Commonly Used Cybersecurity Acronyms
March 18, 2026
Walk into any cybersecurity conversation and the acronyms start flying immediately. APT. CMMC. EDR. SIEM. For business leaders without an IT background, keeping up can feel impossible. But understanding this terminology matters, because it affects compliance decisions, vendor conversations, insurance requirements, and how well you can evaluate your own security posture.
This glossary pulls together the most common acronyms and terms you'll encounter across cybersecurity documentation, regulatory frameworks, and industry conversations. Whether you're working through a CMMC assessment, reviewing a vendor proposal, or building an internal security program, use this as a reference to stay oriented.
A
2FA / MFA — Two-Factor Authentication / Multi-Factor Authentication
Security processes requiring users to verify identity through multiple methods beyond just a password. Typically combines something you know (password), something you have (a token or phone), and something you are (biometric data).
5G — Fifth Generation Wireless
Modern cellular network standard offering significantly faster speeds and lower latency than prior generations.
AAA — Authentication, Authorization, Accounting
A framework for controlling access to resources and logging usage. Authentication verifies identity, authorization defines what that identity can do, and accounting tracks what was done.
ACL — Access Control List
A set of rules that determines what network traffic is allowed or denied based on source, destination, or other criteria.
AES — Advanced Encryption Standard
A widely adopted specification for encrypting electronic data. AES-256 is the current gold standard for protecting sensitive information.
AP — Access Point
A device that connects wireless clients to a wired network, extending Wi-Fi coverage within a facility.
API Security — Application Programming Interface Security
Protection of APIs from attacks that could expose application logic or sensitive data. Requires authentication, authorization, rate limiting, input validation, and encryption. As more software communicates via APIs, securing them has become a critical priority.
APT — Advanced Persistent Threat
A prolonged and targeted cyberattack in which an intruder gains network access and remains undetected for an extended period. Typically conducted by nation-state actors or sophisticated criminal groups to steal data or monitor activity over time.
ARP — Address Resolution Protocol
Maps IP addresses to MAC addresses, allowing devices on the same network segment to communicate directly.
B
Backdoor
A method of bypassing normal authentication procedures to gain unauthorized access to a system. Backdoors can be intentionally created by developers for maintenance purposes or maliciously installed by attackers to maintain persistent access.
BAS — Breach and Attack Simulation
Automated tools that continuously test security controls by simulating real attack scenarios. BAS helps teams identify gaps in their defenses without the cost of a full red team engagement.
BCDR — Business Continuity and Disaster Recovery
The combined practice of planning for operational resilience during disruptions (continuity) and restoring systems after an incident (recovery). Increasingly required in compliance frameworks and cyber insurance underwriting.
BEC — Business Email Compromise
A targeted social engineering attack in which threat actors impersonate executives or trusted vendors via email to trick employees into transferring funds or sensitive data. BEC is consistently one of the costliest cybercrime categories by financial loss.
BGP — Border Gateway Protocol
The routing protocol that manages how data is directed across the internet between networks. Often described as the postal service of the internet.
Botnet — Robot Network
A network of privately owned computers infected with malicious software and controlled as a group without the owners' knowledge. Used to send spam, launch DDoS attacks, steal data, or distribute malware at scale.
BYOD — Bring Your Own Device
A policy allowing employees to use personal devices for work purposes. BYOD creates security challenges including data leakage, device loss, and varying security postures that typically require MDM solutions to manage.
C
C2 / C&C — Command and Control
The infrastructure and communications channel used by attackers to send commands to compromised systems and receive stolen data. C2 infrastructure is a critical component of botnet operations and advanced persistent threats.
C3PAO — Certified Third-Party Assessment Organization
Companies authorized by the Cyber AB to conduct official CMMC assessments for defense contractors.
CA — Certificate Authority
A trusted entity that issues digital certificates used to verify the identity of websites, devices, and users in encrypted communications.
CASB — Cloud Access Security Broker
Software that sits between cloud service users and cloud applications to monitor activity, enforce security policies, ensure compliance, and protect data in cloud environments.
CFR — Code of Federal Regulations
The codification of rules published in the Federal Register by executive departments and agencies of the federal government.
