Fortinetics
Compliance glossary · 66 terms

Plain-English definitions
of the terms that actually matter.

CMMC, FedRAMP, DoD Impact Levels, SOC 2, ISO 27001, SCIF, SAPF — the acronyms that show up on every compliance RFP and in every buyer conversation. Each entry tells you what it is, why it matters, and one fact you can act on.

Defense

CMMC and DFARS

CMMC
Cybersecurity Maturity Model Certification · CMMC 2.0

The Department of Defense's cybersecurity certification program for defense contractors. Under CMMC 2.0, contractors are assessed at Level 1 (annual self-assessment against the 15 basic safeguarding requirements of FAR 52.204-21), Level 2 (the 110 requirements of NIST SP 800-171 Rev 2; C3PAO-assessed for most CUI contracts, with a self-assessment variant for contracts DoD designates), or Level 3 (DIBCAC-assessed; Level 2 plus 24 enhanced requirements selected from NIST SP 800-172). The CMMC contract rule took effect November 10, 2025 (Phase 1). Phase 2 begins November 10, 2026, at which point Level 2 certification is required at contract award for applicable contracts involving CUI.

CMMC Level 2
CMMC L2

The CMMC tier required for defense contractors handling Controlled Unclassified Information. Implements all 110 NIST SP 800-171 Rev 2 requirements across 14 families. For most CUI contracts it requires a C3PAO-conducted third-party assessment. Final certification requires all 110 requirements met; a conditional certification is possible at a score of 88 or higher, with the open items on a POA&M that the C3PAO must verify closed within 180 days, and requirements worth more than one point (3.13.11, partially implemented, being the one exception) cannot be deferred to that POA&M. Typical preparation window is six to nine months for a team with a sound IT baseline.

C3PAO
Certified Third-Party Assessor Organization

An organization accredited by the Cyber AB to conduct CMMC Level 2 and Level 3 assessments. C3PAOs are independent of the contractor being assessed; they charge for the assessment and issue the CMMC certificate upon passing. They do not help remediate gaps. Booking a C3PAO often requires months of lead time, especially as the Phase 2 deadline approaches.

Cyber AB
Cyber Accreditation Body

The non-profit accreditation body for the CMMC program. Cyber AB accredits the C3PAOs and maintains the public directory of authorized assessor organizations. It does not conduct assessments itself. As of May 2026, roughly fifty C3PAOs are authorized — a supply constraint the DIB is still working through.

CUI
Controlled Unclassified Information

Unclassified information that the U.S. government requires be protected or controlled in accordance with specific policy. Examples include technical data, export-controlled information, legal material, privacy information, and critical infrastructure data. Handling CUI in a DoD contract triggers DFARS 252.204-7012, NIST SP 800-171 requirements, and CMMC assessment scope.

DFARS 252.204-7012
DFARS 7012 · the 7012 clause

The DoD contract clause that requires covered contractors handling CUI to (1) implement the NIST SP 800-171 security requirements, (2) report cyber incidents affecting covered defense information to DoD through DC3's DIBNet portal within 72 hours of discovery, and (3) preserve affected system images and data and make them available for DoD forensic review. First issued in 2013, with the current safeguarding language finalized in October 2016 and a NIST SP 800-171 implementation deadline of December 31, 2017. CMMC adds independent verification to the first prong; the 72-hour reporting obligation applies directly, regardless of CMMC status.

DFARS 252.204-7021
DFARS 7021

The DoD contract clause that implements CMMC: the contractor must hold the CMMC level the contract specifies at award and maintain it throughout performance. The program itself is defined in 32 CFR Part 170 (final rule published October 15, 2024, effective December 16, 2024); the clause was put into contracts by the separate 48 CFR DFARS final rule that took effect November 10, 2025 and started the phased rollout. The clause is the contractual teeth of CMMC.

FCI
Federal Contract Information

Non-public information provided by or generated for the U.S. government under a contract, excluding information provided to the public or simple transactional info. FCI triggers FAR 52.204-21 (15 basic safeguarding requirements) and CMMC Level 1 self-assessment. Most federal contracts involve at least FCI; CUI is a more sensitive subset that adds DFARS 252.204-7012 and CMMC Level 2 obligations.

DC3
DoD Cyber Crime Center

The DoD organization that receives cyber-incident reports submitted under DFARS 252.204-7012. Reports are filed via the DIBNet portal (dibnet.dod.mil) within 72 hours of discovering a cyber incident affecting covered defense information. DC3 also runs the DoD Vulnerability Disclosure Program and DCISE (DoD-Defense Industrial Base Collaborative Information Sharing Environment).

DIBCAC
Defense Industrial Base Cybersecurity Assessment Center

The Defense Contract Management Agency component that conducts CMMC Level 3 assessments and high-assurance DoD cybersecurity assessments. DIBCAC assessments are government-led, not commercial, and are reserved for the narrow set of CMMC L3 contracts and other DoD-designated programs.

DIB
Defense Industrial Base

The collection of U.S. and foreign companies that produce or service DoD weapons systems, components, and supporting technologies. Roughly 70,000 organizations are considered part of the DIB handling CUI — the population subject to CMMC Level 2 under Phase 2.

NIST SP 800-171
NIST 800-171 · 800-171 Rev 2

The NIST special publication defining security requirements for Protecting Controlled Unclassified Information in Nonfederal Systems. Revision 2 contains 110 controls across 14 families and forms the technical basis of CMMC Level 2. A Revision 3 was released but DoD has specified Rev 2 for CMMC through Phase 2.

NIST SP 800-172
NIST 800-172

NIST's enhanced security requirements for protecting CUI against advanced persistent threats. A subset of 800-172 controls is incorporated into CMMC Level 3. Most contractors handling CUI do not need 800-172; it applies to programs where the adversary threat level justifies enhanced controls.

POA&M
Plan of Action and Milestones

A living document tracking open security findings, the remediation plan for each, the owner, and the target completion date. A POA&M is an expected artifact in CMMC and FedRAMP assessments (FedRAMP ConMon requires a monthly update); SOC 2 and ISO 27001 auditors track exceptions and corrective actions in a similar form. A zero-items POA&M is often a red flag: it signals either immature program awareness or an incentive to under-report rather than a truly gap-free posture.

SSP
System Security Plan

The authoritative document describing how each security control is implemented for a specific system. Every CMMC, FedRAMP, and DoD CC SRG assessment centers on the SSP. Assessor-grade SSPs describe the implementation in enough detail that an independent reviewer could verify the control by inspecting the system — a bar most first-time SSPs do not clear.

SPRS
Supplier Performance Risk System

The DoD system of record where contractors submit NIST SP 800-171 self-assessment scores under DFARS 252.204-7019 / -7020. As CMMC Phase 2 takes effect, the CMMC certificate status is also tracked in SPRS. DoD contracting officers check SPRS before award.
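The number that lands in SPRS is produced by a fixed scoring rule, and it is worth seeing that rule as code before an assessor applies it to you. The block below is an added example, not DoD's tool and not code from this page: it encodes the NIST SP 800-171 DoD Assessment Methodology (start at 110, subtract each unmet requirement's 5-, 3- or 1-point weight, partial credit for 3.5.3 and 3.13.11, floor of -203) and the 32 CFR 170.21 conditions for a CMMC Level 2 conditional certification. The per-requirement weights in the sample are illustrative, not looked up; take real weights from Annex A of the methodology. The `Finding` class and function names are this example's own.

```python
"""Score a NIST SP 800-171 assessment the way the DoD Assessment Methodology does.

Added example, not from the glossary or from DoD. Encodes the published scoring
rules: start at 110, subtract each NOT MET requirement's weight (5, 3 or 1),
partial credit for 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto), floor -203.
Sample weights are illustrative; verify them against the methodology's Annex A.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

START_SCORE = 110       # every one of the 110 requirements met
FLOOR_SCORE = -203      # methodology minimum
CONDITIONAL_MIN = 88    # 80% of 110: floor for a CMMC L2 conditional certification

# Requirements the methodology scores at -3 instead of -5 when partially implemented.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA on remote and privileged access, but not yet general users
    "3.13.11": 3,  # encryption in use, but the module is not CMVP-validated
}
# The only >1-point requirement 32 CFR 170.21 lets onto a Level 2 POA&M (when scored 3).
POAM_ALLOWED_HIGH_WEIGHT = {"3.13.11"}


@dataclass(frozen=True)
class Finding:
    req_id: str   # 800-171 Rev 2 requirement id, e.g. "3.1.1"
    weight: int   # 5, 3 or 1 (illustrative values in the samples below)
    status: str   # "met", "not_met" or "partial"


def sprs_score(findings: Iterable[Finding]) -> int:
    """Return the DoD Assessment Methodology score for a set of findings."""
    score = START_SCORE
    for f in findings:
        if f.status == "met":
            continue
        if f.status == "partial":
            if f.req_id not in PARTIAL_CREDIT:
                raise ValueError(f"{f.req_id}: partial credit exists only for {sorted(PARTIAL_CREDIT)}")
            score -= PARTIAL_CREDIT[f.req_id]
        elif f.status == "not_met":
            score -= f.weight
        else:
            raise ValueError(f"{f.req_id}: unknown status {f.status!r}")
    return max(score, FLOOR_SCORE)


def conditional_cert_check(findings: Iterable[Finding]) -> Tuple[bool, List[str]]:
    """Apply the 32 CFR 170.21 tests for a CMMC Level 2 conditional certification.

    Returns (eligible, blockers). Assumption: the rule also bars a short list of
    specific one-point requirements from the POA&M; add those from the current
    rule text before relying on this check.
    """
    findings = list(findings)
    blockers: List[str] = []
    score = sprs_score(findings)
    if score < CONDITIONAL_MIN:
        blockers.append(f"score {score} is below {CONDITIONAL_MIN}")
    for f in findings:
        if f.status == "met":
            continue
        if f.weight > 1 and f.req_id not in POAM_ALLOWED_HIGH_WEIGHT:
            blockers.append(f"{f.req_id} ({f.weight} pts) cannot be placed on a POA&M")
        elif f.req_id in POAM_ALLOWED_HIGH_WEIGHT and f.status != "partial":
            blockers.append(f"{f.req_id} may be on a POA&M only when partially implemented")
    return (not blockers, blockers)


# Constructed sample assessments (weights illustrative, see module docstring).
SAMPLE_READY = [
    Finding("3.1.1", 5, "met"),
    Finding("3.5.3", 5, "met"),
    Finding("3.13.11", 5, "partial"),   # non-validated TLS on one boundary: -3
    Finding("3.1.22", 1, "not_met"),    # -1
    Finding("3.8.9", 1, "not_met"),     # -1
]
SAMPLE_BLOCKED = SAMPLE_READY + [Finding("3.8.7", 5, "not_met")]  # -5, and not POA&M-able

if __name__ == "__main__":
    for label, sample in (("ready", SAMPLE_READY), ("blocked", SAMPLE_BLOCKED)):
        ok, why = conditional_cert_check(sample)
        print(label, sprs_score(sample), "eligible" if ok else why)
```

The two samples show the distinction that trips contractors up: both score comfortably above 88, but one open five-point requirement is enough to rule out a conditional certificate regardless of the total.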

Cloud

FedRAMP and DoD Impact Levels

FedRAMP
Federal Risk and Authorization Management Program

The federal government's standardized approach to security authorization for cloud service providers. A CSP is authorized once (historically by either an agency or the Joint Authorization Board; the JAB was replaced by the FedRAMP Board in 2024, and new authorizations now come through an agency sponsor) and the package is reused by other agencies via the FedRAMP Marketplace. Baselines are Low, Moderate, and High, mapped to FIPS 199 impact levels. FedRAMP Moderate is the typical target for commercial CSPs entering federal.

DoD CC SRG
DoD Cloud Computing Security Requirements Guide

The DoD's overlay on top of FedRAMP that defines Impact Levels 2 through 6 for cloud workloads handling DoD data. IL2 is non-controlled unclassified information (including publicly releasable data); IL4 is CUI; IL5 is CUI that requires a higher level of protection plus unclassified National Security Systems; IL6 is Secret. Each level adds DoD-specific requirements (US-citizen operators, FIPS 140 cryptography, specific region isolation) on top of the FedRAMP baseline.

IL4
DoD Impact Level 4

The DoD CC SRG tier covering CUI workloads. Builds on FedRAMP Moderate / High with DoD-specific overlay controls. Typically runs in AWS GovCloud, Azure Government, or equivalent. Most DoD cloud consumption targeted by commercial CSPs lands at IL4.

IL5
DoD Impact Level 5

The DoD CC SRG tier covering mission-critical CUI and unclassified National Security Systems. Adds US-citizen operator verification for privileged access, FIPS 140-validated cryptography at every boundary, and stricter continuous monitoring cadence on top of IL4.

IL6
DoD Impact Level 6

The DoD CC SRG tier covering Secret-classified workloads. Runs in isolated classified regions (AWS Secret Region, Azure Government Secret). IL6 involves personnel clearances, classified network access, and accreditation processes that put it in a different operational world from IL2-IL5.

3PAO
Third-Party Assessment Organization

An independent firm accredited by A2LA under ISO/IEC 17020 and recognized by the FedRAMP PMO to perform the security assessment component of a FedRAMP authorization. 3PAOs conduct the penetration testing and control assessment and produce the Security Assessment Report that agencies rely on for ATO decisions. Analogous in structure to a C3PAO but for the FedRAMP world.

ATO
Authority to Operate

The formal authorization issued by a federal agency Authorizing Official that permits a cloud service to process the agency's data at a specified FedRAMP baseline. An ATO is agency-specific; a single CSP can hold multiple ATOs from different agencies, each typically reusing the same FedRAMP package. Under the now-retired JAB path, CSPs instead received a Provisional ATO (P-ATO) that individual agencies then adopted; legacy P-ATOs remain in force.

ConMon
Continuous Monitoring

The ongoing evidence program required after a FedRAMP ATO — monthly vulnerability scans, POA&M updates, significant change notifications, annual assessments. ConMon is not a milestone; it is a sustained operational program that, done well, produces audit-ready evidence as a byproduct of running the system.

GovCloud
AWS GovCloud (US)

AWS's isolated US-only regions designed for regulated workloads. Logically and physically separated from the AWS commercial regions, operated on US soil by US persons, and authorized at FedRAMP High and DoD IL2, IL4 and IL5. Most DoD-adjacent AWS workloads live in GovCloud.

GCC High
Microsoft 365 GCC High

Microsoft's Government Community Cloud High tier: the compliance tier of Microsoft 365 authorized for CUI and DoD IL4-5 workloads. Distinct from commercial M365, GCC (the non-high tier, authorized at FedRAMP Moderate), and the M365 DoD tier (IL5); there is no Microsoft 365 tier for Secret (IL6), which lives in the separate Azure Government Secret environment. GCC High is the typical target for DoD contractors using Microsoft for productivity and CUI handling.

FIPS 140
FIPS 140-2 · FIPS 140-3 · CMVP

NIST Federal Information Processing Standard for cryptographic modules. Required for federal and DoD use of cryptography. A module is not "FIPS 140" merely because it uses approved algorithms; it must be validated under the Cryptographic Module Validation Program and appear on the active validation list. The difference between "FIPS-compliant" and "CMVP-validated" is a common audit gotcha.

CSP
Cloud Service Provider

The vendor delivering a cloud service that a federal agency or DoD program consumes. In FedRAMP and DoD CC SRG context, the CSP is the entity pursuing the authorization and operating the cloud service offering (CSO). Distinct from the CSO itself, which is the specific bounded service being authorized.

DISA
Defense Information Systems Agency

The DoD agency that operates DoD information networks, publishes the DoD Cloud Computing SRG, and issues DoD Provisional Authorizations for cloud services at each Impact Level (IL2 PAs largely reciprocate a FedRAMP Moderate authorization; IL4 and above add DoD-specific assessment). DISA also publishes the STIGs (Security Technical Implementation Guides) used as DoD configuration baselines.

NSS
National Security Systems

Information systems handling classified information or directly involved in command and control of military forces, weapons systems, intelligence, or cryptologic activities. NSS controls are drawn from CNSSI 1253 (which extends NIST 800-53 with NSS-specific overlays). The DoD CC SRG IL5 v1r3 update layered ~170 NSS controls onto the IL5 baseline.

KSI
Key Security Indicator

FedRAMP 20x's machine-verifiable indicators that replace much of manual 3PAO attestation. A KSI is a discrete, automatable statement (e.g., "data encrypted at rest with FIPS 140-validated algorithms") that the CSP's environment can demonstrate continuously. The KSI model trades upfront automation investment for faster, cheaper ongoing authorization.

FedRAMP 20x
FedRAMP 20x program

GSA's modernization of FedRAMP authorization, replacing manual control-by-control 3PAO attestation with automated validation against Key Security Indicators. Phase 2 wrapped March 31, 2026 with ~10 FedRAMP Moderate pilot authorizations; Phase 3 (FY26 H2) is now active. Phase 4 will pilot FedRAMP High in FY27 H1.

P-ATO
Provisional Authority to Operate

A FedRAMP authorization that was issued by the Joint Authorization Board (the CIOs of DoD, DHS, and GSA) rather than by an individual agency; an agency could adopt a CSP's P-ATO without conducting its own full authorization. The JAB was dissolved in 2024 and replaced by the FedRAMP Board, which sets policy rather than issuing authorizations; existing P-ATOs remain valid, and new CSPs obtain an agency authorization that other agencies then reuse. Distinct from an agency ATO, which is agency-specific.

AO
Authorizing Official

The senior federal official (or designee) responsible for issuing an Authority to Operate. The AO accepts residual risk on behalf of the agency or program. AO accountability is what makes ATOs binding — the AO's name is on the authorization, and continuous monitoring keeps that decision current.

eMASS
Enterprise Mission Assurance Support Service

The DoD's system of record for RMF/ATO documentation. SSPs, SARs, POA&Ms, and authorization decisions for DoD systems are tracked in eMASS. CSPs operating under DoD CC SRG IL4-6 authorizations submit and maintain their authorization packages in eMASS.

OSCAL
Open Security Controls Assessment Language

NIST's machine-readable format for representing security control catalogs, profiles, system security plans, and assessment results. FedRAMP is progressively requiring OSCAL-formatted submissions to enable automation. OSCAL is the data layer behind FedRAMP 20x's automation capability.
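To make that automation concrete, here is an added example (not NIST or FedRAMP tooling, and not code from this page) that walks the core OSCAL SSP JSON model and checks it against a required-control list, reporting controls that are missing, listed but claimed by no component, or claimed in a state other than implemented and so belong on the POA&M. The SSP document and the required set are constructed stand-ins; in practice the required set is the resolved catalog of the profile named in `import-profile`, and the `implementation-status` states (implemented, partial, planned, alternative, not-applicable) come from the OSCAL schema. Function names are this example's own.

```python
"""Check an OSCAL system security plan for baseline coverage.

Added example, not from the glossary or from NIST/FedRAMP tooling. Walks the core
OSCAL SSP JSON path system-security-plan -> control-implementation ->
implemented-requirements -> by-components -> implementation-status. The SSP
below is a constructed minimal document with placeholder UUIDs.
"""
import json
from typing import Dict, List, Set

SAMPLE_SSP = json.dumps({
    "system-security-plan": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "metadata": {"title": "Example CUI enclave SSP", "oscal-version": "1.1.2"},
        "import-profile": {"href": "#fedramp-moderate-baseline"},  # placeholder reference
        "control-implementation": {
            "description": "Controls for the example enclave.",
            "implemented-requirements": [
                {"uuid": "00000000-0000-4000-8000-000000000011", "control-id": "ac-2",
                 "by-components": [{"component-uuid": "00000000-0000-4000-8000-000000000101",
                                    "uuid": "00000000-0000-4000-8000-000000000111",
                                    "description": "Accounts provisioned through the IdP; quarterly review.",
                                    "implementation-status": {"state": "implemented"}}]},
                {"uuid": "00000000-0000-4000-8000-000000000012", "control-id": "ia-2",
                 "by-components": [{"component-uuid": "00000000-0000-4000-8000-000000000101",
                                    "uuid": "00000000-0000-4000-8000-000000000112",
                                    "description": "Phishing-resistant MFA on privileged roles; general users pending.",
                                    "implementation-status": {"state": "partial"}}]},
                {"uuid": "00000000-0000-4000-8000-000000000013", "control-id": "au-2",
                 "by-components": [{"component-uuid": "00000000-0000-4000-8000-000000000102",
                                    "uuid": "00000000-0000-4000-8000-000000000113",
                                    "description": "Audit events forwarded to the SIEM.",
                                    "implementation-status": {"state": "implemented"}}]},
                # Control listed in the SSP but no component actually claims it.
                {"uuid": "00000000-0000-4000-8000-000000000014", "control-id": "sc-8",
                 "by-components": []},
            ],
        },
    }
})

# Constructed stand-in for the resolved baseline's control ids.
REQUIRED_CONTROLS = {"ac-2", "ac-17", "au-2", "ia-2", "sc-8", "sc-13"}


def implementation_states(ssp_json: str) -> Dict[str, List[str]]:
    """Map each control-id in the SSP to the implementation-status states claimed for it."""
    plan = json.loads(ssp_json)["system-security-plan"]
    reqs = plan.get("control-implementation", {}).get("implemented-requirements", [])
    states: Dict[str, List[str]] = {}
    for req in reqs:
        cid = req["control-id"]
        states.setdefault(cid, [])
        for bc in req.get("by-components", []):
            state = bc.get("implementation-status", {}).get("state")
            if state:
                states[cid].append(state)
    return states


def coverage_report(ssp_json: str, required: Set[str]) -> Dict[str, object]:
    """Classify every required control: implemented, needs_review, unclaimed or missing."""
    states = implementation_states(ssp_json)
    missing = sorted(c for c in required if c not in states)
    unclaimed = sorted(c for c in required if c in states and not states[c])
    # A control is implemented only if every component claiming it says so;
    # partial/planned/alternative/not-applicable are surfaced for POA&M review.
    needs_review = {c: states[c] for c in sorted(required)
                    if states.get(c) and any(s != "implemented" for s in states[c])}
    implemented = sorted(c for c in required
                         if states.get(c) and all(s == "implemented" for s in states[c]))
    return {"implemented": implemented, "needs_review": needs_review,
            "unclaimed": unclaimed, "missing": missing}


if __name__ == "__main__":
    print(json.dumps(coverage_report(SAMPLE_SSP, REQUIRED_CONTROLS), indent=2))
```

The four buckets are the ones an SSP reviewer actually argues about: a control absent from the SSP is a scoping error, a control with no claiming component is an SSP that describes policy rather than implementation, and a partial state without a matching POA&M line is the classic finding.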

STIG
Security Technical Implementation Guide

DISA-published configuration baselines for operating systems, databases, network devices, and applications. STIGs prescribe specific hardening settings (registry keys, configuration parameters, audit policies), grade each check as CAT I, II or III, and are referenced by DoD authorization packages. SCAP-formatted STIGs enable automated compliance scanning via DISA's SCAP Compliance Checker, OpenSCAP, Tenable and similar tools; manual checks are recorded in STIG Viewer checklist (.ckl) files.

Commercial

SOC 2 and ISO 27001

SOC 2
System and Organization Controls 2

An AICPA attestation framework for service organizations. SOC 2 examines controls against the Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy). It's the de facto commercial B2B SaaS security signal. Type I attests that controls are designed appropriately; Type II attests that they operated effectively over a defined period, typically six to twelve months.

SOC 2 Type II
Type II audit

The more rigorous of the two SOC 2 attestation types. Auditors sample control operations across the audit period (usually twelve months) rather than attesting to design at a point in time. Enterprise buyers generally require Type II; Type I is acceptable as an interim signal for newer companies still building their program.

Trust Services Criteria
TSC · SOC 2 criteria

The five categories defined by AICPA that SOC 2 audits against: Security (mandatory on every audit), Availability, Confidentiality, Processing Integrity, and Privacy. Most SaaS companies audit against Security + Availability + Confidentiality; additional criteria are added based on product context (Privacy for personal data, Processing Integrity for financial/transactional systems).

ISO 27001
ISO/IEC 27001:2022

The international standard for Information Security Management Systems. ISO 27001 is process-oriented — it certifies that an organization has an ISMS in place and is operating it — with control selection documented in the Statement of Applicability. ISO 27001:2022 (the current revision) contains 93 Annex A controls reorganized into four themes: organizational, people, physical, and technological.

ISMS
Information Security Management System

The core artifact of ISO 27001 — the documented management system that governs how an organization identifies, assesses, and treats information security risks. The ISMS is the thing that gets certified; the Annex A controls are selected within the ISMS. A poorly scoped ISMS is the most common cause of rework during first-time ISO 27001 engagements.

SoA
Statement of Applicability

The ISO 27001 document that lists each of the 93 Annex A controls and records whether it is applicable to the organization, implemented, and how. The SoA is the map between the standard's controls and the organization's actual implementation. Auditors read the SoA carefully; weak SoAs produce long audit findings.

Annex A
ISO 27001 Annex A

The control reference set in ISO 27001. In the 2022 revision, Annex A contains 93 controls organized into four themes. Selection is driven by the risk assessment and documented in the SoA — not every control is required for every organization, which is a key difference from more prescriptive standards like NIST 800-171.

Classified

SCIF, SAPF, and classified networks

SCIF
Sensitive Compartmented Information Facility

A U.S. government-accredited facility for processing, storing, discussing, or electronically handling Sensitive Compartmented Information. Construction and operational standards are specified in ICD 705 and the IC Tech Specs. A SCIF is accredited by a Cognizant Security Authority — typically ODNI for IC programs — and maintained per NISPOM requirements.

SAPF
Special Access Program Facility

A facility accredited for Special Access Program material: classified information with compartmented access controls governed by DoD Manual 5205.07. SAPFs typically share physical construction standards with SCIFs (the ICD 705 Tech Specs) but add SAP-specific access control, compartmentation, and program-security procedures, and are accredited by the program's SAP security authority rather than by an IC element. SCIF and SAPF accreditations are separate: one space can hold both, but neither accreditation implies the other.

ICD 705
Intelligence Community Directive 705

The Intelligence Community Directive and its accompanying Technical Specifications that govern SCIF construction, acoustic attenuation, access control, TEMPEST countermeasures, alarms, and documentation. ICD 705 is the foundational standard — nearly every SCIF and SAPF construction decision references a specific ICD 705 Tech Spec paragraph.

CNSSI 1253
Committee on National Security Systems Instruction 1253

The security categorization and control baseline for National Security Systems. Extends NIST SP 800-53 with NSS-specific overlays. A SCIF's information systems are categorized and controlled per CNSSI 1253.

NISPOM
National Industrial Security Program Operating Manual · 32 CFR 117

The regulation governing how cleared U.S. contractors handle classified information and operate classified facilities. Codified as 32 CFR Part 117. Covers personnel security, physical security, information systems security, visitor controls, reporting requirements, and the Facility Security Officer role.

RMF
Risk Management Framework · NIST 800-37

NIST's process for authorizing information systems to operate. Seven steps in SP 800-37 Rev 2 (which added Prepare): prepare, categorize, select controls, implement, assess, authorize, monitor. RMF is the authorization framework underpinning ATOs for federal and DoD systems, including classified systems operating within SCIFs and SAPFs.

JWICS
Joint Worldwide Intelligence Communications System

The Intelligence Community's Top Secret/SCI-level computer network. Accessing JWICS requires a facility accredited to the appropriate level (SCIF), cleared personnel, and dedicated endpoints. JWICS is one of the primary classified-network enclaves inside multi-enclave SAPFs.

SIPRNet
Secret Internet Protocol Router Network

The DoD's Secret-level classified network, reaching DoD facilities worldwide. Separate from JWICS (TS/SCI) and from the DoD unclassified network (NIPRNet). A Secret-cleared workstation in an accredited facility is the typical SIPRNet access point.

FSO
Facility Security Officer

The individual a cleared contractor designates to run its personnel security program, required reporting to DCSA, visitor controls, and overall facility-security compliance under NISPOM. Every facility with a Facility Clearance requires an FSO. Small contractors often designate a dual-hat FSO (founder, operations lead); this works but requires a real time commitment.

FCL
Facility Clearance

A determination by DCSA (Defense Counterintelligence and Security Agency) that a contractor facility is eligible to handle classified information. An FCL is a prerequisite for most classified work by U.S. contractors and takes 8-14 months to establish for a first-time sponsor. The FCL and the specific facility's accreditation (e.g., SCIF accreditation) are separate but related processes.

TEMPEST
TEMPEST countermeasures

The set of standards and techniques for preventing information leakage via unintended electromagnetic emanations from electronic equipment. TEMPEST countermeasures may be required inside SCIFs and SAPFs depending on the inspectable space available and the threat assessment. The program is managed by NSA.

JSIG
Joint SAP Implementation Guide

The implementation guide governing security controls and operational procedures for Special Access Program information systems. JSIG provides SAP-specific extensions on top of NIST 800-53 and CNSSI 1253. Most SAPF information-system accreditation packages are assessed against JSIG.

CDS
Cross-Domain Solution

A hardware and software system that enables controlled information transfer between security domains of different classification levels (e.g., Secret to TS/SCI, or unclassified to Secret). CDS implementations require NSA's Raise-the-Bar (RTB) compliance and accreditation by the relevant Cognizant Security Authority. CDS is the technical answer to the otherwise-prohibited need to move data across classification boundaries.

Cross-cutting

evidence, assessment, and compliance operations

CUI enclave

An isolated environment — network, identity, endpoints, storage — that processes Controlled Unclassified Information separately from the general corporate environment. A clean CUI enclave scopes a CMMC assessment tightly, reducing cost and complexity. Common architectural mistakes include shared identity providers with corporate tenants, unscoped logging, and loose boundary documentation.

Authorization boundary

The defined set of systems, components, and interconnections that constitute the system being authorized. The boundary is documented in the SSP and governs what the assessor examines. A well-defined boundary scopes work tightly; a poorly-defined boundary expands assessment scope unpredictably and is a common cause of finding inflation.

Evidence-as-byproduct

The design principle of structuring controls so that operating them produces audit-grade evidence automatically — access reviews exporting a CSV, ticket closures logging to a queryable system, configuration changes tracked in version control. The opposite is "evidence-on-demand" where evidence is reconstructed at assessment time, which is slower, error-prone, and a common cause of schedule slips.
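The STIG entry above and this one describe the same pipeline from opposite ends: scan, parse, emit evidence. As an added example (not DISA or OpenSCAP code, and not from this page), the block below parses the XCCDF 1.2 TestResult that `oscap xccdf eval --profile <profile> --results results.xml <datastream>` writes, maps XCCDF severities to STIG categories, and renders a CSV an assessor can take as the evidence artifact, so the scan itself produces the evidence. The XML is a constructed excerpt with placeholder rule ids and CCIs; real files carry DISA's identifiers. Function names are this example's own.

```python
"""Turn an XCCDF scan result into a STIG finding summary and CSV evidence.

Added example, not from the glossary, DISA or OpenSCAP. Parses the XCCDF 1.2
TestResult shape with the standard library; the sample XML is constructed and
its rule ids and CCI numbers are placeholders.
"""
import csv
import io
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
OPEN_RESULTS = {"fail", "error", "unknown"}   # anything here is an open finding

SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.open-scap_testresult_example" end-time="2026-03-10T14:03:12">
  <target>cui-app-01.example.internal</target>
  <rule-result idref="xccdf_example_rule_SV-EXAMPLE-1_rule" severity="high">
    <result>fail</result>
    <ident system="http://cyber.mil/cci">CCI-000366</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_SV-EXAMPLE-2_rule" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_SV-EXAMPLE-3_rule" severity="medium">
    <result>fail</result>
    <ident system="http://cyber.mil/cci">CCI-000018</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_SV-EXAMPLE-4_rule" severity="low">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_SV-EXAMPLE-5_rule" severity="high">
    <result>pass</result>
  </rule-result>
</TestResult>
"""


def parse_results(xml_text: str) -> Dict[str, object]:
    """Summarize every rule-result; works if the root is the TestResult or a wrapper."""
    root = ET.fromstring(xml_text)
    tr = root if root.tag == f"{XCCDF}TestResult" else root.find(f".//{XCCDF}TestResult")
    target = (tr.findtext(f"{XCCDF}target") if tr is not None else None) or ""
    end_time = tr.get("end-time", "") if tr is not None else ""
    rows: List[Dict[str, str]] = []
    for rr in root.iter(f"{XCCDF}rule-result"):
        ident = rr.find(f"{XCCDF}ident")
        rows.append({
            "target": target,
            "rule": rr.get("idref", ""),
            "category": SEVERITY_TO_CAT.get(rr.get("severity", ""), "unknown"),
            "result": (rr.findtext(f"{XCCDF}result") or "unknown").strip(),
            "cci": ident.text.strip() if ident is not None and ident.text else "",
            "scan_end": end_time,
        })
    counts = Counter(r["result"] for r in rows)
    open_findings = [r for r in rows if r["result"] in OPEN_RESULTS]
    return {"target": target, "counts": dict(counts), "open": open_findings, "rows": rows}


def cat1_open(parsed: Dict[str, object]) -> int:
    """Count open CAT I findings, the ones that block an authorization outright."""
    return sum(1 for r in parsed["open"] if r["category"] == "CAT I")


def evidence_csv(parsed: Dict[str, object]) -> str:
    """Render every rule result (passes included) as the CSV evidence artifact."""
    buf = io.StringIO()
    fields = ["target", "rule", "category", "result", "cci", "scan_end"]
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in parsed["rows"]:
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    summary = parse_results(SAMPLE_RESULTS)
    print(summary["counts"], "open CAT I:", cat1_open(summary))
    print(evidence_csv(summary))
```

Passing results go into the CSV deliberately: an assessor needs to see that the rule was checked and passed on a dated scan of a named host, not just a list of failures, and the CCI column is what ties each line back to the 800-53 control in the SSP.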

Dry-run assessment

A pre-assessment rehearsal against the actual checklist the real assessor will use — C3PAO for CMMC, 3PAO for FedRAMP, auditor for SOC 2 / ISO 27001. Dry runs surface process gaps, evidence gaps, and interview-readiness gaps before the formal assessment window. Most high-scoring engagements include a dry run four to six weeks before the real assessment.

DCSA
Defense Counterintelligence and Security Agency

The DoD agency responsible for industrial security oversight, Facility Clearance processing, personnel security investigations, and counterintelligence for U.S. cleared contractors. DCSA inspects contractor facilities periodically. Interacting with DCSA well is a function of having a prepared FSO and good facility-security discipline.

PII
Personally Identifiable Information

Any data that can be used to identify a specific individual — name, social security number, biometrics, address, and similar. PII triggers a range of federal protections (Privacy Act, NIST 800-122, OMB Circular A-130) and ISO 27018 in cloud contexts. Many CMMC and FedRAMP boundaries handle PII alongside CUI; the protections are layered but not identical.

SIEM
Security Information and Event Management

The class of tool that aggregates log data from across an environment (endpoints, servers, network devices, cloud services, applications), normalizes it, correlates events, and generates security alerts. SIEM is the evidence backbone for nearly every compliance framework — NIST 800-171 3.3 (Audit and Accountability), SOC 2 CC7 (Monitoring), and FedRAMP/DoD ConMon all assume SIEM exists. Common platforms: Splunk, Microsoft Sentinel, Elastic, Sumo Logic, Devo, Chronicle.
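What "correlates events" means in practice, as an added example (not from this page and not any SIEM vendor's rule language): a threshold-and-sequence detection over sshd log lines that fires when one source piles up failed logons inside a sliding window, and fires again if a successful logon from that source follows while the count is still high. This is the pattern the 800-171 3.1.8 lockout limit and 3.3 audit review are meant to catch. Log lines, host names and TEST-NET addresses are constructed; the year is assumed because syslog timestamps omit it. Function names are this example's own.

```python
"""Correlate sshd authentication events into brute-force alerts.

Added example, not from the glossary or any SIEM product. Two related detections:
(1) `threshold` failures from one source inside a sliding `window`, and (2) a
successful logon from that source while its failure count is still at or above
the threshold. Sample lines are constructed; syslog carries no year, so one is assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Any, Deque, Dict, Iterable, List, Optional

# Constructed sshd lines (TEST-NET addresses), not real log data.
SAMPLE_LOG = """\
Mar 10 14:02:11 cui-bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51822 ssh2
Mar 10 14:02:13 cui-bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51823 ssh2
Mar 10 14:02:15 cui-bastion sshd[4125]: Failed password for alice from 203.0.113.5 port 51824 ssh2
Mar 10 14:02:17 cui-bastion sshd[4125]: Failed password for alice from 203.0.113.5 port 51825 ssh2
Mar 10 14:02:19 cui-bastion sshd[4125]: Failed password for alice from 203.0.113.5 port 51826 ssh2
Mar 10 14:02:40 cui-bastion sshd[4130]: Accepted password for alice from 203.0.113.5 port 51830 ssh2
Mar 10 14:05:00 cui-bastion sshd[4140]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar 10 14:30:00 cui-bastion sshd[4150]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar 10 14:31:00 cui-bastion sshd[4151]: Accepted publickey for bob from 198.51.100.7 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(line: str, year: int = 2026) -> Optional[Dict[str, Any]]:
    """Return the fields of one sshd auth-outcome line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "outcome": m["outcome"],
        "method": m["method"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(lines: Iterable[str], threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[Dict[str, Any]]:
    """Sliding-window correlation keyed on source address."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_fired = set()          # one brute_force alert per source per burst
    alerts: List[Dict[str, Any]] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # age out failures outside the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in already_fired:
                already_fired.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"],
                               "failures": len(q), "at": ev["ts"].isoformat()})
        else:
            # A success right after a burst is the higher-priority signal.
            if len(q) >= threshold:
                alerts.append({"type": "success_after_brute_force", "src": ev["src"],
                               "user": ev["user"], "method": ev["method"],
                               "failures": len(q), "at": ev["ts"].isoformat()})
            q.clear()
            already_fired.discard(ev["src"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second source in the sample never alerts because its two failures are 25 minutes apart; tuning `window` and `threshold` to match the lockout values in your 3.1.8 configuration is what makes the alert and the control agree when an assessor asks how you would know a lockout was bypassed.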

MFA
Multi-Factor Authentication

Authentication that requires two or more verification factors from different categories — something you know, have, or are. Required by NIST 800-171 (3.5.3), CMMC, FedRAMP, SOC 2, ISO 27001, and effectively every modern compliance framework. Phishing-resistant MFA (FIDO2 hardware keys, platform authenticators) is increasingly mandated for privileged access; SMS-based MFA is being deprecated for sensitive use cases.

SCRM
Supply Chain Risk Management · C-SCRM

The discipline of identifying, assessing, and mitigating cybersecurity risks introduced by third-party suppliers: software vendors, hardware OEMs, managed service providers, contractors. NIST SP 800-161 is the primary federal reference. NIST SP 800-171 Rev 3 adds a dedicated Supply Chain Risk Management family (3.17); CMMC Level 2 still assesses against Rev 2, which has no such family. SBOMs (Software Bills of Materials) are an emerging technical artifact of SCRM programs.

Not seeing what you need?

Start a scoping conversation.

If there's a term, framework, or control set we haven't covered here and you need a practitioner's read — that's what a scoping call is for.

Book a scoping call →