CMMC Acronyms, Decoded
The acronyms that carry DoD compliance conversations, decoded in one place. Grouped by theme; use search (Ctrl/Cmd-F) for fast lookup. Definitions verified against 32 CFR Part 170, NIST publications, and the NARA CUI program, July 2026.
The program and its ecosystem
CMMC - Cybersecurity Maturity Model Certification - the DoD program (32 CFR Part 170) that verifies contractors protect FCI and CUI, at three levels with self-assessment or third-party certification.
C3PAO - CMMC Third-Party Assessment Organization - the accredited firms that conduct Level 2 certification assessments.
Cyber AB - The CMMC Accreditation Body - authorizes C3PAOs and runs the ecosystem marketplace.
CAICO - CMMC Assessors and Instructors Certification Organization - certifies the individuals (CCPs, CCAs) who staff assessments.
CCP - Certified CMMC Professional - the entry assessor-track credential.
CCA - Certified CMMC Assessor - qualified to assess at Level 2.
OSC - Organization Seeking Certification - the company being assessed for certification. You, if you are reading this before an assessment.
OSA - Organization Seeking Assessment - the broader term covering self-assessing organizations as well.
RP / RPO - Registered Practitioner / Registered Practitioner Organization - consulting-side registrations with the Cyber AB; advisors, not assessors.
DIB - Defense Industrial Base - the contractors, subcontractors, and suppliers serving DoD.
DIBCAC - Defense Industrial Base Cybersecurity Assessment Center - DCMA’s assessment arm; conducts government-led assessments, including joint surveillance with C3PAOs.
SPRS - Supplier Performance Risk System - where self-assessment scores and annual affirmations are posted; primes check it.
POA&M - Plan of Action and Milestones - the documented plan for NOT MET requirements; under CMMC, only limited requirements are POA&M-eligible and closeout is time-boxed at 180 days. See the SSP guide.
CAP - CMMC Assessment Process - the Cyber AB document that governs how certification assessments run.
Regulations and clauses
CFR - Code of Federal Regulations. 32 CFR Part 170 is the CMMC program rule; Title 48 is federal acquisition regulation.
DFARS - Defense Federal Acquisition Regulation Supplement - where the DoD-specific contract clauses live.
DFARS 252.204-7012 - The safeguarding and cyber-incident-reporting clause: NIST SP 800-171 protection for covered defense information, 72-hour incident reporting, and FedRAMP Moderate-or-equivalent for clouds that touch CUI. Paragraphs (c)–(g) are why cloud choice matters.
DFARS 252.204-7019 / -7020 - The clauses requiring a current NIST SP 800-171 self-assessment score in SPRS and government access to verify it.
DFARS 252.204-7021 - The CMMC clause - puts a required CMMC level into solicitations and contracts, phasing in from November 2025.
FAR 52.204-21 - The 15 basic safeguarding requirements for FCI - the substance of CMMC Level 1.
NIST - National Institute of Standards and Technology - publishes the SP 800 series that CMMC assesses against.
SP 800-171 Rev 2 - The 110-requirement standard for protecting CUI in nonfederal systems - the technical core of CMMC Level 2. See the full controls list.
SP 800-171A - The assessment procedures companion - 320 assessment objectives, and the examine/interview/test methods assessors use.
SP 800-172 - Enhanced requirements for critical programs - the basis of CMMC Level 3.
NARA - National Archives and Records Administration - runs the government-wide CUI program and the CUI Registry.
Data types and scoping
CUI - Controlled Unclassified Information - information requiring safeguarding under law, regulation, or government-wide policy. The 110 requirements exist to protect it. See CUI vs FCI.
FCI - Federal Contract Information - provided by or generated for the government under contract, not intended for public release. Triggers Level 1.
CDI - Covered Defense Information - the 7012 clause’s term for unclassified controlled technical information and other CUI on contractor systems.
CTI - Controlled Technical Information - technical data with military or space application; a major CUI category in the DIB.
SPA - Security Protection Asset - an asset that provides security functions to the assessment scope (an MDM, a SIEM, an EDR console). Assessed against relevant requirements; a non-FedRAMP cloud MDM claimed as an SPA over CUI assets is a contested scoping position.
SPD - Security Protection Data - data that protects the environment (logs, vulnerability data, configuration baselines, recovery keys) even when it is not itself CUI.
