CMMC Glossary: 30 Terms Translated for Non-Technical Business Owners

If you've tried reading official CMMC documentation, you've probably encountered a wall of acronyms and jargon. C3PAO, SPRS, POA&M, FCI, CUI—it can feel like a different language.

This glossary translates the 30 most common CMMC terms into plain English. No technical background required. Bookmark this page and reference it whenever you hit an unfamiliar term.


A

Access Control

Plain English: Rules about who can get into your systems and what they can do once they're in.

Why it matters: Access Control is an entire domain in CMMC Level 1 with four requirements. It's the foundation of protecting your information.


Assessment Objective

Plain English: The specific things you need to prove you're doing to meet a requirement. Each CMMC requirement breaks down into multiple assessment objectives—there are 59 total for Level 1.

Why it matters: You don't just need to meet 15 requirements; you need to satisfy all 59 underlying objectives. Every single one must be marked "MET" for compliance.


Authenticator

Plain English: Something that proves you are who you claim to be—usually a password, but could also be a PIN, fingerprint, or security token.

Why it matters: CMMC requirements talk about "authenticators" when they mean passwords and other identity verification methods. Don't let the fancy word confuse you.


B

Boundary Protection

Plain English: Security measures at the edge of your network where it connects to the internet or other outside systems. Think of it as guarding the doors and windows of your digital building.

Why it matters: One of the Level 1 requirements specifically addresses boundary protection—typically satisfied by having a properly configured firewall.


C

C3PAO (Certified Third-Party Assessment Organization)

Plain English: A company authorized to conduct official CMMC audits. They're the ones who come in, review your security, and decide if you pass.

Why it matters: You need a C3PAO for Level 2 certification, but not for Level 1. Level 1 is self-assessed—no third-party audit required.


CMMC (Cybersecurity Maturity Model Certification)

Plain English: The Department of Defense's program requiring contractors to prove they protect sensitive information. It's a certification system with multiple levels based on what type of information you handle.

Why it matters: This is the whole reason you're reading this glossary. Without CMMC certification at the appropriate level, you can't work on DoD contracts.


CUI (Controlled Unclassified Information)

Plain English: Sensitive government information that isn't classified but still needs protection. It's typically marked with "CUI" labels on documents and files.

Why it matters: If you handle CUI, you need Level 2 certification—not Level 1. The simple test: have you received documents marked "CUI"? If not, you're probably Level 1.


D

DFARS (Defense Federal Acquisition Regulation Supplement)

Plain English: The contract rules that require defense contractors to implement cybersecurity. DFARS clause 252.204-7012 is the one that started all of this.

Why it matters: DFARS clauses in your contract are what legally require you to comply with cybersecurity standards. CMMC is how you prove you're doing it.


DIB (Defense Industrial Base)

Plain English: All the companies that work with the Department of Defense—manufacturers, suppliers, service providers, consultants, and everyone in the supply chain. That includes you.

Why it matters: When the DoD talks about protecting the "DIB," they're talking about requiring companies like yours to have proper cybersecurity.


E

Enclave

Plain English: A separate, isolated section of your IT environment where you handle sensitive information. It's walled off from the rest of your systems for extra protection.

Why it matters: Some businesses create enclaves specifically for handling CUI or FCI, limiting how much of their environment needs to meet CMMC requirements. It's a scoping strategy.


F

FAR 52.204-21

Plain English: The basic federal rule requiring contractors to protect Federal Contract Information. It lists 15 security requirements—the same 15 that make up CMMC Level 1.

Why it matters: CMMC Level 1 isn't new requirements; it's the same requirements from FAR 52.204-21, now with a certification framework around them.


FCI (Federal Contract Information)

Plain English: Any non-public information related to your government contract—documents, emails, pricing, specifications, schedules, and anything else that isn't meant for public release.

Why it matters: If you handle FCI (and virtually every DoD contractor does), you need at least CMMC Level 1.


FedRAMP (Federal Risk and Authorization Management Program)

Plain English: A security certification program for cloud services used by the government. Cloud providers go through rigorous assessment to earn FedRAMP authorization.

Why it matters: For Level 2, some of your cloud services may need to be FedRAMP authorized. For Level 1, it's less critical but still good to understand.


Flow-Down

Plain English: When contract requirements pass from a prime contractor down to subcontractors. If the prime has CMMC requirements, they "flow down" to you.

Why it matters: Even if your contract is with another company (not directly with DoD), CMMC requirements can still apply to you through flow-down clauses.


G

GCC High (Government Community Cloud High)

Plain English: Microsoft's special cloud environment designed for government contractors handling sensitive data. It's a more secure version of regular Microsoft 365.

Why it matters: Level 2 contractors handling CUI often need GCC High for their Microsoft services. It's more expensive than commercial Microsoft 365. Level 1 typically doesn't require it.


I

In Scope

Plain English: The systems, people, and locations that are subject to CMMC requirements because they handle or could access FCI or CUI.

