Since this page contains information from nearly all other pages, this will remain under active construction until all notes have been fully updated.

# Acronyms, Abbreviations, and Initialisms*

Please note that not all acronyms, abbreviations, and initialisms referenced below exist in the glossary with a simple definition. Some acronyms, abbreviations, and initialisms describe concepts, organizations, laws, standards, guidance, or models that require more thoughtful explanation and may exist in their own respective page or pages. For this reason, we chose not to directly link any content below to individual pages or anchors. Please use the search feature to locate and research these terms.

Short Form	Full Form
ABAC	Attribute-Based Access Control
ACL	Access Control List
AICPA	American Institute of Certified Public Accountants
ALE	Annualized Loss Expectancy
ANF	Application Normative Framework
ANSI	American National Standards Institute
AoC	Attestation of Compliance
AONT-RS	All-or-Nothing-Transform with Reed-Solomon
APEC	Asia-Pacific Economic Cooperation
API	Application Programming Interface
APP	Australian Privacy Principles
APT	Advanced Persistent Threat
ARO	Annual Rate of Occurrence
ARRA	American Recovery and Reinvestment Act
ASMP	Application Security Management Process
AST	Application Security Testing
ASV	Approved Scanning Vendor
ATASM	Architecture, Threats, Attack Surfaces, and Mitigations
AUP	Agreed-Upon Procedures
AV	Asset Value
BC	Business Continuity
BCR	Binding Corporate Rule
BCM	Business Continuity Management
BCP	Business Continuity Plan
BIA	Business Impact Analysis
BICSI	Building Industry Consulting Services International
BOSS	Business Operation Support Services
BPA	Best Practices Analyzer
CaaS	Compliance as a Service
CAIQ	Consensus Assessments Initiative Questionnaire
CAMP	Cloud Application Management for Platforms
CapEx	Capital Expenditure
CASB	Cloud Access Security Broker
CBA	Cost-Benefit Analysis
CBPR	Cross-Border Privacy Rules
CC	Common Criteria
CCL	Commerce Control List
CCM	Cloud Controls Matrix
CCRA	Cloud Computing Reference Architecture
CDN	Content Delivery Network
CI	Configuration Item
CICA	Canadian Institute of Chartered Accountants
CI/CD	Continuous Integration and Continuous Delivery
CIP	Critical Infrastructure Plan
CIS	Center for Internet Security
CISA	Cybersecurity and Infrastructure Security Agency
CJEU	Court of Justice of the European Union
CMM	Capability Maturity Model
CMVP	Cryptographic Module Validation Program
COBIT	Control Objectives for Information and Related Technologies
CompaaS	Compliance as a Service
COPPA	Children's Online Privacy Protection Act
CORS	Cross-Origin Resource Sharing
CPEA	Cross-Border Privacy Enforcement Arrangement
CSA	Cloud Security Alliance
CSB	Cloud Service Broker
CSC	Cloud Service Customer Critical Security Controls (formerly)
CSCC	Cloud Standards Customer Council
CSIM	Continual Service Improvement Management
CSIRT	Computer Security Incident Response Team
CSN	Cloud Service Partner
CSP	Cloud Service Provider
CSPRNG	Cryptographically Secure Pseudo Random Number Generator
CSRF	Cross-Site Request Forgery
CST	Cryptographic and Security Testing
CVE	Common Vulnerabilities and Exposures
CVSS	Common Vulnerability Scoring System
CWE	Common Weakness Enumeration
DAM	Database Activity Monitoring
DAR	Data at Rest
DAST	Dynamic Application Security Testing
DBMS	Database Management System
DDoS	Distributed Denial-of-Service
DIM	Data in Motion
DIT	Data in Transit
DIU	Data in Use
DMCA	Digital Millenium Copyright Act
DLP	Data Leak Prevention Data Loss Prevention
DOC	Department of Commerce
