The CMMC Glossary

Plain-English definitions for every acronym, regulation, and concept in the CMMC ecosystem — written for defense contractors, not lawyers. Bookmark this page; we update it as the rules change.

Frameworks & Rules

CMMC
CMMC 2.0
CMMC Level 1
CMMC Level 2
CMMC Level 3
NIST SP 800-171
NIST SP 800-171A
NIST SP 800-172
FIPS 199
NIST SP 800-53
SOC 2
ISO 27001
NIST RMF
NIST CSF

Documents & Artifacts

SSP
POA&M
Shared Responsibility Matrix
Incident Response Plan
Assessment Package
Data Flow Diagram
Network Diagram
Asset Inventory

Control Families

Control Families
Access Control (AC) Family
Awareness and Training (AT) Family
Audit and Accountability (AU) Family
Configuration Management (CM) Family
Identification and Authentication (IA) Family
Incident Response (IR) Family
Maintenance (MA) Family
Media Protection (MP) Family
Physical Protection (PE) Family
Personnel Security (PS) Family
Risk Assessment (RA) Family
Security Assessment (CA) Family
System and Communications Protection (SC) Family
System and Information Integrity (SI) Family
Supply Chain Risk Management (SR) Family

Specific Requirements

AC.L2-3.1.13
IA.L2-3.5.3
AU.L2-3.3.1
MP.L2-3.8.3
SC.L2-3.13.11
AC.L2-3.1.1
AC.L2-3.1.5
AC.L2-3.1.12
AC.L2-3.1.20
AT.L2-3.2.1
CM.L2-3.4.1
CM.L2-3.4.8
IA.L2-3.5.7
IR.L2-3.6.1
SC.L2-3.13.8
SC.L2-3.13.16
SI.L2-3.14.2
RA.L2-3.11.2
CA.L2-3.12.3

Regulations & Clauses

32 CFR Part 170
DFARS 252.204-7012
DFARS 252.204-7019
DFARS 252.204-7020
DFARS 252.204-7021
ITAR
EAR
FAR 52.204-21

Data Categories

CUI
FCI
CTI
CUI Registry
CUI Basic vs CUI Specified
CUI Marking
Controlled Technical Information

Scoping & Boundary

Scoping & Boundary
SPA
CRMA
Out of Scope
Specialized Asset
CUI Enclave

Tired of looking things up?

CMMCDocs is a working platform that gets you assessment-ready in 60 days. Spin up a free demo workspace pre-loaded with sample data — no signup, no sales call.

Get my demo account