Why it matters: Not everything in your business necessarily needs to meet CMMC requirements—only what's "in scope." Defining scope correctly can significantly reduce your compliance burden.


L

Level 1 / Level 2 / Level 3

Plain English: The three tiers of CMMC certification. Level 1 has 15 requirements for FCI. Level 2 has 110 requirements for CUI. Level 3 has additional requirements for the most sensitive work.

Why it matters: Knowing which level applies to your contracts determines how much work you need to do. Most small contractors are Level 1.


M

MFA (Multi-Factor Authentication)

Plain English: Requiring two or more forms of identification to log in—typically a password plus a code from your phone, a fingerprint, or a security key.

Why it matters: MFA isn't strictly required for Level 1, but it's required for Level 2 and strongly recommended regardless. It's one of the most effective security measures available.


MSP (Managed Service Provider)

Plain English: An outside company that manages your IT systems—your "IT guy" or IT company that handles computers, networks, and technical support.

Why it matters: Your MSP may handle some of your CMMC compliance, but you're still responsible. Make sure your MSP understands CMMC and knows what's required.


N

NIST SP 800-171

Plain English: A federal document listing 110 security requirements for protecting CUI. CMMC Level 2 is based entirely on these requirements.

Why it matters: If you need Level 2, you need to implement all 110 controls from NIST 800-171. Level 1 contractors don't need to worry about this—your 15 requirements come from a different source.


O

OSA (Organization Seeking Assessment)

Plain English: The company trying to get CMMC certified. That's you, when you're going through the assessment process.

Why it matters: You'll see this term in official CMMC documentation. It just means the contractor being assessed.


P

POA&M (Plan of Action and Milestones)

Plain English: A formal document listing your compliance gaps and your plan to fix them, with specific deadlines. It's your remediation roadmap.

Why it matters: For Level 2, POA&Ms are part of the assessment process—you can be certified with some gaps if you have a solid plan to close them. For Level 1, having a POA&M is good practice even though it's not formally required.


Prime Contractor

Plain English: A company that has a direct contract with the Department of Defense. Primes often hire subcontractors and flow CMMC requirements down to them.

Why it matters: If you work under a prime contractor rather than directly with DoD, your CMMC requirements come through them. They may have specific expectations beyond the baseline.


R

Remediation

Plain English: The process of fixing compliance gaps—implementing missing controls, updating configurations, creating documentation, or whatever else is needed to meet requirements.

Why it matters: After you assess your current state, remediation is how you close the gaps and achieve compliance.


S

Sanitization

Plain English: Completely removing information from media (hard drives, USB drives, paper) so it can't be recovered. Not just deleting—truly destroying the data.

Why it matters: CMMC Level 1 requires you to sanitize media before disposal. Simple deletion isn't enough; you need proper wiping or physical destruction.


Self-Assessment

Plain English: You evaluating your own compliance against CMMC requirements, rather than having a third party audit you.

Why it matters: Level 1 uses self-assessment—you evaluate yourself and affirm compliance. No expensive third-party audit required. But your self-assessment needs to be honest and accurate.


SPRS (Supplier Performance Risk System)

Plain English: The government database where contractors report their CMMC self-assessment results. It's managed by the Defense Logistics Agency.

Why it matters: After completing your Level 1 self-assessment, you report it through SPRS. Contracting officers check SPRS to verify contractors are compliant.


SSP (System Security Plan)

Plain English: A detailed document describing your IT environment, the security controls you have in place, and how your systems are protected. It's essentially a comprehensive security blueprint.

Why it matters: SSPs are primarily a Level 2 requirement. Level 1 doesn't formally require an SSP, though documenting your security practices is still wise.


Subcontractor

Plain English: A company that works under a prime contractor rather than having a direct contract with DoD. Even though you're a step removed, CMMC requirements still apply.

Why it matters: Being a subcontractor doesn't exempt you from CMMC. If FCI or CUI flows to you, you need the appropriate certification level.


V

Vulnerability

Plain English: A weakness in your systems that could be exploited by attackers—a software bug, a misconfiguration, an unpatched system, or a security gap.

Why it matters: CMMC requires you to identify and fix vulnerabilities in a timely manner. Staying current on patches and updates addresses most common vulnerabilities.


Use This Glossary

Bookmark this page. Share it with your team. When you encounter unfamiliar terms in contracts, compliance documents, or conversations with primes, you'll have a quick reference that cuts through the jargon.

Understanding the language is the first step toward understanding the requirements.

Ready to assess your actual compliance—not just learn the vocabulary? CMMCheck walks you through each CMMC Level 1 requirement in plain English, helping you identify gaps and understand exactly what you need to do.

Try CMMCheck and see where you stand.


This glossary is part of CMMCheck's Plain English CMMC Level 1 Guide, a complete resource for small businesses navigating DoD cybersecurity requirements.