DoS	Denial-of-Service
DOT	Department of Transportation
DPA	Data Protection Act
DPD	Data Protection Directive
DR	Disaster Recovery
DRM	Digital Rights Management
DRP	Disaster Recovery Plan
DRS	Distributed Resource Scheduling
DSaaS	Data Science as a Service
DSS	Data Security Standards
DTD	Document Type Definitions)
EA	Enterprise Architecture
EAL	Evaluation Assurance Level
EAR	Export Administration Regulations
ECB	Electronic Code Book
ECPA	Electronic Communication Privacy Act
eDiscovery	Electronic Discovery
EDoS	Economic Denial-of-Service
EEA	European Economic Area
EF	Exposure Factor
EFS	Encrypting File System
EFTA	European Free Trade Association
EL	Expression Language
ELK	Elasticsearch, Logstash, Kibana
EHR	Electronic Health Record
ENISA	European Union Agency for Cybersecurity
ePHI	Electronic Protected Health Information
ERM	Enterprise Risk Management
ESI	Electronically Stored Information
EU	European Union
FADP	Federal Act on Data Protection
FAM	File Activity Monitoring
FDE	Full Disk Encryption
FDPIC	Federal Data Protection and Information Commissioner
FedRAMP	Federal Risk and Authorization Management Program
FERPA	Family Educational Rights and Privacy Act
FIM	Federated Identity Management
FIPS	Federal Information Processing Standard
FISMA	Federal Information Security Management Act
FPE	Format-Preserving Encryption
FS	Forward Secrecy
FT	Fault Tolerance
FTC	Federal Trade Commission
FTP	File Transfer Protocol
GAAP	Generally Accepted Accounting Principles
GDPR	General Data Protection Regulation
GLBA	Gramm-Leach-Bliley Act
HA	High Availability
HHS	Department of Health and Human Services
HIPAA	Health Insurance Portability and Accountability Act
HITEHC	Health Information Technology for Economic and Clinical Health
HQL	Hibernate Query Language
HSM	Hardware Security Module
HSTS	HTTP Strict Transport Security
HTTP	Hypertext Transfer Protocol
HTTPS	Hypertext Transfer Protocol Secure
IaaS	Infrastructure as a Service
IAASB	International Auditing and Assurance Standards Board
IaC	Infrastructure as Code
IAM	Identity and Access Management
IAST	Interactive Application Security Testing
IDCA	International Data Center Authority
IdP	Identity Provider
IDS	Intrusion Detection System
IEC	International Electrotechnical Commission
IG	Implementation Group
IGO	Intergovernmental Organization
IMT	Incident Management Team
IoT	Internet of Things
IP	Intellectual Property
IPS	Intrusion Prevention System
IRM	Information Rights Management
IRT	Incident Response Team
ISA	Internal Security Assessor
ISM	Information Security Management
ISMS	Information Security Management System
ISO	International Organization for Standardization
ISP	Information Security Plan Internet Service Provider
IT	Information Technology
ITA	International Trade Administration
ITAR	International Traffic in Arms Regulations
ITIL	Information Technology Infrastructure Library (formerly)
ITOS	Information Technology Operation and Support
ITSM	Information Technology Service Management
JSON	JavaScript Object Notation
JWT	JSON Web Token
KEV	Known Exploited Vulnerabilities
KRI	Key Risk Indicator
KVM	Kernel-based Virtual Machine
LDAP	Lightweight Directory Access Protocol
LOI	Letter of Intent
MAD	Maximum Allowable Downtime
MD5	Message-Digest Algorithm
MDT	Microsoft Deployment Toolkit
MFA	Multifactor Authentication
MOA	Memorandum of Agreement
MOU	Memorandum of Understanding
MTD	Maximum Tolerable Downtime
MSP	Managed Service Provider
MTBF	Mean Time Before Failure
MTTR	Mean Time to Repair
MTTS	Mean Time to Switchover
NaaS	Network as a Service
NBI	Northbound Interface
NEC	National Electrical Code
