Glossary
The acronym soup of CMMC and NIST 800-171, in plain language. Keep this open in a second tab while you work through your assessment.
CMMC
Cybersecurity Maturity Model Certification. The DoD program that requires defense contractors to demonstrate they protect sensitive government information. CMMC has tiered levels; Level 2 requires implementing all 110 NIST SP 800-171 controls and, for most contracts handling CUI, a third-party assessment. Enforcement went live in November 2025.
NIST SP 800-171 (Rev 2)
The National Institute of Standards and Technology publication Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. It defines the 110 security controls across 14 families that form the basis of CMMC Level 2. Bastion assesses against Revision 2.
CUI — Controlled Unclassified Information
Government-created or -owned information that is sensitive but not classified, and which law or policy requires to be safeguarded — for example technical drawings, specifications, and contract data. Handling CUI is what triggers the NIST 800-171 / CMMC Level 2 requirements. Bastion runs entirely in your browser specifically so your CUI never leaves your machine.
FCI — Federal Contract Information
Information provided by or generated for the government under a contract that isn't intended for public release, but is less sensitive than CUI. Protecting FCI requires the 17 basic safeguarding controls of CMMC Level 1 — which Bastion supports via its Level 1 mode.
SPRS — Supplier Performance Risk System
The DoD system of record where your NIST 800-171 self-assessment score is posted. Under DFARS, contractors handling CUI must keep a current score in SPRS to be eligible for award. The score runs from a maximum of 110 down to a floor of −203. Bastion calculates your SPRS score live; you post it to the official system. See SPRS explained.
SSP — System Security Plan
The document describing your in-scope system and explaining how each of the 110 controls is implemented. Required by control 3.12.4 and the first artifact an assessor reviews. Bastion generates your SSP from your control statuses, notes, and evidence.
POA&M — Plan of Action & Milestones
Your remediation roadmap: a list of every control that isn't fully Met, each with the weakness, an owner, and a target completion date. It shows that gaps are being managed. Bastion builds your POA&M automatically from your open controls.
C3PAO — Certified Third-Party Assessment Organization
An organization accredited by the Cyber AB to perform official CMMC Level 2 assessments and issue certifications. Bastion is not a C3PAO and does not issue certifications — it's a self-assessment aid that gets you ready for the real assessment a C3PAO performs.
DFARS
The Defense Federal Acquisition Regulation Supplement. The contract clauses that impose these obligations live here — notably DFARS 252.204-7012 (safeguard CUI, report incidents), -7019 (post a current self-assessment score to SPRS), -7020 (NIST 800-171 assessment requirements), and -7021 (the CMMC requirement itself).
Enclave
A deliberately carved-out, isolated portion of your environment where all CUI is stored, processed, and transmitted — separated from the rest of the business. Building a tight enclave is the most common way to shrink your assessment scope: the 110 controls only apply to systems inside it, not your whole company.
Inheritance
When a control is satisfied for you by an external provider rather than implemented by you directly — for example physical data-center security or FIPS-validated encryption provided by a FedRAMP-authorized cloud or GCC High tenant. In Bastion you mark such controls Inherited. Inheritance must be documented (via the provider's responsibility matrix), and shared controls only inherit the provider's portion — your part still has to be Met. See the assessment guide.
Control (requirement)
One of the 110 individual security requirements in NIST 800-171, identified by a dotted number like 3.1.1 (the family prefix 3.1 = Access Control, then the requirement number). In Bastion each control gets a status, evidence, and notes.
Control family
One of the 14 groupings the 110 controls fall into — Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity. Bastion's gap dashboard reports your posture family by family.
Control weight (5 / 3 / 1)
The point value DoD's assessment methodology assigns each control based on its risk impact. An unmet control subtracts its weight from 110. Highest-impact controls are worth 5, significant ones 3, and the rest 1. This is why fixing the right high-weight gaps moves your score most. See the methodology.
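A worked example of the scoring rule just described, tying together the family prefix, Inherited and shared statuses, and the POA&M entries from earlier on this page. This is an added illustration, not Bastion's code; the control statuses and weights are constructed sample values (the real weights come from the DoD methodology table).

```python
# Added example, not Bastion's code: SPRS-style score, family gap report and
# POA&M rows from a small constructed set of control statuses. Weights are
# illustrative sample values, not the official DoD methodology table.
from collections import defaultdict

MAX_SCORE, FLOOR = 110, -203

FAMILIES = {"3.1": "Access Control", "3.3": "Audit & Accountability",
            "3.5": "Identification & Authentication",
            "3.12": "Security Assessment",
            "3.13": "System & Communications Protection"}

# Constructed sample: control id -> (weight, status). "Shared" models a
# control whose provider portion is inherited but whose customer portion
# is still open, so it is a gap until your part is Met.
CONTROLS = {
    "3.1.1":   (5, "Met"),
    "3.1.2":   (5, "Not Met"),
    "3.3.1":   (5, "Inherited"),
    "3.5.3":   (5, "Not Met"),
    "3.12.4":  (1, "Met"),
    "3.13.11": (5, "Shared"),
}

def family_of(control_id):
    """'3.13.11' -> '3.13': everything before the last dot is the family prefix."""
    return control_id.rsplit(".", 1)[0]

def is_gap(status):
    """Only fully Met or fully Inherited controls earn their points."""
    return status not in ("Met", "Inherited")

def sprs_score(controls):
    """Start at 110, subtract each open control's weight, never go below the floor."""
    deduction = sum(w for w, s in controls.values() if is_gap(s))
    return max(MAX_SCORE - deduction, FLOOR)

def family_gaps(controls):
    """Gap-dashboard view: family name -> (open controls, points lost)."""
    report = defaultdict(lambda: [0, 0])
    for cid, (w, s) in controls.items():
        if is_gap(s):
            entry = report[FAMILIES[family_of(cid)]]
            entry[0] += 1
            entry[1] += w
    return {k: tuple(v) for k, v in report.items()}

def poam(controls):
    """POA&M rows (id, weight, status) for every control not fully Met, heaviest first."""
    rows = [(cid, w, s) for cid, (w, s) in controls.items() if is_gap(s)]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    print("SPRS score:", sprs_score(CONTROLS))
    for fam, (n, pts) in family_gaps(CONTROLS).items():
        print(f"{fam}: {n} open, {pts} points lost")
    for cid, w, s in poam(CONTROLS):
        print(f"POA&M  {cid:8} weight {w}  status {s}")
```

Fixing any one of the three open 5-point controls in the sample raises the score by 5, which is the "high-weight gaps move your score most" point in practice.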
CMMC levels
Level 1 covers FCI with 17 basic safeguarding controls (self-assessed annually). Level 2 covers CUI with all 110 NIST 800-171 controls (third-party assessed for most contracts). Level 3 adds enhanced requirements for the highest-priority programs. Bastion focuses on Level 2, with a Level 1 mode for the 17-control FCI scope.
Cyber AB
The Cyber Accreditation Body (formerly the CMMC-AB), the organization that accredits C3PAOs and assessors for the CMMC ecosystem. Bastion is independent of and not endorsed by the Cyber AB.
DIBCAC
The Defense Industrial Base Cybersecurity Assessment Center, the DoD body that conducts higher-assurance government-led NIST 800-171 assessments and helped define the assessment methodology behind SPRS scoring.
CAGE code & PIEE
A CAGE (Commercial and Government Entity) code uniquely identifies your business to the government and ties your SPRS score to your entity. PIEE (Procurement Integrated Enterprise Environment) is the DoD portal through which you access the SPRS application to post that score.
GCC High
Government Community Cloud High — a Microsoft 365 / Azure environment built to meet DoD requirements for handling CUI and ITAR data. Many defense suppliers host their CUI enclave in GCC High and inherit a set of controls from it.
FedRAMP
The Federal Risk and Authorization Management Program, which authorizes cloud services for government use. A FedRAMP-authorized (typically Moderate or High) cloud is a common source of inherited controls for a CUI environment.
CRM — Customer Responsibility Matrix
A document a cloud or service provider publishes that maps each NIST 800-171 control to who's responsible for it — the provider, the customer, or shared. It's the proof you reference when you mark a control Inherited.
FIPS 140 (validated encryption)
Federal Information Processing Standard 140 defines the requirements for cryptographic modules the government accepts. Several 800-171 controls require that encryption protecting CUI be FIPS-validated — not just "encrypted," but using a validated module.