Giga-Green Giga-Green

CMMC & NIST 800-171

The CMMC glossary

Plain-English definitions of the acronyms and terms you'll encounter across CMMC, NIST 800-171, DFARS, and the defense industrial base.

Cybersecurity Maturity Model Certification CMMC

The Department of Defense program that verifies contractors handling FCI or CUI meet specific NIST-based cybersecurity requirements.

CMMC is a tiered certification program (Levels 1, 2, and 3) that applies to DoD contractors and subcontractors. Level 1 aligns to FAR 52.204-21 basic safeguarding; Level 2 aligns to NIST SP 800-171; Level 3 adds enhanced controls from NIST SP 800-172. Requirements flow down through the supply chain.

Controlled Unclassified Information CUI

Government-created or -owned information that requires safeguarding or dissemination controls but is not classified.

CUI is defined by 32 CFR Part 2002 and includes categories like Defense CUI, Export Control, Personnel Records, and Procurement & Acquisition. Contractors handling CUI generally need CMMC Level 2 or higher. CUI Specified categories carry additional handling requirements beyond CUI Basic.

Federal Contract Information FCI

Information provided by or generated for the government under a contract, not intended for public release.

FCI is the lowest-sensitivity category of contract information. Contractors handling only FCI (and not CUI) typically need CMMC Level 1, which is a self-assessment against FAR 52.204-21.

NIST SP 800-171

The 110-control NIST publication that defines security requirements for protecting CUI in non-federal systems and organizations.

NIST SP 800-171 is the technical basis for CMMC Level 2. Rev 2 is the currently enforced revision; Rev 3 introduces significant changes and is expected to be incorporated into CMMC in the future.

NIST SP 800-172

A supplement to NIST SP 800-171 that adds enhanced security requirements for high-value CUI facing advanced persistent threats.

NIST SP 800-172 provides the additional controls used in CMMC Level 3. Level 3 assessments are conducted by the government (DIBCAC), not by a C3PAO.

DFARS 252.204-7012

The DoD contract clause requiring contractors to implement NIST SP 800-171 controls and report cyber incidents within 72 hours.

DFARS 252.204-7012 has been in DoD contracts since 2015 and is a prerequisite for CMMC Level 2 obligations. It requires safeguarding CUI, reporting incidents to DoD via DIBNet within 72 hours, and preserving forensic evidence.

FAR 52.204-21

The Federal Acquisition Regulation clause defining 15 basic safeguarding requirements for FCI.

FAR 52.204-21 is the source for the 15 basic safeguarding practices that make up CMMC Level 1. It applies broadly across federal contracts, not just DoD.

Defense Industrial Base DIB

The network of private companies that supply goods and services to the DoD.

The DIB includes prime contractors, subcontractors, and suppliers at every tier of the DoD supply chain. Nearly all DIB members will be subject to some level of CMMC as the program rolls out.

Certified Third-Party Assessment Organization C3PAO

An organization accredited by The Cyber-AB to perform CMMC Level 2 assessments.

A C3PAO conducts the formal Level 2 assessment used to grant CMMC certification. C3PAOs are separate from consultants — the same organization cannot both prepare and assess the same contractor. Level 3 is assessed by the government (DIBCAC), not by a C3PAO.

System Security Plan SSP

The document that describes how each in-scope system meets each NIST SP 800-171 control objective.

The SSP is the primary artifact your C3PAO reads to understand your compliance posture. It documents system boundaries, control implementation status, and references to supporting evidence for every one of the 110 Level 2 controls.

Plan of Action and Milestones POA&M

A document listing unmet CMMC controls with a plan and deadline to remediate each one.

Under the CMMC Final Rule, a POA&M enables conditional Level 2 certification — but only for controls worth 1 point on the SPRS scoring model, and every open item must close within 180 days.

Supplier Performance Risk System SPRS

The DoD system where contractors submit their NIST SP 800-171 self-assessment scores.

SPRS scoring starts at 110 and subtracts weighted points (1, 3, or 5) for each control that is not fully implemented. Contractors handling CUI must submit and maintain a current SPRS score in accordance with DFARS 252.204-7020.

GCC High

Microsoft 365 Government Community Cloud High — a FedRAMP High-authorized cloud tier for hosting CUI Specified, ITAR-controlled data, and IL5 workloads.

GCC High is often required for DoD contractors handling sensitive CUI. It sits above the standard GCC tier, is authorized for higher-sensitivity data, and has a more restricted third-party application ecosystem. See our comparison at /services/gcch-migration.

GCC

Microsoft 365 Government Community Cloud — a FedRAMP Moderate tier suitable for CUI Basic.

GCC is the entry-level government cloud. Suitable for FCI and CUI Basic, but not CUI Specified or ITAR data. Licensing is cheaper than GCC High and the third-party app ecosystem is broader.

International Traffic in Arms Regulations ITAR

U.S. State Department regulations controlling the export and re-export of defense-related articles, services, and technical data.

Contractors handling ITAR-controlled technical data must ensure that data does not touch systems accessible to non-U.S. persons. This constrains cloud choices: GCC High is generally required, and identity/access controls must be configurable to enforce U.S. persons-only access.

CMMC Registered Practitioner RP

An individual credentialed by The Cyber-AB to provide CMMC preparation consulting services.

Registered Practitioners have passed a Cyber-AB knowledge exam and agree to abide by the CMMC Code of Conduct. RPs cannot certify contractors, but they can prepare them for a C3PAO assessment. Giga-Green is a Registered Practitioner Organization.

CMMC Assessment Preparation Engagement CAPE

Giga-Green's fixed-price methodology for taking a contractor from system inventory to a C3PAO-ready SSP, POA&M, and SPRS score.

CAPE is our structured Level 2 preparation engagement. It ends with a decision — ready for assessment, or not ready with a clear POA&M of what must change. Learn more at /services/gap-assessment.

External Service Provider ESP

A third party that provides IT or security services touching the contractor's CMMC scope.

MSPs, MSSPs, and cloud providers can be ESPs. Under CMMC, ESPs whose systems process, store, or transmit CUI generally need to be CMMC-certified themselves, or their scope must be clearly documented and their controls flowed into the contractor's SSP.

Federal Risk and Authorization Management Program FedRAMP

The U.S. government program that standardizes security assessment and authorization for cloud services.

FedRAMP has three levels — Low, Moderate, and High. Moderate is a floor for CUI Basic; High is required for GCC High and higher-sensitivity CUI. Cloud services claiming CMMC compatibility usually need to be at FedRAMP Moderate or High, or "equivalent" per DoD memo guidance.

Defense Industrial Base Cybersecurity Assessment Center DIBCAC

The Defense Contract Management Agency team that conducts CMMC Level 3 assessments and DoD self-assessments.

DIBCAC (part of DCMA) conducts Level 3 CMMC assessments directly, and previously conducted the NIST SP 800-171 assessments that preceded CMMC. Level 3 assessment is government-led; C3PAOs are not authorized to certify Level 3.