Fledge Dictionary
Understand Your CMMC Journey
Authorization Boundary
The Authorization Boundary is every component of the system that is in scope for the CMMC assessment.
Any place where FCI/CUI is stored, transmitted, or processed is inside the Authorization Boundary. This includes databases, compute instances, physical devices, gateways, etc. Components that provide security protection for those assets (for example identity providers, logging servers, and firewalls) are also in scope even if they never hold CUI themselves.
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) is a DoD program that certifies whether a defense contractor's systems implement the cybersecurity practices required to protect DoD information (FCI and CUI).
Certified 3rd-Party Assessment Organization (C3PAO)
A Certified 3rd-Party Assessment Organization (C3PAO) is an organization that is accredited to conduct CMMC assessments.
These assessors conduct an independent assessment of the Organization Seeking Certification (OSC).
Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that a contractor creates or handles on its behalf, that a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled.
CUI is typically marked (for example with a "CUI" banner marking) and must remain within the Authorization Boundary of the system.
Data Flow Diagram (DFD)
A Data Flow Diagram (DFD) is a diagram showing how FCI/CUI flows through the system, both inside the Authorization Boundary and across it to external parties and service providers.
External Service Provider (ESP)
An External Service Provider (ESP) is typically another organization that provides services to the Organization Seeking Certification (OSC).
These services sit outside the OSC's own Authorization Boundary. If the ESP is a cloud service provider that stores, processes, or transmits CUI, it should hold a FedRAMP Moderate authorization or meet the equivalent standard, as DFARS requires.
FedRAMP
FedRAMP (the Federal Risk and Authorization Management Program) is a U.S. Government program for authorizing Cloud Service Providers to handle federal data.
FedRAMP uses the NIST SP 800-53 Rev. 5 control catalog for its assessments. FedRAMP publishes many resources and templates that may be helpful for CMMC practices.
Learn more about FedRAMP.
Federal Contract Information (FCI)
Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service.
FCI is not always marked, so it must be identified from its contract context. It must remain within the Authorization Boundary of the system.
FIPS 140-2 / FIPS 140-3
FIPS 140-2 and FIPS 140-3 are the NIST standards that define security requirements for cryptographic modules. Cryptography used to protect the confidentiality of CUI in a CMMC certified system must be FIPS-validated.
Refer to FIPS 140-2 and FIPS 140-3 for further information.
Note: FIPS 140-2 is being replaced by FIPS 140-3; NIST will move FIPS 140-2 validation certificates to the historical list in September 2026. In practice, check that the module's certificate appears on the NIST CMVP validated modules list and that the module is actually operated in its FIPS-approved mode, since a validated module running in a non-approved mode does not satisfy the requirement.
Incident Response Plan (IRP)
A documented plan, written by the organization, that describes how it detects, responds to, and recovers from security incidents.
These plans usually include playbooks for different types of attacks, along with the roles and responsibilities of the people involved in handling an incident.
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce whose mission is to promote U.S. innovation and industrial competitiveness. It publishes standards and guidelines for many industries, including the cybersecurity publications CMMC is built on.
NIST 800-171
NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is the publication that defines the security requirements assessed under CMMC Level 2. It is also referenced by other cybersecurity frameworks.
Organization Seeking Certification (OSC)
The Organization Seeking Certification (OSC) is any organization that is seeking CMMC certification.
If your organization is pursuing CMMC then you are the Organization Seeking Certification (OSC).
Plan Of Action & Milestones (POA&M)
A Plan Of Action & Milestones (POA&M) is a document that lists the weaknesses identified in the system, typically security requirements that are not yet fully implemented.
The POA&M records the organization's next steps, owners, and target dates for eliminating or mitigating each weakness. Under CMMC, only certain requirements may be left open on a POA&M at the time of assessment, and open items must be closed within 180 days.
System Security Plan (SSP)
A large document outlining how an organization secures its system. This includes control implementations, risk assessments, system inventories, the Authorization Boundary and data flow diagrams, the IRP, and much more.
The SSP package brings together all security-related policies and supporting documentation, and is the primary document an assessor reviews.