CMMC Explained: A High-Level Look at Common Terms and Definitions
The Cybersecurity Maturity Model Certification (CMMC) program went live on Oct 15th, 2024 with the publication of the 32 CFR Part 170 “Final Rule”. CMMC is the framework designed by the Department of Defense (DoD) to enforce the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with government contractors, subcontractors and suppliers across the defense industrial base. At its core, CMMC is a third-party validation system that ensures organizations are consistently and fully implementing the security guidelines and requirements outlined in the DFARS and NIST SP 800-171, which form the expectation and foundation for protecting sensitive data outside government walls. Organizations entrusted with CUI or FCI on DoD contracts must conform to CMMC to prove their cybersecurity posture is mission-ready and resilient.
One of the first steps in the compliance journey is mastering the language of CMMC. We have prepared a brief glossary to help you begin unpacking common terms and accelerate your path to readiness.
For an expanded list of acronyms and CMMC vernacular, download and explore our e-book, “The Alphabet Soup of CMMC” and gain clarity on widely used terms and definitions essential to speaking the language of CMMC conformity.
Beyond regulatory compliance, conformance with CMMC has many advantages for contractors and subcontractors wanting to partner with the DoD. Certification empowers organizations to compete for DoD contracts, broaden their footprint in the defense sector, and strengthen credibility with both government and commercial partners. Additionally, implementing NIST SP 800-171 and the requirements set forth in DFARS 252.204-7012 elevates an organization's cybersecurity maturity posture and fosters a more secure and resilient future.
What Is Controlled Unclassified Information (CUI)?
While CUI is unclassified, its unauthorized disclosure, especially when combined with other data, can compromise sensitive defense activities and violate federal laws. Proper handling of CUI is essential, as failure to safeguard it can have serious security implications with national consequences.
Controlled Unclassified Information (CUI) is defined as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls, including FCI.
The DoD’s CUI Program, established under Executive Order 13556, provides a unified approach to identifying, marking, safeguarding, disseminating, and decontrolling sensitive but unclassified information that requires protection pursuant to laws, regulations, or government-wide policies. The various categories of CUI are maintained by the National Archives and Records Administration (NARA), the executive agent and authoritative source for managing CUI across the executive branch. A full list of CUI categories is available through the DoD CUI Registry.
CMMC applies a rigorous framework for protecting CUI, built on NIST SP 800-171 and the DFARS, with 110 security controls across 14 Domain Families. Contractors handling CUI must achieve a minimum of CMMC Level 2 to be eligible for DoD contracts.
What Is Federal Contract Information (FCI)?
FCI, as defined in the FAR, means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as that necessary to process payments.
Like CUI, FCI includes sensitive contract information that must be protected from cyber threats and adversaries. Any organization handling FCI is required to meet CMMC Level 1 under the final CMMC rule. Level 1 comprises the 15 basic safeguarding requirements outlined in Federal Acquisition Regulation (FAR) Clause 52.204-21.
What Is the Federal Acquisition Regulation (FAR)?
The Federal Acquisition Regulation (FAR) is the primary rulebook for how the U.S. Government buys goods and services. It is used by all executive branch agencies and sets the policies and procedures that federal agencies and contractors must follow to ensure fairness, transparency, and efficiency in government contracting.
What Is the Meaning of DFARS?
DFARS, or the Defense Federal Acquisition Regulation Supplement, is a set of rules issued by the Department of Defense that supplements the broader Federal Acquisition Regulation (FAR). It defines additional requirements—particularly around cybersecurity, supply chain risk, and safeguarding sensitive defense information—that contractors and subcontractors must follow when doing business with the DoD.
What Is NIST SP 800-171?
NIST SP 800-171 outlines the National Institute of Standards and Technology’s security framework for protecting Controlled Unclassified Information (CUI) in nonfederal systems. It provides a set of technical and procedural safeguards that federal agencies require contractors to follow when handling CUI and other sensitive data outside government networks.