CIA Triad — Confidentiality, Integrity, Availability
The foundational model for information security. Confidentiality ensures information is not disclosed to unauthorized individuals. Integrity ensures information is accurate and unaltered. Availability ensures information and resources are accessible when needed. Every security control traces back to one or more of these three principles.
CIRP — Cyber Incident Response Plan
A documented approach to addressing and managing cybersecurity incidents, defining roles, responsibilities, and procedures for containing and recovering from a breach.
CISO — Chief Information Security Officer
The executive responsible for an entity's information and data security strategy, operations, and compliance.
CMMC — Cybersecurity Maturity Model Certification
A unified standard for implementing cybersecurity across the defense industrial base, required for DoD contractors and subcontractors to verify implementation of cybersecurity practices protecting controlled unclassified information. CMMC is being phased into defense contracts through 2025 and beyond.
CRM — Customer Relationship Management
Systems used to manage customer data and interactions. CRM platforms often store sensitive business and customer data that require proper access controls and data protection policies.
CSIRT — Computer Security Incident Response Team
A group responsible for receiving, reviewing, and responding to computer security incident reports within a company or across an industry sector.
CSPM — Cloud Security Posture Management
Tools that continuously monitor cloud infrastructure for misconfigurations, policy violations, and compliance gaps. Increasingly important as cloud adoption expands attack surfaces for businesses of all sizes.
CSRM — Cybersecurity Risk Management
The process of identifying, analyzing, evaluating, and addressing cybersecurity risks within a structured framework tied to business objectives.
CTI — Cyber Threat Intelligence
Evidence-based knowledge about existing or emerging threats, including indicators of compromise, attacker tactics, and threat actor context. Used to inform security decisions and improve defenses. Also referred to as Threat Intelligence.
CTEM — Continuous Threat Exposure Management
A framework for continuously identifying, scoping, and remediating a business's exposure to cyber threats, moving security teams beyond point-in-time assessments toward ongoing risk reduction.
CUI — Controlled Unclassified Information
Information that requires safeguarding or dissemination controls according to law, regulation, or government-wide policy. Protecting CUI is the primary focus of CMMC Level 2 requirements.
CVE — Common Vulnerabilities and Exposures
A public catalog and naming standard for publicly disclosed security vulnerabilities. Each entry receives a unique CVE identifier (e.g., CVE-2024-1234) so that a vulnerability can be tracked and referenced consistently across vendors, scanners, and advisories.
CVSS — Common Vulnerability Scoring System
A framework for rating the severity of computer system security vulnerabilities on a scale of 0 to 10, helping teams prioritize which issues to address first.
D
DDoS — Distributed Denial of Service
An attack where multiple compromised systems flood a target with traffic, overwhelming it and making it unavailable to legitimate users.
DevSecOps — Development, Security, and Operations
The integration of security practices within the DevOps process throughout the software development lifecycle. Makes security a shared responsibility of development, security, and operations teams from design through deployment, rather than a final checkpoint.
DFARS — Defense Federal Acquisition Regulation Supplement
A set of cybersecurity regulations for defense contractors that serves as a precursor to and implementing vehicle for CMMC requirements.
DIB — Defense Industrial Base
The worldwide industrial complex that enables research, design, production, delivery, and maintenance of military weapons systems and components. CMMC applies to all companies within the DIB that handle federal contract information or controlled unclassified information.
DIBCAC — Defense Industrial Base Cybersecurity Assessment Center
The DoD entity responsible for conducting CMMC Level 3 assessments for contractors handling the most sensitive defense information systems.
DKIM — DomainKeys Identified Mail
An email authentication method in which the sending domain cryptographically signs outgoing messages, allowing a receiving server to verify that a message was not altered in transit and was signed with a key the sending domain publishes in DNS.
DLP — Data Loss Prevention
Tools and processes that ensure sensitive data is not lost, misused, or accessed by unauthorized users. DLP monitors, detects, and blocks sensitive data in motion across networks, at rest in storage, and in use on endpoints.
DMARC — Domain-based Message Authentication, Reporting, and Conformance
An email authentication protocol that builds on SPF and DKIM to give domain owners control over how unauthenticated messages are handled by receiving mail servers.
