Every CMMC term, in plain English.
55 definitions, primary-source citations, one URL per term. The reference small DoD contractors can hand to their owner, their lawyer, and their AI assistant — and get the same answer back.
Regulations & rules (12 terms)

32 CFR Part 170 (CMMC Program Rule)
32 CFR Part 170 is the Department of Defense final rule that established the CMMC program — defining the three certification levels, the assessment regime, the senior-official affirmation requirement, and the role of C3PAOs and the CMMC Accreditation Body. It became effective December 16, 2024.

32 CFR Part 2002 (CUI Implementing Rule)
32 CFR Part 2002 is the National Archives final rule that implemented Executive Order 13556 across the federal government, defining how agencies designate, mark, safeguard, and disseminate CUI. It is the source of the marking requirements that distinguish CUI from FCI.

48 CFR CMMC Acquisition Rule (DFARS CMMC Rule)
The 48 CFR CMMC Acquisition Rule is the September 2025 DFARS amendment that added the CMMC clause (DFARS 252.204-7021) to the FAR/DFARS contract framework. It took effect November 10, 2025 and is what makes CMMC contractually enforceable rather than merely a DoD policy.

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
DFARS 252.204-7012 is the DoD acquisition clause that requires contractors handling Covered Defense Information (CDI) to implement NIST SP 800-171 and report cyber incidents within 72 hours. It is the contractual hook that has made NIST 800-171 mandatory across the defense industrial base since 2017.

DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements)
DFARS 252.204-7019 requires offerors on DoD solicitations involving CUI to post a current NIST SP 800-171 self-assessment score in the Supplier Performance Risk System (SPRS) before they are eligible for award. The score must not be more than three years old at the time of the offer.

DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements)
DFARS 252.204-7020 requires DoD contractors to maintain a current NIST SP 800-171 assessment in SPRS, allow DoD personnel to verify it, and flow the requirement down to subcontractors handling CUI. It is the companion clause to -7019 that binds the obligation through performance, not just the offer.

DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements)
DFARS 252.204-7021 is the contract clause that makes a CMMC certification or self-assessment a material condition of award and continued performance on covered DoD contracts. It took effect November 10, 2025 as part of the 48 CFR final rule, and triggers the annual senior-official affirmation requirement under 32 CFR 170.22.

Executive Order 13556 (EO 13556)
Executive Order 13556, signed in November 2010, established the government-wide Controlled Unclassified Information (CUI) program and designated the National Archives (NARA) as Executive Agent. It is the legal origin of the entire CUI regime and, indirectly, of NIST SP 800-171 and CMMC.

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems)
FAR 52.204-21 is the Federal Acquisition Regulation clause that requires federal contractors to apply 15 basic safeguarding requirements to systems that process, store, or transmit Federal Contract Information (FCI). It is the regulatory basis for CMMC Level 1 — the 15 Level 1 practices are drawn directly from paragraph (b)(1) of this clause.

NIST SP 800-171 (NIST Special Publication 800-171)
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security controls for protecting Controlled Unclassified Information (CUI) on non-federal systems. It is the controls catalog used at CMMC Level 2 — but is not used at Level 1, which is based on the 15 safeguarding requirements in FAR 52.204-21.

NIST SP 800-171A (Assessing Security Requirements for Controlled Unclassified Information)
NIST SP 800-171A is the companion assessment guide to SP 800-171 — it breaks each of the 110 controls into discrete assessment objectives (about 320 in total) that an assessor uses to verify implementation. CMMC Level 2 assessments are conducted against the 800-171A objectives.

NIST SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information)
NIST SP 800-172 specifies 24 enhanced security requirements that supplement NIST SP 800-171 for systems handling CUI associated with critical programs or high-value assets. These additional 24 controls are what distinguishes CMMC Level 3 from Level 2.
Information types (6 terms)

Controlled Technical Information (CTI)
Controlled Technical Information (CTI) is technical data or computer software with military or space application that has been marked with one of the DoD distribution statements (B through F). It is a specific category of CUI and a specific category of Covered Defense Information under DFARS 252.204-7012.

Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections — and at the contractual level, CMMC Level 2.

