# Acronyms, Abbreviations, and Initialisms*

| Short Form | Full Form |
|---|---|
| ABAC | Attribute-Based Access Control |
| ACL | Access Control List |
| AICPA | American Institute of Certified Public Accountants |
| ALE | Annualized Loss Expectancy |
| ANF | Application Normative Framework |
| ANSI | American National Standards Institute |
| AoC | Attestation of Compliance |
| AONT-RS | All-or-Nothing-Transform with Reed-Solomon |
| APEC | Asia-Pacific Economic Cooperation |
| API | Application Programming Interface |
| APP | Australian Privacy Principles |
| APT | Advanced Persistent Threat |
| ARO | Annual Rate of Occurrence |
| ARRA | American Recovery and Reinvestment Act |
| ASMP | Application Security Management Process |
| AST | Application Security Testing |
| ASV | Approved Scanning Vendor |
| ATASM | Architecture, Threats, Attack Surfaces, and Mitigations |
| AUP | Agreed-Upon Procedures |
| AV | Asset Value |
| BC | Business Continuity |
| BCR | Binding Corporate Rule |
| BCM | Business Continuity Management |
| BCP | Business Continuity Plan |
| BIA | Business Impact Analysis |
| BICSI | Building Industry Consulting Services International |
| BOSS | Business Operation Support Services |
| BPA | Best Practices Analyzer |
| CaaS | Compliance as a Service |
| CAIQ | Consensus Assessments Initiative Questionnaire |
| CAMP | Cloud Application Management for Platforms |
| CapEx | Capital Expenditure |
| CASB | Cloud Access Security Broker |
| CBA | Cost-Benefit Analysis |
| CBPR | Cross-Border Privacy Rules |
| CC | Common Criteria |
| CCL | Commerce Control List |
| CCM | Cloud Controls Matrix |
| CDN | Content Delivery Network |
| CI | Configuration Item |
| CICA | Canadian Institute of Chartered Accountants |
| CI/CD | Continuous Integration and Continuous Delivery |
| CIP | Critical Infrastructure Plan |
| CIS | Center for Internet Security |
| CISA | Cybersecurity and Infrastructure Security Agency |
| CJEU | Court of Justice of the European Union |
| CMM | Capability Maturity Model |
| CMVP | Cryptographic Module Validation Program |
| COBIT | Control Objectives for Information and Related Technologies |
| CompaaS | Compliance as a Service |
| COPPA | Children's Online Privacy Protection Act |
| CORS | Cross-Origin Resource Sharing |
| CPEA | Cross-Border Privacy Enforcement Arrangement |
| CSA | Cloud Security Alliance |
| CSB | Cloud Service Broker |
| CSC | Critical Security Controls (formerly) |
| CSCC | Cloud Standards Customer Council |
| CSIM | Continual Service Improvement Management |
| CSIRT | Computer Security Incident Response Team |
| CSP | Cloud Service Provider |
| CSPRNG | Cryptographically Secure Pseudorandom Number Generator |
| CSRF | Cross-Site Request Forgery |
| CST | Cryptographic and Security Testing |
| CVE | Common Vulnerabilities and Exposures |
| CVSS | Common Vulnerability Scoring System |
| CWE | Common Weakness Enumeration |
| DAM | Database Activity Monitoring |
| DAR | Data at Rest |
| DAST | Dynamic Application Security Testing |
| DBMS | Database Management System |
| DDoS | Distributed Denial-of-Service |
| DIM | Data in Motion |
| DIT | Data in Transit |
| DIU | Data in Use |
| DMCA | Digital Millennium Copyright Act |
| DLP | Data Leak Prevention; Data Loss Prevention |
| DOC | Department of Commerce |
| DoS | Denial-of-Service |
| DOT | Department of Transportation |
| DPA | Data Protection Act |
| DPD | Data Protection Directive |
| DR | Disaster Recovery |
| DRM | Digital Rights Management |
| DRP | Disaster Recovery Plan |
| DRS | Distributed Resource Scheduling |
| DSaaS | Data Science as a Service |
| DSS | Data Security Standards |
| DTD | Document Type Definition |
| EA | Enterprise Architecture |
| EAL | Evaluation Assurance Level |
| EAR | Export Administration Regulations |
| ECB | Electronic Code Book |
