SMB • DEFINITIONS • PLAIN-ENGLISH

Security & Compliance, defined simply.

A practical glossary for founders, IT leaders, and procurement teams.

General Security

Plain-English definitions for common security concepts.

Zero Trust
“Never trust, always verify.” Check identity, device health, and least privilege on every access—not just at login or the network edge.
Least Privilege (PoLP)
Give each user/service only the access needed to perform their job—nothing more. Reduces blast radius.
EDR / XDR / SIEM
EDR monitors endpoints; XDR extends to email/cloud/identity; SIEM centralizes logs for detection/investigation.
MFA (Multi-Factor Authentication)
Require something you know (password) plus something you have (authenticator app or hardware key) and/or something you are (biometrics) to log in.
DLP (Data Loss Prevention)
Policies and tooling to prevent sensitive data from leaving via email, web, storage, or endpoints (copy/USB restrictions).
BCP/DR, RTO/RPO
BCP/DR are business continuity and disaster recovery plans. RTO is the target time to restore service; RPO is the maximum acceptable data-loss window.
TPRM (Third-Party Risk Management)
Evaluate and monitor vendors (security questionnaire, evidence, contracts). See also supply-chain and flow-downs.
Identity & Access

Authentication, authorization, and workforce/customer identity terms.

IAM (Identity & Access Management)
Policies and systems for user lifecycle, roles, MFA, SSO, and privileged access.
SSO, SAML, OIDC/OAuth2
SSO = single sign-on. SAML and OIDC/OAuth2 are protocols to federate identity across apps.
PAM (Privileged Access Management)
Controls for admin accounts: vaulting, session recording, approvals, JIT access.
Risk & GRC

Risk language and governance artifacts used in audits and questionnaires.

Risk Register / Treatment
A list of risks with impact/likelihood, owners, deadlines, and treatment (accept, mitigate, transfer).
SSP / POA&M / Evidence Binder
SSP: what’s implemented; POA&M: gaps & close plan; Binder: tickets/screenshots/configs mapped to controls.
SPRS Score (NIST 800-171)
Numeric score self-reported to DoD for 800-171. Required by DFARS 7019/7020 for CUI programs.
CVSS / EPSS / KEV
CVSS = severity scoring model; EPSS = probability of exploitation; KEV = Known Exploited Vulnerabilities catalog. Used together to prioritize remediation.
Risk Appetite & ROI
How much risk you’re willing to accept for growth. Helpful for prioritization and board reporting.
Frameworks & Certifications

What buyers ask for, and what maps to regulations.

NIST CSF 2.0
Security program blueprint organized by Identify, Protect, Detect, Respond, Recover with governance and supply-chain themes.
SOC 2 (Type II)
Independent auditor's report on controls (security, availability, etc.) operating over a 3–12 month period. Common enterprise requirement for SaaS.
ISO/IEC 27001 (ISMS)
International standard for managing information security (ISMS). Great global/enterprise signal; pairs well with SOC 2.
PCI DSS (SAQ / ROC)
Cardholder data standard. Scope depends on how you handle cards (redirect/tokenized vs store/process).
HITRUST (e1/i1/r2)
Healthcare-oriented assurances layered on HIPAA expectations. i1 is a common “signal” for payers; r2 for higher rigor.
ISO/IEC 27701 (Privacy)
Privacy extension to ISO 27001. Helpful for GDPR/UK GDPR-conscious buyers.
Government & Defense

Terms used in FAR/DFARS/CMMC, FedRAMP, and ATO/RMF contexts.

FCI & FAR 52.204-21 (CMMC L1)
Federal Contract Information: government contract info not for public release. Requires 15 basic safeguarding controls (FAR clause), validated via CMMC Level 1.
CUI & DFARS 7012/7019/7020/7021 (CMMC L2)
Controlled Unclassified Information: sensitive but unclassified. Requires NIST SP 800-171 (110 controls), an SPRS score, and program alignment per CMMC.
SPRS Score & 72-hour reporting
Report incidents within 72 hours (DFARS 7012). Maintain and post your NIST 800-171 score to SPRS for solicitations.
FedRAMP (Moderate/High) & DoD SRG IL4/IL5
Authorization for cloud services used by government. CUI in a CSP generally expects FedRAMP Moderate (or accepted equivalent).
RMF / NIST SP 800-53 / ATO
Risk Management Framework and control catalog for systems run on behalf of agencies; ends in an Authority to Operate.
ITAR / EAR (Export Controls)
Rules controlling defense-related tech and dual-use items. Impacts who can access your data, code, and build process.
C3PAO & OSC
C3PAO is a CMMC Third-Party Assessment Organization. OSC is the Organization Seeking Certification.
Gov Contracts Compliance Navigator
Decision-tree that shows which clauses and frameworks apply, with an execution plan.
Vulnerability & Testing

Discovery, prioritization, and validation.

Attack Surface / EASM
Everything exposed to the internet (domains, IPs, APIs). EASM tools inventory and monitor this continuously.
Pen Test / Red vs Blue vs Purple
Red=offense, Blue=defense, Purple=collab. Pen tests validate exploitable paths and give evidence for customers.
SBOM & NIST SSDF (SP 800-218)
Inventory of components and secure-by-design practices across the SDLC; increasingly required in procurement.
Vulnerability Re-Scorer
Combine CVSS with business context and EPSS/KEV to decide what to fix first.
Cloud & DevSecOps

Modern cloud controls and acronyms you’ll see in RFPs.

CSPM / CNAPP / CWPP / CIEM
CSPM = cloud configuration/posture management; CWPP = workload protection; CIEM = cloud identity entitlements. Often bundled together in CNAPP platforms.
SASE / SSE / ZTNA
Secure Access Service Edge (or its SSE subset) replaces legacy VPNs with Zero Trust Network Access and web/app access controls.
IaC & CI/CD security
Secure infrastructure-as-code, secrets scanning, dependency management, and gated releases.
Privacy & Data

Customer data obligations by geography and sector.

GDPR/UK GDPR & DPA/DPIA/ROPA
EU/UK privacy laws; DPA adds processor obligations; DPIA is impact assessment; ROPA documents processing.
HIPAA / BAA / PHI
US healthcare privacy/security law. BAAs define vendor responsibilities; PHI is protected health information.
GLBA/FFIEC & NYDFS 500 (Finserv)
Banking sector expectations for safeguards, vendor oversight, and incident reporting (state-level overlays like NYDFS 500).
US State Privacy (e.g., CCPA/CPRA)
State laws governing consumer data rights, notices, and deletion/DSAR workflows.