The Library · Reference Volume 01

Compliance Glossary

A working reference for the people who actually carry the audit. 271 terms across 14 pillars, defined the way a senior practitioner would use them in a meeting.

A · 30 terms

A2A

AI Governance

Agent-to-Agent protocol enabling AI systems to communicate and delegate tasks across organizational boundaries. A2A creates new governance requirements because automated agent interactions bypass traditional human approval workflows.

AAL3

Federal Zero Trust

Authenticator Assurance Level 3, the highest of the three NIST SP 800-63B authenticator assurance levels. AAL3 requires multi-factor authentication using a hardware-based cryptographic authenticator (such as a FIDO2 security key or a PIV smart card) plus verifier impersonation resistance, meaning the protocol is designed so an attacker cannot relay the authentication to a malicious site. OMB Memorandum M-22-09 requires federal civilian executive branch agencies to use phishing-resistant multi-factor authentication for staff, contractors, and partners; AAL3 authenticators satisfy the phishing-resistant requirement, whereas AAL2 with SMS or push notifications does not.

Access Control

Cybersecurity

Security mechanism that restricts system access based on identity, role, or clearance level. SOC 2 maps access controls to CC6.1, where 68% of findings cite accounts active more than 30 days after employee departure.

Adequate Security

A DFARS 252.204-7012 term of art meaning protective measures commensurate with the consequences and probability of loss, misuse, or unauthorized access to covered defense information. The clause establishes implementation of NIST SP 800-171 as the minimum baseline that satisfies the adequate security obligation; anything less must be approved in writing by the DoD CIO.

Administrative Safeguards

HIPAA Security Rule category covering policies, procedures, and workforce management that protect ePHI. Administrative safeguards include risk analysis, workforce training, contingency planning, and security management processes.

AI Governance

AI Governance

Organizational framework of policies, oversight structures, and accountability mechanisms that govern AI system development and deployment. Effective AI governance addresses bias, transparency, data privacy, and regulatory compliance across the entire AI lifecycle.

AI Governance Board

Federal AI Governance

The cross-functional body OMB Memorandum M-25-21 requires every CFO Act agency to convene under the chairmanship of the agency CAIO. The board reviews proposed high-impact AI use cases, approves or denies the use case for production, oversees compliance with the minimum risk management practices, and signs off on the agency annual AI use case inventory before publication. Required participants include the CIO, CISO, Chief Data Officer, Chief Privacy Officer, General Counsel, and senior program officials from the mission components deploying AI. Cabinet-level agencies were required to convene the board by August 12, 2025.

AI Literacy

AI Governance

Under EU AI Act Article 4, the skills, knowledge, and understanding that enable personnel to make informed decisions about AI system deployment and use. AI literacy is an affirmative obligation on both providers and deployers, proportionate to role and exposure, entering force February 2, 2025.

AI Risk Assessment

AI Governance

Structured evaluation of threats and impacts associated with AI system deployment. The NIST AI RMF organizes AI risk assessment around four functions: Govern, Map, Measure, and Manage.

AI Risk Management

AI Governance

Systematic process of identifying, assessing, and mitigating risks from AI systems throughout their lifecycle. ISO 42001 and NIST AI RMF provide the two primary frameworks for structuring AI risk management programs.

AI System Inventory

AI Governance

Documented catalog of all AI models, algorithms, and automated decision systems deployed within an organization. The EU AI Act requires organizations to maintain inventories that classify each system by risk tier.

AI Transparency

AI Governance

Requirement that AI systems disclose their capabilities, limitations, and decision-making processes to affected parties. The EU AI Act mandates transparency obligations for all AI systems interacting with humans.

AI Use Case Inventory

Federal AI Governance

The annual public inventory of agency AI use cases that OMB Memorandum M-25-21 requires every federal agency to publish, building on the Executive Order 13960 inventory framework. The inventory lists each use case, the mission purpose, the deployment status, and whether the use case is classified as high-impact. CAIO approval is required for the inventory before publication, and the inventory feeds the government-wide ai.gov dashboard. Agencies that omit known production AI from the inventory face OMB findings in the annual review.

AICPA

Cybersecurity

American Institute of Certified Public Accountants, the professional organization that develops the Trust Services Criteria underpinning SOC 2 audits. AICPA sets the standards that CPA firms use to evaluate service organization controls.

Structured evaluation of how an AI system affects individuals and groups, examining bias, fairness, and civil liberties implications. Required under multiple regulatory frameworks including the EU AI Act for high-risk systems.

Allowable Cost

GovCon Compliance

A cost that the government will reimburse under a cost-type contract because it satisfies all four FAR 31.201-2 tests: it is reasonable, it is allocable to the contract, it conforms to the Cost Accounting Standards or GAAP as applicable, and it complies with the terms of the contract and any limitations in FAR Subpart 31.2. Allowability is a contractual concept, not an accounting one. A cost can be properly recorded, fully documented, and economically justified, and still be unallowable for government billing purposes because FAR 31.205 specifically excludes it.

ALE

GRC Engineering

The expected dollar value of loss from a specific risk scenario over one year, calculated as Loss Event Frequency multiplied by Loss Magnitude. ALE is the core output of a FAIR analysis, expressed as a probability-weighted range rather than a single point estimate.

API

GRC Engineering

Application Programming Interface, a standardized connection point that allows software systems to exchange data. In GRC engineering, APIs connect compliance platforms with cloud providers, identity systems, and evidence repositories.

Assess Step (RMF Step 4)

FISMA & NIST RMF

The fourth step of the Risk Management Framework, in which an independent assessor tests each implemented control against the assessment procedures in NIST SP 800-53A and produces a Security Assessment Report. The SAR documents which controls are satisfied, which are partially satisfied, and which are not, and is the primary evidentiary basis for the authorization decision in Step 5.

ASV

Cybersecurity

Approved Scanning Vendor, a company authorized by the PCI Security Standards Council to perform external vulnerability scans. PCI DSS requires ASV scans at least quarterly for organizations handling cardholder data.

ATO

FISMA & NIST RMF

Authority to Operate, the formal management decision by an Authorizing Official to accept the risk of operating a federal information system. An ATO is granted at the conclusion of RMF Step 5 based on the Security Assessment Report, the Plan of Action and Milestones, and the residual risk determination. ATOs are typically valid for three years under traditional RMF or maintained indefinitely under Ongoing Authorization.

ATO Sponsor

FedRAMP

The federal agency that issues an Authority to Operate to a cloud service provider and assumes responsibility for ongoing oversight of that authorization. Under the post-JAB FedRAMP 20x model, every authorization requires a sponsoring agency; the FedRAMP Program Management Office reviews the assessment package but does not itself sponsor. Without a sponsor, a cloud service cannot reach Authorized status.

AoC

Cybersecurity

A summary certification document confirming an organization's PCI DSS compliance status. The AoC accompanies the Report on Compliance for QSA-assessed entities or the Self-Assessment Questionnaire for self-assessing entities.

Audit Readiness

State of preparedness where an organization can produce sufficient evidence to satisfy audit requirements on demand. Audit readiness transforms compliance from a periodic scramble into a continuous operating state.

Audit Trail

SOC 2

Chronological record of system activities providing documentary evidence of operations, user actions, and data changes. SOC 2 auditors evaluate audit trails under CC7.2 to verify that anomalies are detected and investigated.

Authorization Boundary

Federal GRC Engineering

The set of information system components included within an Authority to Operate, the perimeter the Authorizing Official accepts risk for. NIST SP 800-37 Revision 2 defines the boundary as all components an organization owns, operates, or has direct responsibility for that contribute to the system mission. Boundary definition is the first technical decision in the Risk Management Framework after categorization: a boundary drawn too narrowly leaves dependencies unauthorized, while one drawn too broadly inflates the assessment scope. Cloud authorization boundaries typically include the customer tenancy, the inherited cloud service controls, and the integrations to other authorized systems.

Authorize Step (RMF Step 5)

FISMA & NIST RMF

The fifth step of the Risk Management Framework, in which the Authorizing Official reviews the Security Assessment Report, the Plan of Action and Milestones, and the residual risk and either grants an Authority to Operate, grants a conditional ATO, or denies authorization. The decision is a formal acceptance of risk by a senior agency official and is the act that legally permits the system to process federal data.

Authorizing Official (AO)

Federal GRC Engineering

The senior federal official with the authority to formally accept the risk of operating an information system on behalf of the agency, defined in NIST SP 800-37 Revision 2 Appendix D. The AO is typically a senior executive at the assistant secretary or component head level, never the system owner. The AO reviews the Security Assessment Report, the Plan of Action and Milestones, and the residual risk, and either grants the Authority to Operate, grants a conditional ATO, or denies authorization. The AO signature is the legal act that permits the system to process federal data.

Availability

SOC 2

One of five SOC 2 Trust Services Criteria, requiring that systems operate and are accessible as committed in service-level agreements. Availability controls cover disaster recovery, capacity planning, and incident response.

AWS

GRC Engineering

Amazon Web Services, the cloud infrastructure platform used by a majority of SOC 2 audit candidates. AWS provides shared responsibility documentation and compliance artifacts through AWS Artifact for audit preparation.

B · 5 terms

BAA

HIPAA

Business Associate Agreement, a HIPAA-mandated contract between a covered entity and any vendor that handles PHI. Without a signed BAA, sharing PHI with a third party constitutes a HIPAA violation regardless of actual data handling practices.

Biometrics

AI Governance

Authentication methods using unique biological characteristics such as fingerprints, facial recognition, or iris patterns. The EU AI Act classifies real-time biometric identification in public spaces as a prohibited AI practice.

BOD

Federal Cybersecurity

Binding Operational Directive, a compulsory instruction CISA issues under 44 U.S.C. 3553(b) to federal civilian executive branch agencies for the purpose of safeguarding federal information and information systems. BODs carry the force of law for FCEB agencies and are time-bound: each directive includes specific actions and deadlines (BOD 22-01 set 14-day and 21-day remediation windows for vulnerabilities in the KEV Catalog, for example). BODs are the standing mechanism CISA uses for sustained programs; Emergency Directives address acute, time-critical threats.

Breach Notification

HIPAA

HIPAA requirement that covered entities notify affected individuals within 60 days of discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals also require notification to HHS and prominent media outlets.

Business Associate

HIPAA

Any person or organization performing functions involving PHI on behalf of a HIPAA covered entity. Business associates carry direct HIPAA liability and face the same penalty structure as covered entities for violations.

C · 53 terms

C3PAO

Cybersecurity

Certified Third-Party Assessment Organization, accredited by The Cyber AB to conduct CMMC Level 2 certification assessments. Only C3PAO assessments produce valid CMMC certifications. Accreditation status is verifiable through The Cyber AB Marketplace.

C3PAO

CMMC

Certified Third-Party Assessment Organization, a firm authorized by the Cyber AB to perform CMMC Level 2 certification assessments. A C3PAO must complete its own DIBCAC High assessment of its internal Federal Contract Information environment before it can assess others. As of early 2026 fewer than 80 C3PAOs are authorized, against an estimated assessable base of 80,000 prime and subcontractor entities.

CAGE Code

GovCon Compliance

Commercial and Government Entity code, the five-character alphanumeric identifier the Defense Logistics Agency assigns to entities doing business with the federal government. The CAGE Code is generated automatically when an entity completes SAM.gov registration. NATO entities receive an NCAGE through the parallel NATO Codification System. The CAGE Code is the identifier embedded in DoD contract files, packing slips, and the Wide Area Workflow invoicing system; it is distinct from the UEI and the two are not interchangeable, though both are required for award.

CAIO

Federal AI Governance

Chief Artificial Intelligence Officer, the senior agency official OMB Memorandum M-25-21 (April 3, 2025) requires every CFO Act agency to designate. The CAIO chairs the agency AI Governance Board, approves the agency use of high-impact AI, signs the annual AI compliance plan, and coordinates with the agency CIO on technology and the CISO on security. M-25-21 supersedes the Biden-era M-24-10 but retains the CAIO role; cabinet-level agencies were required to convene their governance bodies by August 12, 2025 and issue compliance plans by December 26, 2025. The CAIO reports to the agency head, not to the CIO.

CDE

Cybersecurity

The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. Defining the CDE boundary is the foundational scoping exercise for any PCI DSS assessment.

CASB

AI Governance

Cloud Access Security Broker, a security enforcement point between users and cloud services that applies data loss prevention, access control, and threat protection policies. CASBs provide visibility into shadow IT and unsanctioned SaaS usage.

Categorize Step (RMF Step 1)

FISMA & NIST RMF

The first operational step of the Risk Management Framework, in which the system owner uses FIPS 199 to classify the information system as Low, Moderate, or High impact based on the worst-case effect of a loss of confidentiality, integrity, or availability. The categorization determines which NIST SP 800-53 control baseline applies and is the most consequential single decision in the entire authorization process.

cATO

Federal GRC Engineering

Continuous Authorization to Operate, the DoD authorization model in which a software delivery organization sustains an Authority to Operate through continuous monitoring, automated control evidence, and a fully implemented DevSecOps pipeline rather than a point-in-time assessment refreshed every three years. The DoD CIO published the "DevSecOps Continuous Authorization Implementation Guide" on April 11, 2024, defining specific security and development metrics, evaluation criteria, and the role of software bills of material in cATO eligibility. Air Force Platform One operates one of the longest-running cATO implementations in the department.

CCPA

Cybersecurity

California Consumer Privacy Act, state legislation granting California residents rights over their personal information including access, deletion, and opt-out of data sales. CCPA applies to businesses exceeding $25 million in annual revenue or handling data of 100,000+ consumers.

CDM

Federal Cybersecurity

Continuous Diagnostics and Mitigation, the CISA-operated program that provides federal civilian executive branch agencies with cybersecurity tools, integration services, and dashboards to identify cybersecurity risks on an ongoing basis. CDM is organized into capability areas covering asset management, identity and access management, network security management, and data protection management. The CDM Dashboard aggregates agency data into a federal-level view of cybersecurity posture; CISA uses the aggregate to inform Binding Operational Directives, OMB reporting, and federal incident response. CDM funds and contracts flow through GSA.

CDM Dashboard

Federal GRC Engineering

The federated reporting platform in the CISA Continuous Diagnostics and Mitigation program that aggregates each agency asset, vulnerability, identity, and configuration data into an agency-level dashboard, with summary data flowing to a federal dashboard CISA operates. The dashboard is the operational instrument by which CISA tracks compliance with Binding Operational Directives across the federal civilian executive branch, identifies systemic exposure (every FCEB agency running an unpatched KEV, for example), and reports federal cybersecurity posture to OMB and Congress under FISMA.

Change Management

GRC Engineering

Structured process for evaluating, approving, and deploying modifications to IT systems while maintaining compliance controls. SOC 2 maps change management to CC8.1, requiring documented approval workflows and post-deployment validation.

CI/CD

GRC Engineering

Continuous Integration and Continuous Deployment, the automated pipeline for building, testing, and releasing software changes. GRC engineering embeds compliance checks directly into CI/CD pipelines using policy-as-code tools like OPA.

CIS

Cloud Security

Center for Internet Security, a nonprofit that publishes security benchmarks and hardening guidelines for operating systems, cloud platforms, and applications. CIS Benchmarks are the most widely adopted baseline for cloud security configurations.

CIS Benchmarks

Cybersecurity

Prescriptive configuration baselines published by the Center for Internet Security for operating systems, cloud platforms, databases, and applications. CIS Benchmarks provide the specific hardening standards that auditors expect when evaluating configuration management controls.

CISA

Federal Cybersecurity

The Cybersecurity and Infrastructure Security Agency, established within the Department of Homeland Security by the Cybersecurity and Infrastructure Security Agency Act of 2018. CISA is the operational lead for federal civilian executive branch cybersecurity, the national coordinator for critical infrastructure security, and the issuer of Binding Operational Directives and Emergency Directives that bind the FCEB. CISA also operates the Known Exploited Vulnerabilities Catalog, the Continuous Diagnostics and Mitigation program, and the .gov registrar. Within DHS, CISA is the only operational component of its kind; DHS sets policy, CISA executes.

CISO

Cybersecurity

Chief Information Security Officer, the executive responsible for an organization's information security strategy, risk management, and compliance posture. The CISO role has expanded to include AI governance and board-level reporting in most enterprises.

CMMC

GRC Engineering

Cybersecurity Maturity Model Certification, a DoD framework requiring defense contractors to meet verified cybersecurity standards before receiving contract awards. CMMC 2.0 defines three maturity levels, with Level 2 aligning to NIST SP 800-171.

CMMC 2.0

CMMC

The Department of Defense's revised Cybersecurity Maturity Model Certification program, codified at 32 CFR Part 170 and finalized December 16, 2024. CMMC 2.0 collapses the original five maturity levels to three (Level 1 self-assessment, Level 2 third-party assessment, Level 3 government-led assessment) and aligns Level 2 directly to the 110 controls in NIST SP 800-171 Revision 2. The corresponding DFARS contract clause 252.204-7021 began phasing into solicitations in 2025 on a four-phase rollout that completes in 2028.

CMMC Level 1

The CMMC tier for defense contractors that handle only Federal Contract Information and not CUI. Level 1 requires implementation of the 17 basic safeguarding requirements drawn from FAR 52.204-21 and is satisfied by an annual self-assessment with senior official affirmation submitted to SPRS. No third-party assessment is required, but a knowingly false affirmation carries False Claims Act exposure.

CMMC Level 2

CMMC

The CMMC tier required for any defense contractor that processes, stores, or transmits Controlled Unclassified Information. Level 2 requires implementation of all 110 controls in NIST SP 800-171 Revision 2, an assessment by a Certified Third-Party Assessment Organization, and a passing score against 320 individual assessment objectives. Reciprocity is allowed for FedRAMP Moderate cloud services hosting CUI.

The four-phase rollout that introduces CMMC certification requirements into DoD solicitations between 2025 and 2028. Phase 1 (2025) limits the requirement to Level 1 and Level 2 self-assessments; Phase 2 (2026) adds Level 2 third-party assessments to most CUI-handling contracts; Phase 3 (2027) extends Level 2 third-party assessments to all applicable solicitations; Phase 4 (2028) introduces Level 3 government-led assessments and applies CMMC to all in-scope contracts including option periods.

CNAPP

Cloud Security

Cloud-Native Application Protection Platform, a unified security tool combining CSPM, CWPP, and runtime protection for cloud workloads. CNAPPs replace fragmented point solutions with a single view of cloud security posture.

Compliance Automation

GRC Engineering

Use of technology to automate evidence collection, control testing, and audit preparation across regulatory frameworks. Organizations using compliance automation reduce audit preparation time from weeks to days and cut manual effort by 60-80%.

Compliance Posture

GRC Engineering

An organization's current state of adherence to applicable regulatory requirements and internal control standards. Compliance posture is measured through continuous monitoring rather than periodic audits in mature GRC programs.

Compliance-as-Code

Federal GRC Engineering

The engineering discipline of expressing compliance controls and evidence in machine-readable artifacts (configuration files, policy code, infrastructure templates, automated tests) that are version-controlled, peer-reviewed, and enforced by the same continuous integration pipeline that ships application code. Open Policy Agent and Rego, HashiCorp Sentinel, AWS Config Rules, and OSCAL-based control catalogs are the visible expressions of this discipline. Federal cATO programs and FedRAMP 20x both depend on compliance-as-code; an authorization that requires manual screenshot collection cannot deliver continuous evidence at the cadence the model demands.

Conditional Certification

A time-bound certification a C3PAO may issue when an organization scores at least 88 of 110 on its NIST SP 800-171 assessment but has open POA&M items on eligible controls. The conditional status is valid for 180 days; if all POA&M items are not closed and verified within that window the certification lapses, and the contractor loses eligibility for any DFARS 252.204-7021 award until reassessment.

Confidentiality

One of five SOC 2 Trust Services Criteria, requiring that information designated as confidential is protected as committed. Confidentiality controls cover encryption, access restrictions, and data handling procedures for sensitive information.

Conformity Assessment

AI Governance

Process of demonstrating that an AI system meets applicable regulatory requirements such as the EU AI Act. Conformity assessment for high-risk AI systems requires third-party evaluation before market placement in the EU.

ConMon Reports

FedRAMP

The monthly continuous monitoring deliverables FedRAMP requires from authorized cloud service providers: vulnerability scan results from operating system, web application, and database scanners; an updated Plan of Action and Milestones; a deviation request log; and an inventory of changes. Late or incomplete ConMon submissions are the most common trigger for FedRAMP corrective action and, in repeated cases, authorization suspension.

Content Security Policy (CSP)

Cybersecurity

An HTTP response header restricting which domains can serve scripts, styles, and resources to a web page. CSP is a primary defense against XSS and Magecart-style payment page attacks, and a widely accepted method for satisfying PCI DSS 4.0.1 Requirement 6.4.3.

Continuous Authorization

Federal Zero Trust

The federal authorization model that replaces the traditional three-year reauthorization cycle with sustained, evidence-driven risk acceptance. NIST SP 800-37 Revision 2 established continuous authorization in 2018 as the natural endpoint of the Monitor step (RMF Step 6); the Authorizing Official maintains the ATO indefinitely so long as the continuous monitoring program produces sufficient evidence to support the ongoing risk decision. The DoD cATO program and FedRAMP 20x are the two most visible operational implementations. The model collapses the documentation cliff at the three-year boundary into a steady stream of monitored controls.

Continuous Monitoring

GRC Engineering

Automated, ongoing observation of systems and controls to detect security threats and compliance deviations in real time. Continuous monitoring replaces quarterly manual reviews with automated evidence collection and alerting.

Continuous Monitoring (FedRAMP)

The post-authorization phase of FedRAMP requiring cloud service providers to submit monthly vulnerability scan results, deviation requests, and significant change requests, plus an annual 3PAO reassessment of one-third of controls. Continuous monitoring is where most FedRAMP authorizations are lost; agencies revoke authorization for sustained ConMon non-compliance more often than they deny initial authorization.

Continuous Monitoring (NIST)

FISMA & NIST RMF

Information Security Continuous Monitoring as defined in NIST SP 800-137, the process of maintaining ongoing awareness of information security, vulnerabilities, and threats to support agency risk management decisions. ISCM is broader than the monthly evidence cadence used in FedRAMP; it specifies a tiered governance structure (organization, mission, system) and requires the agency to define its own metrics, frequencies, and reporting channels.

Control Deficiency

A gap where a security control is missing, inadequately designed, or not operating effectively. Auditors classify control deficiencies by severity: a significant deficiency affects the audit opinion while an observation is informational.

Control Family

FISMA & NIST RMF

A logical grouping of related security or privacy controls within NIST SP 800-53. Revision 5 organizes its 1,007 controls into 20 families including Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), Incident Response (IR), and Supply Chain Risk Management (SR). Each control identifier carries the family prefix, so AC-2 is the second control in the Access Control family.

Control Framework

GRC Engineering

Structured set of security and compliance controls that organizations implement to meet regulatory and business objectives. Common control frameworks include NIST CSF, ISO 27001, SOC 2 TSC, and CIS Controls.

Corrective Action Plan

Documented plan specifying how an organization will address identified compliance violations or security gaps within a defined timeline. HHS OCR requires corrective action plans in most HIPAA enforcement settlements.

COSO

SOC 2

Committee of Sponsoring Organizations of the Treadway Commission, the body that developed the internal controls framework used in financial and compliance auditing. COSO's framework underpins SOC 2 Trust Services Criteria.

Cost or Pricing Data

GovCon Compliance

The factual data, other than judgmental information, that a contractor possesses on costs and prices at the time of price agreement, defined at FAR 2.101. Cost or pricing data are facts about prior costs, vendor quotes, make-or-buy decisions, scrap and rework rates, and any other verifiable inputs to a price proposal. When TINA applies, the contractor must certify the data are accurate, complete, and current as of the agreement date. The certification is the legal hook for a TINA price reduction if a post-award audit shows the data were defective.

Covered Entity

HIPAA

Under HIPAA, a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. Covered entities bear primary responsibility for HIPAA compliance and face penalties up to $2.13 million per violation category annually.

CRISC

GRC Engineering

Certified in Risk and Information Systems Control, an ISACA certification for professionals managing enterprise IT risk. CRISC holders specialize in identifying, assessing, and responding to information system risks.

CSA

AI Governance

Cloud Security Alliance, the industry body that publishes the Cloud Controls Matrix (CCM) and administers the STAR certification program. CSA CCM maps controls across 17 domains for cloud service providers.

CSF

Cloud Security

Cybersecurity Framework, most commonly referring to NIST CSF, a voluntary framework of standards and best practices for managing cybersecurity risk. NIST CSF 2.0 added a Govern function to the original five: Identify, Protect, Detect, Respond, Recover.

CSPM

Cloud Security

Cloud Security Posture Management, automated tooling that continuously scans cloud environments for misconfigurations, compliance violations, and security risks. CSPM tools typically cover AWS, Azure, and GCP with pre-built policy libraries.

CUI

Cybersecurity

Controlled Unclassified Information, government-created or government-controlled information requiring safeguarding per law or regulation but not classified. CUI triggers CMMC Level 2 requirements and NIST SP 800-171 controls for defense contractors.

CUI

CMMC

Controlled Unclassified Information, government-created or government-owned information that requires safeguarding under law, regulation, or government-wide policy but is not classified. The National Archives CUI Registry organizes CUI into roughly 20 categories (Defense, Export Control, Privacy, and others); presence of CUI on a contractor system triggers DFARS 252.204-7012 and CMMC Level 2.

Customer Responsibility Matrix (CRM)

Cloud Security

A document published by a cloud service provider mapping each compliance framework control to one of four categories: fully inherited, partially inherited, not inherited, or not applicable. The CRM is the primary artifact auditors use to verify inherited control documentation.

CVE

Cybersecurity

Common Vulnerabilities and Exposures, the global identification system that assigns unique IDs to publicly disclosed security vulnerabilities. Security teams use CVE identifiers to track, prioritize, and verify that specific vulnerabilities are patched.

CVSS

Cybersecurity

Common Vulnerability Scoring System, a standardized 0-10 scale for rating the severity of security vulnerabilities, maintained by FIRST. The base score is computed from a vector string that records attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity, and availability impact; scores of 9.0 and above are Critical, 7.0-8.9 High, 4.0-6.9 Medium, and 0.1-3.9 Low. CVSS measures intrinsic severity, not the likelihood that a flaw is exploited, which is why mature programs combine it with exploitation evidence (CISA KEV, EPSS) rather than setting patch deadlines on the score alone.

CWPP

Cloud Security

Cloud Workload Protection Platform, security tooling that protects server workloads running in cloud, hybrid, and multi-cloud environments. CWPPs provide runtime protection, vulnerability management, and compliance monitoring at the workload level.

Cyber AB

CMMC

The Cyber AB, formally the Cybersecurity Maturity Model Certification Accreditation Body, is the sole authorizing body for the CMMC ecosystem. It accredits C3PAOs, certifies individual assessors and instructors, and maintains the marketplace of authorized providers. The Cyber AB operates under a contract with the DoD Office of the Chief Information Officer.

D 12 terms

Data Classification

Cybersecurity

Process of categorizing data by sensitivity level to apply appropriate security controls and access restrictions. Common tiers include Public, Internal, Confidential, and Restricted, each with defined handling requirements.

DCAA

GovCon Compliance

The Defense Contract Audit Agency, the DoD field activity that performs contract audits on behalf of all federal agencies that buy from defense contractors. DCAA examines contractor accounting systems, incurred costs, forward pricing rates, and compliance with the Cost Accounting Standards. It does not award or terminate contracts; it issues audit reports that contracting officers and DCMA administrative contracting officers rely on to negotiate price, settle final indirect cost rates, and resolve allowability disputes. DCAA reports to the Under Secretary of Defense (Comptroller) and operates under the Contract Audit Manual (DCAAM 7640.1).

DCAA Timekeeping

GovCon Compliance

The labor recording discipline DCAA expects on any contractor handling cost-reimbursement or time-and-materials work. The DCAA "Information for Contractors" pamphlet (DCAAP 7641.90) sets the floor: every employee records time daily, in their own hand or under their own electronic identity; time is charged to the specific job or indirect account worked; supervisor approval is documented; and corrections are made by line-out and initial, never by overwrite. A floor check (an unannounced DCAA visit comparing employees physically present to the timesheets in the system) is the most common live test of the system.

DCAM

GovCon Compliance

The DCAA Contract Audit Manual, formally DCAAM 7640.1, the master procedural document DCAA auditors follow on every engagement. The DCAM is published openly at dcaa.mil and is updated chapter by chapter; recent material updates include Chapter 6 (Incurred Cost Audit Procedures) and Chapter 8 (Cost Accounting Standards). Contractors who read the DCAM chapter that governs the audit they are about to face encounter no surprises in the field. The audit programs, sample sizes, and risk-assessment thresholds are all written down.

DCMA

GovCon Compliance

The Defense Contract Management Agency, the DoD combat support agency that administers contracts after award. DCMA contracting officers, known as ACOs (administrative contracting officers), execute the post-award functions delegated by the procuring contracting officer: monitoring performance, approving progress payments, definitizing undefinitized actions, and issuing final indirect cost rate agreements that close out the year. DCMA also performs Contractor Purchasing System Reviews and Earned Value Management System validations. DCAA audits the books; DCMA acts on the findings.

DFARS 252.204-7012

The Defense Federal Acquisition Regulation Supplement clause, "Safeguarding Covered Defense Information and Cyber Incident Reporting", that requires defense contractors to provide adequate security on covered contractor information systems (at minimum, NIST SP 800-171), to report cyber incidents to the DoD within 72 hours of discovery via DIBNet, to preserve images of affected systems for 90 days, and to flow the clause down to subcontractors. Full NIST SP 800-171 implementation has been required since December 31, 2017, and the clause is the legal predicate for both the 800-171 assessment regime and the newer CMMC certification requirement under DFARS 252.204-7021.

DIB

Cybersecurity

Defense Industrial Base, the network of private-sector companies, subcontractors, and suppliers that provide products and services to the U.S. Department of Defense. All DIB contractors handling FCI or CUI fall under CMMC requirements.

DIBNet

CMMC

The Defense Industrial Base Network, the DoD-operated portal at dibnet.dod.mil where defense contractors submit mandatory cyber incident reports under DFARS 252.204-7012. Reports are due within 72 hours of discovery and require a medium-assurance ECA certificate to file. DIBNet also distributes threat intelligence to participating contractors through the voluntary DIB CS Program.

DLP

Data Loss Prevention, technology that monitors and controls data transfers to prevent unauthorized exfiltration of sensitive information. DLP systems inspect email, cloud storage, USB devices, and network traffic for content that matches classification rules (patterns such as card numbers or patient identifiers, document fingerprints, sensitivity labels) and block, quarantine, or log the transfer. No framework names DLP outright, but it is a common control for the HIPAA safeguards on ePHI transmission, the PCI DSS requirements limiting where account data may be stored, and the SOC 2 confidentiality criteria; its effectiveness is bounded by the data classification scheme it enforces.

DPA

AI Governance

Data Processing Agreement, a contract required under GDPR between data controllers and processors that specifies how personal data will be handled. DPAs must define processing purposes, data categories, retention periods, and subprocessor arrangements.

DPIA

AI Governance

Data Protection Impact Assessment, a GDPR-required evaluation of processing activities that pose high risk to individuals' privacy rights. DPIAs must be completed before processing begins and documented for supervisory authority review.

DPO

AI Governance

Data Protection Officer, the designated individual responsible for overseeing GDPR compliance within an organization. DPO appointment is mandatory under Article 37 for public authorities, for organizations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those processing special categories of data or criminal-conviction data at large scale.

E 10 terms

EDR

Cybersecurity

Endpoint Detection and Response, security technology that continuously monitors endpoint devices for threats and provides automated investigation and remediation. EDR captures process execution, file changes, and network connections for forensic analysis.

Emergency Directive

Federal Cybersecurity

A CISA-issued directive under 44 U.S.C. 3553(h) that compels federal civilian executive branch agencies to take specific actions in response to a known or reasonably suspected information security threat, vulnerability, or incident. Emergency Directives are the acute counterpart to Binding Operational Directives and have been used for incidents including the SolarWinds compromise (ED 21-01), Log4j (ED 22-02), and the 2024 nation-state compromise of Microsoft corporate email that exposed agency correspondence (ED 24-02). Compliance is mandatory for FCEB agencies; CISA reports compliance posture to OMB and Congress.

Emotion Recognition (AI)

AI Governance

AI systems that infer emotional states through facial expression analysis, vocal pattern detection, or physiological signal processing. Prohibited under EU AI Act Article 5(1)(f) in workplaces and educational institutions, with narrow exceptions for medical and safety-critical use.

Encryption at Rest

Cybersecurity

Protection of stored data by converting it to ciphertext with a symmetric cipher, AES being the de facto standard (AES-256 in an authenticated mode such as GCM for files and objects, XTS for block storage). HIPAA treats encryption of ePHI as an addressable safeguard and PCI DSS requires "strong cryptography" for stored account data rather than naming an algorithm; SOC 2 criteria do not prescribe one either. What auditors actually probe is key management: keys held in a KMS or HSM, separated from the data they protect, rotated, and access-logged, because ciphertext with its key stored beside it protects only against theft of the physical media.

Encryption in Transit

Cybersecurity

Protection of data as it moves between systems using TLS 1.2 or higher (TLS 1.0 and 1.1 were formally deprecated by RFC 8996). PCI DSS v4.0 requires strong cryptography for cardholder data sent over open, public networks, and since the PCI SSC no longer treats SSL or early TLS as strong, TLS 1.2 is the effective floor. Protocol version is only half the control: weak cipher suites must be disabled and clients must validate server certificates, since a client that skips validation offers no protection against interception regardless of the TLS version negotiated.

EO 14028

Federal GRC Engineering

Executive Order 14028, "Improving the Nation's Cybersecurity", signed May 12, 2021 in the wake of the SolarWinds and Colonial Pipeline incidents. EO 14028 directs federal modernization across software supply chain security (Section 4, including SBOM minimum elements), zero trust architecture adoption, multi-factor authentication and encryption for federal data, the Cyber Safety Review Board, and a standardized federal incident response playbook. The order is the legal and political predicate for OMB M-22-09 (zero trust), the SBOM rulemaking, and the CISA Secure Software Development Attestation form for federal software vendors.

EO 14179

Federal AI Governance

Executive Order 14179, "Removing Barriers to American Leadership in Artificial Intelligence", signed January 23, 2025. The order rescinds the Biden-era Executive Order 14110, directs OMB to revise the federal AI memos (the resulting documents are M-25-21 and M-25-22, both dated April 3, 2025), and requires the development of a national AI Action Plan within 180 days. EO 14179 reframes the federal posture from precautionary AI governance toward accelerated adoption while retaining the CAIO role, the high-impact use case category, and the AI use case inventory obligation.

EO 14275

GovCon Compliance

Executive Order 14275, "Restoring Common Sense to Federal Procurement", signed April 15, 2025. The order initiates the Revolutionary FAR Overhaul, instructs the FAR Council to return the Federal Acquisition Regulation to its statutory roots by removing non-statutory policy and process, directs migration of buying strategies from the FAR into a separate Strategic Acquisition Guidance, and authorizes class deviations during the deviation phase so agencies can begin operating under the new framework before formal rulemaking concludes. EO 14275 is the legal predicate for what the procurement bar calls FAR 2.0.

ePHI

HIPAA

Electronic Protected Health Information, any PHI created, stored, transmitted, or received in electronic form. The HIPAA Security Rule specifically governs ePHI through administrative, physical, and technical safeguard requirements.

EU AI Act

AI Governance

The European Union's Artificial Intelligence Act (Regulation (EU) 2024/1689), the first comprehensive horizontal regulation of AI systems. The EU AI Act classifies AI by risk tier: prohibited practices, high-risk, limited-risk (transparency obligations), and minimal-risk, with obligations scaling accordingly, plus separate duties for general-purpose AI model providers. Penalties for prohibited practices reach 35 million euros or 7% of global annual turnover, whichever is higher.

F 19 terms

FAIR

GRC Engineering

Factor Analysis of Information Risk, a quantitative risk analysis model that expresses cybersecurity risk in financial terms. FAIR replaces subjective risk matrices with probability distributions and dollar estimates.

FAR 2.0

GovCon Compliance

The informal name for the Revolutionary FAR Overhaul, the most extensive rewrite of the Federal Acquisition Regulation in over four decades initiated by Executive Order 14275 ("Restoring Common Sense to Federal Procurement"), signed April 15, 2025. The overhaul is led jointly by OMB, GSA, NASA, and DoD. Phase I (April through October 2025) used class deviations to allow agencies to apply the streamlined provisions immediately; Phase II began in October 2025 as the formal rulemaking that permanently amends the FAR. Non-statutory buying strategies migrate from the FAR into OFPP-endorsed buying guides collectively known as the Strategic Acquisition Guidance.

FAR Part 31

GovCon Compliance

Federal Acquisition Regulation Part 31, "Contract Cost Principles and Procedures", the section of the FAR that governs which costs the government will reimburse on cost-type and certain fixed-price contracts. Subpart 31.2 contains the commercial contractor cost principles and the 50-plus selected-cost rules at 31.205 (advertising, bad debts, entertainment, lobbying, and the rest) that determine allowability. FAR Part 31 is the substantive standard DCAA auditors apply when they question a cost; if a cost fails any of the four tests (reasonable, allocable, in accordance with CAS or GAAP, and compliant with the contract terms), it is unallowable.

FCEB

Federal Cybersecurity

Federal Civilian Executive Branch, the set of executive branch agencies excluding the Department of Defense and the Intelligence Community elements. The FCEB scope is the regulatory boundary for CISA Binding Operational Directives, Emergency Directives, the Continuous Diagnostics and Mitigation program, and most OMB cybersecurity memoranda including M-22-09. Agencies in the FCEB include the cabinet-level departments other than DoD, plus independent agencies like EPA, NASA, and SSA. DoD, the Intelligence Community, and the legislative and judicial branches operate under separate authorities and are not subject to CISA directives.

FCI

Cybersecurity

Federal Contract Information, information provided by or generated for the government under a contract not intended for public release. FCI triggers CMMC Level 1 requirements (15 practices, annual self-assessment) with a lower protection threshold than CUI.

Federal AI Strategy

Federal AI Governance

The agency-level strategic document OMB Memorandum M-25-21 requires every CFO Act agency CAIO to publish, describing how the agency will use AI to deliver mission outcomes, the priority use cases, the talent and infrastructure investments, and the governance model. The strategy is signed by the CAIO and approved by the agency head. It is the planning instrument that feeds the annual AI use case inventory and the compliance plan; the inventory shows what is deployed, the strategy shows where the agency is going.

Federal Zero Trust Strategy

Federal Zero Trust

The cross-government strategic posture established by OMB Memorandum M-22-09 (January 26, 2022) that organizes federal civilian executive branch cybersecurity around zero trust principles and the five pillars (identity, devices, networks, applications, data). The strategy is operationalized through CISA Zero Trust Maturity Model, individual agency zero trust implementation plans submitted to OMB, and the deadlines and reporting cadence set by M-22-09. The strategy is the federal civilian counterpart to the DoD Zero Trust Strategy published by the DoD CIO in November 2022.

FedRAMP

GRC Engineering

Federal Risk and Authorization Management Program, the standardized security assessment framework for cloud services used by U.S. federal agencies. FedRAMP authorization requires 323 NIST SP 800-53 Revision 5 controls at the Moderate baseline (156 at Low, 410 at High), assessed by an accredited 3PAO and sustained through continuous monitoring.

FedRAMP 20x

FedRAMP

The 2025 modernization initiative that replaces the legacy FedRAMP authorization process with a machine-readable, automation-first model designed to compress authorization timelines from 12-18 months to under 90 days. FedRAMP 20x retires the Joint Authorization Board, moves authorization artifacts toward machine-readable (OSCAL-based) submission in place of document packages, and shifts continuous monitoring from monthly PDF packages to API-driven evidence streams.

FedRAMP Annual Assessment

FedRAMP

The yearly 3PAO assessment that re-tests roughly one-third of the cloud service's authorized control baseline, plus all controls flagged as significantly changed since the prior assessment. The annual assessment culminates in an updated Security Assessment Report and is the primary mechanism by which FedRAMP authorization is sustained over the life of the offering.

FedRAMP Authorized

FedRAMP

The formal designation that a cloud service offering has completed the FedRAMP assessment process and received an Authority to Operate from a federal agency or, historically, the Joint Authorization Board. Authorization is granted at one of three impact levels (Low, Moderate, or High) and remains valid as long as the cloud service provider sustains continuous monitoring obligations and the sponsoring agency does not revoke.

FedRAMP High

FedRAMP

The FedRAMP impact level reserved for cloud services handling data whose compromise would cause severe or catastrophic effects on federal operations, including assets supporting law enforcement, emergency services, financial systems, and health systems. The High baseline requires 410 NIST SP 800-53 Revision 5 controls and is mandatory for cloud workloads processing data such as Personally Identifiable Information at scale, federal financial data, and certain healthcare records.

FedRAMP Marketplace

FedRAMP

The official directory at marketplace.fedramp.gov where federal agencies discover cloud service offerings by authorization status, impact level, and sponsoring agency. A listing on the Marketplace is the formal indicator that a cloud service is either FedRAMP Authorized, In Process, or Ready, and is the first place agency contracting officers verify status before procurement.

FedRAMP Moderate

FedRAMP

The FedRAMP impact level for cloud services that handle data whose loss of confidentiality, integrity, or availability would have serious adverse effects on federal operations or assets. The Moderate baseline requires implementation of 323 NIST SP 800-53 Revision 5 controls and is the most common authorization level, covering the majority of federal SaaS, IaaS, and PaaS workloads.

FedRAMP Ready

FedRAMP

The pre-authorization status indicating a cloud service provider has engaged a 3PAO to produce a Readiness Assessment Report and the FedRAMP PMO has accepted that report. Ready status is the public signal that the cloud service is on a credible path to authorization; it is not itself an authorization and does not permit federal use of the service for production data.

FedRAMP Tailored

FedRAMP

A streamlined FedRAMP path historically used for low-risk, low-impact Software-as-a-Service offerings such as collaboration tools and surveys. Tailored required a reduced control set drawn from the FedRAMP Low baseline. The pathway has been deprecated under FedRAMP 20x in favor of the new Low Impact SaaS framework, which uses a smaller, automation-friendly control set and machine-readable submission.

FIPS

HIPAA

Federal Information Processing Standards, the mandatory standards NIST issues for federal information systems under FISMA. FIPS 140-3 (which superseded FIPS 140-2 for new validations in 2021) governs cryptographic module validation, FIPS 199 and FIPS 200 define security categorization and minimum requirements, and FIPS 201 defines PIV credentials. HIPAA does not mandate FIPS-validated cryptography: encryption of ePHI is an addressable safeguard, and HHS guidance points to NIST encryption standards for the breach safe harbor. FIPS 140 validation is required for federal systems, FedRAMP offerings, and NIST SP 800-171 (and therefore CMMC Level 2) wherever cryptography is used to protect the confidentiality of CUI.

FISMA

FISMA & NIST RMF

The Federal Information Security Modernization Act of 2014, which updated the original 2002 statute and requires every federal agency to develop, document, and implement an agency-wide information security program. FISMA assigns NIST the authority to develop the standards (FIPS 199, FIPS 200) and guidelines (the SP 800 series) that operationalize the law, and assigns OMB and CISA the oversight and reporting roles. Annual FISMA scores are reported to Congress.

FRIA

AI Governance

Fundamental Rights Impact Assessment, the evaluation EU AI Act Article 27 requires before certain deployers put a high-risk AI system into use: bodies governed by public law, private operators providing public services, and deployers using high-risk AI for creditworthiness assessment or life and health insurance pricing. A FRIA describes the deployment context and affected persons, the specific risks to fundamental rights (discrimination, privacy, freedom of expression, due process), the human oversight measures, and the remedies available if harm occurs; the deployer notifies the market surveillance authority of the results.

G 6 terms

Gap Analysis

SOC 2

Assessment comparing current security posture against a target framework to identify control deficiencies. Gap analysis is the standard first step in compliance programs, typically completed 6-12 months before the target audit date.

GAPP

SOC 2

Generally Accepted Privacy Principles, a framework developed by AICPA and CICA for managing personal information. GAPP defines 10 privacy principles that map to the Privacy criterion in SOC 2 engagements.

GCP

GRC Engineering

Google Cloud Platform, a cloud infrastructure provider offering compute, storage, and AI services with built-in compliance tooling. GCP's Assured Workloads service enforces data residency and regulatory compliance controls.

GDPR

AI Governance

General Data Protection Regulation, the EU privacy law governing how organizations collect, process, and store personal data of EU residents. GDPR enforces fines up to 4% of global annual turnover or 20 million euros, whichever is higher.

GRC

GRC Engineering

Governance, Risk, and Compliance, the integrated discipline of aligning organizational objectives with risk management and regulatory adherence. GRC engineering automates these three functions through platforms, APIs, and policy-as-code.

GRC Platform

GRC Engineering

Software that centralizes governance, risk management, and compliance operations into a unified system. GRC platforms like Vanta, Drata, and Anecdotes automate evidence collection, control monitoring, and audit preparation across multiple frameworks.

H 6 terms

HHS

HIPAA

U.S. Department of Health and Human Services, the federal agency responsible for HIPAA enforcement through its Office for Civil Rights (OCR). HHS publishes breach reports, enforcement actions, and compliance guidance for healthcare organizations.

High-Impact AI

Federal AI Governance

The class of federal AI use case that OMB Memorandum M-25-21 defines as AI whose output serves as a principal basis for a decision or action with legal, material, binding, or significant effect on rights, services, or safety. M-25-21 narrows the prior M-24-10 categories of "rights-impacting" and "safety-impacting" into the single high-impact tier and triggers the minimum risk management practices: pre-deployment testing, ongoing monitoring, human oversight, and a documented determination that benefits outweigh risks. CAIO approval is required before the use case may operate in production.

High-Risk AI System

AI Governance

AI systems classified under the EU AI Act as posing significant risks to health, safety, or fundamental rights. High-risk categories include biometric identification, critical infrastructure, and employment decisions. These systems require conformity assessment before deployment.

HIPAA

HIPAA

Health Insurance Portability and Accountability Act, the federal law establishing standards for protecting patient health information. HIPAA comprises the Privacy Rule, Security Rule, and Breach Notification Rule, with penalties reaching $2.13 million per violation category annually.

HIPAA Risk Analysis

HIPAA

The Security Rule requirement at 45 CFR 164.308(a)(1)(ii)(A) to conduct an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, covering every system that creates, receives, maintains, or transmits it. HHS OCR cites failure to conduct an enterprise-wide risk analysis as the most common finding in enforcement actions; a gap assessment against a control checklist does not satisfy the requirement, because it evaluates controls rather than the threats and likelihoods those controls are meant to address.

HITRUST

Cybersecurity

Health Information Trust Alliance, an organization that publishes the HITRUST CSF, a certifiable security framework incorporating requirements from HIPAA, NIST, ISO, and PCI DSS. HITRUST certification is increasingly required by healthcare payers and large covered entities.

I 15 terms

IaaS

Cloud Security

Infrastructure as a Service, a cloud computing model providing virtualized computing resources over the internet. In IaaS environments, the customer is responsible for operating system, application, and data security under the shared responsibility model.

IAM

GRC Engineering

Identity and Access Management, the discipline of ensuring the right individuals access the right resources at the right time. IAM controls cover authentication, authorization, provisioning, and deprovisioning across all systems.

ICAM

Federal Zero Trust

Identity, Credential, and Access Management, the federal program of record for managing the identities of employees, contractors, and partners across the federal civilian executive branch. ICAM is governed by the Federal Identity, Credential, and Access Management Architecture maintained by GSA at idmanagement.gov. ICAM covers identity proofing, credential issuance (including PIV cards under FIPS 201), and access management decisions at the application layer. OMB Memorandum M-22-09 makes enterprise ICAM a precondition for the identity pillar of the federal zero trust strategy: an agency cannot enforce zero trust if identities are managed application by application.

IDS

HIPAA

Intrusion Detection System, a monitoring tool that analyzes network traffic or system activity for signs of malicious behavior. IDS generates alerts but does not block threats, distinguishing it from IPS which takes automated preventive action.

Impact Assessment

AI Governance

Formal evaluation of how a proposed system, policy, or change affects stakeholders, operations, or compliance obligations. In AI governance, impact assessments evaluate algorithmic fairness, privacy implications, and potential harms to affected populations.

Implement Step (RMF Step 3)

FISMA & NIST RMF

The third step of the Risk Management Framework, in which the system owner implements the selected controls and documents how each control is satisfied in the System Security Plan. Implementation evidence accumulated here becomes the input to the assessment step; weak documentation at the implement step is the most common driver of assessment delay.

Incident Response

Cybersecurity

Organized approach to detecting, containing, and recovering from security incidents to minimize damage and restore operations. SOC 2 auditors evaluate incident response under CC7.3, CC7.4, and CC7.5 for detection, analysis, and remediation effectiveness.

Incurred Cost Submission (ICS)

GovCon Compliance

The annual submission a contractor with cost-reimbursement or time-and-materials contracts files with the cognizant ACO and DCAA, reconciling actual costs incurred during the fiscal year to the provisional billing rates used during that year. The ICS is due six months after the contractor fiscal year end under FAR 52.216-7(d)(2). Late filing exposes the contractor to unilateral final indirect cost rate determinations by the contracting officer, typically at rates well below what the contractor would have proposed. The submission is the input DCAA audits to set final indirect cost rates and close the year.

Indirect Cost Rate

GovCon Compliance

The ratio used to allocate indirect costs (overhead, fringe, general and administrative) to cost objectives in proportion to a chosen base. A contractor typically maintains separate indirect rate pools for fringe (benefits as a percent of labor), overhead (engineering or manufacturing support as a percent of direct labor), and G&A (executive and corporate functions as a percent of total cost input or value-added base). Provisional billing rates are used during the year and reconciled to actual rates in the Incurred Cost Submission. Final indirect cost rate agreements with DCMA close out the year and lock the rates for retroactive billing adjustment.

Inherited Controls

Cloud Security

Compliance controls whose implementation responsibility transfers from the customer to the cloud service provider based on FedRAMP authorization, SOC 2 report, or equivalent certification. Customers must document which controls are inherited and verify alignment with their own System Security Plan.

IPS

HIPAA

Intrusion Prevention System, a network security tool that monitors traffic and automatically blocks detected threats. IPS extends IDS capabilities by taking real-time enforcement actions rather than only generating alerts.

IRP

SOC 2

Incident Response Plan, a documented procedure defining how an organization detects, responds to, and recovers from security incidents. SOC 2 requires a tested IRP with defined roles, communication protocols, and escalation procedures.

ISO 27001

Cybersecurity

International standard for information security management systems (ISMS), requiring organizations to systematically manage security risks. ISO 27001:2022 certification involves 93 controls across organizational, people, physical, and technological domains.

ISO 27005

GRC Engineering

International standard providing guidelines for information security risk management, aligned with ISO 27001. The 2022 revision explicitly supports quantitative risk analysis, providing standards-body backing for FAIR-style dollar-denominated risk quantification.

ISO 42001

AI Governance

International standard for AI management systems (AIMS), published in 2023 as the first certifiable framework for AI governance. ISO 42001 requires organizations to establish policies, risk assessments, and controls for responsible AI use.

J 1 term

JAB

FedRAMP

The Joint Authorization Board, the FedRAMP governance body composed of the Chief Information Officers of the Department of Defense, Department of Homeland Security, and General Services Administration. The JAB issued Provisional Authorities to Operate that any agency could rely on without repeating the assessment. The JAB was sunset under FedRAMP 20x in 2025; authorization decisions now sit with the FedRAMP Program Management Office and individual agency Authorizing Officials.

K 2 terms

KEV

Cybersecurity

Known Exploited Vulnerabilities catalog, maintained by CISA, listing vulnerabilities confirmed to be actively exploited in the wild. Federal agencies must remediate KEV entries within CISA-defined timelines, and private organizations use KEV as a patching priority signal.

KEV Catalog

Federal Cybersecurity

The CISA Known Exploited Vulnerabilities Catalog, the authoritative list of CVEs CISA has determined carry significant risk to the federal enterprise based on three criteria: an assigned CVE ID, clear remediation guidance, and reliable evidence of active exploitation. CISA Binding Operational Directive 22-01 (November 3, 2021) requires federal civilian executive branch agencies to remediate KEV-listed vulnerabilities by the due date CISA assigns: six months for vulnerabilities whose CVE IDs were assigned before 2021, two weeks for those assigned in 2021, and a per-entry due date for later additions, commonly three weeks after the date added. Each catalog entry carries the CVE ID, vendor and product, date added, required action, due date, and a known-ransomware-campaign-use flag. The catalog is updated continuously and is published openly at cisa.gov in HTML, CSV, and JSON.
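
As an added example, not code from the page or from CISA, the following Python shows the prioritization logic the two KEV entries imply: KEV-listed findings are worked first by due date (the BOD 22-01 obligation), then everything else by CVSS base score. The catalog excerpt uses the real field names of CISA's JSON feed, but the CVE IDs, vendors, products, dates and scanner findings are constructed for this example and correspond to no real catalog entry.

```python
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (known_exploited_vulnerabilities.json). CVE IDs, vendors, products and
# dates are made up for this example and match no real catalog entry.
KEV_FEED = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2025-03-05T12:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2025-90001", "vendorProject": "ExampleCo", "product": "Edge Gateway",
         "vulnerabilityName": "ExampleCo Edge Gateway Authentication Bypass",
         "dateAdded": "2025-02-20", "shortDescription": "constructed",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2025-03-13", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2025-90002", "vendorProject": "ExampleCo", "product": "Mail Relay",
         "vulnerabilityName": "ExampleCo Mail Relay Path Traversal",
         "dateAdded": "2025-02-07", "shortDescription": "constructed",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2025-02-28", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
}

# Constructed scanner output: asset, CVE, and the CVSS base score the scanner reported.
FINDINGS = [
    {"asset": "gw-01", "cve": "CVE-2025-90001", "cvss_base": 7.5},
    {"asset": "mx-02", "cve": "CVE-2025-90002", "cvss_base": 6.5},
    {"asset": "app-03", "cve": "CVE-2025-90003", "cvss_base": 9.8},
    {"asset": "app-04", "cve": "CVE-2025-90004", "cvss_base": 5.4},
]


def kev_index(feed):
    """Map cveID -> catalog entry for constant-time lookup."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def triage(findings, feed=KEV_FEED, today="2025-03-05"):
    """Order findings the way BOD 22-01 forces federal teams to: every
    KEV-listed CVE first (earliest due date, then known ransomware use),
    then everything else by CVSS base score. A KEV-listed 6.5 outranks a
    non-KEV 9.8 because exploitation is confirmed, not merely possible."""
    as_of = date.fromisoformat(today)
    kev = kev_index(feed)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry:
            due = date.fromisoformat(entry["dueDate"])
            rows.append({**f, "kev": True, "due": due.isoformat(),
                         "overdue": due < as_of,
                         "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                         "required_action": entry["requiredAction"]})
        else:
            rows.append({**f, "kev": False, "due": None, "overdue": False,
                         "ransomware": False, "required_action": None})

    def key(r):
        return (0 if r["kev"] else 1,
                date.fromisoformat(r["due"]) if r["due"] else date.max,
                not r["ransomware"],
                -r["cvss_base"])

    rows.sort(key=key)
    return rows


def overdue(rows):
    """CVE IDs whose CISA due date has already passed, in worklist order."""
    return [r["cve"] for r in rows if r["overdue"]]


if __name__ == "__main__":
    for r in triage(FINDINGS):
        flag = "OVERDUE" if r["overdue"] else ("KEV" if r["kev"] else "")
        print(f"{flag:8s} {r['cve']:16s} {r['asset']:8s} cvss={r['cvss_base']:<4} due={r['due']}")
```

In production the feed is fetched on a schedule and diffed against the previous copy, because the actionable event is a CVE being added (or its due date moving), not the catalog's existence; the `today` parameter exists so the same function can be replayed against historical dates in an audit.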

L 3 terms

Least Privilege

Cybersecurity

Security principle granting users only the minimum access permissions required to perform their job functions. Least privilege reduces blast radius when accounts are compromised and is a foundational requirement across SOC 2, HIPAA, and PCI DSS.

LLM

AI Governance

Large Language Model, an AI system trained on massive text datasets to generate, analyze, and transform human language. LLMs introduce governance challenges including hallucination risk, data privacy exposure, and prompt injection vulnerabilities.

Loss Event Frequency (LEF)

GRC Engineering

A FAIR taxonomy variable measuring how often a threat agent successfully causes a loss event per year. Calculated from Threat Event Frequency multiplied by Vulnerability (probability of success given current controls). One of two root inputs to annualized loss expectancy.

M 11 terms

Management Assertion

SOC 2

Written statement by service organization management that its system description is accurate and that controls are suitably designed (Type I) and, for a Type II report, operating effectively throughout the review period. The management assertion is a required component of every SOC 2 report, and it is management, not the auditor, who owns the claims in it.

MDM

HIPAA

Mobile Device Management, technology for enrolling, configuring, and remotely controlling smartphones, tablets, and laptops that access organizational data. HIPAA does not name MDM, but MDM is the usual way to enforce the device encryption, screen lock, remote wipe, and access controls the Security Rule expects for devices that store or access ePHI, and the enrollment records are the evidence an auditor asks for.

MDR

Cybersecurity

Managed Detection and Response, a security service combining technology and human expertise to monitor, detect, and respond to threats. MDR providers operate 24/7 SOCs and deliver faster response times than most in-house security teams.

MFA

HIPAA

Multi-Factor Authentication, a security method requiring two or more independent verification factors (something you know, have, or are) to access a system. PCI DSS 4.0 Requirement 8.4 mandates MFA for all access into the cardholder data environment and for remote access; the HIPAA Security Rule does not currently name MFA (the 2025 proposed rule would add it), and SOC 2 does not mandate it, although auditors expect it for privileged and remote access under CC6.1. Not all MFA is equal: SMS codes and push approvals are phishable, while FIDO2/WebAuthn and PIV are phishing-resistant.

Minimum Necessary

HIPAA

The HIPAA Privacy Rule standard requiring covered entities and business associates to limit uses, disclosures, and requests of PHI to the minimum amount needed for the intended purpose. The standard does not apply to disclosures to or requests by a health care provider for treatment, to disclosures to the individual, to uses or disclosures made under a valid authorization, to disclosures required by law, or to disclosures to HHS for compliance purposes; role-based access rules are how it is implemented on systems.

Model Card

AI Governance

Documentation artifact describing an AI model's intended use, training data, performance metrics, limitations, and ethical considerations. Model cards are a best practice under both ISO 42001 and the NIST AI RMF for AI transparency.

Monitor Step (RMF Step 6)

FISMA & NIST RMF

The sixth step of the Risk Management Framework, in which the system owner sustains the authorization through continuous monitoring of selected controls, ongoing assessment, and configuration management. NIST SP 800-137 governs the design of the monitoring strategy, and modern implementations pursue Ongoing Authorization, in which a sustained monitoring program substitutes for the traditional three-year reauthorization cycle.

Monte Carlo Simulation

GRC Engineering

A computational technique running thousands of iterations with randomized inputs to produce a probability distribution of outcomes. In FAIR-based cyber risk quantification, Monte Carlo simulation converts variable estimates into defensible ranges of annualized expected losses.

MTTC

Cybersecurity

Mean Time to Contain, the average duration from incident detection to successful containment of the threat. MTTC is a key security operations metric, with top-performing teams targeting containment within 1 hour of detection.

MTTD

Cybersecurity

Mean Time to Detect, the average duration from when a security incident begins to when it is identified. Industry median MTTD is 204 days for data breaches according to IBM, making detection speed the highest-leverage security investment.

MTTR

Cybersecurity

Mean Time to Remediate, the average duration from incident detection to full resolution. MTTR measures the effectiveness of incident response processes and is tracked as a key performance indicator in SOC operations.

N 11 terms

NAICS Code

GovCon Compliance

North American Industry Classification System code, the six-digit identifier the Census Bureau publishes and federal contracting officers assign to each solicitation to indicate the principal nature of the work. SBA pairs each NAICS code with a small business size standard (a revenue ceiling or employee count) at 13 CFR 121.201; contractors above the size standard cannot self-certify as small for that solicitation. The contracting officer's NAICS designation drives both the size determination and the set-aside eligibility, and may be appealed to the SBA Office of Hearings and Appeals within 10 calendar days of solicitation issuance.

The practice of dividing a federal information system into discrete network zones so that compromise of one zone does not yield access to others. Under the federal zero trust strategy, segmentation evolves from the legacy "trusted internal network" model to micro-segmentation: every workload is its own enforcement boundary, and every request between workloads is authenticated and authorized at the application layer. The CISA Zero Trust Maturity Model treats segmentation as the Networks pillar; the Optimal stage requires fully distributed ingress and egress controls and automated, dynamic enforcement based on application identity, not IP address.

NIST

AI Governance

National Institute of Standards and Technology, the U.S. agency that publishes cybersecurity frameworks, standards, and guidelines. NIST publications including the CSF, SP 800-53, and AI RMF form the foundation of most federal and private-sector security programs.

NIST AI RMF

AI Governance

NIST Artificial Intelligence Risk Management Framework, a voluntary framework for managing AI risks across the development lifecycle. NIST AI RMF 1.0 organizes AI risk management into four core functions: Govern, Map, Measure, and Manage.

NIST AI RMF (AI 100-1)

Federal AI Governance

NIST Artificial Intelligence Risk Management Framework 1.0, published January 26, 2023 as NIST AI 100-1, the voluntary framework federal agencies and many private organizations use to govern AI risk. The framework organizes around four functions (Govern, Map, Measure, Manage) and is paired with the NIST AI RMF Playbook for implementation guidance. The Generative AI Profile (NIST AI 600-1, July 2024) extends the framework to large language models and other foundation models. The framework is voluntary; OMB M-25-21 makes substantial elements of it operationally mandatory for federal agencies.

NIST CSF

GRC Engineering

NIST Cybersecurity Framework, a voluntary framework providing a common language for managing cybersecurity risk. NIST CSF 2.0 includes six functions: Govern, Identify, Protect, Detect, Respond, and Recover.

NIST SP 800-171

Cybersecurity

NIST Special Publication 800-171 defines 110 security requirements for protecting Controlled Unclassified Information in nonfederal systems. CMMC Level 2 maps directly to NIST SP 800-171 Revision 2, making it the operational foundation for defense contractor cybersecurity certification.

NIST Special Publication 800-171 Revision 2 defines 110 security requirements across 14 control families for protecting Controlled Unclassified Information in nonfederal systems. It is the technical baseline for CMMC Level 2 and the operational requirement embedded in DFARS 252.204-7012. Revision 3, published May 2024, restructures the catalog and is expected to replace Revision 2 in the CMMC ruleset on a future timeline DoD has not yet committed to.

NIST SP 800-207

Federal Cybersecurity

NIST Special Publication 800-207, "Zero Trust Architecture", published August 2020 by the NIST Computer Security Division. The publication is the federal canonical definition of zero trust: an architecture that assumes no implicit trust based on network location and instead authenticates and authorizes every access request based on the identity, the device posture, and the resource sensitivity at the moment of the request. SP 800-207 introduces the Policy Decision Point and Policy Enforcement Point reference model that the CISA Zero Trust Maturity Model and OMB Memorandum M-22-09 build on.

NIST SP 800-53

Cybersecurity

NIST Special Publication 800-53, the catalog of security and privacy controls for federal information systems. SP 800-53 Rev. 5 contains over 1,000 controls across 20 families and serves as the baseline for FedRAMP and FISMA compliance.

NIST SP 800-53 Revision 5

FISMA & NIST RMF

NIST Special Publication 800-53 Revision 5, the catalog of 1,007 security and privacy controls organized into 20 families that federal information systems use to satisfy FISMA. Revision 5 was published September 2020 and integrated privacy controls into the security catalog for the first time, added a Supply Chain Risk Management family, and reframed many controls in outcome-based language. It is the technical baseline for FedRAMP, FISMA, and most agency Risk Management Framework implementations.

O 10 terms

OCR

HIPAA

Office for Civil Rights, the HHS division responsible for HIPAA enforcement including complaint investigation, compliance audits, and penalty assessment. OCR publishes all breaches affecting 500+ individuals on the public Breach Portal.

OMB M-22-09

Federal Zero Trust

OMB Memorandum M-22-09, "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles", issued January 26, 2022. The memorandum sets specific federal zero trust goals across five pillars (identity, devices, networks, applications, and data) and required federal civilian executive branch agencies to meet them by the end of fiscal year 2024. Headline requirements include enterprise-managed identities with phishing-resistant multi-factor authentication, encrypted DNS and HTTP traffic, isolation of agency applications from networks, and treatment of every application as internet-facing for security purposes.

OMB M-25-21

Federal AI Governance

The OMB memorandum dated April 3, 2025, "Accelerating Federal Use of AI through Innovation, Governance, and Public Trust", which rescinds and replaces the Biden-era M-24-10. M-25-21 keeps the federal CAIO role and the high-impact AI use case definition, but reframes the governance posture from precaution to acceleration: agencies are directed to remove process barriers to AI adoption, publish annual AI use case inventories, and certify compliance with the minimum risk management practices for high-impact systems. The companion memo M-25-22 covers AI acquisition.

OPA

GRC Engineering

Open Policy Agent, an open-source policy engine that enables policy-as-code enforcement across Kubernetes, APIs, and CI/CD pipelines. OPA evaluates compliance policies in real time, preventing non-compliant configurations from reaching production.

OSCAL

GRC Engineering

Open Security Controls Assessment Language, a NIST-developed machine-readable format for expressing security control catalogs, baselines, and assessment results. OSCAL enables automated compliance validation across frameworks including FedRAMP and NIST SP 800-53.

OSCAL

FISMA & NIST RMF

Open Security Controls Assessment Language, a NIST-developed family of machine-readable formats (XML, JSON, YAML) for security control catalogs, baselines, System Security Plans, assessment plans, assessment results, and Plans of Action and Milestones. OSCAL is the foundation of FedRAMP 20x automation and the long-term path to making federal authorization artifacts queryable, diffable, and reusable across agencies rather than locked in PDFs.

OSCAL (federal context)

Federal GRC Engineering

The federal use of Open Security Controls Assessment Language as the machine-readable authorization artifact format for FedRAMP 20x and DoD cATO programs. OSCAL renders System Security Plans, assessment plans, assessment results, and Plans of Action and Milestones as structured XML, JSON, or YAML rather than narrative PDFs. The federal value is composability: a control implemented once at the cloud platform layer can be inherited and referenced (not copied) by every tenant authorization above it, and a vulnerability in a shared control surfaces in every dependent authorization automatically. OSCAL is the foundation FedRAMP 20x is built on.

OSCP

SOC 2

Offensive Security Certified Professional, a hands-on penetration testing certification requiring a 24-hour practical exam. OSCP validates the ability to identify vulnerabilities and execute exploits against live systems.

OSWE

SOC 2

Offensive Security Web Expert, an advanced certification for web application penetration testing. OSWE validates expertise in identifying and exploiting web application vulnerabilities through source code analysis.

OWASP

AI Governance

Open Worldwide Application Security Project, a nonprofit foundation producing freely available security tools, standards, and knowledge bases. The OWASP Top 10 is the most widely referenced list of critical web application security risks.

P 19 terms

3PAO

FedRAMP

Third-Party Assessment Organization, an independent firm accredited by the American Association for Laboratory Accreditation (A2LA) to perform FedRAMP security assessments. A 3PAO conducts the initial authorization assessment, issues the Security Assessment Report, and performs the annual reassessment that maintains continuous authorization. Cloud service providers cannot self-assess for FedRAMP.

P-ATO

FedRAMP

Provisional Authority to Operate, the authorization issued by the FedRAMP Joint Authorization Board that allows a cloud service offering to be used by any federal agency without each agency repeating the assessment. A P-ATO is the strongest market signal in FedRAMP because it represents review by the DoD, DHS, and GSA acting jointly. Under FedRAMP 20x the JAB has been retired and the Program Management Office now issues authorizations directly.

PaaS

Cloud Security

Platform as a Service, a cloud model where the provider manages infrastructure and platform layers while the customer retains responsibility for application code, data access controls, and audit logging. PaaS narrows the compliance burden compared to IaaS but does not eliminate data-layer obligations.

PAM

GRC Engineering

Privileged Access Management, controls that secure, monitor, and audit access for accounts with elevated system permissions. PAM solutions enforce just-in-time access, session recording, and credential vaulting for administrator accounts.

Patch Management

Cybersecurity

Process of testing and applying software updates to fix known vulnerabilities and maintain system security. Most compliance frameworks require critical patches within 14-30 days and CISA KEV patches within defined timelines.

PCI DSS

Cybersecurity

Payment Card Industry Data Security Standard, the set of security requirements for organizations that store, process, or transmit cardholder data. PCI DSS compliance is enforced by payment brands (Visa, Mastercard) and validated through annual assessments.

PCI DSS 4.0

Cybersecurity

The current version of the Payment Card Industry Data Security Standard, effective March 2024. PCI DSS 4.0 introduces customized validation approaches, targeted risk analyses, and enhanced authentication requirements including MFA for all access to cardholder data.

PCI SSC

Cybersecurity

Payment Card Industry Security Standards Council, the global body that develops and maintains PCI DSS and related payment security standards. The PCI SSC does not enforce compliance directly; enforcement flows through payment brands and acquiring banks.

Penetration Testing

Cybersecurity

Authorized simulated cyberattack against systems to identify exploitable vulnerabilities before adversaries do. SOC 2 auditors evaluate penetration testing evidence under CC4.1, and PCI DSS requires annual penetration tests by qualified assessors.

PHI

HIPAA

Protected Health Information, any individually identifiable health information held by a HIPAA covered entity or business associate. PHI encompasses 18 specific identifiers including names, dates, Social Security numbers, and medical record numbers.

Phishing-Resistant MFA

Federal Zero Trust

Multi-factor authentication that, by protocol design, prevents an attacker from impersonating the legitimate verifier and capturing or relaying the authenticator output. CISA names FIDO2/WebAuthn and PIV/CAC smart cards as the gold-standard mechanisms. OMB Memorandum M-22-09 requires phishing-resistant MFA for federal civilian executive branch staff, contractors, and partners and explicitly directs agencies to discontinue authentication methods that fail to resist phishing, including SMS one-time codes, voice calls, and push notifications without number matching. The shift is from "MFA exists" to "MFA an attacker cannot phish."

HIPAA Security Rule category covering physical measures that protect electronic information systems and facilities from unauthorized access. Physical safeguards include facility access controls, workstation security, and device disposal procedures.

PII

Cybersecurity

Personally Identifiable Information, any data that can identify a specific individual either directly or in combination with other data. PII protection is required under CCPA, GDPR, and state privacy laws, with definitions varying by jurisdiction.

POA&M

Cybersecurity

Plan of Action and Milestones, a formal remediation document listing security deficiencies, corrective actions, responsible owners, and target completion dates. In CMMC assessments, open POA&M items must be resolved before certification is issued.

Plan of Action and Milestones, the formal document tracking each unimplemented or partially implemented security control, the planned remediation, the responsible owner, and the closure date. Under CMMC 2.0, POA&M closure is permitted only for a limited subset of NIST SP 800-171 controls scoring 1 point and only if at least 88 of 110 points are achieved, with all POA&M items closed within 180 days of conditional certification.

A PCI-validated encryption standard that encrypts cardholder data from the point of interaction through decryption in a secure environment, removing intermediate systems from PCI DSS scope. The single most effective scope reduction strategy for brick-and-mortar merchants.

Privacy

SOC 2

One of five SOC 2 Trust Services Criteria, addressing how personal information is collected, used, retained, disclosed, and disposed. Privacy controls map to GAPP principles and overlap with GDPR and CCPA requirements.

Privacy Rule

HIPAA

HIPAA regulation establishing national standards for protecting individuals' medical records and personal health information. The Privacy Rule governs who can access PHI, how it can be used, and when patient authorization is required.

Prohibited AI Practices

AI Governance

AI applications banned under the EU AI Act as posing unacceptable risk to fundamental rights. Prohibited practices include social scoring, real-time biometric identification in public spaces, and AI systems that exploit vulnerabilities of specific groups.

Q 3 terms

QMS

AI Governance

Quality Management System, a formalized system documenting processes, procedures, and responsibilities for achieving quality objectives. ISO 42001 AI management systems borrow QMS principles from ISO 9001 for governing AI quality and performance.

QSA

Cybersecurity

Qualified Security Assessor, an individual certified by the PCI SSC to conduct PCI DSS assessments and produce Reports on Compliance. For Level 1 merchants and service providers, a QSA-led assessment is required.

An auditor's opinion that controls are effective except for specific identified exceptions. A qualified SOC 2 opinion signals to customers that material control deficiencies exist, often triggering vendor review processes.

R 11 terms

RACI

Cybersecurity

Responsibility matrix defining who is Responsible, Accountable, Consulted, and Informed for each task or decision. RACI charts are essential in compliance programs to establish clear ownership of controls and audit evidence.

RAG

AI Governance

Retrieval-Augmented Generation, an AI architecture that grounds language model outputs in retrieved factual data from external sources. RAG reduces hallucination risk by providing the model with verified source material before generating responses.

RBAC

Cybersecurity

Role-Based Access Control, an access management model where permissions are assigned to organizational roles rather than individual users. RBAC simplifies access provisioning and deprovisioning, which SOC 2 auditors evaluate under CC6.1 and CC6.3.

Remediation

GRC Engineering

Process of addressing identified security vulnerabilities or compliance gaps through corrective actions. Remediation tracking with defined timelines, owners, and validation steps is a core audit expectation across all compliance frameworks.

The formal deliverable produced by a QSA after completing a PCI DSS assessment, documenting scope, methodology, findings, and compliance status. Submitted to the acquiring bank or payment brand as evidence of PCI DSS compliance.

Rev 5 Baselines

FedRAMP

The FedRAMP control baselines aligned to NIST SP 800-53 Revision 5, which superseded Revision 4 across the FedRAMP program in 2023. The Revision 5 Low baseline contains 156 controls, Moderate contains 323, and High contains 410, with new emphasis on supply chain risk management, privacy, and contractor accountability that did not appear at the same depth in Revision 4.

Systematic identification and evaluation of risks to ePHI confidentiality, integrity, and availability. HIPAA's Security Rule requires documented risk analysis as the foundation of all subsequent security decisions and safeguard selections.

Risk Assessment

GRC Engineering

Structured process of identifying, analyzing, and evaluating organizational risks to inform control selection and resource allocation. Risk assessments combine threat identification, vulnerability analysis, and impact estimation to prioritize security investments.

NIST Special Publication 800-37 Revision 2 defines the seven-step Risk Management Framework that federal agencies use to bring information systems into operation under FISMA. The steps are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor; each produces specific artifacts that feed the next. The framework replaced the older Certification and Accreditation process in 2010 and has been the de facto federal authorization process since.

Risk Register

GRC Engineering

Documented inventory of identified risks including likelihood, impact, risk owner, and treatment strategy. The risk register is a living document reviewed quarterly by most organizations and is a standard audit artifact for SOC 2 and ISO 27001.

RMF

AI Governance

Risk Management Framework, a structured approach for integrating security and risk management into system development lifecycles. NIST RMF (SP 800-37) defines seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

S 24 terms

SaaS

HIPAA

Software as a Service, a cloud delivery model where applications are hosted by a provider and accessed via the internet. SaaS vendors handling sensitive data are primary targets for SOC 2 audits because customers cannot inspect the underlying infrastructure.

SAM.gov

GovCon Compliance

The System for Award Management at sam.gov, the consolidated federal portal where prospective contractors register to do business with the U.S. government, search for contract opportunities, and access award and entity data. SAM consolidated nine legacy systems including CCR, ORCA, EPLS, and FBO into a single GSA-operated platform. Active SAM registration is a precondition for any federal award above the micro-purchase threshold; FAR 4.1102 requires the contractor to be registered at award and to maintain registration throughout contract performance. Registration renews annually.

SASE

HIPAA

Secure Access Service Edge, a cloud architecture combining network security functions (SWG, CASB, FWaaS) with WAN capabilities into a unified service. SASE replaces traditional VPN-based access for distributed workforces.

SBOM

Federal GRC Engineering

Software Bill of Materials, a formal, machine-readable inventory of the software components, libraries, and dependencies that compose a software product, including supplier, version, and dependency relationships. Section 4 of Executive Order 14028 (May 12, 2021) required NTIA to publish minimum SBOM elements, which it did in July 2021, and required federal software acquisitions to include SBOMs. The standard formats are CycloneDX and SPDX. SBOMs are the input that lets a buyer determine in minutes whether a newly disclosed vulnerability (a Log4j, an XZ Utils backdoor) affects software the buyer is running.

SEC

Cybersecurity

Securities and Exchange Commission, the U.S. regulator requiring public companies to disclose material cybersecurity incidents within four business days. SEC cybersecurity rules adopted in 2023 also require annual disclosure of cybersecurity governance and risk management processes.

Structured education programs that teach employees to recognize and respond to security threats like phishing, social engineering, and data handling violations. HIPAA, PCI DSS, and SOC 2 all require documented security awareness training at least annually.

HIPAA regulation establishing national standards for protecting ePHI through required administrative, physical, and technical safeguards. The Security Rule specifies both required and addressable implementation specifications.

Select Step (RMF Step 2)

FISMA & NIST RMF

The second operational step of the Risk Management Framework, in which the system owner selects the appropriate NIST SP 800-53 baseline (Low, Moderate, or High) based on the categorization, then tailors the baseline by adding, removing, or supplementing controls to address system-specific risk. The output is a documented set of controls and a draft System Security Plan that frames everything that follows.

SF 1408

GovCon Compliance

Standard Form 1408, the "Pre-Award Survey of Prospective Contractor Accounting System", used by DCAA to determine whether a contractor accounting system is adequate to support a cost-reimbursement contract. The form lists 14 design criteria including segregation of direct and indirect costs, identification and accumulation of direct costs by contract, a logical and consistent indirect cost allocation method, and timekeeping that distinguishes work by job. A contractor must pass an SF 1408 review before a contracting officer may award a cost-type contract; the audit is the gate, not a courtesy.

Shadow AI

AI Governance

Unauthorized use of AI tools by employees without organizational approval, creating unmonitored risk exposure. Shadow AI bypasses data governance controls and can expose sensitive data through prompts to external AI services.

Cloud security framework dividing security obligations between the provider and customer. The provider secures infrastructure (physical, network, hypervisor) while the customer secures data, identity, access, and application configurations.

SIEM

Cybersecurity

Security Information and Event Management, a platform that aggregates and analyzes security log data from across an organization to detect threats. SIEM is a core detection control for SOC 2 (CC7.2) and provides the correlation engine for incident response.

SLA

SOC 2

Service Level Agreement, a contractual commitment defining performance standards, uptime guarantees, and remediation procedures between service providers and customers. SOC 2 Availability criteria directly reference SLA commitments.

SOAR

Cybersecurity

Security Orchestration, Automation, and Response, a platform that automates incident response workflows by integrating security tools and executing predefined playbooks. SOAR reduces manual response effort and accelerates MTTC.

Centralized facility where security analysts monitor, detect, and respond to cybersecurity incidents in real time. SOCs operate 24/7 using SIEM, EDR, and threat intelligence feeds to maintain continuous security monitoring.

SOC 2

Cybersecurity

Service Organization Control 2, an audit framework developed by AICPA that evaluates a service organization's controls across five Trust Services Criteria. SOC 2 reports are the standard due diligence requirement for SaaS vendors handling customer data.

A SOC 2 audit that tests both design and operating effectiveness of controls over a period typically of six months or longer. Type II reports carry more weight than Type I because they demonstrate sustained compliance, not a single-day snapshot.

Social Scoring

AI Governance

The use of AI systems by public authorities to evaluate or classify individuals based on social behavior or personal characteristics, producing detrimental or disproportionate treatment. Prohibited under EU AI Act Article 5(1)(c), with penalties up to 35 million EUR or 7% of global revenue.

SPRS

Cybersecurity

Supplier Performance Risk System, a DoD system where defense contractors upload self-assessed compliance scores against NIST SP 800-171. SPRS scores are visible to contracting officers during source selection and range from 110 (fully compliant) to negative values.

SPRS

CMMC

Supplier Performance Risk System, the DoD-managed database where defense contractors post their NIST SP 800-171 self-assessment scores. The SPRS score is calculated on a 110-point scale where each unimplemented control is deducted at a weight of 1, 3, or 5 points; a perfect score is 110 and the floor is negative 203. Contracting officers check SPRS before award, and a current score is a precondition to receive any DFARS 252.204-7012 contract.

SSO

HIPAA

Single Sign-On, an authentication scheme allowing users to access multiple applications with one set of credentials. SSO reduces password fatigue and improves security by centralizing authentication, enabling consistent MFA enforcement.

A browser security mechanism verifying that externally hosted scripts have not been tampered with, using cryptographic hashes embedded in script tags. Required under PCI DSS 4.0.1 Requirement 6.4.3 for payment page script integrity verification.

A formal document describing how an organization implements security controls for a specific system boundary, including data types, operational environment, and how each control requirement is met. Required for FedRAMP authorization and CMMC Level 2 certification.

The authoritative document describing how a contractor system implements each of the 110 NIST SP 800-171 controls, the system boundary, the interconnections, and the personnel responsibilities. The SSP is the primary artifact a C3PAO assessor reads before fieldwork, and an incomplete or inaccurate SSP is the most common reason a Level 2 assessment fails on the first attempt.

T 7 terms

Tabletop Exercise

Cybersecurity

Simulation-based discussion exercise where key stakeholders walk through an incident response scenario without executing actual technical procedures. Tabletop exercises test decision-making, communication protocols, and plan gaps in a low-risk environment.

Technical Documentation

AI Governance

Required documentation under the EU AI Act proving that high-risk AI systems meet regulatory requirements. Technical documentation must cover system architecture, training data, testing methodology, and performance metrics before market placement.

HIPAA Security Rule category covering technology-based protections for ePHI including access controls, encryption, audit controls, and transmission security. Technical safeguards require both implementation and documented procedures.

TINA

GovCon Compliance

The Truth in Negotiations Act, now codified at 10 U.S.C. Chapter 271 and implemented by FAR 15.403, requires contractors to submit certified cost or pricing data to the government before negotiating a contract or modification above the statutory threshold. The threshold rose to $2 million effective July 1, 2018 under the FY 2018 NDAA. A defective certification, meaning data that was inaccurate, incomplete, or noncurrent as of the date of agreement on price, exposes the contractor to a price reduction, interest, and potentially a False Claims Act case. TINA does not apply to commercial item acquisitions or competitively awarded contracts.

TLS

HIPAA

Transport Layer Security, a cryptographic protocol securing data in transit between systems over a network. TLS 1.2 is the minimum acceptable version for HIPAA, PCI DSS 4.0, and most compliance frameworks. TLS 1.3 is recommended.

The five AICPA-defined categories that form the basis of SOC 2 audits: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only mandatory criterion. Organizations select additional criteria based on their service commitments.

Type I and Type II

SOC 2

The two forms of SOC 2 report. A Type I report evaluates whether controls are suitably designed as of a single point in time. A Type II report evaluates both design and operating effectiveness over an observation period, typically three to twelve months; the AICPA sets no minimum, but enterprise customers commonly expect at least six months and will ask about any gap between consecutive periods. Type II is the standard enterprise requirement.

U 2 terms

UEI

GovCon Compliance

Unique Entity Identifier, the 12-character alphanumeric ID that GSA assigns through SAM.gov and the federal government's sole entity identifier as of April 4, 2022. The UEI replaced the Dun & Bradstreet DUNS Number on that date under the GSA Integrated Award Environment program, ending the long reliance on a proprietary identifier. The UEI is generated within SAM and stays with the entity even if its legal name or address changes. Every contractor, grantee, and subrecipient that does business with the federal government must have an active UEI.

Unallowable Cost

GovCon Compliance

A cost that fails one or more of the FAR 31.201-2 allowability tests or appears on the FAR 31.205 list of expressly unallowable items. Examples include alcoholic beverages (31.205-51), bad debts (31.205-3), entertainment (31.205-14), federal income tax (31.205-41), goodwill (31.205-49), and lobbying (31.205-22). FAR 31.201-6 requires contractors to identify and segregate unallowable costs in their accounting records and exclude them from any billing, claim, or proposal to the government. Failure to segregate is a frequent DCAA audit finding and a False Claims Act exposure if the cost is then billed.

V 4 terms

VPN

HIPAA

Virtual Private Network, an encrypted tunnel that extends the organization's network to a remote user or site. The HIPAA Security Rule names no cipher, key length, or authenticator: encryption is an addressable implementation specification, and HHS points to NIST guidance for what counts as adequate. In practice a VPN carrying ePHI is expected to use a FIPS 140-validated cipher suite (AES-256 is the common choice), a current IKEv2 or TLS transport, and multi-factor authentication for every workforce member connecting remotely. A VPN that permits split tunneling or never re-authenticates a session undermines both of those controls.

VRM

GRC Engineering

Vendor Risk Management, the process of assessing and monitoring third-party vendors for security, compliance, and operational risks. VRM programs evaluate vendors through security questionnaires, SOC 2 reports, and continuous monitoring.

Vulnerability Disclosure Policy

Federal Cybersecurity

A public policy that authorizes good-faith security research against an organization's internet-accessible systems and gives researchers a clear channel to report what they find. CISA Binding Operational Directive 20-01 (September 2, 2020) requires every federal civilian executive branch agency to publish a VDP, to state in it that good-faith research consistent with the policy will not be referred for legal action, to name the systems in scope on a published list, and to bring all internet-accessible systems into scope within two years of the directive. The directive draws on ISO/IEC 29147 and codifies the practice that researcher reports are received, acknowledged, triaged, and acted on without legal threat to the researcher.
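The reporting channel a VDP promises is conventionally published in machine-readable form as an RFC 9116 security.txt file at /.well-known/security.txt, and a file that is stale or malformed is as good as no channel. The checker below is an added example, not code from this glossary's author or from CISA; it assumes the organization publishes its channel this way. The two sample files, the example.gov host, and the fixed check date are constructed for the example.

```python
"""Check an RFC 9116 security.txt file before it is published.

Sample files are constructed for this example; example.gov is a placeholder.
RFC 9116 makes Contact and Expires mandatory, allows Expires and
Preferred-Languages at most once, and recommends an Expires under a year out.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("Contact", "Expires")
SINGLE_VALUED = ("Expires", "Preferred-Languages")
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")

# Fixed clock so the checks are reproducible; a real run would use datetime.now(timezone.utc).
CHECK_TIME = datetime(2030, 6, 1, tzinfo=timezone.utc)

GOOD = """\
# Constructed sample for an agency primary .gov site
Contact: https://www.example.gov/vulnerability-disclosure-policy
Contact: mailto:vdp@example.gov
Expires: 2031-01-01T00:00:00Z
Policy: https://www.example.gov/vulnerability-disclosure-policy
Canonical: https://www.example.gov/.well-known/security.txt
Preferred-Languages: en
"""

STALE = """\
# Constructed sample: published once and never maintained
Contact: http://www.example.gov/report
Expires: 2021-09-02T00:00:00Z
"""


def parse_security_txt(text: str) -> dict:
    """Field name -> list of values in file order; comments and blank lines are skipped."""
    fields: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime = CHECK_TIME) -> list:
    """Return the list of problems found; an empty list means the file passes."""
    fields = parse_security_txt(text)
    problems = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for contact in fields.get("Contact", []):
        # plain http: exposes the researcher's report path to tampering in transit
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not an https, mailto or tel URI: {contact}")
    if len(fields.get("Expires", [])) == 1:
        raw = fields["Expires"][0].replace("Z", "+00:00")  # fromisoformat on Python < 3.11 rejects Z
        try:
            expires = datetime.fromisoformat(raw)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {fields['Expires'][0]}")
        else:
            if expires.tzinfo is None:
                problems.append("Expires must carry a UTC offset")
            elif expires <= now:
                problems.append("Expires is in the past; researchers should treat the file as stale")
            elif expires > now + timedelta(days=366):
                problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("stale", STALE)):
        print(label, check_security_txt(text) or "OK")
```

Run this against the file in the deploy pipeline rather than once at publication: the Expires check is the one that fails silently a year later, and an expired file is exactly the condition the directive's maintenance obligation is meant to prevent.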

Vulnerability Management

Cybersecurity

Continuous process of identifying, classifying, prioritizing, and remediating vulnerabilities across an organization's infrastructure. Mature programs combine authenticated scanning with full asset coverage, risk-based prioritization that weighs evidence of exploitation (for example, presence on the CISA Known Exploited Vulnerabilities catalog) alongside CVSS severity, and remediation SLAs tracked per severity and asset class. Coverage is the usual weak point: an asset the scanner never sees is never in the queue.

W 2 terms

WAF

HIPAA

Web Application Firewall, a filter in front of a web application that inspects HTTP requests and responses and blocks or logs those matching attack patterns. WAFs target injection-class attacks from the OWASP Top 10 such as SQL injection and cross-site scripting; PCI DSS v4.0 requirement 6.4.2 requires an automated technical solution of this kind in front of public-facing web applications. A WAF is a compensating control, not a fix: it does not change vulnerable code, rule bypasses are routine, and a WAF left in detect-only mode blocks nothing.

Workforce Training

HIPAA

HIPAA requirement that all workforce members receive training on the policies and procedures for protecting PHI (Privacy Rule, 45 CFR 164.530(b)) and on security awareness (Security Rule, 45 CFR 164.308(a)(5)). Training must occur when a person joins the workforce, periodically thereafter, and whenever a material change in policy affects their duties, and the training must be documented and the records retained.

X 1 term

XDR

Cybersecurity

Extended Detection and Response, a vendor-integrated platform that brings telemetry from endpoints, network sensors, cloud workloads, identity, and email into one detection and investigation interface. XDR correlates across sources that EDR covers only for endpoints and that a SIEM sees only as whatever logs were forwarded to it; its coverage is therefore bounded by the vendor's own integrations.

Z 4 terms

ZDR

HIPAA

Zero-Day Response, the security operations process for a vulnerability that is being exploited before a vendor patch exists. Because nothing can be patched, the response consists of compensating controls (disabling the affected feature, virtual patching at the WAF or IPS, network segmentation to cut the exploit path), accelerated detection from published indicators, and a plan to apply the vendor fix the moment it ships.

Zero Trust Architecture

Cybersecurity

Security model requiring strict identity verification for every person and device attempting to access resources, regardless of network location. Zero trust operates on "never trust, always verify" and eliminates implicit trust based on network perimeters.


ZTMM

Federal Zero Trust

The CISA Zero Trust Maturity Model, a self-assessment framework that helps federal civilian executive branch agencies plan and measure progress against OMB Memorandum M-22-09. Version 2.0 (April 2023) defines four maturity stages (Traditional, Initial, Advanced, Optimal) across five pillars (Identity, Devices, Networks, Applications and Workloads, Data) and three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, Governance). The Optimal stage requires automated dynamic policy enforcement, continuous validation, and self-enumerating dependencies. Most FCEB agencies report at the Initial or Advanced stage on most pillars as of late 2025.

ZTNA

HIPAA

Zero Trust Network Access, a technology that brokers remote access by verifying user identity, device posture, and context before granting access to a specific application rather than to a network segment. ZTNA is positioned as the replacement for network-level VPN access: a compromised VPN credential exposes every host reachable through the tunnel, while a ZTNA policy exposes only the applications it names.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.