Glossary

Contractor information protection glossary

Plain-English explanations of common contractor information security, CMMC, NIST, CUI, Canadian program, and questionnaire terms.

Access control

Rules and settings that determine who can access which systems, records, folders, devices, or functions.

Affirmation

A formal confirmation associated with some CMMC assessment paths. Contractors should not treat an informal statement as an official affirmation.

C3PAO

A CMMC Third-Party Assessment Organization. The Cyber AB describes C3PAOs as organizations that conduct assessments, through qualified assessors, of organizations seeking assessment.

CMMC

Cybersecurity Maturity Model Certification, an assessment framework used in the U.S. defence contracting environment to assess implementation of required protections for FCI and CUI.

Controlled Goods Program

A Canadian program connected to examining, possessing, or transferring controlled goods in Canada. This site does not provide registration advice or access instructions.

Controlled Unclassified Information (CUI)

Unclassified information that requires safeguarding or dissemination controls under applicable law, regulation, or government-wide policy.

CPCSC

Canadian Program for Cyber Security Certification, the term used for Canada’s defence-supplier cyber certification program.

Cybersecurity questionnaire

A customer, insurer, prime-contractor, or supplier-portal form asking how an organization protects systems, information, or records.

FCI

Federal Contract Information: non-public information provided by or generated for the U.S. government under a contract, excluding public information and simple payment-transaction information.

Incident response

A planned process for identifying, reporting, containing, investigating, and recovering from suspected information or security incidents.

ITSP.10.171

Canadian Centre for Cyber Security guidance referenced in Canadian contractor cyber certification materials for protecting specified information in non-Government of Canada systems and organizations.

Least privilege

The practice of giving users only the access needed for their work.

NIST SP 800-171

A NIST publication about security requirements for protecting CUI in nonfederal systems and organizations.

POA&M

Plan of Action and Milestones: a tracking record for gaps, planned corrective actions, owners, and target dates.

Protected information

Canadian security language for certain sensitive government information. The applicable level and handling requirement should be verified through official documents and contract direction.

SPRS

Supplier Performance Risk System, the U.S. system referenced in defence-contractor cybersecurity assessment and scoring discussions.

SSP

System Security Plan: documentation that describes a system, its boundary, responsibilities, and how security requirements are implemented.

Verify official definitions

Glossary entries are simplified. Use official program documents, contract language, and qualified support when definitions affect obligations.