Cybersecurity Terms and Definitions Reference
Precise terminology is foundational to cybersecurity compliance, incident response, legal reporting, and professional certification. This reference covers the core terms, definitions, and classification frameworks used across federal standards bodies, regulatory agencies, and industry practice in the United States. The definitions presented here align with authoritative public sources including NIST, CISA, and federal statute, and are structured for use by practitioners, researchers, legal professionals, and procurement officers navigating the cybersecurity service sector.
Definition and scope
Cybersecurity terminology in the United States is not standardized by a single authority. NIST, CISA, the Committee on National Security Systems (CNSS), the Department of Defense (DoD), and sector-specific regulators each maintain distinct glossaries that partially overlap and sometimes diverge. The primary public reference is the NIST Computer Security Resource Center Glossary, which catalogs over 4,000 terms drawn from FIPS publications, NIST Special Publications, and CNSSI standards.
NIST defines cybersecurity as "the ability to protect or defend the use of cyberspace from cyber attacks" (NIST SP 800-30, Rev. 1). CNSSI 4009, the Committee on National Security Systems Instruction on national information assurance, provides an alternative operational framing used specifically in national security and classified environments. These two definitional families — civilian/commercial (NIST) and national security (CNSS) — form the two primary classification domains practitioners encounter.
Scope distinctions matter in regulatory practice. Information security (infosec) covers confidentiality, integrity, and availability of information in any form. Cybersecurity is formally the subset addressing threats originating through cyberspace. Information assurance (IA) is a broader construct used in DoD contexts that encompasses risk management, authentication, and continuity of operations alongside protection. Conflating these terms in federal procurement or compliance filings can produce misclassification of controls and scope gaps, a documented failure mode in FedRAMP authorization packages.
How it works
Formal cybersecurity definitions operate through a tiered publication system. NIST issues Federal Information Processing Standards (FIPS) as mandatory baselines for federal civilian agencies under the Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. § 3551 et seq. Below FIPS, NIST Special Publications (SP 800-series) provide detailed guidance; these are advisory for the private sector but normative for federal contractors and cloud service providers undergoing FedRAMP assessment.
The major definitional layers are:
- Statutory definitions — Set by Congress in legislation such as FISMA, the Cybersecurity Information Sharing Act (CISA 2015), and the National Cybersecurity Protection Act of 2014. These carry legal weight in enforcement and litigation contexts.
- Regulatory definitions — Issued by sector regulators such as HHS (HIPAA Security Rule, 45 C.F.R. Part 164), the SEC (cybersecurity risk management rules, 17 C.F.R. Parts 229, 232, 239, 240, 249), and NERC (Critical Infrastructure Protection standards in the energy sector). Covered under the federal cybersecurity compliance requirements framework.
- Standards body definitions — NIST, ISO/IEC 27000-series, and CNSS provide technical precision; these are not law but are incorporated by reference into contracts, insurance policies, and regulatory guidance.
- Sector-specific definitions — PCI DSS (payment card), HITRUST (healthcare), and CMMC (defense contracting) each extend or restrict base definitions for their operational contexts. See sector-specific cybersecurity requirements for classification by industry.
The NIST Cybersecurity Framework (CSF), now at version 2.0 (released February 2024 by NIST), organizes cybersecurity activities under six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each function carries a set of defined categories and subcategories that operationalize abstract terms into measurable controls.
Common scenarios
Incident response classification. The term security incident is defined by NIST SP 800-61 Rev. 2 as "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices." A breach under HIPAA (45 C.F.R. § 164.402) is a more specific legal construct: an impermissible use or disclosure of protected health information that compromises its security or privacy. These definitions are not interchangeable; a security incident does not automatically constitute a HIPAA breach, and misclassification triggers incorrect notification timelines. The incident response standards section documents response frameworks by sector.
Risk and threat terminology. NIST SP 800-30 defines threat source, threat event, vulnerability, likelihood, and impact as discrete, sequenced terms within a risk assessment process. A threat is the potential for a threat source to exploit a vulnerability. A risk is the combination of the likelihood of that exploitation and the resulting adverse impact. Conflating threat with risk is a recurring error in organizational risk registers and in cyber insurance applications.
Authentication and access control. The term multi-factor authentication (MFA) requires authentication using at least 2 of 3 defined factor types: something you know, something you have, and something you are (NIST SP 800-63B). Zero trust is defined by NIST SP 800-207 as an approach in which no implicit trust is granted to assets or user accounts based solely on their physical or network location. These distinctions govern compliance posture under the zero-trust architecture standards applicable to federal agencies under OMB Memorandum M-22-09.
Supply chain terminology. NIST SP 800-161 Rev. 1 defines Cyber Supply Chain Risk Management (C-SCRM) as the set of activities necessary to manage cybersecurity risks across multi-tier supplier networks. This is distinct from third-party risk management (TPRM), which focuses on direct vendor relationships. The supply chain cybersecurity reference covers this distinction in procurement and contracting contexts.
Decision boundaries
Choosing the correct definitional framework depends on the regulatory environment, the sector, and the purpose of the definition:
NIST vs. CNSS definitions. NIST SP 800-series definitions apply to federal civilian agencies and their contractors. CNSS definitions (CNSSI 4009) apply to national security systems. For organizations operating in both environments — such as defense contractors — both glossaries may be simultaneously applicable, and the more restrictive definition governs when they conflict.
Statutory vs. technical definitions. Legal filings, breach notification letters, and regulatory submissions require statutory definitions (from HIPAA, FISMA, or applicable state law). Technical documentation, security architecture, and control mapping use standards-body definitions. Using NIST technical definitions in a regulatory filing, or statutory definitions in a technical specification, produces scope misalignment.
Sector overlay. A term may carry a general NIST definition and a modified sector definition. "Encryption" under HIPAA security guidance does not specify an algorithm; NIST FIPS 140-3 defines validated cryptographic modules with specific algorithm requirements. PCI DSS 4.0 adds its own cryptographic requirements on top of both. Practitioners in the financial sector cybersecurity compliance or healthcare cybersecurity requirements domains must apply the overlay hierarchy — statutory, then regulatory, then standards — to identify the controlling definition.
Certification-specific definitions. Credentialing bodies including (ISC)², CompTIA, and ISACA each use domain-specific terminology in their exam objectives that may not match federal definitions precisely. The cybersecurity certifications and credentials reference documents where certification definitions diverge from NIST or CISA terminology.
References
- NIST Computer Security Resource Center (CSRC) Glossary
- NIST SP 800-30, Rev. 1 — Guide for Conducting Risk Assessments
- NIST SP 800-61, Rev. 2 — Computer Security Incident Handling Guide
- NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management
- NIST SP 800-207 — Zero Trust Architecture
- NIST SP 800-161, Rev. 1 — Cybersecurity Supply Chain Risk Management Practices
- NIST Cybersecurity Framework 2.0
- CNSSI 4009 — Committee on National Security Systems Glossary
- CISA — Cybersecurity Resources and Guidance
- HHS — HIPAA Security Rule, 45 C.F.R. Part 164
- [OM