DMZ — Demilitarized Zone
A network segment positioned between the public internet and the internal LAN, typically used to host public-facing servers while limiting their access to internal resources.
DNS — Domain Name System
The internet's phonebook, translating human-readable domain names into the IP addresses computers use to communicate.
DoD — Department of Defense
The federal department responsible for coordinating and supervising all agencies and functions of the government relating to national security and the United States Armed Forces.
DoS — Denial of Service
An attack that disrupts the availability of a system or network by flooding it with traffic or requests until it becomes unresponsive. Unlike DDoS, a DoS attack originates from a single source.
DRP — Disaster Recovery Plan
A documented, structured approach to responding to unplanned incidents that threaten IT infrastructure, detailing how systems will be restored and operations resumed within defined timeframes.
E
EDR — Endpoint Detection and Response
Security solutions that continuously monitor endpoint devices for suspicious activity, providing real-time threat detection, investigation capabilities, and automated response to cyber threats. EDR goes beyond traditional antivirus by detecting behavioral anomalies rather than just known malware signatures.
eMASS — Enterprise Mission Assurance Support Service
A web-based application used by the DoD to manage the implementation and assessment of cybersecurity controls, including tracking CMMC assessment results.
Encryption — Data Encryption
The process of encoding information so that only authorized parties with the decryption key can access it. Converts plaintext into ciphertext using cryptographic algorithms to protect data confidentiality at rest and in transit.
EPP — Endpoint Protection Platform
Security software providing traditional antivirus, anti-malware, and device control capabilities. Often deployed alongside EDR for comprehensive endpoint coverage.
Exploit — Security Exploit
A piece of software, data, or sequence of commands that takes advantage of a vulnerability to cause unintended behavior in a system. Used by attackers to gain unauthorized access, escalate privileges, execute code, or cause denial of service.
F
FAR — Federal Acquisition Regulation
The primary regulation used by federal agencies for acquiring supplies and services with appropriated funds. FAR clauses appear in government contracts and set baseline requirements for vendors, including cybersecurity obligations.
FCI — Federal Contract Information
Information provided by or generated for the government under a contract that is not intended for public release. Protecting FCI is the focus of CMMC Level 1 requirements.
FIM — File Integrity Monitoring
Technology that monitors and detects unauthorized changes to files and system configurations. Required under several compliance frameworks including PCI DSS and HIPAA, and useful for detecting early signs of a breach.
Firewall — Network Firewall
A network security device or software that monitors and filters incoming and outgoing network traffic based on predetermined security rules. Acts as a barrier between trusted internal networks and untrusted external ones.
G
GDPR — General Data Protection Regulation
European Union regulation on data protection and privacy that applies to all businesses processing personal data of EU residents, regardless of where those businesses are located. Requires consent for data collection, breach notification, and data protection by design.
GRC — Governance, Risk, and Compliance
A strategy for managing an enterprise's overall governance, risk management, and compliance obligations in a unified, structured way. GRC connects security operations to business objectives and regulatory requirements.
H
HIPAA — Health Insurance Portability and Accountability Act
U.S. legislation providing data privacy and security provisions for safeguarding protected health information (PHI). Requires healthcare firms and their business associates to implement administrative, physical, and technical safeguards.
I
IAM — Identity and Access Management
A framework of policies and technologies ensuring the right individuals have appropriate access to technology resources at the right times for the right reasons. Includes user authentication, authorization, and access control.
ICS — Industrial Control System
Computer systems used to monitor and control industrial processes and critical infrastructure. ICS environments, including SCADA systems, operate under unique security requirements due to legacy technology and safety implications.
IDS / IPS — Intrusion Detection System / Intrusion Prevention System
An IDS monitors network or system activities for malicious behavior and policy violations, then reports them. An IPS goes further by actively blocking or preventing detected threats in real time before they can cause damage.
Incident Response
The methodology a business uses to respond to and manage a cyberattack or data breach. A structured incident response process includes preparation, detection, containment, eradication, recovery, and post-incident analysis to minimize damage and reduce recovery time and cost.
IoC — Indicator of Compromise
Forensic data or artifacts found on networks or systems that indicate a potential security breach or malicious activity. Indicators include suspicious IP addresses, file hashes, URLs, domains, registry keys, or behavioral patterns used by security teams for threat detection.