Covered Defense Information (CDI)
Covered Defense Information (CDI) is the subset of CUI that DoD specifically requires contractors to protect under DFARS 252.204-7012. It includes unclassified controlled technical information and other information that requires safeguarding when in support of a DoD contract.

DoD Distribution Statement (Distribution Statement A–F)
DoD Distribution Statements (A through F) are markings the Department of Defense applies to technical documents to indicate who may receive them and under what conditions. Statements B through F generally indicate Controlled Technical Information and trigger CUI handling requirements.

Federal Contract Information (FCI)
Federal Contract Information (FCI) is non-public information provided by or generated for the federal government under a contract to develop or deliver a product or service. It is the information type protected under FAR 52.204-21 and is the trigger for CMMC Level 1.

NARA CUI Registry (CUI Registry)
The NARA CUI Registry is the official, public list of every category and subcategory of information that qualifies as Controlled Unclassified Information across the federal government. It is the authoritative source for determining whether a given type of information is CUI.
Programs & frameworks (6 terms)

Civil Cyber-Fraud Initiative (CCFI)
The Civil Cyber-Fraud Initiative (CCFI) is the Department of Justice program, launched October 6, 2021, that uses the False Claims Act to pursue federal contractors who knowingly provide deficient cybersecurity, misrepresent their security practices, or fail to report cyber incidents. It is the enforcement frame that gives CMMC affirmations legal teeth.

CMMC Level 1 (Level 1)
CMMC Level 1 is the lowest of the three CMMC certification tiers, covering contractors who handle Federal Contract Information (FCI) but not CUI. It requires implementing the 15 safeguarding requirements in FAR 52.204-21(b)(1), an annual self-assessment, and an annual senior-official affirmation posted in SPRS.

CMMC Level 2 (Level 2)
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO), depending on the program's prioritization.

CMMC Level 3 (Level 3)
CMMC Level 3 is the highest CMMC certification tier, reserved for DoD programs involving CUI of the highest priority. It requires implementing NIST SP 800-171 plus 24 enhanced controls drawn from NIST SP 800-172, and triennial assessments performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense program that verifies whether contractors meet the cybersecurity controls already required by FAR 52.204-21 and NIST SP 800-171. It defines three certification levels and the assessment mechanism for each, established by 32 CFR Part 170 and made contractually binding by DFARS 252.204-7021.

False Claims Act (FCA)
The False Claims Act (31 U.S.C. §§ 3729–3733) is the federal civil statute that imposes treble damages and per-claim penalties on anyone who knowingly submits a false claim for payment to the government. Knowledge includes actual knowledge, deliberate ignorance, and reckless disregard — and applies to contractors who falsely affirm cybersecurity compliance under CMMC.
Roles & people (9 terms)

Affirming Official (Senior Official)
The Affirming Official is the named senior representative of a contractor organization who electronically affirms continued compliance with the applicable CMMC requirements at least annually, as required by 32 CFR 170.22. They must have authority to bind the organization, and they bear the False Claims Act exposure created by a knowingly false affirmation.

Certified CMMC Assessor (CCA)
A Certified CMMC Assessor (CCA) is an individual credentialed by the Cyber AB to lead CMMC Level 2 assessments under a C3PAO. CCAs are not required for Level 1 — and the credential itself does not authorize anyone to issue a Level 1 certification.

Certified CMMC Professional (CCP)
A Certified CMMC Professional (CCP) is the baseline credential issued by the Cyber AB for individuals participating in the CMMC ecosystem. CCPs may serve as assessment team members under a CCA, but the credential alone does not authorize them to lead assessments or issue certifications.

CMMC Third-Party Assessment Organization (C3PAO)
A CMMC Third-Party Assessment Organization (C3PAO) is an entity accredited by the Cyber AB to perform CMMC Level 2 assessments on behalf of DoD contractors. C3PAOs are not used at Level 1 — Level 1 is exclusively self-assessed — and they are not used at Level 3, which is assessed by DIBCAC.

Contracting Officer (KO)
A Contracting Officer (CO or KO) is the federal government employee with delegated authority to enter into, administer, or terminate contracts and make related determinations. For CMMC purposes, the contracting officer determines the required CMMC level for the contract and is the government's point of accountability for compliance enforcement.

