Acronyms
A
A&A
Assessment and Authorization
ABAC
Attribute-Based Access Control
ACL
Access Control List
AES
Advanced Encryption Standard
AI
Artificial Intelligence
AO
Authorizing Official
API
Application Programming Interface
APT
Advanced Persistent Threat
B
BAD
Behavioral Anomaly Detection
BAS
Building Automation System
BCP
Business Continuity Plan
BGP
Border Gateway Protocol
BIA
Business Impact Analysis
BIA
Business Impact Assessment
BIOS
Basic Input/Output System
BLSR
Baseline Security Requirements
BRM
Business Reference Model
BYOD
Bring Your Own Device
C
C&A
Certification and Accreditation
CA
Certificate Authority/Certificate Authorities
CAPEC
Common Attack Pattern Enumeration & Classification
CC
Common Criteria
CDM
Continuous Diagnostics and Mitigation
CEDS
Cybersecurity for Energy Delivery Systems
CEO
Chief Executive Officer
CERT
Computer Emergency Response Team
CFO
Chief Financial Officer
CFR
U.S. Code of Federal Regulations
CI
Critical Infrastructure
CIO
Chief Information Officer
CIP
Critical Infrastructure Protection
CIP
Common Industrial Protocol
CIRT
Computer Incident Response Team
CIRT
Cyber Incident Response Team
CISA
U.S. Cybersecurity and Infrastructure Security Agency
CISO
Chief Information Security Officer
CISS
Cyber Incident Severity Schema
CKMS
Cryptographic Key Management System
CLO
Chief Legal Officer
CM
Configuration Management
CMSS
Common Misuse Scoring System
CONOPS
Concept of Operations
COO
Chief Operating Officer
COOP
Continuity of Operations Plan
COSO
Committee of Sponsoring Organizations of the Treadway Commission
COTS
Commercial Off-The-Shelf
CP
Contingency Planning
CPO
Chief Privacy Officer
CPRT
Cybersecurity and Privacy Reference Tool (NIST)
CPS
Cyber-Physical System
CPU
Central Processing Unit
CRISP
Cybersecurity Risk Information Sharing Program
CRO
Chief Risk Officer
CRS
Cyber Resiliency and Survivability
CSET
Cyber Security Evaluation Tool
CSF
Cybersecurity Framework
CSIR
Computer Security Incident Response
CSIRT
Computer Security Incident Response Team
CSO
Chief Security Officer
CSP
Cloud Service Provider
CTO
Chief Technology Officer
CUI
Controlled Unclassified Information
CVE
Common Vulnerability Enumeration
CVE
Common Vulnerabilities and Exposures
CVSS
Common Vulnerability Scoring System
CWE
Common Weakness Enumeration
CWSS
Common Weakness Scoring System
CY
Current Year
CyOTE
Cybersecurity for the Operational Technology Environment
CyTRICS
Cyber Testing for Resilient Industrial Control Systems
D
DAA
Designated Approving Authority
DCS
Distributed Control System
DES
Data Encryption Standard
DevOps
Development and Operations
DHCP
Dynamic Host Configuration Protocol
DHS
U.S. Department of Homeland Security
DISA
U.S. Defense Information Systems Agency
DLO
Damage-Limiting Operations
DLP
Data Loss Prevention
DMZ
Demilitarized Zone
DNI
U.S. Director of National Intelligence
DNP3
Distributed Network Protocol (published as IEEE 1815)
DNS
Domain Name System
DNSSEC
Domain Name System Security Extensions
DoD
U.S. Department of Defense
DoDI
U.S. Department of Defense Instruction
DOE
U.S. Department of Energy
DoS
Denial of Service
DRM
Data and Information Reference Model
DRM
Digital Rights Management
DRP
Disaster Recovery Plan
DSB
U.S. Defense Science Board
DSS
Digital Signature Standard
DVD
Digital Versatile Disc
DVD
Digital Video Disc
DVD-R
Digital Versatile Disc-Recordable
E
E-ISAC
Electricity Information Sharing and Analysis Center
E-mail
Electronic Mail
EA
Enterprise Architecture
EAP
Extensible Authentication Protocol
EM
Electromagnetic
EMP
Electromagnetic Pulse
EMS
Energy Management System
EMSEC
Emissions Security
ENISA
European Union Agency for Cybersecurity
EO
Executive Order
EPA
U.S. Environmental Protection Agency
EPRI
Electric Power Research Institute
ERM
Enterprise Risk Management
ERP
Enterprise Risk Profile
ERP
Enterprise Resource Planning
ERR
Enterprise Risk Register
ESD
Emergency Shutdown
F
FAA
