Cybersecurity Terms and Definitions Glossary
The cybersecurity profession operates on a precise technical vocabulary shared across federal agencies, standards bodies, industry sectors, and legal frameworks. This glossary establishes authoritative definitions for the terms most frequently encountered in regulatory compliance, incident response, and security program design. The definitions are drawn from named public sources including the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the Committee on National Security Systems (CNSS). The Cyber Safety Listings section of this resource provides structured access to the service categories these terms govern.
Definition and Scope
A cybersecurity glossary in the regulatory context is not a general dictionary — it is a precision instrument that determines how obligations are interpreted, how incidents are classified, and whether a specific technical control satisfies a stated requirement. Misapplication of terms such as "encryption," "authentication," or "covered entity" can expose organizations to enforcement liability under federal law.
The authoritative US government source for cybersecurity terminology is NIST IR 7298, Revision 3: Glossary of Key Information Security Terms, published by NIST's Computer Security Resource Center (CSRC). The CNSS Instruction 4009 also provides a parallel authoritative vocabulary used in national security contexts. CISA publishes operational definitions aligned with critical infrastructure protection under the National Infrastructure Protection Plan (NIPP).
The scope of this glossary covers five major term categories:
- Identity and Access — terms governing authentication, authorization, identity verification, and privilege management
- Threat and Vulnerability — terms classifying attack vectors, threat actors, exploit types, and risk ratings
- Cryptographic Controls — terms defining encryption standards, key management, certificate authorities, and hashing
- Incident and Response — terms structuring breach classification, notification triggers, and forensic procedures
- Regulatory and Compliance — terms tied to specific statutory definitions under HIPAA, FISMA, GLBA, CCPA, and related frameworks
How It Works
Authoritative cybersecurity definitions function through a tiered derivation model. Federal standards bodies publish foundational definitions; sector regulators adopt, modify, or extend those definitions within specific statutory authority; and regulated entities are bound to the definition as stated in the applicable rule — not the general or colloquial usage.
Core term set with authoritative sourcing:
Advanced Persistent Threat (APT): NIST defines APT as "an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors." The term is operationally significant under CISA's threat intelligence classifications.
Authentication: Verification of the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system (NIST IR 7298). Distinct from authorization, which governs what an authenticated identity is permitted to do.
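The authentication/authorization split in the definition above, as an added illustration that is not part of this glossary or of NIST IR 7298: authentication answers "is the caller who they claim to be?" (here, a salted PBKDF2 password check), and authorization is a separate decision about what that verified identity may do (here, a role-to-action policy). The accounts, roles and actions are constructed for the example.

```python
import hashlib
import hmac
import os

# Password hashing parameters for the constructed user store.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (never store plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}


# Sample accounts, constructed for this example (not real credentials).
USERS = {
    "alice": _make_user("correct horse battery staple", {"analyst"}),
    "bob": _make_user("hunter2", {"analyst", "admin"}),
}

# Authorization policy: which roles may perform which actions (assumed policy).
PERMISSIONS = {
    "read_alerts": {"analyst", "admin"},
    "delete_logs": {"admin"},
}


def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the claimed identity against the stored hash."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so response time does not reveal whether the account exists.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, user["salt"])
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, user["hash"])


def authorize(username: str, action: str) -> bool:
    """Authorization: decide whether an already-verified identity may perform an action."""
    allowed_roles = PERMISSIONS.get(action, set())
    user_roles = USERS.get(username, {}).get("roles", set())
    return bool(allowed_roles & user_roles)


def request(username: str, password: str, action: str) -> str:
    """Two distinct decisions in a fixed order: authenticate, then authorize."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return "denied: not authorized"
    return "ok"


if __name__ == "__main__":
    # alice authenticates fine but is not authorized to delete logs.
    print(request("alice", "correct horse battery staple", "read_alerts"))
    print(request("alice", "correct horse battery staple", "delete_logs"))
    print(request("alice", "wrong password", "read_alerts"))
```

The point the glossary makes is visible in the third function: a correct password for `alice` yields "ok" for `read_alerts` and "denied: not authorized" for `delete_logs`, so passing authentication never implies permission, and an authorization check on its own says nothing about whether the caller proved who they are.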
Data Breach: Under California Civil Code §1798.82, a breach is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. The Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) apply parallel definitions under the Gramm-Leach-Bliley Act (GLBA) and HIPAA Breach Notification Rule (45 CFR §164.400–414), respectively.
Encryption: The process of transforming plaintext into ciphertext using a cryptographic algorithm and key. NIST SP 800-175B provides guidance on approved cryptographic standards, distinguishing between symmetric encryption (e.g., AES-256) and asymmetric encryption (e.g., RSA-2048).
Zero Trust: An architectural security model defined by NIST SP 800-207 as one in which no implicit trust is granted to assets or user accounts based solely on their physical or network location.
Incident vs. Breach — Critical Distinction: A security incident (NIST: any actual or suspected adverse event in an information system) is broader than a breach. Not every incident constitutes a breach; statutory notification obligations under laws such as HIPAA attach only to confirmed breaches, not to every incident. This distinction determines whether mandatory 60-day notification windows under HIPAA (45 CFR §164.412) are triggered.
The resource overview at this site details how these term categories map to service sectors in the directory.
Common Scenarios
Scenario 1 — Ransomware Classification:
Ransomware is classified as malicious code (malware) under NIST and as a cyber incident under CISA's incident taxonomy. Whether a ransomware event also constitutes a notifiable data breach depends on whether personal data was exfiltrated — encryption alone does not automatically trigger breach notification under HHS guidance for HIPAA-covered entities.
Scenario 2 — Phishing vs. Spear Phishing:
Phishing refers to a broad category of social engineering attacks using deceptive communications, typically at scale. Spear phishing is a targeted variant directed at a specific individual or organization. The FBI's Internet Crime Complaint Center (IC3) reported phishing as the most common cybercrime type in its 2022 annual report, with over 300,000 complaints filed that year.
Scenario 3 — Vulnerability vs. Exploit:
A vulnerability is a weakness in a system that could be exploited (NIST: cvss.nist.gov). An exploit is the active mechanism — code, technique, or procedure — by which an attacker leverages that vulnerability. NIST's National Vulnerability Database (NVD) assigns Common Vulnerability Scoring System (CVSS) scores from 0.0 to 10.0 to categorize severity.
Scenario 4 — PII vs. PHI vs. Sensitive PII:
Personally Identifiable Information (PII) is defined by OMB Memorandum M-07-16 as information that can be used to distinguish or trace an individual's identity. Protected Health Information (PHI), governed by HHS under 45 CFR §160.103, is a subset limited to health-related data held by covered entities. Sensitive PII carries a higher protection threshold and includes Social Security numbers, financial account data, and biometric records.
Decision Boundaries
Applying the correct definition is a regulatory compliance function, not an editorial one. Three boundary conditions govern which definition applies in a given context:
1. Jurisdiction Determines the Governing Definition
The term "personal information" carries different scope under California Civil Code §1798.81.5, HIPAA (45 CFR §164.514), and the EU's General Data Protection Regulation (GDPR, Article 4). A term applicable in one regulatory regime may not carry the same legal weight in another. The relevant statute or rule — not the NIST glossary — is controlling where a legal obligation is at issue.
2. Sector Specificity Narrows General Definitions
FISMA (44 U.S.C. §3551 et seq.) governs federal information systems and carries definitions for "information security" and "incident" that may differ from the FTC's interpretation of "reasonable security" under Section 5 of the FTC Act. Financial institutions subject to the FTC Safeguards Rule (16 CFR Part 314) operate under a definition of "customer information" that is narrower than general PII definitions.
3. Technical Terms Require Standard-Specific Precision
"Multi-factor authentication" (MFA) is defined differently in NIST SP 800-63B (Authenticator Assurance Levels 1–3) than in common commercial usage. Regulatory compliance programs — particularly those subject to PCI DSS, HIPAA, or the NIST Cybersecurity Framework (CSF) — must apply the standard's own definition, not a general interpretation.
The distinction between compensating controls and equivalent controls provides a useful example: PCI DSS v4.0 permits compensating controls only where a technical constraint prevents standard compliance, whereas NIST CSF treats equivalent controls as substitutable by design. These distinctions are operationally material for auditors and compliance officers navigating the service categories in this directory.
For a full orientation to how this reference resource is structured and how to locate specific service categories, the How to Use This Cyber Safety Resource page provides structural navigation guidance.
References
- NIST IR 7298 Rev 3 — Glossary of Key Information Security Terms
- NIST SP 800-207 — Zero Trust Architecture
- NIST SP 800-63B — Digital Identity Guidelines: Authentication
- NIST SP 800-175B — Guideline for Using Cryptographic Standards
- NIST National Vulnerability Database (NVD)
- [CISA — Cybersecurity Resources and Definitions](https://www.