Level 2
SSP — System Security Plan
The SSP is a required document that describes how your organization implements each of the 110 NIST SP 800-171 controls across every system that touches CUI. It defines the scope of your environment, documents your security architecture, and maps specific controls to specific systems and users.
The SSP is not just a compliance checkbox. It is the primary document a C3PAO reviews during an assessment and the foundation your POA&M is built from. An SSP that is outdated, incomplete, or aspirational rather than accurate is one of the most common reasons companies fail pre-assessment reviews.
Official source: SPRS — NIST SP 800-171 Module (references SSP as part of required submission)

POA&M — Plan of Action and Milestones
A POA&M is a formal document that identifies security gaps found during an assessment and outlines the specific steps and timelines your organization will take to close each one.
"A POA&M closeout assessment is a CMMC assessment that assesses only the NOT MET requirements that were identified with POA&M in the initial assessment. The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional CMMC Status for the information system will expire." (eCFR)
Not every gap can be placed on a POA&M. "An organization is only permitted to achieve Conditional CMMC Status if the assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8, and none of the security requirements included in the POA&M have a point value greater than 1." (eCFR) Certain critical controls, such as multi-factor authentication, are expressly prohibited from POA&M and must be fully implemented before certification.
Official source: eCFR — 32 CFR 170.21, POA&M Requirements
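As an added worked example (this is not the article's or Brea Networks' own code, and it is not a DoD tool), the following Python script applies the scoring rule from the SPRS entry above and the Conditional/Final status test from the POA&M entry to a 110-requirement assessment record. The requirement list it builds is constructed sample data: the requirement IDs, titles and point values are illustrative placeholders (the 1/3/5 tiers are those of the DoD NIST SP 800-171 Assessment Methodology, but the official weight of each requirement has to come from that document), and the Conditional date used for the closeout deadline is made up.

```python
"""Worked scoring example for the SPRS score and the 32 CFR 170.21 status test.

Added illustration only. Requirement IDs, titles and weights below are
constructed placeholders; a real score must use the official DoD weights.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110      # NIST SP 800-171 requirements behind CMMC Level 2
MAX_SCORE = 110               # every requirement MET (the real minimum is -203)
MAX_POAM_POINT_VALUE = 1      # nothing worth more than 1 point may sit on a POA&M
CLOSEOUT_DAYS = 180           # POA&M closeout window after the Conditional date


@dataclass(frozen=True)
class Requirement:
    req_id: str
    title: str
    points: int     # deduction if NOT MET: 1, 3 or 5 under the DoD methodology
    met: bool


def sprs_score(reqs):
    """SPRS-style score: 110 minus the point value of every NOT MET requirement."""
    if len(reqs) != TOTAL_REQUIREMENTS:
        raise ValueError(f"expected {TOTAL_REQUIREMENTS} requirements, got {len(reqs)}")
    return MAX_SCORE - sum(r.points for r in reqs if not r.met)


def poam_items(reqs):
    """The NOT MET requirements that would have to be carried on the POA&M."""
    return [r for r in reqs if not r.met]


def cmmc_status(reqs):
    """Apply the Final / Conditional tests from 32 CFR 170.21.

    Final:       no NOT MET requirements, so no POA&M at all.
    Conditional: score / 110 >= 0.8 AND every POA&M item is worth 1 point.
    Otherwise the assessment yields no CMMC Status.
    """
    unmet = poam_items(reqs)
    if not unmet:
        return "Final"
    # score / 110 >= 0.8 is checked in integers (score * 5 >= 4 * 110) so the
    # boundary case of exactly 88 points is not at the mercy of float rounding.
    if sprs_score(reqs) * 5 < 4 * TOTAL_REQUIREMENTS:
        return "Not eligible"
    if any(r.points > MAX_POAM_POINT_VALUE for r in unmet):
        return "Not eligible"   # e.g. a 5-point MFA gap cannot be POA&M'd
    return "Conditional"


def closeout_deadline(conditional_status_date_iso):
    """ISO date of the last day a closeout assessment can confirm closure."""
    start = date.fromisoformat(conditional_status_date_iso)
    return (start + timedelta(days=CLOSEOUT_DAYS)).isoformat()


def build_sample(unmet_ids):
    """Constructed 110-requirement sample; only the listed IDs are NOT MET."""
    weighted = {   # placeholder titles and weights, not the official table
        "3.5.3": ("Multifactor authentication", 5),
        "3.13.11": ("FIPS-validated cryptography for CUI", 5),
        "3.8.4": ("Mark media containing CUI", 1),
        "3.3.3": ("Review and update logged events", 1),
        "3.12.4": ("Maintain the System Security Plan", 1),
    }
    reqs = [Requirement(i, t, p, i not in unmet_ids) for i, (t, p) in weighted.items()]
    # Pad with placeholder 1-point requirements so the record holds 110 entries.
    for n in range(len(reqs), TOTAL_REQUIREMENTS):
        rid = f"FILLER-{n:03d}"
        reqs.append(Requirement(rid, "placeholder requirement", 1, rid not in unmet_ids))
    return reqs


if __name__ == "__main__":
    scenarios = [
        ("all met", set()),
        ("three 1-point gaps", {"3.8.4", "3.3.3", "3.12.4"}),
        ("MFA not met", {"3.5.3"}),
        ("23 one-point gaps", {f"FILLER-{n:03d}" for n in range(5, 28)}),
    ]
    for label, unmet in scenarios:
        reqs = build_sample(unmet)
        print(f"{label:20s} score={sprs_score(reqs):4d}  status={cmmc_status(reqs)}")
    print("closeout deadline for a 2026-01-15 Conditional date:", closeout_deadline("2026-01-15"))
```

The two "Not eligible" scenarios show the two separate ways a POA&M can be refused: a single 5-point item (the MFA case the entry above names) disqualifies even a 105-point score, while 23 one-point gaps pass the point-value test but drop the score to 87, just under the 88 needed for the 0.8 ratio.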
OSA and OSC — Organization Seeking Assessment / Organization Seeking Certification
These two terms describe the contractor undergoing the CMMC process, depending on the type of assessment.
An OSA is any company conducting a self-assessment for Level 1 or Level 2 purposes. "An Organization Seeking Certification is the entity seeking to undergo a certification assessment for a given information system for the purposes of achieving and maintaining the CMMC Status of Level 2 (C3PAO) or Level 3 (DIBCAC). An OSC is also an OSA." (eCFR)
Official source: eCFR — 32 CFR Part 170
DIBCAC — Defense Industrial Base Cybersecurity Assessment Center
DIBCAC is the government body within the Defense Contract Management Agency (DCMA) that conducts Level 3 assessments and also has the authority to audit any contractor’s CMMC status at any time.
"POA&M closeout certification assessments for Level 3 are conducted by the DIBCAC. POA&Ms must be closed out within 180 days of when the CMMC Assessment results are finalized and submitted to SPRS or CMMC eMASS. Failure to close a POA&M within 180 days will result in an expired CMMC Status." (U.S. Department of Defense)
Official source: DoD CIO — CMMC 101 Overview
Conditional vs. Final CMMC Status
When an assessment is completed, a contractor receives one of two designations.
Conditional status is granted when an organization passes the overall score threshold but has open POA&M items that still need to be resolved. The 180-day clock starts from the date Conditional status is awarded.
Final status is the clean certification. "An Organization Seeking Certification achieves Final CMMC Status when the assessment results in a passing score with no POA&M." (U.S. Department of Defense) Final Level 2 certification is valid for three years, with an annual affirmation of continuous compliance required in the interim.
Official source: DoD CIO — CMMC 101 Overview
A Note on the Phased Rollout
Understanding these terms matters more than ever right now. Phase 1 of CMMC (in effect since November 10, 2025) requires self-assessments to be submitted in SPRS for contract eligibility. Phase 2, beginning November 10, 2026, mandates C3PAO-issued Level 2 certifications for applicable contracts.

If your organization supports defense contracts and is unsure how CMMC timelines, SPRS requirements, or assessment readiness apply to you, now is the time to get clarity.
About Brea Networks
Brea Networks is a cybersecurity and compliance-focused IT partner dedicated to supporting Defense Industrial Base (DIB) contractors. We help organizations understand and implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, and the CMMC framework. From Level 1 self-assessments to Level 2 readiness and certification preparation, our team works alongside contractors to strengthen system security, define scope, prepare documentation, and build sustainable compliance programs that protect FCI and CUI.