GovCon Glossary
Plain-English definitions for the acronyms and terms capture, proposal, and BD teams run into every day.
26 terms
C
Communications Security
COMSECCommunications Security covers the measures, equipment, and procedures used to protect government voice, data, and message traffic from interception, exploitation, or unauthorized disclosure, including encryption, key management, and transmission security. Contractors working with classified or sensitive communications equipment must follow NSA/CNSS COMSEC policy, often including trained custodians and controlled key material.
Contracting Officer
KOThe Contracting Officer is the government official with legal authority to enter into, administer, modify, or terminate a contract on the agency's behalf. Only the KO can bind the government to contractual commitments; direction from any other government employee, including a program manager or COR, does not carry that authority.
Contracting Officer's Representative
CORA Contracting Officer's Representative is appointed in writing by the KO to monitor day-to-day contract performance, inspect deliverables, and serve as the technical point of contact with the contractor. A COR has no authority to change price, scope, or terms; performance concerns get escalated back to the Contracting Officer for a binding decision.
Controlled Unclassified Information
CUIControlled Unclassified Information is unclassified government information that still requires safeguarding or dissemination controls under law, regulation, or agency policy, such as procurement-sensitive data, export-controlled technical data, or personally identifiable information. Contractors handling CUI must follow specific marking, storage, and access rules, and it is a core driver behind CMMC requirements.
Cybersecurity Maturity Model Certification
CMMCThe Cybersecurity Maturity Model Certification is DoD's framework for verifying that contractors handling Federal Contract Information and CUI have adequate cybersecurity controls in place, spanning three levels: Level 1 (basic safeguarding, self-assessed), Level 2 (110 NIST SP 800-171 controls, generally third-party assessed), and Level 3 (added NIST SP 800-172 controls, government-assessed). It is becoming a mandatory condition of award as DoD phases it into solicitations.
F
Federal Information Security Management Act
FISMAOriginally enacted in 2002 and updated by the 2014 Federal Information Security Modernization Act, this law requires federal agencies to develop, document, and operate risk-based information security programs for their systems, including systems run by contractors on the agency's behalf. It underpins the ATO process and the NIST security control baselines contractors must satisfy on federal information systems.
FedRAMP (Federal Risk and Authorization Management Program)
FedRAMP is a government-wide program that standardizes the security assessment, authorization, and continuous monitoring of cloud services sold to federal agencies, letting a cloud provider get assessed once and have that authorization reused across multiple agencies instead of repeating the process for each. A FedRAMP authorization is frequently a prerequisite for selling cloud-hosted software or infrastructure to the federal government.
For Official Use Only
FOUOFor Official Use Only was a legacy marking applied inconsistently across agencies to unclassified information not intended for public release, such as internal deliberations or sensitive but unclassified data. It has been formally superseded government-wide by the Controlled Unclassified Information program, though contractors may still see it on older, unmigrated documents.
G
GCC High
GCC High is Microsoft's Government Community Cloud High environment, a segregated Microsoft 365 tenant hosted in the continental U.S. and administered only by screened U.S. persons, built to satisfy DFARS 252.204-7012, ITAR/EAR, and CMMC Level 2/3 requirements. Contractors handling CUI or export-controlled technical data on DoD work typically need GCC High rather than a commercial or standard GCC tenant.
General and Administrative Expenses
G&AGeneral and Administrative expenses are indirect costs that support the business as a whole rather than any single contract, such as executive compensation, corporate accounting, and HR, allocated across contracts through an approved cost pool and base. A contractor's G&A rate is a key input in cost buildups and DCAA rate audits, and it directly affects competitiveness on price.
GovCloud
GovCloud generally refers to isolated cloud regions built to meet elevated federal security requirements, most notably AWS GovCloud (US), which restricts access to vetted U.S. persons, hosts data within the U.S., and supports FedRAMP High, DoD SRG, ITAR, and CJIS compliance. Contractors use it to host CUI or export-controlled workloads that can't run in a standard commercial cloud region.
I
Identity and Access Management
IAMThe framework of policies and technology that governs who can access which systems and data, and what they're allowed to do once they're in. In GovCon, IAM underpins zero trust architecture and is a core control family assessed under FedRAMP, CMMC, and RMF authorizations, covering provisioning, authentication, role-based permissions, and access revocation.
Information Security
INFOSECThe practice of protecting information and information systems from unauthorized access, disclosure, alteration, or destruction. Federal contracts frequently impose INFOSEC requirements (such as NIST 800-171 or FedRAMP controls) as flow-down clauses, making it a contractual obligation for contractors handling government data, not just a best practice.
M
Major Defense Acquisition Program
MDAPA DoD acquisition program formally designated ACAT I because its projected costs exceed statutory thresholds (currently more than $1 billion in RDT&D or $4.5 billion in procurement, in FY2024 constant dollars) under 10 U.S.C. 4201. MDAPs face the highest level of oversight, including milestone reviews and mandatory reporting to Congress.
Multiple Award Task Order Contract
MATOCAn indefinite-delivery, indefinite-quantity vehicle under which the government awards contracts to two or more companies who then compete against each other for individual task orders as work is identified. MATOCs are common in DoD construction and services procurements and require contractors to win at the task-order level, not just at the base award.
P
Procurement Administrative Lead Time
PALTThe elapsed time between an agency issuing a solicitation and awarding the resulting contract or order. PALT is a metric many agencies use, and increasingly report publicly through FPDS, to gauge acquisition efficiency, and long PALT is a frequent target of process-improvement efforts across DoD and civilian agencies.
Public Key Infrastructure
PKIThe system of digital certificates, certificate authorities, and cryptographic keys used to verify identity and encrypt communications. Federal agencies rely on PKI for CAC-based login, digitally signed documents, and secure email, and contractors working on federal networks often must support or integrate with DoD or federal PKI credentials.
S
Security Technical Implementation Guide
STIGA DISA-published configuration standard that spells out exactly how to lock down a piece of hardware, software, or network device to meet DoD security requirements. Systems operating on DoD networks are typically required to be hardened to the applicable STIG, and compliance is checked during security assessments and authorization to operate.
Supplier Performance Risk System
SPRSDoD's system of record for contractor self-assessment scores and other supplier risk data. Contractors score their NIST SP 800-171 implementation on a 110-point scale, losing points for unmet controls, and post the result to SPRS under DFARS 252.204-7019 and 252.204-7020. A missing or outdated score can keep a contractor from being considered for award on solicitations that require one.
System Security Plan
SSPA formal document describing a system's boundaries, the security controls it has in place, and how those controls meet applicable requirements, such as NIST SP 800-53 or 800-171. The SSP is the centerpiece of a FedRAMP or RMF authorization package and is what assessors validate against during a security assessment.

Ready to connect your pursuit work?
GovEagle gives BD directors, capture managers, and proposal teams one AI workspace from pipeline through proposal, with CMMC/FedRAMP Moderate compliance built in.