Cybersecurity Terms and Definitions Glossary
The cybersecurity field operates on a precise technical vocabulary that underpins regulatory compliance, professional certification, contractual obligations, and operational practice. This page maps the core terms and definitions that structure the discipline — covering foundational concepts, threat classifications, control frameworks, and regulatory language used across US federal and industry standards. Professionals navigating procurement decisions, compliance audits, or workforce credentialing will find this glossary organized to reflect how the sector itself is structured, not how introductory curricula present it.
Definition and scope
A cybersecurity glossary, in regulatory and standards practice, is a normative reference document that assigns precise, bounded meanings to technical and legal terms. The distinction between normative and informative definitions is material: normative definitions carry binding force within a framework or statute, while informative definitions provide context without imposing obligation.
The primary authoritative source for US federal cybersecurity terminology is the NIST Computer Security Resource Center (CSRC) Glossary, which aggregates definitions from over 60 NIST publications, Federal Information Processing Standards (FIPS), and Committee on National Security Systems (CNSS) Instruction 4009. CNSS Instruction 4009 is the foundational US government lexicon for national security systems terminology and is maintained by the National Security Agency.
Within this scope, cybersecurity terminology divides into five classification domains:
- Threat and adversary terms — malware, threat actor, advanced persistent threat (APT), attack vector, exploit, payload
- Control and countermeasure terms — access control, authentication, encryption, firewall, patch management, defense-in-depth
- Risk and assurance terms — vulnerability, residual risk, risk tolerance, confidentiality/integrity/availability (CIA triad), impact level
- Regulatory and compliance terms — authorization to operate (ATO), security control baseline, continuous monitoring, system security plan (SSP)
- Operational and forensic terms — chain of custody, indicator of compromise (IOC), TTPs (tactics, techniques, and procedures), threat hunting
The NIST Cybersecurity Framework (CSF), maintained by the National Institute of Standards and Technology, defines its own aligned vocabulary in CSF 2.0, released in 2024, with six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each function carries subordinate category and subcategory terms that map to specific controls in NIST SP 800-53.
Broader cybersecurity frameworks and standards each maintain internal glossaries that may assign different operational meanings to the same surface-level term — making cross-framework literacy a baseline professional requirement.
How it works
Cybersecurity terminology functions as a precision layer between policy intent and technical implementation. When a regulation mandates "encryption of data at rest," the operative definition of "encryption," "data at rest," and the acceptable cryptographic standard determine compliance boundaries.
The mechanism by which definitions gain regulatory force operates through three channels:
- Statutory incorporation — A federal statute (e.g., FISMA, 44 U.S.C. § 3551 et seq.) mandates compliance with NIST standards, which then embed specific defined terms. FISMA's scope covers all federal agencies and their contractors, making NIST definitions operationally binding across a large segment of the US technology sector.
- Contractual flow-down — Defense contractors subject to the Cybersecurity Maturity Model Certification (CMMC) program must use DoD-defined terminology from DFARS 252.204-7012 and NIST SP 800-171, which define "covered defense information" and "controlled unclassified information" (CUI) with precision.
- Sector-specific regulatory adoption — The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, codified at 45 CFR Part 164, defines "electronic protected health information" (ePHI) and "addressable" versus "required" implementation specifications — terminology with direct bearing on audits of HIPAA security requirements.
A working understanding of information security fundamentals is a prerequisite for applying glossary definitions correctly, as many terms carry interdependencies (e.g., "confidentiality" cannot be fully defined without reference to "access control" and "least privilege").
Common scenarios
Glossary precision failures — using a term with an imprecise or wrong-framework definition — produce measurable operational consequences across four common scenarios:
Regulatory audit discrepancies. An organization that defines "multi-factor authentication" (MFA) loosely may implement SMS-based OTP and believe it satisfies NIST SP 800-63B Authenticator Assurance Level 2 (AAL2). NIST SP 800-63B explicitly classifies SMS OTP as a restricted authenticator type, carrying additional risk documentation requirements — a distinction invisible without glossary-level precision.
Incident response miscommunication. During a security incident, the terms "breach," "incident," "event," and "intrusion" are operationally distinct. NIST SP 800-61 defines a "security incident" as a violation or imminent threat of violation of security policies. Breach notification laws in 47 US states use "breach" to trigger statutory notification timelines — a higher threshold than "incident." Conflating the two delays or misroutes response actions.
Procurement and vendor risk. Organizations evaluating managed security service providers (MSSPs) must distinguish between a Security Operations Center (SOC) offering and a security information and event management (SIEM) platform. These are categorically different: a SOC is an operational unit with human analysts; a SIEM is a software tool class. Glossary confusion here produces procurement decisions that leave detection gaps.
Certification and credentialing alignment. The Certified Information Systems Security Professional (CISSP) credential, governed by (ISC)², structures its Common Body of Knowledge (CBK) around eight domains, each with defined term sets. Candidates and employers who conflate CISSP domain vocabulary with CompTIA Security+ vocabulary — two distinct credentialing frameworks at different proficiency levels — misjudge workforce readiness.
Decision boundaries
The applicability of any specific definition depends on the authoritative source governing a given context. Three decision boundaries apply:
Federal vs. commercial standards. NIST and CNSS definitions govern federal information systems and contractors. ISO/IEC 27001:2022, maintained by the International Organization for Standardization, governs a parallel private-sector and international compliance domain. The term "risk treatment" in ISO 27001 carries a specific four-option taxonomy (modify, retain, avoid, share) that differs structurally from NIST RMF risk response terminology.
Normative vs. descriptive usage. The MITRE ATT&CK Framework uses "technique" and "sub-technique" as structured taxonomy terms with unique identifiers (e.g., T1566.001 for spearphishing attachments). Using "technique" generically outside this taxonomy produces mapping errors in threat intelligence workflows.
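The mapping error described above can be caught mechanically. The following is an added example, not code from the page or from MITRE: it parses threat-intelligence notes for taxonomy-conformant ATT&CK identifiers (the public format is "T" plus four digits, with an optional three-digit sub-technique suffix), rolls sub-techniques up to their parent technique for coverage counts, and flags notes that use "technique" generically or carry a malformed identifier, so they cannot be mapped. The sample notes and the function names are constructed for the example; the code checks identifier syntax only, not whether an ID exists in the current ATT&CK release.

```python
import re
from collections import Counter

# Strict ATT&CK technique ID syntax: T + 4 digits, optional .NNN sub-technique.
# The negative lookahead rejects near-misses such as "T1566.1", which would
# otherwise match as a bare "T1566" and silently inflate parent-technique counts.
TECHNIQUE_ID = re.compile(r"\bT(\d{4})(?:\.(\d{3}))?\b(?!\.\d)")

# Loose pattern for anything that looks like an attempted technique ID; tokens
# it finds that the strict pattern does not are reported as malformed.
ID_LIKE = re.compile(r"\bT\d+(?:\.\d+)?\b")

# Generic, non-taxonomy use of the word, e.g. "a phishing technique".
GENERIC_MENTION = re.compile(r"\b(sub-)?techniques?\b", re.IGNORECASE)

# Constructed sample notes (not from the page). T1566 / T1566.001 are the IDs
# the glossary entry itself cites (Phishing / Spearphishing Attachment).
SAMPLE_NOTES = [
    "Initial access via T1566.001 (spearphishing attachment) to finance staff.",
    "Actor used a phishing technique; the lure was not recovered.",
    "Campaign tracked under T1566; one wave again used T1566.001.",
    "Analyst note cites T1566.1, which is not a well-formed sub-technique ID.",
]


def parse_technique_id(token):
    """Return (parent_id, sub_technique_id_or_None) for a well-formed ID, else None."""
    m = TECHNIQUE_ID.fullmatch(token.strip())
    if not m:
        return None
    parent = f"T{m.group(1)}"
    sub = f"{parent}.{m.group(2)}" if m.group(2) else None
    return parent, sub


def classify_note(note):
    """Classify one free-text note against the ATT&CK identifier taxonomy.

    'mapped' is True only when at least one well-formed ID is present; a note
    that merely says 'technique' or carries a malformed ID cannot be mapped.
    """
    valid = {m.group(0) for m in TECHNIQUE_ID.finditer(note)}
    malformed = sorted({m.group(0) for m in ID_LIKE.finditer(note)} - valid)
    parents, subs = set(), set()
    for token in valid:
        parent, sub = parse_technique_id(token)
        parents.add(parent)
        if sub:
            subs.add(sub)
    return {
        "parents": sorted(parents),
        "subs": sorted(subs),
        "malformed": malformed,
        "generic_mention": bool(GENERIC_MENTION.search(note)),
        "mapped": bool(parents),
    }


def coverage(notes):
    """Count parent-technique references (sub-techniques roll up to their parent)
    and return the indices of notes that could not be mapped to the taxonomy."""
    counts = Counter()
    unmapped = []
    for i, note in enumerate(notes):
        record = classify_note(note)
        counts.update(record["parents"])
        if not record["mapped"]:
            unmapped.append(i)
    return counts, unmapped


if __name__ == "__main__":
    counts, unmapped = coverage(SAMPLE_NOTES)
    print("parent technique counts:", dict(counts))
    for i in unmapped:
        print(f"note {i} unmapped:", classify_note(SAMPLE_NOTES[i]))
```

Rolling sub-techniques up to the parent is deliberate: a report that cites T1566.001 twice and T1566 once still describes one ATT&CK technique, and counting the three tokens separately would misstate coverage. The two unmapped notes are the cases the glossary entry warns about: a generic "technique" with no identifier, and an identifier that does not follow the taxonomy's syntax.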
Jurisdiction-specific legal definitions. The term "personal data" under California's CCPA and "personally identifiable information" (PII) under OMB Memorandum M-07-16 are not interchangeable. Each carries jurisdiction-specific scope, trigger conditions, and remediation obligations. Cryptographic terminology similarly bifurcates between the definitions that apply to FIPS 140-3 validated cryptographic modules and general-use descriptions — only the FIPS definition carries weight in federal procurement.
Glossary literacy is a prerequisite function for professionals working across cybersecurity risk management, compliance assessment, and technical implementation — not an optional supplement to operational practice.
References
- NIST CSRC Glossary
- NIST Cybersecurity Framework (CSF) 2.0
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls
- NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide
- NIST SP 800-63B — Digital Identity Guidelines
- CNSS Instruction 4009 — National Information Assurance Glossary
- FISMA — 44 U.S.C. § 3551 et seq.
- HIPAA Security Rule — 45 CFR Part 164
- DFARS 252.204-7012 — Safeguarding Covered Defense Information
- ISO/IEC 27001:2022 — Information Security Management
- MITRE ATT&CK Framework
- CISA Known Exploited Vulnerabilities Catalog