Back to Posts

CMMC Terminology: Key Terms and Definitions

April 15, 2026

Defense contractor reviewing CMMC certification documentation

The CMMC ecosystem uses specific terminology defined by the Cyber AB. This reference covers the key roles, designations, and concepts you'll encounter during the certification process.

CMMC Terms and Definitions

Accreditation

The process of issuance of certificate(s) of accreditation.

Accreditation Body Board of Directors

The governing body of the Cyber AB. Individuals who sit on the board are responsible for overseeing the organization's activities. Directors meet periodically to discuss and vote on the affairs of the organization. The board, as a governing body, focuses on the organization's mission, strategy, and goals as defined in the bylaws.

Advisory Councils

Advisory Councils operate at the discretion of, but independently from the board, to inform and advise the board from the perspective of the Advisory Council's membership. The advisory council's leaders participate in the board as non-voting members.

Affiliates

Business concerns, organizations, or individuals that control each other or that are controlled by a common third party. Control may consist of shared management or ownership; common use of facilities, equipment, and employees; or family interest.

Assessment

Formal process of assessing the implementation and reliable use of issuer controls using various methods of assessment (e.g., interviews, document reviews, observations) that support the assertion that an issuer is reliably meeting the requirements of a standard. In the context of CMMC, assessments are performed against the requirements set forth in the CMMC for the OSC's desired CMMC Level.

Assessment Appeals Process

A formal process managed by the Cyber AB to seek resolution of a disagreement of an assessment result.

CAICO Approved Training Materials (CATM)

Training content developed by a Licensed Publishing Partner (LPP) and approved by the CAICO and its designated authorized agent, currently ProCert Communications.

CMMC 3rd Party Assessment Organization (C3PAO)

An entity that is certified to be contracted to an OSC to provide consultative advice or certified assessments.

Certificate

A record issued to an OSC upon successful completion of an assessment which evidences the CMMC Level against which the OSC has been successfully assessed.

Certification

The process of receiving a Certificate upon successful completion of requirements mandated for earning specified certification.

CMMC Certified Assessor (CCA)

A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 2 CMMC Assessor. A Provisional Assessor (PA) will become a CCP and then a CCA by passing the associated certification exam(s).

CMMC Certified Instructor (CCI)

A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a CMMC Instructor. A Provisional Instructor (PI) will become a CCI by passing the associated certification exam.

CMMC Certified Professional (CCP)

A person who has successfully completed all certification program requirements as outlined by the CAICO for becoming a Level 1 CMMC Assessor. A Provisional Assessor (PA) will become a CCP by passing the associated certification exam.

CMMC (Cybersecurity Maturity Model Certification)

The set of cybersecurity standards established by the DoD against which an OSC is assessed.

CMMC Assessment Process (CAP)

Provides procedures and guidance for CMMC C3PAOs conducting official CMMC assessments of organizations seeking CMMC certification.

CMMC Certified Organization

An organization whose cybersecurity program has received a CMMC Certificate from the Cyber AB.

CMMC Quality Assurance Professional (CQAP)

A Cyber AB trained person responsible for ensuring assessment documentation completeness and accuracy.

Code of Professional Conduct (CoPC)

Represents the performance standards by which the roles of the CMMC ecosystem will be held accountable, and the procedures for addressing violations of those performance standards.

CUI (Controlled Unclassified Information)

Information that requires safeguarding or dissemination control pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526 or the Atomic Energy Act of 1954, as amended.

Cybersecurity

Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.

Defense Supply Chain (DSC)

The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.

Digital Signature

An electronic file which is used to authenticate other electronic files and to encrypt files at rest and/or in motion.

FCI (Federal Contract Information)

Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public or simple transactional information, such as that necessary to process payments.

Licensed Publishing Partner (LPP)

Developer of CMMC curriculum to be utilized by Licensed Training Providers for delivering CMMC training.

Licensed Training Provider (LTP)

Provides the delivery of CMMC training to individuals.

Organization Seeking Certification (OSC)

The organization that is going through the CMMC assessment process to receive a level of certification for a given environment.

Registered Practitioner (RP) & Registered Practitioner Advanced (RPA)

Professionals who provide CMMC implementation consultative services. Any level of RP cannot participate on assessment teams.

Registered Practitioner Organization (RPO)

An organization authorized to represent itself as familiar with the basic constructs of the CMMC Standard, with a Cyber AB-provided logo, to deliver non-certified CMMC consulting services. Signifies that the organization has agreed to the CMMC-AB Code of Professional Conduct.

Working Toward CMMC Certification?

STACK Cybersecurity works with defense contractors to close compliance gaps and prepare for formal CMMC assessments. Whether you're mapping your environment for the first time or getting ready for a C3PAO audit, we can help you build a realistic path to certification.

Website: stackcyber.com
Email: info@stackcyber.com
Phone: (734) 744-5300

Cybersecurity Consultation

Do you know if your company is secure against cyber threats? Do you have the right security policies, tools, and practices in place to protect your data, reputation, and productivity? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cybersecurity's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices, and provide you a detailed report and action plan to improve your security posture. Don't wait until it's too late.

Schedule a Consultation Explore our Risk Assessment