📚 Cybersecurity Glossary
Your comprehensive guide to cybersecurity, compliance, and CMMC terminology. Search or browse through hundreds of definitions.
314 terms
A
Access
Ability to make use of any information system (“IS”) resource.
Attribute Based Access Control (ABAC)
Access control based on attributes associated with subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.
Access Control (AC)
The process of granting or denying specific requests to:
- Obtain and use information and related information processing services; and
- Enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances, etc.).
Access Control List (ACL)
A mechanism that implements access control for a system resource by listing the identities of the system entities that are permitted to access the resource.
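The two mechanisms above differ in what a decision keys on: an ACL lists identities per resource, while an ABAC rule set evaluates attributes of the subject, the resource and the environment. The following is an added example, not code from the glossary or from any CMMC artifact; the users, resources, attribute names and rules are all constructed for illustration.

```python
"""
Added example (not from the glossary): an ACL and an ABAC rule set evaluated
side by side over the same request, to show the difference in what each one
keys on. All users, resources, attributes and rules are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    resource: str
    env: dict = field(default_factory=dict)   # e.g. {"network": "corp"}


# --- ACL: per-resource list of identities and the actions each may take ----
ACL = {
    "cui/design-spec.pdf": {"alice": {"read"}, "bob": {"read", "write"}},
    "public/brochure.pdf": {"*": {"read"}},            # "*" = any identity
}


def acl_allows(req: Request) -> bool:
    """Permit only if the identity (or the wildcard) is listed for the action.
    Unknown resources and unlisted identities fall through to deny."""
    entries = ACL.get(req.resource, {})
    for identity in (req.subject, "*"):
        if req.action in entries.get(identity, set()):
            return True
    return False


# --- ABAC: attributes on subject and resource, plus the request environment ---
SUBJECTS = {
    "alice": {"clearance": "cui", "dept": "engineering", "mfa": True},
    "bob":   {"clearance": "cui", "dept": "engineering", "mfa": False},
    "carol": {"clearance": "none", "dept": "marketing", "mfa": True},
}
RESOURCES = {
    "cui/design-spec.pdf": {"classification": "cui", "owner_dept": "engineering"},
    "public/brochure.pdf": {"classification": "public", "owner_dept": "marketing"},
}

# Each rule is (name, predicate over subject attrs, resource attrs, action, env).
RULES = [
    ("public-read", lambda s, r, a, e:
        r["classification"] == "public" and a == "read"),
    ("cui-read", lambda s, r, a, e:
        r["classification"] == "cui" and a == "read"
        and s["clearance"] == "cui" and s["mfa"] and e.get("network") == "corp"),
    ("cui-write", lambda s, r, a, e:
        r["classification"] == "cui" and a == "write"
        and s["clearance"] == "cui" and s["mfa"]
        and s["dept"] == r["owner_dept"] and e.get("network") == "corp"),
]


def abac_decide(req: Request):
    """Return (allowed, matching_rule). First matching rule permits; no match
    is a deny, as is any subject or resource with no attributes on record."""
    s = SUBJECTS.get(req.subject)
    r = RESOURCES.get(req.resource)
    if s is None or r is None:
        return False, None
    for name, predicate in RULES:
        if predicate(s, r, req.action, req.env):
            return True, name
    return False, None


if __name__ == "__main__":
    req = Request("bob", "write", "cui/design-spec.pdf", {"network": "guest"})
    print("ACL :", acl_allows(req))      # True: the ACL cannot see MFA or network
    print("ABAC:", abac_decide(req))     # (False, None): bob lacks MFA, wrong network
```

The point of the side-by-side is the last two lines: the ACL grants bob write access from a guest network with no MFA because identity is the only thing it can express, whereas the ABAC rule set denies the same request. Both evaluators default to deny on anything they do not recognise, which is the behaviour an assessor will expect to see.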
Access Control Policy
The set of rules that define the conditions under which any access may take place. Also known as Access Management Policy.
Access Profile
Association of a user with a list of protected objects the user may access.
Activity/Activities
A set of actions carried out within a practice in order to make it successful. A practice may consist of a single activity or of several activities.
Administrative Safeguards
Administrative actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect any electronic information that is by definition “protected information” and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
Advanced Encryption Standard (AES)
The symmetric block cipher specified in NIST FIPS 197 (128-bit block size; 128-, 192-, or 256-bit keys), approved by the U.S. government for protecting sensitive information, including classified information in approved implementations, and the most widely used cipher for encrypting data at rest and in transit.
Advanced Persistent Threat (APT)
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors. The advanced persistent threat:
- Pursues its objectives repeatedly over an extended period of time
- Adapts to defenders’ efforts to resist it; and
- Is determined to maintain the level of interaction needed to execute its objectives
Adversarial Assessment
An assessment of the ability of an organization equipped with a system to support its mission while withstanding cyber threat activity representative of an actual adversary.
Adversary
Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Aerospace Industries Association (AIA)
A trade association representing manufacturers and suppliers of civil, military, and business aircraft, helicopters, UAVs, space systems, aircraft engines, missiles, materiel, and related components.
Air Gap
An interface between two systems that are neither physically connected nor joined by any automated logical connection; data crosses the interface only manually, under human control.
Alert
An internal or external notification that a specific action has been identified within an organization’s information systems.
Anti-Malware Tools
Tools that help identify malware, prevent its execution, and analyze (reverse engineer) it.
Anti-Spyware Software
A program that specializes in detecting both malware and non-malware forms of spyware.
Anti-Tamper
Systems engineering activities intended to deter and/or delay exploitation of technologies in a system in order to impede countermeasure development, unintended technology transfer, or alteration of a system.
Anti-Virus Software
A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.
Application Programming Interface (API)
A set of protocols, routines, and tools for building software applications that specifies how software components should interact.
Assessment
The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.
Assessment Scope
Defines what is “in” and what is “out” of the assessment, including type (Enterprise vs. Organizational Unit vs. Enclave), system boundaries, CAGE codes, and contracts.
Asset
Anything that has value to an organization, including but not limited to another organization, person, computing device, IT system, IT network, IT circuit, software, virtual computing platform, and related hardware.
Asset Category
CMMC defines five asset categories for scoping activities:
- Contractor Risk Managed Asset
- CUI Asset
- Out-of-Scope Asset
- Security Protection Asset
- Specialized Asset
Asset Custodian
A person or group responsible for the day-to-day management, operation, and security of an asset.
Asset Management (AM)
Management of organizational assets including inventory, configuration, destruction, disposal, and updates.
Asset Owner
A person or organizational unit with primary responsibility for the viability, productivity, security, and resilience of an organizational asset.
Asset Types
The following asset types should be included when classifying assets:
- People – employees, contractors, vendors, and external service provider personnel
- Technology – servers, client computers, mobile devices, network appliances, VoIP devices, applications, virtual machines, and database systems
- Facilities – physical office locations, satellite offices, server rooms, datacenters, manufacturing plants, and secured rooms
- External Service Provider (ESP) – external people, technology, or facilities that the organization utilizes including Cloud Service Providers, Managed Service Providers, Managed Security Service Providers
Attack Surface
The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or from which data can be extracted.
Audit
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.
Audit and Accountability (AU)
The NIST SP 800-171 control family focused on creating, protecting, retaining, and reviewing system audit records.
Audit Log
A chronological record of system activities including records of system access and operations performed in a given period.
Audit Record
An individual entry in an audit log related to an audited event.
Australian Cyber Security Centre (ACSC)
The Australian Government’s lead agency for cyber security, providing advice and assistance to prevent, detect, and respond to cyber threats.
Authentication
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. In a communications context, a security measure designed to protect a communications system against acceptance of fraudulent transmissions by establishing the validity of a transmission, message, or originator.
Authenticator
Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity.
Authoritative Source
An entity that has access to, or verified copies of, accurate information from an issuing source such that a Credential Service Provider (CSP) can confirm the validity of the identity evidence supplied by an applicant during identity proofing.
Authorization
The right or a permission that is granted to a system entity (user, program, or process) to access a system resource.
Authorized User
Any employee, contractor, agent, or other person that participates in the business operations of the organization and is authorized to access and use any of the Organization’s Information Systems or Nonpublic Data.
Availability
Ensuring timely and reliable access to and use of information, data, and information services by authorized users.
Awareness
A learning process that sets the stage for training by changing individual and organizational attitudes to realize the importance of security and the adverse consequences of its failure.
Awareness and Training (AT)
Programs that explain proper rules of behavior for the use of information systems and communicate IT security policies and procedures.
B
Backup
A copy of files and programs made to facilitate recovery, if necessary.
Baseline
Hardware, software, databases, and relevant documentation for an information system at a given point in time.
Baseline Configuration
A set of specifications for a system that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.
Baseline Security
The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection.
Baselining
Monitoring resources to determine typical utilization patterns so that significant deviations can be detected.
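Baselining is only useful if the baseline is built from enough data and the deviation threshold is chosen so that a near-constant metric does not alert on every blip. The following is an added example, not part of the glossary: it builds a baseline from a window of historical measurements and flags later samples that sit well above it. The metric (failed logins per hour on one host) and every number are constructed for illustration.

```python
"""
Added example (not from the glossary): establish a utilization baseline from
a window of historical measurements, then flag later samples that deviate
from it. The metric and all numbers are constructed.
"""
import statistics

# Constructed: failed-login counts per hour for one host, 24 baseline hours.
BASELINE_WINDOW = [3, 2, 4, 3, 5, 2, 3, 4, 3, 2, 4, 3,
                   5, 3, 2, 4, 3, 3, 2, 4, 3, 5, 3, 2]

# Constructed: the next six hours, with a large spike in hour 4 and a
# smaller one in hour 6.
NEW_SAMPLES = {"h1": 4, "h2": 3, "h3": 2, "h4": 48, "h5": 3, "h6": 12}


def build_baseline(samples, min_samples=12):
    """Mean and population standard deviation of the baseline window.

    Refuse to baseline on too little data: a threshold derived from a handful
    of samples is noise and will either page constantly or never fire.
    """
    if len(samples) < min_samples:
        raise ValueError(f"need at least {min_samples} samples, got {len(samples)}")
    return statistics.fmean(samples), statistics.pstdev(samples)


def deviations(samples, mean, stdev, k=3.0, floor=1.0):
    """Return {label: z-score} for samples more than k standard deviations
    above the mean. `floor` caps how small the spread may be, so a baseline
    that barely moves (stdev near 0) does not turn every +1 into an alert."""
    spread = max(stdev, floor)
    flagged = {}
    for label, value in samples.items():
        z = (value - mean) / spread
        if z > k:
            flagged[label] = round(z, 2)
    return flagged


if __name__ == "__main__":
    mean, stdev = build_baseline(BASELINE_WINDOW)
    print(f"baseline mean={mean:.2f} stdev={stdev:.2f}")
    for label, z in deviations(NEW_SAMPLES, mean, stdev).items():
        print(f"{label}: {NEW_SAMPLES[label]} failed logins (z={z})")
```

With this window the mean is about 3.2 and the spread is below the floor, so the floor of 1.0 governs: hours 4 and 6 are flagged, the others are not. In production the baseline should be recomputed on a rolling window and, for metrics with a daily or weekly cycle, kept per time-of-day rather than as one global mean.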
Blacklist
A list of discrete entities such as IP addresses, host names, applications, or software libraries that have been previously determined to be associated with malicious activity.
Blacklisting Software
A list of applications (software) and software libraries that are forbidden to execute on an organizational asset.
Blue Team
The group responsible for defending an organization’s use of information systems by maintaining its security posture against a group of mock attackers (Red Team).
Breach
An incident where an adversary has gained access to the internal network of an organization in a manner that breaks organizational policy, resulting in loss of information, data, or assets.
Bring Your Own Device (BYOD)
A policy allowing employees to bring personally owned devices to their workplace for use in business operations.
C
Cybersecurity Capability Maturity Model (C2M2)
A maturity model that enables organizations to evaluate, prioritize, and improve their cybersecurity capabilities.
CMMC Third-Party Assessment Organization (C3PAO)
An organization accredited by the CMMC Accreditation Body (Cyber AB) to conduct CMMC certification assessments of organizations seeking certification.
Security Assessment (CA)
The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.
Corrective Action Request (CAR)
A formal request to address a nonconformity or deficiency identified during an assessment or audit.
Certified CMMC Assessor (CCA)
An individual certified to conduct CMMC assessments as part of a C3PAO assessment team.
Certified CMMC Instructor (CCI)
An individual certified to deliver CMMC training and education programs.
Certified CMMC Professional (CCP)
An individual certified with foundational knowledge of the CMMC framework to assist organizations with compliance preparation.
Covered Defense Information (CDI)
Unclassified controlled technical information or other information that requires safeguarding or dissemination controls pursuant to law, regulations, and Government-wide policies.
Council of Economic Advisers (CEA)
An agency within the Executive Office of the President that advises the President on economic policy.
Certified Ethical Hacker (CEH)
A qualified individual who understands and knows how to look for weaknesses and vulnerabilities in target systems using the same knowledge and tools as a malicious hacker.
Computer Emergency Response Team (CERT)
A group of information security experts responsible for the protection against, detection of, and response to an organization’s cybersecurity incidents.
Code of Federal Regulations (CFR)
The codification of the general and permanent rules and regulations published in the Federal Register by the executive departments and agencies of the federal government.
Configuration Item (CI)
An identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes.
Chief Information Officer (CIO)
A senior executive responsible for the management, implementation, and usability of information and computer technologies within an organization.
Center for Internet Security (CIS)
A nonprofit organization focused on enhancing the cybersecurity readiness and response among public and private sector entities.
Cybersecurity and Infrastructure Security Agency (CISA)
The U.S. federal agency responsible for leading the national effort to understand, manage, and reduce risk to cyber and physical infrastructure.
Configuration Management (CM)
A collection of activities focused on establishing and maintaining the integrity of products and systems through control of processes for initializing, changing, and monitoring configurations.
CMMC
Cybersecurity Maturity Model Certification: a framework developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment to provide assurance that DIB contractors can adequately protect CUI at a level commensurate with risk.
CMMC Accreditation Body (CMMC-AB)
The organization, now operating as the Cyber AB, responsible for accrediting C3PAOs and certifying CMMC assessors to ensure the integrity of the CMMC assessment ecosystem.
Computer Numerical Control (CNC)
The automated control of machining tools by means of a computer, used in manufacturing for precision parts production.
Committee on National Security Systems Directive (CNSSD)
Directives issued by the Committee on National Security Systems that establish national policy for securing National Security Systems.
Communications Security (COMSEC)
Measures and controls taken to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such communications.
Consequence
Effect (change or non-change) usually associated with an event or condition, typically allowed, facilitated, caused, prevented, changed, or contributed to by the event, condition, or system.
Consumer
A natural person.
Container
A physical or logical location where assets are stored, transported, and processed. Can encompass technical containers, physical containers, and people.
Context Aware
The ability of a system or component to gather information about its environment at any given time and adapt behaviors accordingly using software and hardware.
Continuity of Operations
An organization’s ability to sustain assets and services in response to a disruptive event.
Continuous
Continuing without stopping; ongoing.
Continuous Monitoring
Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Contractor Risk Managed Asset (CRMA)
Assets capable of, but not intended to, process, store, or transmit CUI because of the security policy, procedures, and practices in place. Not required to be physically or logically separated from CUI Assets.
Children's Online Privacy Protection Act (COPPA)
A U.S. federal law that imposes certain requirements on operators of websites or online services directed to children under 13 years of age regarding the collection of personal information.
Control
The methods, policies, and procedures—manual or automated—used by an organization to safeguard and protect assets, promote efficiency, or adhere to standards.
Controlled Unclassified Information (CUI)
Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Controlled Technical Information (CTI)
Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
CUI Asset (CUIA)
An asset that processes, stores, or transmits CUI.
Critical Program Information (CPI)
Elements or components of a research, development, or acquisition program that, if compromised, could cause significant degradation in mission effectiveness.
Cryptographic Hashing Function
A mathematical algorithm that maps data of any size to a fixed-size value (digest) representative of that data, such that the original data cannot practically be recovered from the digest and two different inputs are infeasible to find with the same digest. Used to verify integrity, not to provide confidentiality.
Cryptographic Module Validation Program (CMVP)
A joint effort between NIST and the Canadian Centre for Cyber Security that validates cryptographic modules to FIPS 140 standards.
Cybersecurity Framework (CSF)
A framework developed by NIST providing a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks.
Center for Strategic and International Studies (CSIS)
A bipartisan, nonprofit policy research organization dedicated to advancing practical ideas on the world’s greatest challenges.
Cloud Service Provider (CSP)
A company that offers cloud computing services such as infrastructure, platform, or software services delivered via the cloud.
Common Vulnerabilities and Exposures (CVE)
A list of publicly disclosed computer security flaws. Each entry contains an identification number, description, and at least one public reference for publicly known cybersecurity vulnerabilities.
Common Weakness Enumeration (CWE)
A community-developed list of software and hardware weakness types that serves as a common language for describing software security weaknesses.
Customer Information
Any Nonpublic Information provided to the organization by a customer including customer documents, information entered into systems, and Personally Identifiable Information.
Cybersecurity
Prevention of damage to, protection of, and restoration of computers, electronic communication systems, and information contained therein to ensure availability, integrity, authentication, confidentiality, and nonrepudiation.
Cybersecurity Event
Any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such system.
D
Data Loss Prevention (DLP)
The practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data to protect and secure data and comply with regulations.
DIB Collaborative Information Sharing Environment (DCISE)
A collaborative environment for sharing cyber threat information between the DoD and the Defense Industrial Base.
Defense Contract Management Agency (DCMA)
The DoD agency that works directly with defense suppliers to help ensure that DoD, federal, and allied government supplies and services are delivered on time, at projected cost, and meet performance requirements.
Distributed Control System (DCS)
A computerized control system for a process or plant usually with many control loops, in which autonomous controllers are distributed throughout the system.
Defense Federal Acquisition Regulation Supplement (DFARS)
Regulations that supplement the Federal Acquisition Regulation (FAR) specifically for the Department of Defense, including cybersecurity requirements for defense contractors.
Defense Industrial Base (DIB)
The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
The DoD organization responsible for assessing defense contractors’ compliance with cybersecurity requirements.
Defense Industrial Base Network (DIBNET)
A network and portal for sharing cyber threat information between the DoD and Defense Industrial Base partners.
Defined Process
A defined process includes guidelines for tailoring the process to meet the needs of an organizational unit. A defined process provides a predictable level of consistency in asset management activities across the organization.
Deidentified
Information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
Demilitarized Zone (DMZ)
A perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s Information Assurance policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks.
Dependency
When an entity has access to, control of, ownership in, possession of, responsibility for or other defined obligations related to one or more assets or services of the organization.
Device
Any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.
Device Health Check (DHC)
A process of verifying the security posture and compliance status of a device before granting access to network resources.
Domain
CMMC: Grouping of like practices based on the 14 control families set forth in NIST SP 800-171. Networking: A region characterized by a special feature, or a territory governed by a single ruler or government.
DomainKeys Identified Mail (DKIM)
An email authentication method in which the sending domain signs selected message headers and the body with a private key, and the receiver verifies the signature against a public key published in the domain's DNS. A valid signature shows the message was authorized by that domain and was not altered in transit; it does not by itself prove the visible From address is legitimate, which is why DKIM is paired with DMARC.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
An email authentication protocol that builds on SPF and DKIM. The domain owner publishes a DNS policy (none, quarantine, or reject) telling receivers what to do with messages whose SPF or DKIM result does not align with the From domain, and can request aggregate reports on messages claiming to come from the domain.
Domain Name System (DNS)
The hierarchical and decentralized naming system used to identify computers, services, and other resources reachable through the Internet or other networks.
Domain Name System Security Extensions (DNSSEC)
A suite of extensions that add origin authentication and integrity protection to DNS by digitally signing resource records, so that a validating resolver can detect forged or modified responses. DNSSEC does not encrypt DNS traffic and so provides no confidentiality.
Department of Defense (DoD)
The federal executive department charged with coordinating and supervising all agencies and functions of the U.S. government directly related to national security and the United States Armed Forces.
Department of War (DoW)
The original name of the U.S. Cabinet department responsible for military affairs, established on August 7, 1789, under President George Washington. It oversaw the operation and maintenance of the United States Army for 158 years until 1947, when the National Security Act reorganized it into the Department of the Army and the Department of the Air Force under the National Military Establishment (later renamed the Department of Defense). In September 2025, an executive order restored “Department of War” as a secondary title for the Department of Defense.
Department of Defense Instruction (DoDI)
A type of issuance from the Department of Defense that establishes policy, assigns responsibilities, and provides procedures for DoD activities.
Derived PIV Credential Issuers (DPCI)
Entities authorized to issue derived Personal Identity Verification credentials for mobile devices.
Digital Versatile Disc (DVD)
A type of optical media storage format capable of storing large amounts of data.
E
Enclave
Any small, distinct area or group enclosed or isolated within a larger one. In CMMC assessment scoping (see Assessment Scope), a bounded, segmented portion of an organization's environment that is assessed as a unit rather than the whole enterprise.
Encryption
The process of changing plain text into ciphertext.
Encryption Policies
Policies that manage the use, storage, disposal, and protection of cryptographic keys used to protect organization data and communications.
Endorse
Declare one’s public approval or support of.
Enterprise
An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance.
Enterprise Architecture
The description of an enterprise’s entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture.
Enterprise Mission Assurance Support Service (eMASS)
A government owned web-based application with a broad range of services for comprehensive fully integrated cybersecurity management.
Environment of Operations
The physical and logical surroundings in which an information system processes, stores, and transmits information.
Establish and Maintain
Whenever used as a phrase, it refers not only to the development and maintenance of the object of the practice (such as a policy) but to the documentation of the object and observable usage of the object.
Event
Any observable occurrence in a system and/or network. Events sometimes provide indication that an incident is occurring.
Event Correlation
Finding relationships between two or more events.
Exercise
A simulation of an emergency designed to validate the viability of one or more aspects of an information technology plan.
Executive Order (E.O.)
A directive issued by the President of the United States that manages operations of the federal government.
External Serial Advanced Technology Attachment (eSATA)
An external connector and cabling variant of the SATA interface that gives external storage devices the same data transfer rates as internal SATA drives.
External Service Provider (ESP)
External people, technology, or facilities that the organization utilizes including Cloud Service Providers, Managed Service Providers, and Managed Security Service Providers.
F
Facility
Physical means or equipment for facilitating the performance of an action, e.g., buildings, instruments, tools.
Frequently Asked Question (FAQ)
A list of questions and answers relating to a particular subject, especially one giving basic information for users.
Federal Acquisition Regulation (FAR)
The primary regulation for use by all federal executive agencies in their acquisition of supplies and services with appropriated funds.
Federal Bureau of Investigation (FBI)
The domestic intelligence and security service of the United States and its principal federal law enforcement agency.
Federal Contract Information (FCI)
Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government.
Fiber Distributed Data Interface (FDDI)
A set of ANSI and ISO standards for data transmission on fiber optic lines in a local area network.
Full Disk Encryption (FDE)
Encryption that automatically converts data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to undo the conversion.
Federal Risk and Authorization Management Program (FedRAMP)
A U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Federally Funded Research and Development Center (FFRDC)
Organizations that assist the United States government with scientific research and analysis, development and acquisition, and systems engineering and integration.
Federated Trust
Trust established within a federation or organization, enabling each of the mutually trusting realms to share and use trust information obtained from any of the other mutually trusting realms.
Federation
A collection of realms (domains) that have established trust among themselves. The level of trust may vary, but typically includes authentication and may include authorization.
Federal Information Processing Standard (FIPS)
Standards and guidelines for federal computer systems developed by NIST in accordance with the Federal Information Security Management Act.
FIPS 140-2 and 140-3
NIST standards that specify the security requirements for cryptographic modules. FIPS 140-2 was published in 2001 and superseded by FIPS 140-3 in 2019; the CMVP stopped accepting new FIPS 140-2 submissions in 2021. Vendors submit cryptographic modules to the CMVP for validation against these standards, and a compliance claim rests on the specific validated module and its certificate, not on a product merely using an approved algorithm.
Firewall
A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.
Flash Drive
A removable storage device that utilizes the USB port of a system for data transfer.
Full-Time Equivalent (FTE)
A unit to measure employed persons or students in a way that makes them comparable although they may work or study a different number of hours per week.
File Transfer Protocol (FTP)
A standard network protocol used for the transfer of computer files between a client and server on a computer network. FTP sends credentials and file contents in cleartext; transfers of sensitive data should use SFTP or FTPS instead.
G
General Data Protection Regulation (GDPR)
A regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
Government Property
All property owned or leased by the government. Government property includes both government-furnished and contractor-acquired property. It includes material, equipment, special tooling, special test equipment, and real property but does not include intellectual property or software.
H
Health Insurance Portability and Accountability Act (HIPAA)
A U.S. federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
Homeland Security Presidential Directive (HSPD)
Presidential directives that record and communicate presidential decisions about the homeland security policies of the United States.
Hashing
Applying a cryptographic hash function to a digital artifact to produce a digest that can later be recomputed and compared to detect any change to the artifact. Hashing provides a mechanism for tracking integrity but not confidentiality; confidentiality must be handled separately by a different mechanism, such as encryption.
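The Cryptographic Hashing Function and Hashing entries both make the same two points: a digest detects any change to the data, and a digest is not a secret. The following is an added example, not part of the glossary, showing both with SHA-256 from the Python standard library; the file contents, the "secret" and the candidate list are constructed for illustration.

```python
"""
Added example (not from the glossary): a cryptographic hash used as an
integrity check, plus a demonstration of why hashing a guessable value does
not keep it confidential. All data below is constructed.
"""
import hashlib
import hmac

ORIGINAL = b"part-number: 4471-A\nrevision: C\n"
TAMPERED = b"part-number: 4471-A\nrevision: D\n"   # exactly one byte changed


def digest(data: bytes) -> str:
    """SHA-256 hex digest: always 64 hex characters, whatever the input size."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare in constant time, so the comparison
    itself does not leak how many leading characters matched."""
    return hmac.compare_digest(digest(data), expected_hex)


def differing_bits(a_hex: str, b_hex: str) -> int:
    """Hamming distance between two hex digests (avalanche effect check)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def recover_low_entropy_secret(target_hex: str, candidates):
    """Hashing does not hide a guessable value: an attacker who can enumerate
    the candidate space hashes each candidate and compares digests."""
    for candidate in candidates:
        if digest(candidate.encode()) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    known_good = digest(ORIGINAL)          # what you would record at release time
    print("original ok :", verify_integrity(ORIGINAL, known_good))   # True
    print("tampered ok :", verify_integrity(TAMPERED, known_good))   # False
    print("bits changed:", differing_bits(known_good, digest(TAMPERED)), "of 256")
    pin_hash = digest(b"1234")
    print("recovered   :", recover_low_entropy_secret(pin_hash, (f"{n:04d}" for n in range(10000))))
```

The avalanche figure (roughly half of the 256 bits flip for a one-byte edit) is why a digest is a reliable change detector. The last line is the caveat: a hashed four-digit PIN is recovered by hashing all ten thousand candidates, which is why hashing alone is an integrity mechanism and confidentiality needs encryption, or for passwords a salted, deliberately slow password hash.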
High-Value Asset (HVA)
An asset, information system, information, or data for which unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the organization’s interests.
High-Value Service
A service on which the success of the organization’s mission depends.
Honey Pot
Programs that simulate one or more network services on your computer’s ports. An attacker assumes you’re running vulnerable services that can be used to break into the machine. A honey pot can be used to log access attempts including the attacker’s keystrokes.
I
Identification
The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items.
Identity
The set of attribute values by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity. This also encompasses non-person entities (NPEs).
Identity Management System
One or more systems or applications that together manage the identity verification, validation, and credential issuance process.
Identity, Credential, and Access Management (ICAM)
Programs, processes, technologies, and personnel used to create trusted digital identity representations of individuals and non-person entities, bind those identities to credentials, and leverage the credentials to provide authorized access to an organization’s resources.
Identity-Based Access Control (IBAC)
Access control based on the identity of the user where access authorizations to specific objects are assigned based on user identity.
Incident
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies.
Incident Handling
The actions the organization takes to prevent or contain the impact of an incident while it is occurring or shortly after it has occurred. Also known as Incident Response.
Incident Stakeholder
A person or organization with a vested interest in the management of an incident throughout its life cycle.
Industrial Control System (ICS)
General term that encompasses several types of control systems, including SCADA systems, distributed control systems, and other control system configurations such as programmable logic controllers found in industrial sectors and critical infrastructures.
Industrial Internet of Things (IIoT)
See Internet of Things. Interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features used in industrial environments.
Information Flow
The flow of information or connectivity from one location to another. This can be related to data as well as connectivity from one system to another, or from one security domain to another.
Information System (IS)
A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information.
Information System Component
A discrete, identifiable information technology asset that represents a building block of an information system, excluding separately authorized systems.
Insider
Any person with authorized access to any organization or United States Government resource to include personnel, facilities, information equipment, networks, or systems.
Insider Threat
The threat that an insider will use their authorized access, wittingly or unwittingly, to do harm to the security of the organization. This can include damage through espionage, terrorism, unauthorized disclosure, or the loss or degradation of resources or capabilities.
Integrity
The security objective that generates the requirement for protection against either intentional or accidental attempts to violate data integrity or system integrity.
Internet of Things (IoT)
Interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features. They may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors.
Inventory
The physical or virtual verification of the presence of each organizational asset.
L
Law, Regulation, or Government-Wide Policy (LRGWP)
The legal and regulatory framework that establishes requirements for handling and protecting government information.
Least Privilege
Requires that each user account, process, system, device, etc. within the computing environment can only access the information and resources that are necessary for its legitimate purpose.
Life Cycle
Evolution of a system, product, service, project, or other human-made entity from conception through retirement.
M
Maintenance
Any act that either prevents the failure or malfunction of equipment or restores its operating capability.
Malicious Code
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. Includes viruses, worms, Trojan horses, spyware, and some forms of adware.
Malware
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host.
Managed Services Provider (MSP)
A company that remotely manages a customer’s IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model.
Managed Security Services Provider (MSSP)
A company that provides outsourced monitoring and management of security devices and systems.
Media
Physical devices or writing surfaces including magnetic tapes, optical disks, magnetic disks, LSI memory chips, and printouts onto which information is recorded, stored, or printed within an information system.
Media Sanitization
The actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Mobile Code
Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.
Mobile Device
A portable computing device that has a small form factor, is designed to operate wirelessly, possesses local non-removable data storage, and is powered for extended periods with a self-contained power source. Examples include smart phones, tablets, and e-readers.
Monitor
The act of continually checking, supervising, critically observing, or determining the status in order to identify change from the performance level required or expected.
Multifactor Authentication (MFA)
An authentication system that requires more than one authentication factor for successful authentication. The three factors are: something you know, something you have, and something you are.
N
National Institute of Standards and Technology (NIST)
A non-regulatory federal agency within the U.S. Department of Commerce that promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology.
Natural Person
A human being, as opposed to a Legal Person, which is an entity or group considered collectively as a single individual for legal purposes.
Nonpublic Information
All electronic information that is not Publicly Available Information and is: business related information of a client; Personally Identifiable Information; or any health-related data in any form or medium created by or derived from a health care provider or individual.
O
Ongoing Basis
Actions that do not stop unless a stop action is purposely put in place.
Out-of-Scope Assets (OoSA)
Assets that cannot process, store, or transmit CUI. These assets are required to be physically or logically separated from CUI assets.
Operational Technology (OT)
Technology used in manufacturing systems, industrial control systems (ICS), or SCADA systems. OT may include programmable logic controllers (PLCs), CNC devices, machine controllers, fabricators, assemblers, and machining.
Organization
An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements).
Organization Seeking Certification (OSC)
The entity that is going through the CMMC assessment process to receive a level of certification for a given environment.
Organizational System(s)
The term used in many CUI security requirements in NIST SP 800-171. Requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.
Organizationally Defined
Parameters or values that are left to the discretion of the implementing organization, allowing flexibility in how controls and practices are applied.
P
Patch
An update to an operating system, application, or other software issued specifically to correct particular problems with the software.
Patching
The process of downloading and installing a patch.
Penetration Testing
Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Often involves issuing real attacks on real systems and data using the same tools and techniques used by actual attackers.
Periodically
Occurring at regular intervals. As used in CMMC, the interval length is organizationally defined with an interval of no more than one year.
Person
A Natural Person, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.
Personally Identifiable Information (PII)
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Phishing
An email-borne attack that attempts to get the recipient to perform a malicious action. Many attacks attempt to obtain confidential information by sending an email with a link or attachment that looks like it’s from a legitimate source.
PII Subject
The person about whom the Personally Identifiable Information pertains.
Plan
An artifact or collection of artifacts that provides oversight for implementing defined CMMC policies. Unlike Procedures, Plans are inherently intended to be more flexible because the nature of an event can vary.
Plan of Action and Milestones (POA&M)
A document that identifies tasks needing to be accomplished to correct deficiencies found during assessments, with milestones for completion.
Policy
An artifact or collection of artifacts that establishes governance over the implementation of CMMC practices and activities. Policies provide answers to “what” and “why” without dealing with “how” and are normally technology-independent.
Portable Storage Device
A system component that can be inserted into and removed from a system, used to store data or information (e.g., floppy disks, CDs/DVDs, flash/thumb drives, external hard drives).
Practice
An activity or set of activities that are performed to meet a defined objective.
Privilege
A right granted to an individual, program, or process.
Privileged Access
Rights to access information and computer resources that are greater than those of a regular user.
Privileged Account
A user, system, or network account authorized (and trusted) to perform security-relevant functions that ordinary accounts are not authorized to perform.
Privileged User
A user who is authorized (and trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Procedure
A set of steps to be followed to ensure a policy is properly implemented. Should provide enough detail for a trained individual to perform the activity.
Process
With respect to CUI Assets, process means that CUI can be used by that asset (e.g., accessed, entered, edited, generated, manipulated, or printed). Also: a procedural activity performed to implement a defined objective.
Proxy
An application that “breaks” the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network, processes it, and forwards it, making it more difficult for an attacker to obtain internal addresses.
Publicly Available Information
Any information that the organization has a reasonable basis to believe is lawfully made available to the general public from Federal, State or local government records, widely distributed media, or disclosures required by law.
R
Responsible, Accountable, Consulted, and Informed (RACI)
A matrix that defines the roles and responsibilities for a given task: Responsible, Accountable, Consulted, and Informed.
Real Time
Pertaining to the performance of a computation during the actual time that the related physical process transpires so that the results can be used to guide the physical process.
Recovery
Actions necessary to restore data files of an information system and computational capability after a system failure.
Red Team
A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture.
Red Teaming
The acts performed by a red team to identify weaknesses, vulnerabilities, procedural shortcomings, and misconfigurations within an organization’s cyber environment.
Regularly
On a regular basis; at regular intervals.
Remote Access
Access to an organizational system by a user communicating through an external network (e.g., the Internet).
Removable Media
Portable data storage medium that can be added to or removed from a computing device or network. Examples include optical discs, external hard drives, USB drives, flash memory cards, and magnetic tapes.
Reporting (Forensics)
The final phase of the computer and network forensic process, which involves reporting the results of the analysis, including describing actions used, explaining tool and procedure selection, and providing recommendations for improvement.
Residual Risk
Portion of risk remaining after security measures have been applied.
Resilience
The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions, including deliberate attacks, accidents, or naturally occurring threats.
Restricted Information Systems
Systems configured based on government requirements and used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas).
Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event. Typically expressed as a function of the adverse impacts that would arise if the event occurs and the likelihood of occurrence.
Risk Analysis
The process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact.
Risk Assessment
The process of identifying risks to organizational operations, assets, individuals, other organizations, and the Nation, resulting from the operation of a system.
Risk-Based Authentication
Any risk-based system of authentication that detects anomalies or changes in normal use patterns and requires additional verification when deviations are detected.
Risk Categories
An organizationally defined description of risk that typically aligns with the various sources of operational risk but can be tailored to the organization’s unique risk environment.
Risk Management (RM)
The program and supporting processes to manage information security risk to organizational operations, assets, individuals, other organizations, and the Nation.
Risk Management Criteria
Objective criteria that the organization uses for evaluating, categorizing, and prioritizing operational risks based on areas of impact.
Risk Mitigation
Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
Risk Mitigation Plan
A strategy for mitigating risk that seeks to minimize the risk to an acceptable level.
Risk Sources
The fundamental areas of risk that can affect organizational services and associated assets while in operation to meet the organization’s mission.
Risk Tolerance
The level of risk an entity is willing to assume in order to achieve a potential desired result.
Root Cause Analysis
An approach for determining the underlying causes of events or problems as a means of addressing the symptoms of such events as they manifest in organizational disruptions.
Root Directory
The top-level directory in a folder hierarchy.
S
Specialized Asset (SA)
Assets that may or may not process, store, or transmit CUI. Includes government property, IoT devices, Operational Technology, Restricted Information Systems, and Test Equipment.
Safeguards
The protective measures prescribed to meet the security requirements specified for an information system. Synonymous with security controls and countermeasures.
Sandboxing
A restricted, controlled execution environment that prevents potentially malicious software from accessing any system resources except those for which the software is authorized.
Scanning
Sending packets or requests to another system to gain knowledge about the asset, processes, services, and operations.
Scope
Defines all assets that will be assessed.
Security Control Assessment
The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.
Security Control Inheritance
A situation in which an information system or application receives protection from security controls developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system.
Security Domain
An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy.
Security Incident and Event Management (SIEM)
A tool that provides real-time analysis of security alerts generated by applications and network hardware.
Security Operations Center (SOC)
A centralized function within an organization utilizing people, processes, and technologies to continuously monitor and improve security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
Security Policy
Defines the objectives and constraints for the security program.
Security Protection Assets (SPA)
Assets that provide security functions or capabilities within the contractor’s CMMC Assessment Scope.
Senior Executive Team
The senior individual or individuals responsible for the management, operations, security, information systems, compliance and/or risk of the organization.
Sensitive Information
Information where the loss, misuse, or unauthorized access or modification could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled.
Separation of Duties
The principle of splitting privileges among multiple individuals or systems.
Service Continuity Plan
A service-specific plan for sustaining services and associated assets under degraded conditions.
Service Responsibility Matrix (SRM)
A document that defines the responsibilities between a service provider and customer for each security control or service component.
Session
A virtual connection between two devices by which network traffic is passed.
Session Key
A temporary key used for a relatively short period of time, typically for the duration of a single connection or transaction set.
SHA-256
A Secure Hash Algorithm (SHA) that produces a condensed representation of electronic data, or message digest, 256 bits in length.
Single Sign-On (SSO)
An authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.
Situational Awareness (SA)
The perception of an enterprise’s security posture and its threat environment; the comprehension of both taken together (risk); and the projection of their status into the near future.
Small and Medium Businesses (SMB)
Companies that fall below certain thresholds for revenue or number of employees, often targeted by cybersecurity requirements due to their role in supply chains.
Software
Computer programs stored in and executed by computer hardware, and associated data that may be dynamically written or modified during execution.
SPAM
Unsolicited or unauthorized email, blog postings, newsgroup postings, or related communications.
Specialized Assets
For CMMC Level 2 assessments: Government Property, IoT/IIoT, Operational Technology, Restricted Information Systems, and Test Equipment when properly documented.
Split Tunneling
The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network.
Spyware
Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.
Supplier Performance Risk System (SPRS)
The authoritative source to retrieve supplier and product performance information assessments for the DoD acquisition community. Provides on-time delivery scores, quality classifications, NIST SP 800-171 assessment results, and supply chain illumination.
Standard
A document established by consensus and approved by a recognized body that provides common and repeated use rules, guidelines, or characteristics for activities or their results.
Standard Process
An operational definition of the basic process that guides the establishment of a common process in an organization.
Store
With respect to CUI Assets, store means that CUI is inactive or at rest on the asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents).
Subnetwork
A subordinate part of an organization’s enterprise network.
Supply Chain
A system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers.
Supply Chain Attack
Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data or manipulate IT hardware, software, operating systems, peripherals, or services at any point during the life cycle.
Supply Chain Risk Management (SCRM)
A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies.
Sustain
Maintain a desired operational state.
System Assets
Any software, hardware (IT, OT, IoT), data, administrative, physical, communications, or personnel resource within an information system.
System Boundary
The scope of the system and environment being assessed. Equivalent to the defined CMMC Assessment Scope.
System Integrity
The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation.
System Interconnection
The direct connection of two or more IT systems for the purpose of sharing data and other information resources.
System Security Plan (SSP)
The formal document prepared by the information system owner that provides an overview of the security requirements for the system and describes the security controls in place or planned.
T
Two-Factor Authentication (2FA)
A security process in which users provide two different authentication factors to verify themselves.
Tampering
An intentional but unauthorized act resulting in the modification of a system, components of systems, its intended behavior, or data.
Test Equipment
Hardware and/or associated IT components used in the testing of products, system components, and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters).
Third Party
A Person that is not an affiliate of the organization and provides services to the organization.
Third Party Service Provider
A Person that is not an affiliate of the organization, provides services to the organization, and maintains, processes, or otherwise is permitted access to Nonpublic Information.
Threat
Any circumstance or event with the potential to adversely impact organizational operations, assets, individuals, other organizations, or the Nation through unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Threat Actor
An individual or a group posing a threat.
Threat Intelligence
Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
Threat Monitoring
Analysis, assessment, and review of audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security.
Transmit
With respect to CUI Assets, transmit means that CUI is being transferred from one asset to another (e.g., data in transit using physical or digital transport methods).
Trigger
A set of logic statements to be applied to a data stream that produces an event when an anomalous incident or behavior occurs.
Trojan Horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms.
Tunneling
Technology enabling one network to send its data via another network’s connections by encapsulating a network protocol within packets carried by the second network.
U
Unauthorized Access
Any access that violates the stated security policy.
Universal Serial Bus (USB)
An industry standard for short-distance digital data communications, commonly used for connecting peripherals and storage devices to computers.
User
Individual, or (system) process acting on behalf of an individual, authorized to access the system.
V
Virus
A computer program that can copy itself and infect a computer without permission or knowledge of the user. May corrupt or delete data, spread via email, or erase everything on a hard disk.
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Vulnerability Assessment
Systematic examination of an information system or product to determine the adequacy of security measures, identify deficiencies, provide data to predict the effectiveness of proposed measures, and confirm adequacy after implementation.
Vulnerability Management
An Information Security Continuous Monitoring capability that identifies vulnerabilities on devices that are likely to be used by attackers to compromise a device and extend compromise to the network.
Vulnerability Scan
Analyzing a device to identify any known vulnerabilities by comparing software/hardware versions against publicly-maintained lists of known vulnerabilities such as those in the National Vulnerability Database.
W
Whitelist
An approved list or register of entities that are provided a particular privilege, service, mobility, access, or recognition. An implementation of a default deny-all or allow-by-exception policy.