Cybersecurity Terms and Definitions Reference
Cybersecurity terminology spans federal statute, international standards, operational frameworks, and technical disciplines — and inconsistent use of terms across these domains creates real compliance and interoperability risk for organizations. This reference catalogs core terms and definitions drawn from authoritative public sources including NIST, CISA, the Committee on National Security Systems (CNSS), and federal law. The definitions below reflect formal usage as applied in regulatory, procurement, and incident response contexts across the United States.
Definition and scope
Cybersecurity terminology is not uniformly standardized across all governing bodies, which means the same term may carry slightly different definitions depending on whether the source is a federal statute, a NIST publication, or a sector-specific regulation. The US Cybersecurity Regulatory Framework applies definitions from multiple overlapping authorities.
Core definitional sources:
- NIST SP 800-53 (Rev. 5) — Security and Privacy Controls for Information Systems and Organizations (csrc.nist.gov)
- CNSSI 4009 — Committee on National Security Systems Instruction, the U.S. Government's master glossary for national security systems (cnss.gov)
- FISMA 2014 — Federal Information Security Modernization Act, codified at 44 U.S.C. § 3551 et seq. (congress.gov)
- NIST Cybersecurity Framework (CSF) 2.0 — Voluntary framework with defined function-level terminology (nist.gov/cyberframework)
Foundational terms defined by NIST and CNSS:
| Term | Definition Source | Core Definition |
|---|---|---|
| Cybersecurity | NIST SP 800-53 | Prevention of damage to, protection of, and restoration of computers, electronic communications systems, and the information they contain |
| Information Security | FISMA 2014 | Protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction |
| Threat | CNSSI 4009 | Any circumstance or event with the potential to adversely impact organizational operations through unauthorized access, destruction, disclosure, modification, or denial of service |
| Vulnerability | NIST SP 800-30 | Weakness in an information system that could be exploited by a threat source |
| Risk | NIST SP 800-30 | A measure of the extent to which an entity is threatened by a potential circumstance or event, typically a function of the adverse impact that would arise if it occurred and the likelihood of its occurrence |
| Asset | CNSSI 4009 | Anything that has value to an organization, including IT hardware, software, data, and personnel |
| Control | NIST SP 800-53 | A safeguard or countermeasure prescribed for an information system or organization to protect the confidentiality, integrity, and availability of its information |
The Cybersecurity Glossary provides extended entries across additional operational and technical categories.
How it works
Cybersecurity terminology functions within a layered definitional hierarchy. Federal agencies apply NIST definitions as baseline references, while sector-specific regulators (HHS for healthcare, FERC for the bulk electric system through the NERC CIP standards it approves, the FFIEC member agencies and the SEC for financial services) may extend or constrain those definitions within their regulatory domains.
The relationship between key terms follows a structured logic:
- Assets are identified — hardware, software, data, personnel, and facilities that support mission functions.
- Threats are characterized — adversarial (nation-state, criminal, insider) or non-adversarial (natural disaster, human error).
- Vulnerabilities are assessed — weaknesses that a threat could exploit, cataloged in sources such as the National Vulnerability Database (NVD) maintained by NIST.
- Risk is calculated — the intersection of threat likelihood and potential impact on assets.
- Controls are applied — from the NIST SP 800-53 control catalog, organized into 20 control families including Access Control (AC), Incident Response (IR), and Supply Chain Risk Management (SR).
- Residual risk is accepted, transferred (via cyber insurance), or further mitigated.
Key architectural terms defined under NIST and federal guidance include:
- Zero Trust Architecture (ZTA): A security model that eliminates implicit trust within network perimeters; defined in NIST SP 800-207 (csrc.nist.gov/publications/detail/sp/800-207/final). Federal implementation is covered under Zero Trust Architecture – Federal.
- Security Operations Center (SOC): An organizational unit responsible for continuous monitoring and response; referenced in CISA operational guidance.
- Incident: NIST SP 800-61 defines an incident as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
- Breach: Under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule (45 C.F.R. § 164.402), a breach is the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule that compromises its security or privacy. This is a sector-specific term, narrower than the general federal usage of "breach" carried in the NIST glossary from OMB guidance, and it should not be read as the HIPAA Security Rule (45 C.F.R. §§ 164.302 through 164.318), which sets safeguards rather than defining breaches.
Common scenarios
Definitional precision becomes operationally critical in three primary contexts:
Regulatory compliance reporting: Cyber incident reporting under CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022) requires covered entities to distinguish between a "covered cyber incident" and a "ransom payment", terms with specific statutory meanings under the law (Pub. L. 117-103, Division Y). Misclassification affects reporting timelines: 72 hours after the entity reasonably believes a covered cyber incident has occurred, and 24 hours after a ransom payment is made (CISA CIRCIA overview). These obligations become enforceable only when CISA's implementing regulation takes effect, so the definitions in the final rule, not only the statute, govern classification.
Procurement and contracting: DoD contractors operating under the Cybersecurity Maturity Model Certification (CMMC) framework must demonstrate controls aligned to NIST SP 800-171, which specifies security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems; CUI itself is defined by the NARA-administered program at 32 C.F.R. Part 2002. The term "advanced persistent threat" (APT) appears in NIST SP 800-39 with a specific meaning (an adversary with sophisticated expertise and significant resources pursuing objectives over an extended period) distinct from its common media usage.
Forensics and legal proceedings: Courts and regulators distinguish between "unauthorized access" (18 U.S.C. § 1030, the Computer Fraud and Abuse Act) and "data breach" as defined by state notification laws. As of 2024, all 50 U.S. states have enacted data breach notification statutes, though definitions of "personal information" vary by jurisdiction (NCSL State Security Breach Notification Laws). The Data Breach Notification Laws – US reference covers cross-state definitional variance.
Decision boundaries
Several definitional distinctions cause consistent classification errors in compliance and operational contexts:
Incident vs. Event
An event is any observable occurrence in a system or network (NIST SP 800-61). An incident is an event that actually or imminently violates security policy and so jeopardizes confidentiality, integrity, or availability. Not every event triggers incident response obligations; the threshold determines when a federal agency's duty to report the incident to CISA under FISMA is triggered.
Vulnerability vs. Weakness
The Common Weakness Enumeration (CWE), maintained by MITRE under CISA sponsorship, classifies weaknesses as underlying coding or design flaws. A vulnerability (tracked in the NVD via Common Vulnerabilities and Exposures identifiers, or CVEs) is a specific, exploitable instance of a weakness in a deployed product. A weakness is structural; a vulnerability is contextual and version-specific.
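The version-specific nature of a vulnerability is what an asset-to-vulnerability correlation has to compute in practice. The following is an added example, not code from the page or from NIST or MITRE: it applies an NVD-style affected-product record to an installed product identified by a CPE 2.3 string and reports which weakness (CWE) becomes an applicable vulnerability for that exact version. The field names `criteria`, `vulnerable`, `versionStartIncluding`, `versionStartExcluding`, `versionEndIncluding` and `versionEndExcluding` follow the NVD CVE API 2.0 `cpeMatch` schema; the record itself is constructed (fictional vendor `examplevendor` and product `webportal`, no real CVE), the weaknesses list is flattened to bare CWE IDs for brevity, and multi-node AND configurations are not modelled. CWE-79 is the real CWE entry for cross-site scripting.

```python
"""Decide whether a deployed product is affected by an NVD-style record.

A CWE entry names a class of weakness; a CVE record in the NVD ties that
weakness to concrete products and version ranges through CPE 2.3 match
criteria.  This module implements the range matching that makes a
vulnerability "contextual and version-specific".  The record below is
constructed for illustration and does not describe any real CVE.
"""
import re

# A CPE 2.3 formatted string has 13 colon-separated fields.  Colons inside a
# value are escaped as "\:", so we split only on unescaped colons.
_CPE_FIELDS = ("cpe", "version_tag", "part", "vendor", "product", "version",
               "update", "edition", "language", "sw_edition", "target_sw",
               "target_hw", "other")
_SPLIT = re.compile(r"(?<!\\):")


def parse_cpe(cpe: str) -> dict:
    parts = _SPLIT.split(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(_CPE_FIELDS, parts))


def version_key(v: str) -> tuple:
    """Turn '1.4.2' into a tuple that compares numerically component-wise.
    Non-numeric components (e.g. 'rc1') sort before any number, and a shorter
    version sorts before a longer one with the same prefix (1.4 < 1.4.0)."""
    return tuple((1, int(c)) if c.isdigit() else (0, c) for c in v.split("."))


def _field_matches(pattern: str, value: str) -> bool:
    # "*" is the CPE ANY value; other values compare literally, case-insensitive.
    return pattern == "*" or pattern.lower() == value.lower()


def cpe_match_applies(match: dict, installed: dict) -> bool:
    """Apply one NVD 'cpeMatch' entry to a parsed installed-product CPE."""
    if not match.get("vulnerable", False):
        return False
    crit = parse_cpe(match["criteria"])
    for f in ("part", "vendor", "product"):
        if not _field_matches(crit[f], installed[f]):
            return False
    ver = installed["version"]
    if ver in ("*", "-"):
        return False  # cannot decide without a concrete installed version
    if crit["version"] != "*":
        return version_key(crit["version"]) == version_key(ver)
    # Version '*' in the criteria means the range fields carry the decision.
    vk = version_key(ver)
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc is not None and vk < version_key(lo_inc):
        return False
    if lo_exc is not None and vk <= version_key(lo_exc):
        return False
    if hi_inc is not None and vk > version_key(hi_inc):
        return False
    if hi_exc is not None and vk >= version_key(hi_exc):
        return False
    return True


def affected_by(record: dict, installed_cpe: str) -> list:
    """Return the CWE IDs from `record` that apply to `installed_cpe` as a
    concrete vulnerability; an empty list means this version is not affected."""
    installed = parse_cpe(installed_cpe)
    for cfg in record["configurations"]:
        for node in cfg["nodes"]:  # each node evaluated on its own (simplification)
            hits = [cpe_match_applies(m, installed) for m in node["cpeMatch"]]
            ok = any(hits) if node.get("operator", "OR") == "OR" else all(hits)
            if node.get("negate", False):
                ok = not ok
            if ok:
                return list(record["weaknesses"])
    return []


# Constructed record in the shape of an NVD 'configurations' block.  Vendor,
# product and versions are fictional; CWE-79 is the real cross-site scripting
# weakness.  The weakness is structural; the range below is what makes it a
# vulnerability for a particular deployed version.
SAMPLE_RECORD = {
    "weaknesses": ["CWE-79"],
    "configurations": [{"nodes": [{
        "operator": "OR",
        "negate": False,
        "cpeMatch": [{
            "vulnerable": True,
            "criteria": "cpe:2.3:a:examplevendor:webportal:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "1.0",
            "versionEndExcluding": "1.4.2",
        }],
    }]}],
}

if __name__ == "__main__":
    for v in ("0.9", "1.0", "1.3.0", "1.4.2", "2.0"):
        cpe = f"cpe:2.3:a:examplevendor:webportal:{v}:*:*:*:*:*:*:*"
        print(v, affected_by(SAMPLE_RECORD, cpe))
```

Running the module shows the boundary behaviour that matters in practice: 1.0 and 1.3.0 fall inside the half-open range and return `['CWE-79']`, while 0.9 (below `versionStartIncluding`), 1.4.2 (equal to `versionEndExcluding`) and 2.0 return an empty list. Real NVD records often carry several `cpeMatch` entries per node and AND-combined nodes for platform dependencies; a production matcher must honour the configuration-level operator as well.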
Threat vs. Risk
NIST SP 800-30 establishes that a threat alone does not constitute risk. Risk requires the co-presence of a threat, a vulnerability that the threat can exploit, and a likely impact on organizational assets. Sectors with high-consequence infrastructure — energy, healthcare, financial services — apply sector-specific risk framing through frameworks referenced in Sector-Specific Cybersecurity Regulations.
Confidentiality, Integrity, Availability (CIA Triad)
These three security objectives form the foundational classification system for federal information and information systems under FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems). Each objective is assigned a potential impact level of low, moderate, or high; the highest of the three (the high-water mark) sets the system's security category, which in turn selects the NIST SP 800-53 control baseline (low, moderate, or high) applicable to the federal system.
References
- NIST SP 800-53, Rev. 5 – Security and Privacy Controls
- NIST SP 800-30 – Guide for Conducting Risk Assessments
- NIST SP 800-61 – Computer Security Incident Handling Guide
- NIST SP 800-207 – Zero Trust Architecture
- [CNSSI 4009 – National Information Assurance Glossary](https://www