
CMMC and CUI Compliance Glossary: Key Terms and Phrases

Nov 21, 2025

On November 10, Phase 1 of the U.S. Department of Defense's CMMC 2.0 program went into effect, marking the start of a phased three-year rollout. The rollout begins with Level 1 and Level 2 self-assessments in Phase 1 and culminates with full implementation of the program requirements in Phase 4. Organizations that fail to demonstrate compliance will not be eligible to bid on U.S. Defense contracts.

This glossary defines the key terminology you'll encounter around CMMC and is referenced in our whitepaper "CUI Compliance Checklist: Your Guide to CMMC 2.0 Compliance" (archTIS, October 2025). Both resources are intended to support organizations navigating CMMC 2.0 requirements and implementing the mandatory safeguards for Controlled Unclassified Information (CUI).

| Term | Definition |
|---|---|
| CMMC | Cybersecurity Maturity Model Certification. Created by the U.S. Department of Defense (DoD) to establish a standard set of cybersecurity controls for contractors to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). |
| CUI | Controlled Unclassified Information. Information that is created or owned by the U.S. government, or that a non-federal entity receives, possesses, or generates on behalf of the U.S. government, and that requires safeguarding and dissemination controls according to laws, regulations, and government-wide policies. |
| FAR | Federal Acquisition Regulation. The primary regulation used by all executive agencies in their acquisition of supplies and services with appropriated funds. |
| DFARS | Defense Federal Acquisition Regulation Supplement. Implements and supplements the FAR. Contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies and procedures that have a significant effect on the public. Should be read in conjunction with the primary set of rules in the FAR. |
| CFR | Code of Federal Regulations. Establishes policies for designating, handling, and safeguarding CUI. |
| NIST | The National Institute of Standards and Technology, part of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life. |
| NIST SP 800-171 | NIST Special Publication (SP) 800-171. Serves as the foundation of CMMC 2.0 compliance along with the Cybersecurity Framework (CSF). Establishes rigorous data protection and security controls for organizations handling sensitive federal and defense-related information, and outlines the 110 security controls that Defense contractors must implement to protect CUI. |
| FCI | Federal Contract Information. Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as that necessary to process payments. |
| CMMC Level 1 | Encompasses the basic safeguarding requirements for FCI specified in FAR Clause 52.204-21 (48 CFR 52.204-21), commonly referred to as the FAR Clause. Focuses on the protection of FCI and consists only of practices that correspond to those basic safeguarding requirements. Applies to all U.S. Department of Defense (DoD) contractors and subcontractors who handle FCI, which is non-public information provided by or generated for the government under a contract. |
| CMMC Level 2 | Requires compliance with the full set of 110 NIST SP 800-171 controls for handling CUI. Applies to DoD contractors and subcontractors who process, store, or transmit CUI, and requires them to implement all 110 security controls from NIST SP 800-171 to safeguard this sensitive, non-public data. This level is the minimum standard for handling CUI and mandates either a self-assessment or a third-party assessment, depending on the contract's specific needs. |
| CMMC Level 3 | Provides additional protection against advanced persistent threats (APTs), and increased assurance to the DoD that an Organization Seeking Certification (OSC) can adequately protect CUI at a level commensurate with the adversarial risk, including protecting information flow with the government and with subcontractors in a multi-tier supply chain. Details of Level 3 will be released at a later date; it will be based on a subset of the security requirements specified in NIST SP 800-172. |
| OMB | Office of Management and Budget. Oversees the performance of U.S. federal agencies and administers the federal budget. Plays a crucial role in the implementation of the CMMC program, primarily through its final regulatory review and clearance of the CMMC rules before they are published and become enforceable. |
| FedRAMP | Federal Risk and Authorization Management Program. A U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. |
| Policy Enforcement | Mechanisms that enforce the rules and controls, known as policies, that govern data access, use, and sharing across platforms and users. |
| Granular Access Restrictions | Precise controls that limit user access to only the specific data and system functions required for their job. Important for CMMC to reduce risk, enhance compliance, improve accountability, and protect CUI. |
| Classification | The categorization of information, particularly distinguishing between FCI and CUI. A fundamental step in determining the CMMC level, assessment type, and required security controls for a given DoD contract. |
| Attribute-Based Access Control (ABAC) | Access is determined by evaluating attributes of the user, the data, and the environment, rather than static role-based permissions. Supports CMMC compliance by providing dynamic, granular, and context-aware access controls, enforcing the principle of least privilege, and enabling comprehensive auditing that aligns with CMMC's strict data protection and accountability requirements. |
| Labeling | Applying metadata to files that defines the data's sensitivity level. Organizations must identify, mark, and protect CUI through consistent, clear labels, adhering to guidelines from the DoD CUI Registry and ISOO, and train employees on proper handling to meet CMMC standards and avoid unauthorized disclosure. |
| Visual Markings | CUI must be visually marked to inform or alert recipients and/or users that CUI is present and of any limited dissemination controls. |
| Classification Categories | CUI falls within one of 125 categories under 20 groups. Data classification enables organizations to identify, track, and protect CUI by categorizing data based on sensitivity and regulatory requirements, ensuring appropriate security controls are applied throughout the data lifecycle to prevent mishandling and maintain certification. |
| Encryption | Converting readable data (plaintext) into an unreadable format (ciphertext) using an algorithm and a cryptographic key. A foundational requirement across all CMMC levels. |
| Continuous Monitoring | Ongoing observation and review of system security controls and data handling activities. Essential for CMMC compliance to provide real-time awareness of threats and vulnerabilities after initial certification. |
| Audit-Ready Compliance Reporting | CMMC compliance requires detailed user activity and policy logs to meet regulatory and audit requirements. |
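The ABAC, Policy Enforcement and Audit-Ready Compliance Reporting entries above describe the same mechanism from three angles: a decision is computed from attributes of the user, the data label and the environment, with deny as the default, and every decision is recorded with its reasons. The following is an added example that shows one such evaluator end to end; it is not archTIS code and not part of the CMMC program, and all attribute names, labels (PUBLIC, FCI, CUI), the "allowed organisations" dissemination limit, and the sample users, files and devices are constructed for illustration.

```python
"""Minimal attribute-based access control (ABAC) evaluator with an audit trail.

Added example for this glossary; it is not archTIS code and not part of the
CMMC program. Every attribute name, label and sample user/file below is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Subject:
    user: str
    org: str                  # employer (prime contractor, subcontractor, ...)
    cui_trained: bool         # completed CUI handling training
    projects: FrozenSet[str]  # contracts the user is assigned to


@dataclass(frozen=True)
class Resource:
    name: str
    label: str                # metadata label applied at classification: PUBLIC, FCI or CUI
    project: str
    allowed_orgs: FrozenSet[str] = frozenset()  # constructed dissemination limit; empty = no limit


@dataclass(frozen=True)
class Environment:
    managed_device: bool      # endpoint is enrolled in the organisation's device management
    network: str              # "corp" or "external"; recorded for the audit trail


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]


# Audit-ready log: one record per decision, including the reasons it was made.
AUDIT_LOG: List[Dict] = []


def evaluate(subject: Subject, resource: Resource, env: Environment, action: str) -> Decision:
    """Decide an access request from attributes alone; deny by default."""
    allowed = False
    reasons: List[str] = []

    if resource.label == "PUBLIC":
        allowed = action == "read"
        reasons.append("public data: read permitted" if allowed
                       else f"public data: action {action!r} not in policy")
    elif resource.label in ("FCI", "CUI"):
        # Each check is (condition, reason recorded when the condition fails).
        checks = [
            (env.managed_device, "device is not managed"),
            (resource.project in subject.projects, "user not assigned to project"),
            (action != "share_external", "external sharing of non-public data is not permitted"),
        ]
        if resource.label == "CUI":
            checks += [
                (subject.cui_trained, "user lacks CUI handling training"),
                (not resource.allowed_orgs or subject.org in resource.allowed_orgs,
                 "dissemination restricted to other organisations"),
            ]
        failures = [reason for ok, reason in checks if not ok]
        if failures:
            reasons.extend(failures)
        else:
            allowed = True
            reasons.append(f"all {resource.label} attribute checks passed")
    else:
        reasons.append(f"unknown label {resource.label!r}: default deny")

    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": subject.user, "org": subject.org,
        "resource": resource.name, "label": resource.label,
        "action": action, "device_managed": env.managed_device,
        "network": env.network, "allowed": allowed, "reasons": list(reasons),
    })
    return Decision(allowed, reasons)


# Constructed sample subjects, resources and environments.
ALICE = Subject("alice", "prime-co", cui_trained=True, projects=frozenset({"contract-A"}))
BOB = Subject("bob", "sub-co", cui_trained=False, projects=frozenset({"contract-A"}))
CUI_DOC = Resource("design.pdf", "CUI", "contract-A", allowed_orgs=frozenset({"prime-co"}))
FCI_DOC = Resource("sow.docx", "FCI", "contract-A")
PUBLIC_DOC = Resource("brochure.pdf", "PUBLIC", "marketing")
MANAGED = Environment(managed_device=True, network="corp")
UNMANAGED = Environment(managed_device=False, network="external")


if __name__ == "__main__":
    for subj, res, env, act in [
        (ALICE, CUI_DOC, MANAGED, "read"),
        (ALICE, CUI_DOC, UNMANAGED, "read"),
        (BOB, CUI_DOC, MANAGED, "read"),
        (BOB, FCI_DOC, MANAGED, "read"),
    ]:
        d = evaluate(subj, res, env, act)
        print(f"{subj.user} {act} {res.name}: {'ALLOW' if d.allowed else 'DENY'} ({'; '.join(d.reasons)})")
```

Two design choices matter for assessment. First, the label on the resource, not the user's role, drives which checks apply, so the same user is denied the same file the moment it is opened from an unmanaged device or shared outside the organisation. Second, a deny never leaves an empty reason list: every failed attribute check is written to the audit record, which is what turns a policy engine's output into evidence an assessor can read.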