IoT — Internet of Things
The network of physical objects embedded with sensors and software that connect and exchange data over the internet. IoT devices, from smart thermostats to industrial sensors, expand the attack surface and often run with limited security controls.
M
Malware — Malicious Software
Software intentionally designed to cause damage to computers, servers, networks, or users. Malware encompasses viruses, worms, trojans, ransomware, spyware, adware, and other malicious programs designed to infiltrate or damage systems.
MDM — Mobile Device Management
Software allowing IT administrators to control and secure mobile devices across a business. MDM enforces security policies, manages applications, encrypts data, and enables remote wipe capabilities for lost or stolen devices.
MFA Fatigue / MFA Bombing
An attack technique where threat actors repeatedly push multi-factor authentication requests to a target's device, hoping the user will approve one out of frustration or confusion. This method has been used to bypass MFA on high-profile accounts and is a known weakness in push-based authentication systems.
MITRE ATT&CK — MITRE Adversarial Tactics, Techniques & Common Knowledge
A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Security teams use the MITRE ATT&CK framework as a foundation for threat modeling, detection engineering, and understanding how attackers move through a target environment.
MSSP — Managed Security Service Provider
A company that offers outsourced monitoring and management of security systems and devices. MSSPs typically provide services such as SIEM monitoring, threat detection, vulnerability management, and incident response support.
N
NIST — National Institute of Standards and Technology
A U.S. federal agency that develops cybersecurity standards, guidelines, and frameworks. NIST publications including the Cybersecurity Framework (CSF) and NIST SP 800-53 are widely adopted across both government and private sector environments.
NIST SP 800-171
Guidelines for protecting Controlled Unclassified Information in non-federal systems and organizations. These 110 security requirements form the basis for CMMC Level 2 compliance.
NIST SP 800-172
Enhanced security requirements for protecting CUI from advanced persistent threats. Used as the basis for CMMC Level 3 assessments conducted by DIBCAC.
O
OT Security — Operational Technology Security
Cybersecurity practices applied to industrial control systems, SCADA systems, and physical infrastructure. OT security is distinct from IT security due to unique industrial protocols, legacy systems, and the potential for cyberattacks to cause physical harm or production disruption.
OWASP — Open Web Application Security Project
An online community that produces freely available web application security resources. OWASP is best known for the OWASP Top 10, a regularly updated list of the most critical web application security risks.
P
PAM — Privileged Access Management
Solutions that control, monitor, and audit access by privileged accounts such as system administrators and service accounts. PAM reduces the risk of credential misuse and is a critical control in limiting the blast radius of a breach.
Patch Management
The process of identifying, acquiring, testing, and installing software updates to fix vulnerabilities, bugs, or security weaknesses. Consistent patch management is one of the most effective and straightforward ways to reduce exposure to known threats.
PCI DSS — Payment Card Industry Data Security Standard
An information security standard for all entities that store, process, or transmit cardholder data. PCI DSS is designed to protect against fraud and data breaches through a set of technical and operational requirements.
Penetration Testing — Pen Test
An authorized simulated cyberattack on a computer system, network, or web application to evaluate its security. A pen test identifies vulnerabilities that could be exploited by real attackers and validates the effectiveness of existing security controls.
PHI — Protected Health Information
Individually identifiable health information protected under HIPAA. Any data that can link a person to their health condition, treatment, or payment history qualifies as PHI.
Phishing
A social engineering attack where attackers impersonate legitimate entities through email, text, or other communication to trick victims into revealing credentials, financial information, or downloading malware. Phishing remains the most common initial attack vector in data breaches.
PII — Personally Identifiable Information
Data that can be used to identify a specific individual, including names, Social Security numbers, email addresses, and financial account details. PII protection requirements appear in HIPAA, GDPR, state privacy laws, and numerous other regulations.
PKI — Public Key Infrastructure
A framework of policies, procedures, hardware, and software for creating, managing, distributing, using, storing, and revoking digital certificates. PKI enables secure electronic transfers of information for authentication and encryption purposes.
POAM — Plan of Action and Milestones
A document that identifies tasks needed to address cybersecurity gaps, with assigned owners and target completion dates. POAMs are used in CMMC assessments to track remediation progress for deficiencies that cannot be resolved before an assessment.