U.S. Federal Aviation Administration
FAIR
Factor Analysis of Information Risk
FAM
Financial Audit Manual
FAQ
Frequently Asked Questions
FAR
Federal Acquisition Regulation
FARM
Frame, Assess, Respond, Monitor
FASCA
U.S. Federal Acquisition Supply Chain Security Act
FBI
U.S. Federal Bureau of Investigation
FCC
U.S. Federal Communications Commission
FDA
U.S. Food and Drug Administration
FedRAMP
U.S. Federal Risk and Authorization Management Program
FEMA
U.S. Federal Emergency Management Agency
FFMIA
U.S. Federal Financial Management Improvement Act
FGS
Fire and Gas System
FIP
U.S. Federal Information Processing Standards
FIPPs
Fair Information Practice Principles
FIPS
U.S. Federal Information Processing Standard
FIRST
Forum of Incident Response and Security Teams
FISMA
U.S. Federal Information Security Management Act
FMEA
Failure Mode and Effects Analysis
FOCI
Foreign Ownership, Control, or Influence
FOIA
U.S. Freedom of Information Act
FOSS
Free and Open-Source Software
FSP
Financial Services Cybersecurity Framework Profile
FTP
File Transfer Protocol
FY
Fiscal Year
G
GCIP
GIAC Critical Infrastructure Protection
GIAC
Global Information Assurance Certification
GMT
Greenwich Mean Time
GOTS
Government Off-The-Shelf
GPS
Global Positioning System
GRC
Governance, Risk, and Compliance
GSS
General Support System
H
HAZMAT
Hazardous Materials
HC3
U.S. Health Sector Cybersecurity Coordination Center
HHS
Health and Human Services
HMI
Human-Machine Interface
HR
Human Resources
HSIN
U.S. Homeland Security Information Network
HSIN-CI
U.S. Homeland Security Information Network - Critical Infrastructure
HTML
Hypertext Markup Language
HTTP
Hypertext Transfer Protocol
HTTPS
Hypertext Transfer Protocol Secure
HVA
High Value Asset
HVAC
Heating, Ventilation, and Air Conditioning
I
I/O
Input/Output
IA
Information Assurance
IACS
Industrial Automation and Control System
IAEA
International Atomic Energy Agency
ICCP
Inter-Control Center Communications Protocol
ICS
Industrial Control System
ICSJWG
U.S. Industrial Control Systems Joint Working Group
ICSS
Integrated Control and Safety Systems
ICT
Information and Communications Technology
ICT ROF
Information and Communications Technology Risk Outcomes Framework
ICT/OT
Information, Communications, and Operational Technology
ICTRM
Information and Communications Technology Risk Management
ID
Identification
IDE
Integrated Development Environment
IDPS
Intrusion Detection and Prevention System
IDS
Intrusion Detection System
IEC
International Electrotechnical Commission
IED
Intelligent Electronic Device
IEEE
Institute of Electrical and Electronics Engineers
IES
IEEE Industrial Electronics Society
IETF
Internet Engineering Task Force
IFIP
International Federation for Information Processing
IG
Inspector General
IIoT
Industrial Internet of Things
IOC
Indicators of Compromise
IoT
Internet of Things
IP
Internet Protocol
IP
Intellectual Property
IPS
Intrusion Prevention System
IPsec
Internet Protocol Security
IR
Incident Response
IRB
Investment Review Board
IRM
Information Resource Management
IRS
Internal Revenue Service
ISAC
Information Sharing and Analysis Centers (ENISA)
ISAO
Information Sharing and Analysis Organizations
ISCM
Information Security Continuous Monitoring
ISD
Instructional System Methodology
ISDN
Integrated Services Digital Network
ISO
International Organization for Standardization
ISO
Information System Owner
ISO/IEC
International Organization for Standardization/International Electrotechnical Commission
ISOO
Information Security Oversight Office
ISP
Internet Service Provider
ISPAB
U.S. Information Security and Privacy Advisory Board
ISSEA
International Systems Security Engineering Association
ISSO
Information System Security Officer
IT
Information Technology
ITIL
Information Technology Infrastructure Library
J
JTF
Joint Task Force
JWICS
Joint Worldwide Intelligence Communications System
K
KPI
Key Performance Indicator