| ECPA | Electronic Communications Privacy Act |
| EDoS | Economic Denial-of-Service |
| EEA | European Economic Area |
| EF | Exposure Factor |
| EFS | Encrypting File System |
| EFTA | European Free Trade Association |
| EL | Expression Language |
| ELK | Elasticsearch, Logstash, Kibana |
| EHR | Electronic Health Record |
| ENISA | European Union Agency for Cybersecurity |
| ePHI | Electronic Protected Health Information |
| ERM | Enterprise Risk Management |
| ESI | Electronically Stored Information |
| EU | European Union |
| FADP | Federal Act on Data Protection |
| FAM | File Activity Monitoring |
| FDE | Full Disk Encryption |
| FDPIC | Federal Data Protection and Information Commissioner |
| FedRAMP | Federal Risk and Authorization Management Program |
| FERPA | Family Educational Rights and Privacy Act |
| FIM | Federated Identity Management |
| FIPS | Federal Information Processing Standard |
| FISMA | Federal Information Security Management Act |
| FPE | Format-Preserving Encryption |
| FS | Forward Secrecy |
| FT | Fault Tolerance |
| FTC | Federal Trade Commission |
| FTP | File Transfer Protocol |
| GAAP | Generally Accepted Accounting Principles |
| GDPR | General Data Protection Regulation |
| GLBA | Gramm-Leach-Bliley Act |
| HA | High Availability |
| HHS | Department of Health and Human Services |
| HIPAA | Health Insurance Portability and Accountability Act |
| HITECH | Health Information Technology for Economic and Clinical Health |
| HQL | Hibernate Query Language |
| HSM | Hardware Security Module |
| HSTS | HTTP Strict Transport Security |
| HTTP | Hypertext Transfer Protocol |
| HTTPS | Hypertext Transfer Protocol Secure |
| IaaS | Infrastructure-as-a-Service |
| IAASB | International Auditing and Assurance Standards Board |
| IaC | Infrastructure as Code |
| IAM | Identity and Access Management |
| IAST | Interactive Application Security Testing |
| IDCA | International Data Center Authority |
| IdP | Identity Provider |
| IDS | Intrusion Detection System |
| IEC | International Electrotechnical Commission |
| IG | Implementation Group |
| IGO | Intergovernmental Organization |
| IMT | Incident Management Team |
| IoT | Internet of Things |
| IP | Intellectual Property |
| IPS | Intrusion Prevention System |
| IRM | Information Rights Management |
| IRT | Incident Response Team |
| ISA | Internal Security Assessor |
| ISM | Information Security Management |
| ISO | International Organization for Standardization |
| ISP | Information Security Plan; Internet Service Provider |
| IT | Information Technology |
| ITA | International Trade Administration |
| ITAR | International Traffic in Arms Regulations |
| ITIL | Information Technology Infrastructure Library (formerly) |
| ITOS | Information Technology Operation and Support |
| ITSM | Information Technology Service Management |
| JSON | JavaScript Object Notation |
| JWT | JSON Web Token |
| KEV | Known Exploited Vulnerabilities |
| KRI | Key Risk Indicator |
| KVM | Kernel-based Virtual Machine |
| LDAP | Lightweight Directory Access Protocol |
| LOI | Letter of Intent |
| MAD | Maximum Allowable Downtime |
| MD5 | Message-Digest Algorithm |
| MDT | Microsoft Deployment Toolkit |
| MFA | Multifactor Authentication |
| MOA | Memorandum of Agreement |
| MOU | Memorandum of Understanding |
| MTD | Maximum Tolerable Downtime |
| MSP | Managed Service Provider |
| MTBF | Mean Time Before Failure |
| MTTR | Mean Time to Repair |
| MTTS | Mean Time to Switchover |
| NaaS | Networking as a Service |
| NBI | Northbound Interface |
| NEC | National Electrical Code |
| NERC | North American Electric Reliability Corporation |
| NFPA | National Fire Protection Association |
| NIS | Network and Information Security |
| NIST | National Institute of Standards and Technology |
| NPI | Nonpublic Personal Information |
