menu
close_24px

CMMC Index

Have questions about CMMC? Confused by the number of acronyms and terms?  

This index will provide guidance and resources to dive further into CMMC.

A Plan Of Action & Milestone (POAM)

 

A Plan of Action & Milestone (POAM) is a document outlining what CMMC controls haven't been implemented, and how the organization will go about remediating that. 

 

Read More

C3PAO

 

A C3PAO is a "Certified 3rd Party Assessment Organization" and is authorized to audit DoD contractors for CMMC compliance. For many contracts, a C3PAO audit will be required.

 

Read More

CMMC Level 2 Certified (C3PAO)

 

A level 2 certified (C3PAO) organization has undergone a third-party audit to achieve CMMC certification. This audit must be conducted by a C3PAO. 

 

Read more

Controlled Unclassified Information (CUI)

 

Controlled Unclassified Information (CUI) is data that is entrusted to contractors in order to carry out DIB contracts. This data is created, transmitted, or stored by contractors and must be secured. This data's security contributed to the overall security posture of the nation.

 

Read More

CyberAB

 

The CyberAB is the organization that certifies C3PAO's, RPO's and provides resources for organizations seeking CMMC compliance.

 

Read More

Cybersecurity Maturity Model Certification (CMMC)
 
The Cybersecurity Maturity Model Certification (CMMC) is a model created by the Department of Defense (DoD) to ensure contractors are protecting confidential data from the federal government. Any organization that partners with the DoD or works within the DIB has to comply with CMMC to maintain their current contracts or bid on new ones. 
 
Defense Federal Acquisition Regulation (DFARS)

 

DFARS stands for "Defense Federal Acquisition Regulation Supplement" and refers to cybersecurity standards that are applicable to defense contractors and suppliers to the federal government.

 

Read More

Defense Industrial Base (DIB)

 

The Defense Industrial Base (DIB) is a network of organization that provides products or services to the federal government.  These services contribute to the nation's defense and require a certain level of security.

 

Read More

External Service Provider (ESP)

 

Managed Service Providers (MSPs) and External Service Providers (ESPs) are organization that provide IT or cybersecurity solutions to businesses. CMMC refers to MSPs as "ESPs" in their documentation. 

 

Read More

Federal Contract Information (FCI)

 

Federal Contract Information (FCI) is information that is not intended for public release and contains details on contracts.

 

Read More

Governance, Risk and Compliance (GRC)

 

GRC stands for Governance, Risk, and Compliance. Every contractor should have a GRC that documents the actions being taken to reduce risk, remain compliance, and govern who is responsible and how controls are implemented. 

International Traffic in Arms Regulations (ITAR)

 

ITAR stands for International Traffic in Arms Regulations and is a set of regulations regarding the export and import of defense-related articles, services, and technical data.

 

Read More 

MSP Collective

 

The MSP Collective is an organization that provides resources for contractors seeking help with CMMC compliance. Their ESP database provides a list of CMMC certified MSPs.

 

Read more

NIST 800-171

 

NIST 800-171 is the framework that CMMC is founded on. It consists of 110 controls with 320 assessment objectives that contractors must adhere to in order to be considered compliant. These requirements have been in place since 2017, but CMMC required third-party audits to ensure compliance.

 

Read More

Organization Seeking Certification (OSC)

 

An OSC is an "Organization Seeking Certification". This is any organization that must comply with CMMC requirements and is pursuing a third-party audit via a C3PAO.

 

Read More

Registered Practitioner Organization (RPO)

 

RPO stands for Registered Practitioner Organization and is a company that is certified by the Cyber AB to offer their security and compliance services to DoD contractors.

 

Read More

Risk Management Program (RMP)

 

RMP or Risk Management Program is how you organization deals with risk that is present within your IT systems. What controls do you have in place to mitigate them? Who is in charge of doing so, etc.?

Shared Responsibility Matrix (SRM)

 

A Customer Responsibility Matrix (CRM), formally known as Shared Responsibility Matrix (SRM) is a document that outlines the compliance relationship between a contractor and their service provider. It details whose responsibility each control belongs to, and which ones are shared.

 

Read More

SPRS Score

 

An organizations SPRS score is a score that represents how accurately they've implemented the controls within NIST 800-171. In order to pass, a contractor must score a perfect 110.

 

Read More

TAS for CMMC Compliance

 

Technology Assurance Services (TAS) for CMMC Compliance is CorpInfoTech's managed CMMC compliance product that helps contractors achieve and maintain regulatory requirements.

 

Read More

CMMC Related Blogs

How to Become CMMC Certified - The RPO Route
By Waits Sharpe 19 March 2025

Within the CMMC ecosystem, there are numerous certifications, acronyms, and designations that...

Read More
What I Thought I Knew About CMMC:  From Theory to Audit Table
By Lawrence Cruciana 14 April 2025

And what I learned while sitting across from an assessment team.

There’s a difference between...

Read More
How Does CMMC Impact Remote Work?
By Waits Sharpe 14 April 2025

Can your employees work remote and still achieve CMMC compliance? Five years after the COVID-19...

Read More