Glossary
Assessment — Testing or evaluating security controls to determine if they’re implemented correctly, operating as intended, and producing the desired outcome for the security requirements. Defined in 32 CFR § 170.4.
C3PAO — CMMC Third-Party Assessment Organization. An accredited body authorized by the Cyber AB to conduct Level 2 certification assessments.
CMMC Assessment Scope — The defined set of assets (people, systems, facilities) that will be evaluated during an assessment. Includes CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets. Defined in 32 CFR § 170.19(c).
Conditional Level 2 — Assessment outcome when NOT MET findings exist but all are POA&M-eligible. Triggers a 180-day clock to remediate and pass a closeout assessment. Revoked if items aren’t closed within 180 days.
CRMA (Contractor Risk Managed Asset) — An asset that can, but is not intended to, process, store, or transmit CUI because of documented policies, procedures, and practices. Assessed by reviewing its treatment in the SSP; if that documentation is insufficient, the assessor may perform a limited check against the relevant requirements.
CRM (Customer Responsibility Matrix) — Document from a service provider detailing which security responsibilities are theirs and which are yours. Critical for ESP relationships.
CSP (Cloud Service Provider) — A company that provides its own cloud computing platform (AWS, Azure, GCP, Microsoft 365). CSPs hosting CUI must meet FedRAMP Moderate or equivalent per DFARS 252.204-7012.
CUI (Controlled Unclassified Information) — Information the government creates or possesses, or that a contractor creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled. Not classified, but not public either.
DIBCAC — Defense Industrial Base Cybersecurity Assessment Center. The DCMA component that conducts Level 3 certification assessments and provides government oversight of Level 2 assessment results.
Enduring Exception — A special circumstance or system where remediation and full compliance with a CMMC requirement is not feasible. Examples from 32 CFR § 170.4: systems required to replicate the configuration of fielded systems, medical devices, test equipment, OT, and IoT. Documented in the SSP together with the mitigations in place. Assessed as MET. No operational plan of action required.
ESP (External Service Provider) — External people, technology, or facilities that the OSA uses, including CSPs, MSPs, MSSPs, and cybersecurity-as-a-service providers. In scope when they process, store, or transmit CUI or Security Protection Data.
Evidence in Final Form — Approved, signed, operational documents. Not drafts, not working papers, not policies pending approval. The only form of evidence that counts during assessment.
FCI (Federal Contract Information) — Information provided by or generated for the government under a contract, not intended for public release. Covered by CMMC Level 1. Distinguished from CUI, which has more stringent handling requirements.
FedRAMP — Federal Risk and Authorization Management Program. The authorization standard CSPs must meet when hosting CUI for federal agencies or contractors. FedRAMP Moderate (or equivalent) is required per DFARS 252.204-7012.
Final Level 2 — Assessment outcome when all 110 requirements are MET or N/A. Maximum score of 110. Certification valid for three years with annual affirmations.
FIPS 140-2 / 140-3 — Federal Information Processing Standards for cryptographic modules. Cryptography protecting the confidentiality of CUI (requirement 3.13.11) must use modules validated under the NIST Cryptographic Module Validation Program; check the CMVP certificate for the product and version in use, not the vendor's marketing. On Windows, the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy must be enabled so that BitLocker runs in its validated mode of operation; BitLocker on a host without that setting does not satisfy the requirement.
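Whether FIPS mode is actually on is something an assessor will Test rather than take from the SSP. The PowerShell below is added here as an illustration and is not from any CMMC assessment guide: it reads the registry value that the policy above sets and lists the BitLocker state of each volume on the host. It assumes an elevated session on a Windows edition that ships the BitLocker module (Pro, Enterprise, Server); the expected encryption methods in the comments are an assumption and should match whatever the SSP defines.

```powershell
# Added example: verify Windows FIPS mode and BitLocker state on one host.
# Run from an elevated PowerShell session.

# The policy "System cryptography: Use FIPS compliant algorithms for
# encryption, hashing, and signing" writes this value; 1 means enabled.
$fipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsValue = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

if ($fipsValue -eq 1) {
    Write-Output 'FIPS mode: ENABLED'
} else {
    Write-Output "FIPS mode: DISABLED (Enabled = '$fipsValue'). Enable under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options"
}

# Per-volume BitLocker state. For volumes holding CUI, expect
# VolumeStatus = FullyEncrypted, ProtectionStatus = On, and an
# EncryptionMethod of XtsAes128 or XtsAes256 (assumed here; the
# organization-defined value belongs in the SSP).
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage |
    Format-Table -AutoSize

# Flag any OS or fixed data volume that is not fully encrypted with protection on.
$nonCompliant = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' -or $_.VolumeType -eq 'Data' } |
    Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' }

if ($nonCompliant) {
    Write-Output 'Volumes needing attention:'
    $nonCompliant | ForEach-Object {
        Write-Output ('  {0} status={1} protection={2} method={3}' -f $_.MountPoint, $_.VolumeStatus, $_.ProtectionStatus, $_.EncryptionMethod)
    }
} else {
    Write-Output 'All BitLocker volumes are fully encrypted with protection on'
}
```

Output from one host is Test evidence for that host only. For the rest of the scope, pair it with the Group Policy object or MDM profile that sets the value and a gpresult or compliance report showing it applied. The registry flag is what places Windows in the approved mode of operation described in the module's CMVP security policy; the CMVP certificate for the Windows build in use is what establishes "validated".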
GFE (Government Furnished Equipment) — Equipment owned or leased by the government and provided for contractor use, including equipment purchased to government-required specifications under contract terms (FAR 52.245-1).
MET — Assessment finding that all applicable objectives for a requirement are satisfied with evidence in final form. Enduring exceptions (documented in SSP) and temporary deficiencies (documented in operational plan of action with progress) also score as MET.
NOT APPLICABLE (N/A) — Assessment finding that a requirement doesn’t apply to the environment. Must be documented and justified in the SSP. Scored equivalent to MET.
NOT MET — Assessment finding that one or more objectives for a requirement are not satisfied. A single failed objective fails the entire requirement. Deducts the requirement's point value (1, 3, or 5) from the score. Two requirements carry partial credit in the DoD scoring methodology: 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography) deduct 3 rather than 5 when partially implemented.
NIST SP 800-171 Rev 2 — The standard defining 110 security requirements for protecting CUI in nonfederal systems. The technical foundation of CMMC Level 2. Rev 2 remains the enforceable standard per DoD class deviation despite Rev 3 publication.
NIST SP 800-171A — The assessment procedures companion to 800-171. Defines 320 determination statements organized as assessment objectives for each requirement. Specifies the Examine/Interview/Test evidence framework.
Operational Plan of Action — As used in CA.L2-3.12.2: the formal artifact identifying temporary vulnerabilities and temporary deficiencies with documentation of how and when they’ll be corrected. Format defined by the OSA. NOT the same as the CMMC POA&M. Items here score as MET.
Organization-Defined — A parameter set by the OSA being assessed. Applied to frequencies, timeouts, thresholds, and configurations. The assessor checks three things: is a value defined? Is it reasonable? Is it enforced?
OSA (Organization Seeking Assessment) — Any organization going through a CMMC assessment, whether self-assessment or certification.
OSC (Organization Seeking Certification) — Specifically an organization undergoing a C3PAO certification assessment. A subset of OSAs.
Periodically — At a regular interval defined by the organization, not exceeding one year. When a requirement says “periodically,” you define the frequency, document it, and follow it.
POA&M (Plan of Action and Milestones) — In the CMMC context, specifically the formal document created when a C3PAO assessment finds NOT MET requirements. Triggers conditional certification with 180-day closeout. Distinct from the operational plan of action.
Security Protection Data (SPD) — Data stored or processed by Security Protection Assets that protects the OSA’s environment. Includes configuration data, log files, vulnerability status data, and credentials that grant access to the in-scope environment. SPD is in scope because an attacker can use it to compromise CUI systems.
SPA (Security Protection Asset) — An asset that provides security functions for the CUI environment but doesn’t handle CUI itself. Assessed against relevant Level 2 requirements only.
SPRS (Supplier Performance Risk System) — The DoD system where assessment scores are recorded and where contracting officers check contractor compliance status before making award decisions.
SSP (System Security Plan) — The formal document describing the assessment scope, environment, security requirement implementations, and system connections. Required before any assessment can proceed. Must be current, specific, and accurate.
Temporary Deficiency — A condition where remediation is feasible and a fix is available or in progress. Arises AFTER implementation, not during initial rollout. Documented in the operational plan of action. Assessed as MET. No standard maximum duration. Example: FIPS-validated crypto needing a patch where the patched version isn’t yet re-validated.