PTaaS — Penetration Testing as a Service
A continuous or subscription-based model for penetration testing that provides ongoing vulnerability identification rather than point-in-time assessments. PTaaS gives businesses a more dynamic view of their attack surface over time.
R
Ransomware
Malicious software that encrypts a victim's files or locks their system, then demands payment for the decryption key. Modern ransomware variants often employ double extortion tactics, threatening to publish stolen data publicly if the ransom is not paid.
RBAC — Role-Based Access Control
An access control model where permissions are assigned based on roles within a business rather than to individuals directly. RBAC simplifies administration and reduces the risk of excessive access by ensuring users can only reach systems relevant to their job function.
RDP — Remote Desktop Protocol
A Microsoft protocol that allows users to connect to and control a remote computer's desktop graphically. Exposed RDP ports are a common target for brute force and credential-stuffing attacks.
Red Team / Blue Team
Security exercises in which the Red Team simulates adversary attacks to test defenses and the Blue Team defends against and responds to those attacks. Purple Team exercises combine both groups to collaborate on improving detection and response capabilities.
RMF — Risk Management Framework
A structured approach to identifying, assessing, and managing risk across a business or government agency. The NIST RMF is the most widely referenced version and provides a step-by-step process for categorizing systems, selecting controls, and authorizing operations.
RMM — Remote Monitoring and Management
Software used by managed service providers to monitor and manage client endpoints and infrastructure remotely. RMM platforms are high-value targets for threat actors because compromising one can provide access to many downstream clients.
RPO — Registered Provider Organization
A company recognized by the Cyber AB as providing CMMC consulting and preparation services to defense contractors. STACK Cybersecurity is a Registered Provider Organization.
S
SBOM — Software Bill of Materials
A formal record of the components, libraries, and modules used in a software product. SBOMs are increasingly required by federal agencies and regulators to address supply chain security risks and enable faster response to newly discovered vulnerabilities in third-party components.
SCADA — Supervisory Control and Data Acquisition
Industrial control systems used to monitor and manage critical infrastructure including power grids, water treatment facilities, and manufacturing equipment. SCADA systems are high-value targets for nation-state threat actors and ransomware groups due to their potential for real-world disruption.
SIEM — Security Information and Event Management
Technology that aggregates and analyzes security event data from across an infrastructure in real time to identify, monitor, record, and analyze security incidents. A properly tuned SIEM is a cornerstone of most security operations center environments.
SOAR — Security Orchestration, Automation, and Response
Technology that enables businesses to collect threat data from multiple sources and respond to security events with minimal human intervention through automated playbooks and workflow orchestration. SOAR helps security teams handle higher alert volumes without adding headcount.
SOC — Security Operations Center
A centralized unit that monitors, detects, analyzes, and responds to cybersecurity incidents. SOC teams typically operate around the clock and combine technology tools with defined processes to protect an enterprise's systems and data.
SOC 2
An auditing procedure that evaluates how well service providers manage data to protect client interests and privacy. SOC 2 assessments evaluate systems against trust service principles covering security, availability, processing integrity, confidentiality, and privacy. The resulting report is commonly requested by enterprise clients during vendor due diligence.
Social Engineering
Psychological manipulation techniques used to trick users into making security mistakes or revealing sensitive information. Social engineering exploits human behavior rather than technical vulnerabilities and includes phishing, pretexting, baiting, and physical tailgating.
SPF — Sender Policy Framework
An email authentication method that verifies whether a mail server is authorized to send email on behalf of a domain, helping detect and prevent forged sender addresses.
SPRS — Supplier Performance Risk System
The DoD system where CMMC assessment results are reported and maintained. Defense contractors must have a current score in SPRS to be eligible for contracts requiring CMMC compliance.
SQL Injection
An attack technique that exploits vulnerabilities in database-driven applications by inserting malicious SQL code into input fields. A successful SQL injection attack can result in unauthorized database access, data theft, modification, or deletion.
SSH — Secure Shell
An encrypted network protocol used for secure remote system administration and file transfers. SSH replaced older, unencrypted protocols like Telnet for managing servers and network equipment.
