Glossary

The cyber and IT communities have a serious acronym problem. This page is the running index of the terms used across the rest of the site, grouped by domain. Where a term is documented in depth elsewhere, the entry is intentionally short — the goal is to get you oriented, not to replicate the source.

NIST 800-53 Control Families

AC
Access Control. Who is allowed to do what, on which system, under what conditions.
AT
Awareness and Training. Workforce security education and role-specific training requirements.
AU
Audit and Accountability. Logging, log review, and the ability to attribute actions to actors.
CA
Assessment, Authorization, and Monitoring. The mechanics of getting and keeping an ATO.
CM
Configuration Management. Baselines, change control, and preventing configuration drift.
CP
Contingency Planning. Backup, recovery, and continuity of operations.
IA
Identification and Authentication. Proving who or what is making a request.
IR
Incident Response. Detection, containment, eradication, recovery, and lessons learned.
MA
Maintenance. Controlled hardware and software maintenance, including remote and third-party.
MP
Media Protection. Handling, storage, transport, and sanitization of physical and digital media.
PE
Physical and Environmental Protection. Doors, locks, HVAC, fire suppression, power.
PL
Planning. System security and privacy plans, rules of behavior.
PM
Program Management. Enterprise-level governance controls, distinct from system-level controls.
PS
Personnel Security. Screening, position-risk designation, transfer, and termination procedures.
PT
PII Processing and Transparency. Privacy controls introduced in NIST 800-53 Rev 5.
RA
Risk Assessment. Identifying and analyzing risk to operations, assets, and individuals.
SA
System and Services Acquisition. Building security into procurement and the SDLC.
SC
System and Communications Protection. Boundary protection, cryptographic protection, isolation.
SI
System and Information Integrity. Flaw remediation, malicious-code protection, monitoring.
SR
Supply Chain Risk Management. Third-party and supply-chain risk introduced in Rev 5.

Risk, Compliance, and Authorization

RMF
Risk Management Framework. NIST SP 800-37 Rev 2. The seven-step process by which federal systems achieve and maintain authorization.
FISMA
Federal Information Security Modernization Act. The 2014 update that gave OMB and DHS expanded oversight and made RMF the de facto standard.
FedRAMP
Federal Risk and Authorization Management Program. RMF as applied to cloud service offerings.
ATO
Authority to Operate. The signed risk-acceptance decision from an Authorizing Official permitting a system to run in production.
POA&M
Plan of Action and Milestones. The living document tracking unresolved findings, owners, and target completion dates.
SSP
System Security Plan. The system’s “blueprint” for control implementation. The single most-referenced document in any RMF package.
SAR
Security Assessment Report. The assessor’s evidence-backed verdict on each control.
SAP
Security Assessment Plan. The pre-assessment document that defines scope, methods, and acceptance criteria.
AO
Authorizing Official. The senior executive accountable for the residual risk of operating the system.
ISSO
Information System Security Officer. Day-to-day owner of the system’s security posture.
ISSE
Information System Security Engineer. Engineering counterpart to the ISSO; designs the controls into the architecture.
CCB
Configuration Control Board. The body that approves or rejects changes to the authorized baseline.
BIA
Business Impact Analysis. Quantifies the consequences of a system being unavailable or compromised; feeds CP and categorization.
CONOPS
Concept of Operations. Plain-language description of how a system is actually used.

Cybersecurity Operations

SOC
Security Operations Center. The team and tooling that monitors, triages, and responds.
SIEM
Security Information and Event Management. Centralized log collection, correlation, and alerting.
SOAR
Security Orchestration, Automation, and Response. The “hands and feet” layer that automates SOC playbooks.
EDR / MDR / XDR
Endpoint / Managed / Extended Detection and Response. A spectrum of tooling, from agent-on-host (EDR) to outsourced 24×7 (MDR) to multi-telemetry (XDR).
IDS / IPS
Intrusion Detection / Prevention System. Network sensors that alert on (IDS) or block (IPS) suspicious traffic.
DLP
Data Loss Prevention. Controls that detect and stop sensitive data from leaving an environment.
CASB
Cloud Access Security Broker. A policy-enforcement point between users and cloud services.
WAF
Web Application Firewall. L7 filter for HTTP-based attacks against web apps and APIs.
ZTA / ZTNA
Zero Trust Architecture / Zero Trust Network Access. “Never trust, always verify” — identity-aware, per-request access decisions instead of perimeter trust.
ATT&CK
MITRE Adversarial Tactics, Techniques, and Common Knowledge. A globally accessible knowledge base of adversary behavior.
ATLAS
MITRE Adversarial Threat Landscape for AI Systems. ATT&CK’s sibling knowledge base for ML/AI-system attacks.
CKC
Cyber Kill Chain. Lockheed Martin’s seven-stage model of an intrusion. Older than ATT&CK but still useful for executive framing.
CTI
Cyber Threat Intelligence. Curated information about adversaries, intent, capability, and infrastructure.
IoC
Indicator of Compromise. A specific artifact (hash, IP, domain) that suggests a compromise has occurred.
TTP
Tactics, Techniques, and Procedures. Adversary behavior at three increasing levels of specificity; the first two are the “T”s in ATT&CK.
DFIR
Digital Forensics and Incident Response. The combined discipline of investigating and recovering from incidents.

