Cybersecurity Terms and Definitions Glossary

The cybersecurity field operates on a dense and standardized vocabulary drawn from federal standards bodies, international frameworks, and sector-specific regulatory regimes. This glossary page defines the most operationally significant terms across network security, identity management, threat classification, and incident response — as those terms appear in authoritative public sources including NIST, CISA, and ISO standards. Professionals navigating provider listings or regulatory compliance requirements depend on precise term definitions to interpret contracts, assessments, and regulatory obligations accurately.


Definition and scope

Cybersecurity terminology is not uniform across all contexts. The National Institute of Standards and Technology (NIST) maintains the primary federal vocabulary through the NIST Glossary of Key Information Security Terms (NISTIR 7298), which defines over 4,000 terms used across federal information security programs. The Committee on National Security Systems (CNSS) publishes a parallel vocabulary under CNSSI 4009, which governs terminology within national security systems and may diverge from NIST definitions at specific points.

The scope of this glossary covers five primary classification domains:

  1. Threat and vulnerability terminology — terms describing attack vectors, threat actors, and exploitable weaknesses
  2. Identity and access management (IAM) — terms governing authentication, authorization, and credential management
  3. Network security — terms applied to perimeter defense, traffic inspection, and protocol-level protections
  4. Incident response — terms standardized by frameworks including NIST SP 800-61 and CISA operational guidance
  5. Cryptographic and data protection terminology — terms drawn from FIPS standards and NIST cryptographic publications

Terms in national security contexts carry additional classification constraints under CNSSI 4009 that differ from civilian federal agency usage under FISMA (44 U.S.C. § 3551 et seq.).


How it works

Standardized cybersecurity terminology functions as a control layer within regulatory compliance, procurement, and incident documentation. When a federal agency issues a security assessment under NIST SP 800-53 Rev 5, the 20 control families and their associated terms carry legally operative meanings — not colloquial ones. Misapplication of terms such as "vulnerability" versus "risk" versus "threat" in a System Security Plan (SSP) can invalidate compliance documentation.

The definitional hierarchy for most US federal contexts flows as follows:

  1. NIST FIPS Publications — mandatory standards for federal agencies (e.g., FIPS 140-3 for cryptographic module validation)
  2. NIST Special Publications (SP 800 series) — technical guidelines with strong adoption weight across civilian agencies
  3. CISA Advisories and Frameworks — operationally applied terminology within critical infrastructure sectors
  4. Sector-specific regulatory definitions — HIPAA Security Rule definitions (45 CFR Part 164) for healthcare, PCI DSS terminology for payment card environments, and NERC CIP standards for energy sector operators

A term defined differently across two applicable frameworks creates a compliance gap that requires explicit reconciliation in security documentation. The purpose and scope of this resource explains how this directory is structured relative to those regulatory layers.


Common scenarios

Threat vs. vulnerability vs. risk

NISTIR 7298 defines a threat as "any circumstance or event with the potential to adversely impact organizational operations" (and, in its full form, organizational assets, individuals, other organizations, or the Nation) — distinct from a vulnerability, which is "a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source." Risk is a function of the likelihood that a threat exploits a vulnerability and the magnitude of the resulting impact; it is not synonymous with either component, and a finding that names no likelihood and no impact is not yet a risk statement.

Conflating these three terms in a risk assessment produces materially incorrect outputs. A penetration test report that labels an unpatched service as a "risk" rather than a "vulnerability" misrepresents the finding's status in a remediation workflow.

Authentication vs. authorization

Authentication confirms identity; authorization determines permitted actions. NIST SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management) defines three Authenticator Assurance Levels — AAL1, AAL2, and AAL3 — each with distinct authenticator and verifier requirements for systems subject to federal digital identity policy. It says nothing about what an authenticated subject may do; that is an authorization decision made per resource. An IAM implementation that conflates the two typically fails at the authorization layer even when authentication is technically sound: the caller proves who they are, and the system treats that proof as permission to act on any resource.
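The failure mode described above is easier to see in code than in prose. The following is an added example, not code from the page or from any NIST publication; the signing key, user names, and documents are constructed sample data. `read_document_conflated` is the vulnerable pattern (a valid session is taken as permission), and `read_document` separates the two decisions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Assumption: a server-side signing key (constructed for this example, never reuse).
SECRET_KEY = b"example-signing-key-do-not-reuse"


@dataclass
class Document:
    doc_id: str
    owner: str
    readers: set = field(default_factory=set)  # users granted read access besides the owner
    body: str = ""


# Constructed sample data: two documents owned by different users.
DOCUMENTS = {
    "d-100": Document("d-100", owner="alice", body="alice's quarterly report"),
    "d-200": Document("d-200", owner="bob", readers={"carol"}, body="bob's draft"),
}


def issue_token(user: str) -> str:
    """Mint a token bound to a user; authentication later verifies that binding."""
    tag = hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def authenticate(token: str) -> Optional[str]:
    """Answer only 'who is calling?'. Returns the user or None if the token is not verifiable."""
    try:
        user, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def authorize_read(user: str, doc: Document) -> bool:
    """Answer 'may this authenticated user read this specific object?'."""
    return user == doc.owner or user in doc.readers


def read_document_conflated(token: str, doc_id: str) -> Optional[str]:
    """Vulnerable: treats 'is logged in' as 'is allowed'. Any valid user reads any document."""
    if authenticate(token) is None:
        return None
    doc = DOCUMENTS.get(doc_id)
    return doc.body if doc else None


def read_document(token: str, doc_id: str) -> Optional[str]:
    """Hardened: authenticate first, then make a separate per-object authorization decision."""
    user = authenticate(token)
    if user is None:
        return None
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not authorize_read(user, doc):
        return None  # same response for 'missing' and 'forbidden' so existence is not leaked
    return doc.body


if __name__ == "__main__":
    alice = issue_token("alice")
    print(read_document_conflated(alice, "d-200"))  # leaks bob's draft: authentication passed
    print(read_document(alice, "d-200"))            # None: authorization denied
```

Note that the authentication step is the same in both functions and is sound (an HMAC over the user identity, compared in constant time); the defect in the conflated version is entirely the missing authorization check, which is the point the passage makes.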

Incident vs. event vs. breach

NIST SP 800-61 Rev 2 distinguishes an event (any observable occurrence in a system or network) from an incident (a violation, or imminent threat of violation, of computer security policies, acceptable use policies, or standard security practices; the FISMA definition used in the NIST glossary frames this as an occurrence that actually or potentially jeopardizes confidentiality, integrity, or availability). A breach, under the Health Breach Notification Rule enforced by the FTC (16 CFR Part 318) and the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414), carries specific notification obligations that activate only when the rule's own definitional thresholds are crossed — not at the event or incident stage.


Decision boundaries

Selecting the correct definitional framework depends on the regulatory environment, sector, and system classification. Three primary decision axes apply:

Civilian federal vs. national security systems — NIST SP 800 series terminology applies to civilian agencies; CNSSI 4009 governs national security systems. The two vocabularies overlap substantially but diverge on classified system contexts.

Sector-specific overlays — Healthcare entities subject to HIPAA must apply HHS Office for Civil Rights definitions of "protected health information" and "covered entity" regardless of how NIST defines equivalent concepts. Energy sector operators under NERC CIP standards use "BES Cyber Systems" and "Electronic Security Perimeters" as defined within the CIP reliability standards (the older "Critical Cyber Asset" term was retired with CIP Version 5), not NIST nomenclature.

Contractual vs. regulatory definitions — A vendor contract may define "security incident" more narrowly than NIST SP 800-61 for liability-limitation purposes. Service Level Agreements in the federal contracting space must align terminology with FedRAMP authorization boundaries, which reference NIST definitions directly.

Professionals assessing provider capabilities through listings or procurement processes should verify which definitional framework a vendor's documentation references. Misaligned terminology across contract, assessment, and regulatory documents creates audit exposure independent of the underlying technical controls. The resource overview describes how listings on this platform are categorized relative to these framework boundaries.