KRI
Key Risk Indicators
KSA
Knowledge, Skills, and Abilities
L
LAN
Local Area Network
LCC
Life Cycle Cost
LDAP
Lightweight Directory Access Protocol
M
MA
Major Application
MAC
Message Authentication Code
MAC
Media Access Control
MAO
Maximum Allowable Outage
MBR
Master Boot Record
MCAA
Measurement, Control, & Automation Association
MDR
Managed Detection and Response
MEA
Monitor-Evaluate-Adjust
MECE
Mutually Exclusive and Collectively Exhaustive
MFA
Multi-Factor Authentication
MIB
Management Information Base
ML
Machine Learning
MLS
Multi-Level Secure / Multilevel Secure
MOA
Memorandum of Agreement
MOD
Moderate
MOU
Memorandum of Understanding
MP
Media Protection
MSSP
Managed Security Services Provider
MTTF
Mean Time to Failure
MTU
Master Terminal Unit
N
NATO
North Atlantic Treaty Organization
NCC
U.S. National Coordinating Center for Communications
NCCIC
U.S. National Cybersecurity and Communications Integration Center
NCCoE
U.S. National Cybersecurity Center of Excellence
NDA
Non-Disclosure Agreement
NDI
Non-Developmental Items
NDIA
U.S. National Defense Industrial Association
NFS
Network File System
NIH
National Institutes of Health
NIST
National Institute of Standards and Technology
NOFORN
Not Releasable to Foreign Nationals
NSA
U.S. National Security Agency
NTIA
U.S. National Telecommunications and Information Administration
NTP
Network Time Protocol
NVD
National Vulnerability Database
O
O-TTPS
Open Trusted Technology Provider™ Standard
O/S
Organization or Information System
OA
Ongoing Authorization
OCI
Organizational Conflict of Interest
OCIL
Open Checklist Interactive Language
OCONUS
Outside of Continental United States
ODNI
U.S. Office of the Director of National Intelligence
ODP
Organization-Defined Parameter
OEM
Original Equipment Manufacturer
OLIR
National Online Informative References Program
OPC
Open Platform Communications
OPSEC
Operations Security
OS
Operating System
OSCAL
Open Security Controls Assessment Language
OSI
Open Systems Interconnection
OSS
Open Source Solutions
OT
Operational Technology
OTS
Off-The-Shelf
OTTF
Open Group Trusted Technology Forum
OVAL
Open Vulnerability and Assessment Language
OWASP
Open Web Application Security Project
P
P.L.
Public Law
PACS
Physical Access Control System
PACS
Picture Archiving and Communications Systems
PBX
Private Branch Exchange
PC
Personal Computer
PCI
Payment Card Industry
PCM
Privacy Continuous Monitoring
PDF
Portable Document Format
PDS
Position Designation System
PE
Physical and Environmental Protection
PERA
Purdue Enterprise Reference Architecture
PES
IEEE Power & Energy Society
PGP
Pretty Good Privacy
PHA
Process Hazard Analysis
PHM4SM
Prognostics and Health Management for Reliable Operations in Smart Manufacturing
PID
Proportional-Integral-Derivative
PII
Personally Identifiable Information
PIN
Personal Identification Number
PIV
Personal Identity Verification
PIV-I
Personal Identity Verification-Interoperable
PKI
Public Key Infrastructure
PL
Public Law
PLC
Programmable Logic Controller
PM
Program Manager
PM
Program Management
PMO
Program Management Office
PNT
Positioning, Navigation, and Timing
POA&M
Plan of Action and Milestones
POC
Point of Contact
PRA
Paperwork Reduction Act
PRA
Penetration-Resistant Architecture
PRAM
Privacy Risk Assessment Methodology
PRISMA
U.S. Program Review for Information Security Management Assistance
PRM
Performance Reference Model
PSCCC
IEEE Power System Communications and Cybersecurity
PSIRT
Product Security Incident Response Team
PSS
Process Safety Shutdown
PT
Pressure Transmitter
PTP
Precision Time Protocol
PUB
Publication
PY
Prior Year
Q
QA/QC
Quality Assurance/Quality Control
R
R&D
Research and Development
RA
Registration Authority
RAID
Redundant Array of Independent Disks
RAR
Risk Assessment Report
RAS
IEEE Robotics and Automation Society
RBAC
Role-Based Access Control
RD
Restricted Data
RDP
Remote Desktop Protocol
RDR