NERC	North American Electric Reliability Corporation
NFPA	National Fire Protection Association
NIS	Network and Information Security
NIST	National Institute of Standards and Technology
NPI	Nonpublic Personal Information
NVD	National Vulnerability Database
NVLAP	National Voluntary Laboratory Accreditation Program
OCR	Office for Civil Rights
OECD	Organization for Economic Co-operation and Development
OGNL	Object Graph Navigation Library
OIDC	OpenID Connect
OLA	Operational-Level Agreement
OMB	Office of Management and Budget
ONF	Organizational Normative Framework
OpEx	Operational Expenditure
ORM	Object Relational Mapping
OS	Operating System
OWASP	Open Web Application Security Project
PaaS	Platform as a Service
PAN	Primary Account Number
PASTA	Process for Attack Simulation and Threat Analysis
PCI	Payment Card Industry
PDCA	Plan-Do-Check-Act
PDPA	Personal Data Protection Act
PFI	PCI Forensic Investigator
PHI	Protected Health Information
PI	Personal Information
PII	Personally Identifiable Information
PIPEDA	Personal Information Protection and Electronic Documents Act
PKCS	Public Key Cryptography Standards
PLA	Privacy-Level Agreement
PMF	Privacy Management Framework
PP	Protection Profile
QA	Quality Assurance
QSA	Qualified Security Assessor
RASP	Runtime Application Self-Protection
RBAC	Role-Based Access Control
RCE	Remote Code Execution
RDM	Release and Deployment Management
REST	Representational State Transfer
RMF	Risk Management Framework
ROC	Report of Compliance
ROI	Return on Investment
RPO	Recovery Point Objective
RSL	Recovery Service Level
RSO	Reduced Sign-On
RTO	Recovery Time Objective
SaaS	Software as a Service
SABSA	Sherwood Applied Business Security Architecture
SAD	Sensitive Authentication Data
SAML	Security Assertion Markup Language
SAQ	Self-Assessment Questionnaire
SAS	Statement on Auditing Standards
SAST	Static Application Security Testing
SBI	Southbound Interface
SBU	Sensitive But Unclassified
SCA	Source Code Analysis Stored Communication Act
SCC	Standard Contractual Clause
SCIM	System for Cross-domain Identity Management
SDLC	Software Development Lifecycle
SDN	Software-Defined Networking
SEC	Securities and Exchange Commission
SHA	Secure Hashing Algorithm
SIEM	Security Information and Event Management
SLE	Single Loss Expectancy
SLM	Service Level Management
SMSS	Secret Sharing Made Short
SMTP	Simple Mail Transfer Protocol
SOA	Service-Oriented Architecture
SOAP	Simple Object Access Protocol
SOC	System and Organization Controls
SOX	Sarbanes-Oxley
SP	Special Publication
SPML	Service Provisioning Markup Language
SQL	Structured Query Language
SSAE	Statement on Standards for Attestation Engagements
SSO	Single Sign-On
SSRF	Server-Side Request Forgery
ST	Security Target
STAR	Security, Trust, Assurance, and Risk
TADP	Trans-Atlantic Data Privacy
TCI	Trusted Cloud Initiative
TLS	Transport Layer Security
TOCTOU	Time-of-Check, Time-of-Use
TOE	Target of Evaluation
TOTP	Time-Based One-Time Password
TPM	Trusted Platform Module
TSC	Trust Services Criteria
TSP	Trust Services Principles
TTP	Tactics, Techniques, and Procedures
UC	Underpinning Contract
UPS	Uninterruptible Power Supply
U.S.	United States
U.S.C.	United States Code
USG	United States Government
USML	United States Munitions List
VLAN	Virtual Local Area Network
VMI	Virtual Machine Introspection
VPN	Virtual Private Network
WAF	Web Application Firewall
WDE	Whole Disk Encryption
WORM	Write Once, Read Many
WRT	Work Recovery Time
WSTG	Web Security Testing Guide
XML	Extensible Markup Language
XSS	Cross-Site Scripting
XXE	XML External Entities
ZAP	Zed Attack Proxy