C
C3PAO
CMMC Third Party Assessment Organization
The independent auditor that certifies you meet CMMC Level 2 or 3. As of 2025, only ~52 exist for ~80,000 companies that need assessment.
CAS
Cost Accounting Standards
Rules for consistent pricing and cost allocation on government contracts. If your contract is $7.5M+, CAS applies.
CDI
Covered Defense Information
Same as CUI in defense context. Includes technical data, export-controlled info, and other sensitive defense data.
CFR
Code of Federal Regulations
The full collection of federal regulations. Government procurement lives in Title 48.
CMMC
Cybersecurity Maturity Model Certification
DoD's framework requiring defense contractors to meet specific cybersecurity standards. Three levels. Level 2 (110 controls from NIST 800-171) is what most contractors need.
COTS
Commercial Off-the-Shelf
Standard commercial products not modified for government use. COTS-only contractors may only need Level 1.
CUI
Controlled Unclassified Information
Not classified, but sensitive. Contract details, engineering specs, personnel data. NIST 800-171 exists to protect this. If your contract involves CUI, you need CMMC Level 2.
Cyber AB
CMMC Accreditation Body (formerly CMMC-AB)
Independent nonprofit that accredits C3PAOs and manages the CMMC ecosystem.
D
DCAA
Defense Contract Audit Agency
Audits government contractors to verify costs and compliance. Founded 1965. They audit your accounting, timekeeping, cost proposals, and business systems.
DCMA
Defense Contract Management Agency
Manages contract administration. Audits purchasing, property management, and earned value management systems.
DFARS
Defense Federal Acquisition Regulation Supplement
The defense-specific addition to FAR. Key clause: DFARS 252.204-7012 (cybersecurity requirements for CUI).
DFARS 252.204-7012
Safeguarding Covered Defense Information Clause
The specific DFARS clause requiring contractors to implement NIST 800-171 controls, use FedRAMP Moderate+ cloud services for CUI, and report cyber incidents within 72 hours.
F
FAR
Federal Acquisition Regulation
The primary rulebook for government procurement. 2,300+ pages. Covers cost allocation, timekeeping, documentation, and more.
FCI
Federal Contract Information
Information provided by or generated for the government under contract. Less sensitive than CUI. Protected under CMMC Level 1.
FedRAMP
Federal Risk and Authorization Management Program
Security standard for cloud services used by the government. Cloud providers handling CUI must have FedRAMP Moderate authorization (or equivalency).
G
G&A
General & Administrative
An indirect cost category. CMMC compliance costs are likely classified as G&A expenses (allowable on contracts).
GAGAS
Generally Accepted Government Auditing Standards (Yellow Book)
The standards DCAA follows when auditing you.
GCC High
Microsoft 365 Government Community Cloud High
The version of M365 that meets DoD security requirements for handling CUI. If you handle CUI, you should be on GCC High.
GovCon
Government Contractor
Any company doing business with the federal government.
I
ICE
Incurred Cost Electronically
DCAA's electronic system for submitting incurred cost proposals.
ICS
Incurred Cost Submission
Your annual filing of indirect cost rates for DCAA review.
ITAR
International Traffic in Arms Regulations
Controls export of defense articles and technical data. US-only data storage required. No foreign person access. State Department administered. Separate from CMMC.
N
NIST 800-171
National Institute of Standards and Technology Special Publication 800-171
The 110 security controls that form the basis of CMMC Level 2. Organized into 14 control families.
NIST 800-172
NIST SP 800-172 Enhanced Security Requirements
Advanced security controls beyond 800-171. Required for CMMC Level 3 (expert level).