Senior Authorized Official (SAO)
The person at your company who signs off on the assessment.
The SAO is the executive accountable for your compliance posture. They approve final SPRS scores and sign assessment artifacts. Usually a CIO, CISO, COO, or owner.
Authorized Organizational Representative (AOR)
The VeeSafe Technology expert running your assessment.
The AOR is the qualified internal assessor at VeeSafe Technology who reviews your evidence, applies federal scoring rules, and validates each control. They are your primary point of contact.
Control
A single security requirement you must meet.
A control is one specific requirement from NIST SP 800-171 — for example 'use multi-factor authentication for privileged accounts.' There are 110 of them in Rev 2.
Control Owner
The person responsible for one control working as designed.
Each control needs a named person accountable for it, whether in IT, HR, facilities, or elsewhere. Without an owner, controls drift.
System Boundary
Where your CUI environment starts and stops.
The set of systems, networks, devices, and people that store, process, or transmit Controlled Unclassified Information. Anything inside the boundary is in scope; anything outside is not.
Evidence
Proof a control actually works.
Screenshots, configuration exports, policy documents, log samples, training rosters — anything that an auditor would accept as objective proof. We collect, time-stamp, and tie each piece to its control.
SPRS Score
The official DoD score (max 110).
The Supplier Performance Risk System score uses DoD's published methodology: start at 110 and subtract 1, 3, or 5 points for each Rev 2 control not fully implemented. This is the number prime contractors and the DoD see.
POA&M
Your written plan to fix gaps.
Plan of Action & Milestones. For every control you cannot fully implement today, the POA&M says what you'll do, who owns it, and by when. Mandatory for CMMC Level 2 conditional certification.
Federal Standard (CMMC L2)
All 110 NIST 800-171 Rev 2 controls.
This is the baseline assessed for handling CUI. It is the standard we evaluate every client against.
Minimum Standard (CMMC L1)
The 17 most basic safeguards — table stakes.
Derived from FAR 52.204-21. Required for any DoD work involving Federal Contract Information. Self-attested annually.
Future Standard (NIST Rev 3)
What's coming next — get ahead of it.
NIST SP 800-171 Rev 3 (May 2024) reorganizes and strengthens the requirements. It will be the basis for future contractual obligations. We assess it now as advisory so you have runway.
Redaction
Hiding sensitive evidence from the client view.
Some assessment material — internal notes, draft findings, sensitive evidence — should not appear in client deliverables. The redaction toggle hides those items everywhere a client could see them.