
Glossary.

Key terms used across CMMC Level 2 — consolidated from 32 CFR Part 170, the Assessment Guide, Scoping Guide, and NIST standards.

Glossary

Affirming Official — The senior official within the OSA who signs the annual affirmation in SPRS, attesting to continuing compliance with the applicable CMMC security requirements. Per 32 CFR § 170.22. The Affirming Official is also a key participant in the assessment In-Brief and bears legal responsibility for the affirmation under 18 USC § 1001 and 31 USC § 3729.

Annual Affirmation — The yearly attestation submitted to SPRS by the Affirming Official confirming the OSA’s continued compliance with all applicable CMMC security requirements. Required for each year between certification assessments. Applies to both Final and Conditional certification holders. Per 32 CFR § 170.22. Missed affirmations result in loss of contract eligibility.

Assessment — Testing or evaluating security controls to determine if they’re implemented correctly, operating as intended, and producing the desired outcome for the security requirements. Defined in 32 CFR § 170.4.

C3PAO — CMMC Third-Party Assessment Organization. An accredited body authorized by the Cyber AB to conduct Level 2 certification assessments.

CMMC Assessment Scope — The defined set of assets (people, systems, facilities) that will be evaluated during an assessment. Includes CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets. Defined in 32 CFR § 170.19(c).

CMMC eMASS — The CMMC instantiation of the DoD Enterprise Mission Assurance Support Service. The system where C3PAOs upload pre-assessment forms and assessment results, and where the OSA’s CMMC status is recorded. A separate system from generic DoD eMASS.

Conditional Level 2 — Assessment outcome when NOT MET findings exist but all are POA&M-eligible. Triggers a 180-day clock to remediate and pass a closeout assessment. Revoked if items aren’t closed within 180 days.

CRMA (Contractor Risk Managed Asset) — An asset that could handle CUI but isn’t intended to, based on documented policies and risk-based practices. Assessed through SSP review, with a potential limited check.

CRM (Customer Responsibility Matrix) — Document from a service provider detailing which security responsibilities are theirs and which are yours. Critical for ESP relationships.

CSP (Cloud Service Provider) — A company that provides its own cloud computing platform (AWS, Azure, GCP, Microsoft 365). CSPs hosting CUI must meet FedRAMP Moderate or equivalent per DFARS 252.204-7012.

CUI (Controlled Unclassified Information) — Information the Government creates or possesses, or that a non-Federal entity creates or possesses for or on behalf of the Government, that requires safeguarding or dissemination controls per law, regulation, or government-wide policy. Not classified, but not public. The “creates for or on behalf of the Government” clause is what brings DIB-contractor-generated information under CUI handling rules. Defined in 32 CFR § 170.4.

DFARS 252.204-7012 — Defense Federal Acquisition Regulation Supplement clause requiring safeguarding of covered defense information (CUI) and reporting of cyber incidents within 72 hours. Establishes the FedRAMP Moderate (or equivalent) baseline requirement for cloud services hosting CUI. The foundational DFARS clause that flows down through DoD contracts. Companion clauses 7019 (SPRS reporting), 7020 (NIST 800-171 compliance), and 7021 (CMMC requirements).

DIBCAC — Defense Industrial Base Cybersecurity Assessment Center. The government body within DCMA that conducts Level 3 assessments and has authority over Level 2 assessment oversight.

Enduring Exception — A permanent situation where full compliance with a CMMC requirement isn’t feasible. Examples from 32 CFR § 170.4: systems required to replicate fielded configurations, medical devices, test equipment, OT, and IoT. Documented in the SSP with mitigations. Assessed as MET. No remediation plan required. Note: this is distinct from but often overlaps with Specialized Asset categories — a Specialized Asset may qualify for an Enduring Exception if remediation genuinely isn’t feasible, but the two terms are not interchangeable.

ESP (External Service Provider) — External people, technology, or facilities that the OSA uses, including CSPs, MSPs, MSSPs, and cybersecurity-as-a-service providers. In scope when CUI or Security Protection Data resides on their systems.

Evidence in Final Form — Approved, signed, operational documents. Not drafts, not working papers, not policies pending approval. The only form of evidence that counts during assessment.

FCI (Federal Contract Information) — Information provided by or generated for the government under a contract, not intended for public release. Covered by CMMC Level 1. Distinguished from CUI, which has more stringent handling requirements.

FedRAMP — Federal Risk and Authorization Management Program. The authorization standard CSPs must meet when hosting CUI for federal agencies or contractors. FedRAMP Moderate (or equivalent) is required per DFARS 252.204-7012.