For defense contractors, NIST SP 800-171 forms the contractual baseline for cybersecurity expectations. Federal agencies embed it into agreements, while contractors use it as the playbook for securing CUI.
CMMC Levels 2 and 3 are built directly on the NIST SP 800-171 controls, reinforcing them with additional practices tailored to meet the DoD’s heightened security demands.
What Is a System Security Plan (SSP)?
In CMMC terms, an SSP is a formal document prepared by the information system owner (or the common security controls owner for inherited controls) that provides an overview of the security requirements for the system and describes the security controls in place or planned to meet those requirements. The system security plan describes the system boundary, the environment in which the system operates, the relationships with or connections to other systems and shared services, and how the security requirements are implemented. The SSP may also contain security configurations, a network and CUI flow diagram, a risk assessment, a privacy impact assessment, a contingency plan and an incident response plan.
Developing and maintaining a comprehensive SSP is not just a best practice; it is a requirement for compliance with NIST SP 800-171 and, by extension, the Cybersecurity Maturity Model Certification (CMMC). An effective SSP serves as a roadmap for securing sensitive information and demonstrates an organization’s commitment to cybersecurity excellence.
What Is Zero Trust?
Zero trust is a cybersecurity model that assumes no user, device or system, inside or outside your network, should be trusted by default. Organizations are encouraged to develop zero trust strategies in preparation for CMMC.
Although zero trust is not an explicit requirement of CMMC, it aligns with many of its principles. NIST SP 800-207 and DoD’s pillars of zero trust architecture detail the value of and work involved in developing a zero trust security position.
What Is a C3PAO?
A C3PAO (Certified 3rd Party Assessor Organization) is an independent organization authorized by the Cyber AB to perform CMMC assessments. Organizations seeking Level 2 or 3 (C3PAO) certification status must undergo an assessment performed by an authorized and accredited third party, i.e., a C3PAO, which officially assesses and certifies their compliance with CMMC requirements. The DoD requires that contractors handling CUI undergo, at a minimum, a Level 2 assessment conducted by an accredited C3PAO.
What Is the Cyber AB?
The Cyber AB is the official accreditation body for the DoD CMMC program. It is the sole authorized non-governmental partner of the US DoD in implementing and overseeing the CMMC conformance regime. The Cyber AB is also responsible for authorizing and accrediting Registered Practitioners (RPs), Registered Practitioner Organizations (RPOs), Registered Practitioners Advanced (RPAs), Certified Third-Party Assessor Organizations (C3PAOs), CMMC Certified Assessors (CCAs), CMMC Certified Professionals (CCPs), CMMC Certified Instructors (CCIs), Approved Training Providers (ATPs), and Approved Partner Publishers (APPs) within the CMMC ecosystem.
There is a lot at stake for organizations seeking CMMC certification. It is imperative for the success of CMMC that every organization seeking certification be assessed impartially, accurately, and with consistency and integrity. An organization seeking assessment can verify that it is working with an accredited individual by visiting the Cyber AB Marketplace. Accreditation ensures the individual(s) are qualified and in line with DoD requirements.
Why Trust NeoSystems for CMMC and Compliance?
For over 20 years, NeoSystems has delivered trusted managed services, consulting, and secure hosting solutions to government contractors navigating the complex world of federal compliance. We’ve been immersed in CMMC from its inception—long before most managed service providers entered the conversation.
Additionally, we have achieved a perfect 110/110 score in our CMMC Level 2 assessment, earning an official Final Level 2 (C3PAO) status certification. This milestone reflects our unwavering commitment to cybersecurity excellence, our alignment with DoD CMMC standards, and our ongoing dedication to protecting our clients’ sensitive information and the CUI they maintain on behalf of the Defense Industrial Base.
Our team brings deep subject matter expertise in both CMMC implementation and sustainment, with real-world experience integrating systems like Deltek Costpoint in environments governed by stringent cybersecurity requirements.
We’re also driven by a customer-centric approach and are on a mission to help our partners thrive. We aim to make CMMC easy to digest as we guide our partners to compliance.