Cyber AB (CMMC Accreditation Body)
The Cyber AB is the sole accreditation body for the CMMC ecosystem. It is responsible for authorizing and accrediting C3PAOs, Certified CMMC Assessors (CCAs), Certified CMMC Professionals (CCPs), and Registered Practitioners (RPs).

Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the Defense Contract Management Agency (DCMA) component that conducts NIST SP 800-171 assessments and CMMC Level 3 assessments on DoD contractors. DIBCAC assessments are the highest assurance level in the program.

Prime Contractor (Prime)
A prime contractor is the entity that holds the direct contract with the federal government. The prime is responsible for flowing down applicable CMMC requirements to its subcontractors and for assessing whether each subcontractor's required CMMC level matches the type of information being shared.

Subcontractor Flow-Down (Flow-down)
Subcontractor flow-down is the contractual mechanism by which a prime contractor passes federal cybersecurity requirements (FAR 52.204-21, DFARS 252.204-7012/7019/7020/7021) to its subcontractors. CMMC requirements flow down to any subcontractor that will process, store, or transmit FCI or CUI in performance of the contract.
Assessment & scoring (10 terms)

Annual Affirmation (Senior Official Affirmation)
The annual affirmation is the electronic statement, posted in SPRS at least every 12 months by an Affirming Official under 32 CFR 170.22, that the contractor continues to meet the security requirements for its CMMC level. Knowingly false affirmations are the explicit enforcement target of the DOJ Civil Cyber-Fraud Initiative.

Assessment Objective (Determination Statement)
An assessment objective is a discrete, atomic statement an assessor uses to determine whether a security requirement has been satisfied. NIST SP 800-171A breaks each of the 110 NIST 800-171 controls into multiple assessment objectives (approximately 320 in total) — the CMMC Level 1 Assessment Guide breaks each of the 15 requirements into a smaller set of objectives.

Binary Assessment (MET / NOT MET)
Binary assessment is the CMMC Level 1 scoring model in which each of the 15 safeguarding requirements is rated either MET or NOT MET — there is no partial credit, no point value, and no Plan of Action and Milestones (POA&M) permitted. The organization must achieve MET on all 15 requirements to be compliant.

Plan of Action and Milestones (POA&M)
A Plan of Action and Milestones (POA&M) is a written document that identifies security weaknesses, the corrective actions planned to address them, and the milestones for doing so. POA&Ms are permitted at CMMC Level 2 (for limited categories of controls, with closure timelines) but are NOT permitted at Level 1 — Level 1 requires full implementation before affirmation.

Procurement Integrated Enterprise Environment (PIEE)
The Procurement Integrated Enterprise Environment (PIEE) is the DoD's single sign-on portal for procurement-related applications, including SPRS, WAWF, and the CMMC Enterprise Mission Assurance Support Service. Contractors must hold a PIEE account to post SPRS scores or CMMC affirmations.

Safeguarding Requirement
A safeguarding requirement is one of the 15 specific security practices enumerated in FAR 52.204-21(b)(1) that contractors must apply to Covered Contractor Information Systems. The 15 safeguarding requirements are the entire substantive content of CMMC Level 1.

Self-Assessment
A CMMC self-assessment is an internally conducted evaluation of an organization's implementation of the applicable security requirements, performed without a third-party assessor. CMMC Level 1 is exclusively self-assessed; CMMC Level 2 is self-assessed for some programs and C3PAO-assessed for others, depending on the contract requirement.

SPRS Score (NIST 800-171 Assessment Score)
An SPRS score is a numerical NIST SP 800-171 self-assessment score, ranging from a maximum of +110 down to a possible -203, calculated using the DoD Assessment Methodology by subtracting weighted point values for unimplemented controls. SPRS scores are required at CMMC Level 2 and above — Level 1 is binary MET/NOT MET with no numerical score.

Supplier Performance Risk System (SPRS)
The Supplier Performance Risk System (SPRS) is the Department of Defense system of record where contractors post their NIST SP 800-171 assessment scores and CMMC affirmations. Contracting officers verify SPRS entries before award on solicitations that include DFARS 252.204-7019, -7020, or -7021.