Final Level 2 — Assessment outcome when all 110 requirements are MET or N/A. Maximum score of 110. Certification valid for three years with annual affirmations.

FIPS 140-2 / 140-3 — Federal Information Processing Standards for cryptographic modules. Encryption protecting CUI must use FIPS-validated modules. “FIPS mode” must be enabled — standard BitLocker without FIPS mode is not compliant.

GFE (Government Furnished Equipment) — Equipment owned or leased by the government and provided for contractor use, including equipment purchased to government-required specifications under contract terms (FAR 52.245-1).

MET — Assessment finding that all applicable objectives for a requirement are satisfied with evidence in final form. Enduring exceptions (documented in SSP) and temporary deficiencies (documented in operational plan of action with progress) also score as MET.

NOT APPLICABLE (N/A) — Assessment finding that a requirement doesn’t apply to the environment. Must be documented and justified in the SSP. Scored equivalent to MET.

NOT MET — Assessment finding that one or more objectives for a requirement are not satisfied. A single failed objective fails the entire requirement. Deducts the requirement’s point value (1, 3, or 5) from the score.

NIST SP 800-171 Rev 2 — The standard defining 110 security requirements for protecting CUI in nonfederal systems. The technical foundation of CMMC Level 2. Rev 2 remains the enforceable standard per DoD class deviation despite Rev 3 publication.

NIST SP 800-171A — The assessment procedures companion to 800-171. Defines 320 determination statements organized as assessment objectives for each requirement. Specifies the Examine/Interview/Test evidence framework.

Operational Plan of Action — As used in CA.L2-3.12.2: the formal artifact identifying temporary vulnerabilities and temporary deficiencies with documentation of how and when they’ll be corrected. Format defined by the OSA. NOT the same as the CMMC POA&M. Items here score as MET.

Organization-Defined — A parameter set by the OSA being assessed. Applied to frequencies, timeouts, thresholds, and configurations. The assessor checks three things: is a value defined? Is it reasonable? Is it enforced?

Out-of-Scope Asset — An asset that is not in the CMMC Assessment Scope because it cannot process, store, or transmit CUI; provides no security functions for the in-scope environment; and is physically or logically separated from the CUI environment. No documentation requirements per 32 CFR § 170.19(c). Be prepared to justify why an asset is Out-of-Scope if asked.

OSA (Organization Seeking Assessment) — Any organization going through a CMMC assessment, whether self-assessment or certification.

OSC (Organization Seeking Certification) — Specifically an organization undergoing a C3PAO certification assessment. A subset of OSAs.

Periodically — A frequency defined by the organization, documented in policy, and consistently applied. NIST 800-171 deliberately leaves the specific interval as organization-defined. The assessor checks three things: is a frequency defined? Is it reasonable for the requirement? Is it actually followed? Some requirements have implicit annual minimums (e.g., security awareness training under 3.2.1) but most don’t impose a hard maximum interval.

POA&M (Plan of Action and Milestones) — In the CMMC context, specifically the formal document created when a C3PAO assessment finds NOT MET requirements. Triggers conditional certification with 180-day closeout. Distinct from the operational plan of action.

Security Protection Data (SPD) — Data stored or processed by Security Protection Assets that protects the OSA’s environment. Includes configuration data, log files, vulnerability status data, and credentials that grant access to the in-scope environment. SPD is in scope because an attacker can use it to compromise CUI systems.

Specialized Asset — An asset that can process, store, or transmit CUI but cannot be fully secured to all CMMC requirements due to its inherent nature. Includes Government Furnished Equipment (GFE), Internet of Things (IoT/IIoT), Operational Technology (OT), Restricted Information Systems, and Test Equipment. Assessed via SSP review only — not against individual CMMC requirements. May qualify for an Enduring Exception. Defined in the CMMC Scoping Guide L2.

SPA (Security Protection Asset) — An asset that provides security functions for the CUI environment but doesn’t handle CUI itself. Assessed against relevant Level 2 requirements only.

SPRS (Supplier Performance Risk System) — The DoD system where assessment scores are recorded and where contracting officers check contractor compliance status before making award decisions.

SSP (System Security Plan) — The formal document describing the assessment scope, environment, security requirement implementations, and system connections. Required before any assessment can proceed. Must be current, specific, and accurate.

Temporary Deficiency — A condition where remediation is feasible and a fix is available or in progress. Arises AFTER implementation, not during initial rollout. Documented in the operational plan of action. Assessed as MET. No standard maximum duration. Example: FIPS-validated crypto needing a patch where the patched version isn’t yet re-validated.