SSO — Single Sign-On
An authentication process allowing users to access multiple applications and systems with one set of credentials. SSO improves user experience while reducing the number of passwords that need to be managed and protected.
T
Threat Intelligence — Cyber Threat Intelligence
Evidence-based knowledge about existing or emerging threats, including indicators of compromise, attacker tactics, techniques, procedures, and context about specific threat actors. Used to inform security decisions and prioritize defensive investments. Also referenced as CTI.
TLS — Transport Layer Security
The modern encryption standard used in HTTPS, VPNs, and other secure communications. TLS replaced the older, now-deprecated SSL standard and is the foundation of secure data transmission across the internet.
TPCRM — Third-Party Cyber Risk Management
The practice of assessing and managing cybersecurity risks posed by vendors, suppliers, and partners who have access to systems or data. TPCRM has become a growing focus in compliance audits as supply chain attacks increase in frequency and severity.
TTP — Tactics, Techniques, and Procedures
The behavioral patterns and methods used by threat actors to conduct cyberattacks. TTPs are the foundation of frameworks like MITRE ATT&CK and help defenders anticipate, detect, and disrupt adversary activity based on how attackers typically operate.
U
UEBA — User and Entity Behavior Analytics
Security tools that use machine learning to establish behavioral baselines for users and devices and detect anomalies that may indicate insider threats, compromised accounts, or unauthorized access.
UID — Unique Identifier
In the CMMC context, a tracking number assigned to each contractor information system that has undergone an assessment, used to tie assessment results to specific systems in SPRS.
V
VPN — Virtual Private Network
An encrypted connection over the internet that ensures private data transmission between a device and a network. VPNs protect data from interception on untrusted networks and are commonly used for remote work and secure site-to-site connections.
Vulnerability — Security Vulnerability
A weakness in a system, application, or network that can be exploited by a threat actor to gain unauthorized access, cause damage, or compromise security. Vulnerabilities can exist in software code, hardware design, operational procedures, or access controls.
W
WAF — Web Application Firewall
A security solution that monitors, filters, and blocks HTTP/HTTPS traffic to and from a web application. WAFs protect against common attacks like SQL injection, cross-site scripting, and other vulnerabilities identified in the OWASP Top 10.
WPA2 / WPA3 — Wi-Fi Protected Access 2 / 3
The security protocols governing wireless network encryption. WPA2 remains widely deployed, while WPA3 provides stronger protections including improved resistance to offline password attacks. WEP, the original Wi-Fi encryption standard, is deprecated and should never be used.
X
XDR — Extended Detection and Response
A security solution that integrates and correlates data from multiple security products, including email, endpoints, servers, cloud workloads, and network traffic, to improve threat detection, investigation, and response across the full environment.
XSS — Cross-Site Scripting
A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Successful XSS attacks can enable session hijacking, credential theft, website defacement, or redirection to malicious sites.
Z
Zero-Day Vulnerability
A security flaw in software or hardware that is unknown to the vendor and has no available patch. Attackers can exploit zero-day vulnerabilities freely until a fix is developed and deployed. The name reflects that developers have had zero days to address the problem.
Zero Trust / ZTA — Zero Trust Architecture
A security model that requires strict identity verification for every user and device attempting to access resources, regardless of whether they are inside or outside the network perimeter. Zero Trust operates on the principle of "never trust, always verify," eliminating the assumption that internal network traffic is inherently safe.
ZTNA — Zero Trust Network Access
A security solution that provides secure remote access based on defined access control policies rather than network location. ZTNA verifies identity and device posture before granting access to specific applications, rather than connecting users to the entire network.
Put This Knowledge to Work
Understanding cybersecurity terminology is the first step toward making better decisions about protecting your business. When you can follow a conversation with a security professional, review a vendor proposal critically, or ask the right questions during a compliance assessment, you're in a much stronger position than most small and midsize business leaders.
This glossary will continue to grow as the threat landscape and regulatory environment evolve. Bookmark it as a reference for audits, tabletop exercises, and policy development, or share it with your team as part of your security awareness program.
If your business needs help translating these concepts into a security program, contact STACK Cybersecurity. We specialize in making cybersecurity accessible and actionable for businesses across manufacturing, health care, legal, and defense contracting industries.