Cybersecurity Terms and Definitions Glossary
The cybersecurity field operates on a dense vocabulary drawn from computer science, law, risk management, and military doctrine — and inconsistent use of core terms creates measurable gaps in policy, procurement, and incident response. This page catalogs foundational cybersecurity terminology as defined by authoritative public bodies, including the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the Committee on National Security Systems (CNSS). The definitions here reflect the standardized language used in federal regulation, sector-specific compliance frameworks, and professional credentialing — the vocabulary professionals, auditors, and researchers encounter in formal regulatory contexts.
Definition and scope
Cybersecurity terminology is not uniform across industries, agencies, or frameworks. NIST maintains the Computer Security Resource Center (CSRC) Glossary, which consolidates definitions drawn from NIST Special Publications, Federal Information Processing Standards (FIPS), and CNSS Instruction 4009. These definitions form the baseline vocabulary for federal agency compliance under the Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. § 3551 et seq.
The scope of cybersecurity terminology spans three primary domains:
- Technical terms — describing systems, protocols, vulnerabilities, and attack methods (e.g., exploit, payload, cipher, hash function)
- Operational terms — describing processes, roles, and procedures (e.g., incident response, chain of custody, red team, threat hunting)
- Regulatory and legal terms — describing compliance obligations, classifications, and enforcement mechanisms (e.g., covered entity, breach notification, authorization to operate)
For practitioners navigating US cybersecurity regulations and compliance, the distinction between technical and legal definitions is operationally significant. A "breach" in HIPAA's regulatory language (45 C.F.R. § 164.402) carries specific notification triggers that differ from the technical definition of an unauthorized system access event.
How it works
Standardized glossaries function as normative references — they establish the precise meaning of terms as used in a specific standard, regulation, or framework. When NIST SP 800-53 Rev. 5 defines "access control" (NIST SP 800-53 Rev. 5, §AC-1), that definition governs how the control is implemented and audited across all federal information systems. The CNSS Glossary (CNSSI 4009) extends this to national security systems.
Key structural elements of formal cybersecurity definitions:
- Source authority — the standards body or agency publishing the definition (NIST, CISA, ISO/IEC, IETF)
- Normative vs. informative status — normative definitions impose requirements; informative definitions provide context
- Scope qualifiers — definitions may be bounded by system type (e.g., industrial control systems, cloud environments) or sector (e.g., financial, healthcare)
- Cross-references — most formal definitions cite parent standards, enabling traceback to authoritative sources
- Version control — definitions evolve across publication revisions; NIST SP 800-37 Rev. 2 superseded Rev. 1, with updated terminology throughout
The NIST Cybersecurity Framework reference employs five function-level terms — Identify, Protect, Detect, Respond, Recover — each subdivided into categories and subcategories with discrete definitions tied to informative references. This layered structure illustrates how operational vocabulary is deliberately hierarchical in professional frameworks.
Common scenarios
Terminology disputes and definitional ambiguity surface most frequently in four professional contexts:
Incident classification — Whether an event qualifies as a "security incident," a "breach," or a "data spill" determines regulatory reporting obligations. Under cybersecurity incident reporting requirements, CISA's definition of a "significant cyber incident" (Presidential Policy Directive 41) differs from the breach definition under state notification statutes cataloged in data breach notification laws.
Procurement and contracting — Government contractors must align with definitions in the Defense Federal Acquisition Regulation Supplement (DFARS) and the CMMC compliance reference framework. "Controlled Unclassified Information" (CUI) is defined by the National Archives and Records Administration (NARA) under 32 C.F.R. Part 2002 — not by individual agency interpretation.
Credentialing and workforce roles — Professional certifications use proprietary domain vocabularies. CompTIA Security+ and (ISC)² CISSP employ domain-specific terminology that maps — with some divergence — to NIST definitions. The cybersecurity certifications and credentials reference covers these distinctions across credential bodies.
Risk assessment and audit — The term "risk" has distinct definitions under NIST SP 800-30 Rev. 1 (probability × impact), ISO/IEC 27005, and FAIR (Factor Analysis of Information Risk). Auditors applying the cybersecurity risk assessment frameworks must specify which definition governs a given engagement.
Decision boundaries
Selecting the governing definition for a term depends on the applicable regulatory framework, not preference. The following contrasts clarify where definitional authority lies:
NIST vs. ISO/IEC — NIST definitions govern federal civilian agency compliance under FISMA. ISO/IEC 27001:2022 definitions govern internationally scoped audits and certifications. The two frameworks use overlapping but non-identical vocabulary — "asset" in ISO 27001 explicitly includes intangible information assets; NIST SP 800-39 frames assets within the mission/business process context.
Legal vs. technical "breach" — A technical breach (unauthorized access to a system) does not automatically constitute a legally reportable breach. Forty-seven states maintain independent notification statutes, each with distinct definitional thresholds for what constitutes reportable exposure of personally identifiable information (NCSL State Security Breach Notification Laws).
Operational vs. strategic terminology — "Threat actor" at the tactical level refers to a specific adversary group; at the strategic level (as used in the National Cybersecurity Strategy reference), it encompasses nation-state categories, criminal ecosystems, and hacktivists as policy-relevant classifications.
When terminology governs a compliance determination, audit finding, or contractual obligation, the applicable standard's published glossary — not general-purpose dictionaries or vendor documentation — is the controlling reference. The federal cybersecurity agencies and roles page details which agencies publish normative standards applicable to specific sector contexts.
References
- NIST Computer Security Resource Center (CSRC) Glossary
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments
- CNSSI 4009 — Committee on National Security Systems Glossary
- CISA — Cybersecurity Resources and Advisories
- NARA — Controlled Unclassified Information (CUI) Program, 32 C.F.R. Part 2002
- NCSL — State Security Breach Notification Laws
- HHS — HIPAA Breach Notification Rule, 45 C.F.R. § 164.402
- FISMA — 44 U.S.C. § 3551 et seq.