CRMA - Contractor Risk Managed Asset - an asset that can, but is not intended to, handle CUI, controlled by policy and practice. Not an escape hatch: observed use controls the categorization.
ESP - External Service Provider - an outside organization whose people, processes, or technology are used in the scope (MSPs, MSSPs, hosting). See the vetting guide.
CSP - Cloud Service Provider. When CUI touches one under a 7012 contract, FedRAMP Moderate-or-equivalent applies.
MSP / MSSP - Managed Service Provider / Managed Security Service Provider - common ESPs in small-shop scopes.
VDI - Virtual Desktop Infrastructure - the Scoping Guide’s example of keeping an endpoint out of CUI scope, if the local device truly cannot process, store, or transmit it.
AO - Assessment Objective - the 320 determination statements under the 110 requirements; every applicable one must be MET for the requirement to pass. (In RMF contexts, AO also means Authorizing Official.)
Government cloud
FedRAMP - Federal Risk and Authorization Management Program - the authorization regime for cloud services used by federal agencies; the Marketplace is the authoritative status source.
StateRAMP - The state/local government analog to FedRAMP - relevant status context, but not a substitute for FedRAMP under 7012.
IL2 / IL4 / IL5 / IL6 - DoD cloud impact levels from the DISA Cloud Computing SRG - increasing sensitivity tiers for DoD workloads.
GCC / GCC High - Microsoft 365 Government Community Cloud tiers. GCC High is the tier that supports DFARS 7012 (c)–(g) commitments and export-controlled CUI. See the comparison.
DISA - Defense Information Systems Agency - publishes the Cloud SRG and STIGs.
SRG - Security Requirements Guide - DISA’s requirement sets; the Cloud SRG defines the impact levels above.
STIG - Security Technical Implementation Guide - DISA’s hardening baselines; a macOS STIG exists and is one of three credible Mac baselines.
Security stack
MFA - Multifactor authentication - required for network and privileged access under IA.L2-3.5.3. How to satisfy it on macOS.
FIPS - Federal Information Processing Standards. For CMMC, the one that bites is FIPS 140 validation of cryptographic modules - “encryption enabled” is not “FIPS-validated.” The deep dive.
CMVP - Cryptographic Module Validation Program - the NIST/CCCS program that issues FIPS 140 certificates; certificate numbers are the evidence.
EDR - Endpoint Detection and Response - endpoint telemetry and response tooling; feeds SI and IR families.
SIEM - Security Information and Event Management - central log collection and correlation; the usual answer to AU-family retention.
SOC - Security Operations Center - the team (internal or ESP) watching the telemetry.
IdP - Identity Provider - the directory and authentication service (Entra ID, Okta, etc.) that anchors AC and IA on modern fleets.
SSO - Single Sign-On - one identity across services; on Macs, see PSSO below.
ITAR / EAR - International Traffic in Arms Regulations / Export Administration Regulations - export-control regimes; export-controlled CUI drives sovereignty requirements (and GCC High).
The 14 family codes - AC Access Control · AT Awareness & Training · AU Audit & Accountability · CM Configuration Management · IA Identification & Authentication · IR Incident Response · MA Maintenance · MP Media Protection · PE Physical Protection · PS Personnel Security · RA Risk Assessment · CA Security Assessment · SC System & Communications Protection · SI System & Information Integrity. All 110 requirements by family: the controls list.
The Mac stack
ABM - Apple Business Manager - Apple’s organizational portal for device ownership and automated enrollment; the root of supervised management. Why it matters for CMMC.
ADE - Automated Device Enrollment - ships a Mac straight into supervised MDM enrollment the user cannot remove; the tamper-resistance CMMC evidence leans on.
APNs - Apple Push Notification service - the channel MDM commands travel through; a network dependency worth documenting.
DDM - Declarative Device Management - Apple’s newer management model where devices enforce and report state themselves, including enforced software updates.
MDM - Mobile Device Management - the management plane for Apple fleets. Hosting model matters: the comparison.
mSCP - macOS Security Compliance Project - the NIST-hosted open-source project (SP 800-219) that generates macOS baselines, profiles, and compliance scripts. Versus CIS and STIG.
PSSO - Platform Single Sign-On - macOS-native IdP-backed login (GA with Entra ID in 2025), including phishing-resistant methods; retired the “Macs can’t do modern auth” objection. In the MFA guide.
SIP - System Integrity Protection - macOS’s built-in protection of system files and processes; supporting evidence for SI-family narratives.