System Security Plan (SSP)
A System Security Plan (SSP) is the written document that describes the boundary of a contractor's information system, the security controls implemented to protect it, and how each applicable requirement is satisfied. NIST SP 800-171 control 3.12.4 requires an SSP at Level 2; at Level 1 an SSP is not required by regulation but is considered a best-practice evidence artifact.
Systems & tooling (6 terms)

Assessment Scope (CMMC Assessment Scope)
The assessment scope (also called the boundary) is the set of assets — people, technology, facilities, external service providers — that process, store, or transmit FCI or CUI and therefore must meet the applicable CMMC requirements. Drawing the smallest defensible scope is the highest-leverage decision in a CMMC project.

Covered Contractor Information System (CCIS)
A Covered Contractor Information System is an unclassified information system owned, or operated by or for, a contractor that processes, stores, or transmits Federal Contract Information. FAR 52.204-21's 15 safeguarding requirements apply to every Covered Contractor Information System.

External Service Provider (ESP)
An External Service Provider (ESP) is an external entity that provides information technology or cybersecurity services that handle the contractor's FCI or CUI, or that play a security-protection role for in-scope systems. Examples include managed service providers, cloud hosting providers, and managed security service providers; ESPs that handle CUI must themselves meet applicable CMMC requirements.

FedRAMP (Federal Risk and Authorization Management Program)
FedRAMP is the federal government program that standardizes the security assessment, authorization, and continuous monitoring of cloud service offerings used by federal agencies. Cloud services used by DoD contractors to process or store CUI must be FedRAMP Moderate Equivalent or higher under DFARS 252.204-7012(b)(2)(ii)(D).

Managed Service Provider (MSP)
A Managed Service Provider (MSP) is an outsourced IT services firm that operates portions of a contractor's information environment. Under CMMC, an MSP that handles FCI is treated as an External Service Provider and must meet the applicable safeguarding requirements for the in-scope environment it manages.

Microsoft 365 GCC High (GCC High)
Microsoft 365 Government Community Cloud High (GCC High) is the Microsoft cloud offering authorized to handle CUI and ITAR data for DoD contractors. GCC High is generally required at CMMC Level 2 when CUI is present; it is not required at Level 1, where standard Microsoft 365 Commercial is sufficient for FCI.
Contracting & SAM (6 terms)

CAGE Code (Commercial and Government Entity Code)
A CAGE Code is a five-character alphanumeric identifier assigned to suppliers doing business with the U.S. federal government. It is the unique identifier under which an organization's SPRS score and CMMC affirmation are posted.

NAICS Code (North American Industry Classification System)
A NAICS code is the six-digit numeric identifier used by federal agencies to classify business establishments by industry. The NAICS code assigned to a contract determines size standards for small-business set-asides, but does not by itself determine whether CMMC applies — that turns on the data type (FCI vs CUI), not the industry.

SAM.gov (System for Award Management)
SAM.gov is the official U.S. government website where vendors register to do business with the federal government, search for opportunities, and check exclusion lists. Active SAM registration is a prerequisite for receiving any federal contract award and for posting an SPRS score or CMMC affirmation.

SBIR (Small Business Innovation Research)
The Small Business Innovation Research (SBIR) program is a federal initiative that funds small-business R&D in three phases (feasibility, prototype, commercialization). DoD SBIR awards routinely include FAR 52.204-21 (Phase I) and frequently progress into CUI-handling work that triggers DFARS 252.204-7012 and CMMC Level 2 (Phase II and beyond).

Set-Aside (Small Business Set-Aside)
A set-aside is a federal contracting tool that restricts competition to a specific category of small business (e.g., 8(a), HUBZone, SDVOSB, WOSB) for a particular procurement. Set-asides do not change the CMMC requirements that apply — a small business prime is subject to the same FAR 52.204-21 safeguarding requirements as a large prime.

Unique Entity Identifier (UEI)
The Unique Entity Identifier (UEI) is the 12-character alphanumeric identifier assigned by SAM.gov to every entity registered to do business with the federal government. It replaced the legacy DUNS number in April 2022 as the primary entity identifier for federal procurement.