Risk Detail Record
RE(f)
Risk Executive (function)
RF
Radio Frequency
RFC
Request for Comments
RFI
Request for Information
RFID
Radio-Frequency Identification
RFP
Request for Proposal
RFQ
Request for Quotation
RMF
Risk Management Framework
ROI
Return On Investment
RPC
Remote Procedure Call
RPKI
Resource Public Key Infrastructure
RPO
Recovery Point Objective
RTO
Recovery Time Objective
RTOS
Real-Time Operating System
RTU
Remote Terminal Unit
S
S/MIME
Secure/Multipurpose Internet Mail Extension
S4
SCADA Security Scientific Symposium
SAISO
Senior Agency Information Security Officer
SAMM
Software Assurance Maturity Model
SANS
SysAdmin, Audit, Network, Security
SAOP
Senior Agency Official for Privacy
SAP
Special Access Program
SAR
Security Assessment Report
SBOM
Software Bill of Materials
SBU
Sensitive But Unclassified
SC
Security Category
SCADA
Supervisory Control and Data Acquisition
SCAI
Safety, Controls, Alarms, and Interlocks
SCAP
Security Content Automation Protocol
SCI
Sensitive Compartmented Information
SCIF
Sensitive Compartmented Information Facility
SCOR
Security Control Overlay Repository
SCP
System Contingency Plan
SCRI
Supply Chain Risk Information
SCRSS
Supply Chain Risk Severity Schema
SD
Secure Digital
SDL
[Microsoft] Security Development Lifecycle
SDLC
Software Development Life Cycle
SDLC
System Development Life Cycle
SDN
Software-Defined Networking
SEC
U.S. Securities and Exchange Commission
SECURE
U.S. Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (Technology Act)
SEI
Software Engineering Institute
SHA
Secure Hash Algorithm
SIA
Security Impact Analysis
SIEM
Security Information and Event Management
SIF
Safety Instrumented Function
SIS
Safety Instrumented System
SISO
Senior Information Security Officer
SLA
Service-Level Agreement
SLC
Software Lifecycle
SME
Subject Matter Expert
SMTP
Simple Mail Transfer Protocol
SOA
Service-Oriented Architecture
SOAR
State-of-the-Art Resources
SOC
Security Operations Center
SOO
Statement of Objective
SOP
Standard Operating Procedure
SOW
Statement of Work
SP
Special Publication (NIST)
SPAN
Switched Port Analyzer
SPP
Security and Privacy Profile
SQL
Structured Query Language
SRM
Service Component Reference Model
SSA
Sector-Specific Agency
SSCP
Secure SCADA Communications Protocol
SSDF
Secure Software Development Framework
SSH
Secure Shell
SSID
Service Set Identifier
SSL
Secure Sockets Layer
SSP
System Security Plan
SSPP
Substation Serial Protection Protocol
ST&E
Security Test and Evaluation
STIG
Security Technical Implementation Guide
SWA
Software Assurance
SwAAP
Software Assurance Automation Protocol
SWID
Software Identification
SWID
Software Identification Tag
SWOT
Strengths, Weaknesses, Opportunities, Threats
T
TC
Technical Committee
TCB
Trusted Computing Base
TCO
Total Cost of Ownership
TCP
Transmission Control Protocol
TCP/IP
Transmission Control Protocol/Internet Protocol
TEE
Trusted Execution Environment
TFTP
Trivial File Transfer Protocol
TIC
Trusted Internet Connections
TIP
Technical Information Paper
TLS
Transport Layer Security
TLV
Type, Length, Value
TPM
Trusted Platform Module
TRM
Technical Reference Model
TSA
Transportation Security Administration
TSP
Telecommunications Service Priority
TT
Temperature Transmitter
TTP
Tactics, Techniques, and Procedures
U
UDP
User Datagram Protocol
UEFI
Unified Extensible Firmware Interface
UPS
Uninterruptible Power Supply
US
United States (of America)
USB
Universal Serial Bus
USC
United States Code
UTC
Coordinated Universal Time
V
VDP
Vulnerability Disclosure Policy
VDR
Vulnerability Disclosure Report
VLAN
Virtual Local Area Network
VoIP
Voice over Internet Protocol
VPN
Virtual Private Network
W
WAF
Web Application Firewall
WAN
Wide Area Network
WG
Working Group
Wi-Fi
Wireless Fidelity
WORM
Write-Once, Read-Many
X
XCCDF
eXtensible Configuration Checklist Description Format
XML
Extensible Markup Language
Z
ZTA
Zero Trust Architecture