Vulnerabilities and Exposure

CVE
Common Vulnerabilities and Exposures. Globally unique identifiers for publicly known software vulnerabilities.
CVSS
Common Vulnerability Scoring System. Numeric severity score (0.0–10.0) attached to a CVE. Useful, but not a substitute for context.
CWE
Common Weakness Enumeration. Categories of underlying weaknesses (e.g., CWE-79 = XSS).
NVD
National Vulnerability Database. NIST’s enriched feed of CVEs with CVSS scores and CPE mappings.
SBOM
Software Bill of Materials. Machine-readable inventory of software components. Required for federal acquisition under EO 14028.
VEX
Vulnerability Exploitability eXchange. Companion to SBOM that states whether a CVE is actually exploitable in a given product.
RCE / LPE
Remote Code Execution / Local Privilege Escalation. Two of the most dangerous outcomes a vulnerability can enable.
XSS / CSRF / SSRF / SQLi
Web-app vulnerability classes: cross-site scripting, cross-site request forgery, server-side request forgery, SQL injection.

Identity and Access

IAM
Identity and Access Management. The umbrella discipline.
IGA
Identity Governance and Administration. The lifecycle layer: joiner-mover-leaver, access reviews, segregation-of-duties.
PAM
Privileged Access Management. Vaulting, session recording, and just-in-time elevation for high-privilege accounts.
MFA
Multi-Factor Authentication. Two or more of: something you know, have, or are.
SSO
Single Sign-On. One authentication event grants access to multiple downstream services.
SAML / OIDC / OAuth
The three protocols that carry most enterprise SSO and authorization. SAML is XML-based and older; OIDC sits on top of OAuth 2.0 for authentication.
RBAC / ABAC
Role-Based / Attribute-Based Access Control. RBAC groups permissions by role; ABAC evaluates richer attribute policies at request time.
PoLP
Principle of Least Privilege. Grant the minimum access required for the task. Easier to recite than to implement.

Cryptography

AES / RSA / ECC
Advanced Encryption Standard / Rivest-Shamir-Adleman / Elliptic Curve Cryptography. AES for symmetric, RSA and ECC for asymmetric.
TLS / mTLS
Transport Layer Security. mTLS adds mutual authentication — both sides present certificates.
HSM
Hardware Security Module. Tamper-resistant device for key generation, storage, and signing.
KMS
Key Management Service. Cloud-provider-managed key custody (e.g., AWS KMS, Azure Key Vault).
PKI
Public Key Infrastructure. The certificate authorities, intermediates, CRLs, and OCSP responders that make TLS trust work.
FIPS 140-2 / 140-3
Federal Information Processing Standard 140. US/Canadian validation standard for cryptographic modules.

AI and Machine Learning

LLM
Large Language Model. A transformer-based model trained on text at scale; the engine behind most current generative AI products.
SLM
Small Language Model. Compact LLMs (often <10B parameters) optimized for edge deployment, lower cost, or specific domains.
MoE
Mixture of Experts. Architectural pattern where a router activates a subset of “expert” subnetworks per token; high parameter count, lower active compute.
RAG
Retrieval-Augmented Generation. Pattern of retrieving relevant documents at query time and injecting them into the model’s context.
RLHF
Reinforcement Learning from Human Feedback. Post-training alignment technique that uses human preference data to shape model behavior.
MCP
Model Context Protocol. Open spec that lets language models invoke external tools, resources, and prompts via a JSON-RPC dialect.
AI RMF
AI Risk Management Framework (NIST AI 100-1). NIST’s voluntary framework for managing AI risk, with four functions: Govern, Map, Measure, Manage.
GenAI Profile
NIST AI 600-1. Companion profile to AI RMF specifically addressing generative-AI risks.
OWASP LLM Top 10
The OWASP project that catalogs the most critical LLM-application security risks (prompt injection, insecure output handling, training-data poisoning, and so on).
Agentic AI
AI systems that plan multi-step actions and invoke tools autonomously toward a goal, rather than producing a single response.

Privacy and Regulation

PII
Personally Identifiable Information. Information that can identify a specific individual, alone or in combination.
PHI
Protected Health Information. PII tied to health status or care, regulated under HIPAA in the US.
GDPR
General Data Protection Regulation. EU regulation on personal-data processing, in force since 2018.
CCPA / CPRA
California Consumer Privacy Act / California Privacy Rights Act. California’s GDPR-adjacent privacy regimes.
HIPAA
Health Insurance Portability and Accountability Act. US federal law governing PHI.
PCI DSS
Payment Card Industry Data Security Standard. Industry-mandated controls for entities that store, process, or transmit cardholder data.

Missing a term? Suggestions are welcome via the contact channels listed elsewhere on the site.