| NVD | National Vulnerability Database |
| NVLAP | National Voluntary Laboratory Accreditation Program |
| OCR | Office for Civil Rights |
| OECD | Organization for Economic Co-operation and Development |
| OGNL | Object Graph Navigation Library |
| OIDC | OpenID Connect |
| OLA | Operational-Level Agreement |
| OMB | Office of Management and Budget |
| ONF | Organizational Normative Framework |
| OpEx | Operational Expenditure |
| ORM | Object Relational Mapping |
| OS | Operating System |
| OWASP | Open Web Application Security Project |
| PaaS | Platform-as-a-Service |
| PAN | Primary Account Number |
| PASTA | Process for Attack Simulation and Threat Analysis |
| PCI | Payment Card Industry |
| PDCA | Plan-Do-Check-Act |
| PDPA | Personal Data Protection Act |
| PFI | PCI Forensic Investigator |
| PHI | Protected Health Information |
| PI | Personal Information |
| PII | Personally Identifiable Information |
| PIPEDA | Personal Information Protection and Electronic Documents Act |
| PKCS | Public Key Cryptography Standards |
| PLA | Privacy-Level Agreement |
| PMF | Privacy Management Framework |
| QA | Quality Assurance |
| QSA | Qualified Security Assessor |
| RASP | Runtime Application Self-Protection |
| RBAC | Role-Based Access Control |
| RCE | Remote Code Execution |
| RDM | Release and Deployment Management |
| REST | Representational State Transfer |
| ROC | Report of Compliance |
| ROI | Return on Investment |
| RPO | Recovery Point Objective |
| RSL | Recovery Service Level |
| RSO | Reduced Sign-On |
| RTO | Recovery Time Objective |
| SaaS | Software-as-a-Service |
| SABSA | Sherwood Applied Business Security Architecture |
| SAD | Sensitive Authentication Data |
| SAML | Security Assertion Markup Language |
| SAQ | Self-Assessment Questionnaire |
| SAS | Statement on Auditing Standards |
| SAST | Static Application Security Testing |
| SBI | Southbound Interface |
| SBU | Sensitive But Unclassified |
| SCA | Source Code Analysis; Stored Communications Act |
| SCC | Standard Contractual Clause |
| SCIM | System for Cross-domain Identity Management |
| SDLC | Software Development Lifecycle |
| SDN | Software-Defined Networking |
| SEC | Securities and Exchange Commission |
| SHA | Secure Hashing Algorithm |
| SIEM | Security Information and Event Management |
| SLE | Single Loss Expectancy |
| SLM | Service Level Management |
| SMSS | Secret Sharing Made Short |
| SMTP | Simple Mail Transfer Protocol |
| SOA | Service-Oriented Architecture |
| SOAP | Simple Object Access Protocol |
| SOC | System and Organization Controls |
| SOX | Sarbanes-Oxley |
| SP | Special Publication |
| SPML | Service Provisioning Markup Language |
| SQL | Structured Query Language |
| SSAE | Statement on Standards for Attestation Engagements |
| SSO | Single Sign-On |
| SSRF | Server-Side Request Forgery |
| ST | Security Target |
| STAR | Security, Trust, Assurance, and Risk |
| TADP | Trans-Atlantic Data Privacy |
| TCI | Trusted Cloud Initiative |
| TCSEC | Trusted Computer System Evaluation Criteria |
| TLS | Transport Layer Security |
| TOCTOU | Time-of-Check, Time-of-Use |
| TOTP | Time-Based One-Time Password |
| TPM | Trusted Platform Module |
| TSC | Trust Services Criteria |
| TSP | Trust Services Principles |
| TTP | Tactics, Techniques, and Procedures |
| UC | Underpinning Contract |
| U.S. | United States |
| U.S.C. | United States Code |
| USG | United States Government |
| USML | United States Munitions List |
| UTM | Unified Threat Management |
| VLAN | Virtual Local Area Network |
| VMI | Virtual Machine Introspection |
| VPN | Virtual Private Network |
| WAF | Web Application Firewall |
| WDE | Whole Disk Encryption |
| WORM | Write Once, Read Many |
| WRT | Work Recovery Time |
| WSTG | Web Security Testing Guide |
| XML | Extensible Markup Language |
| XSS | Cross-Site Scripting |
| XXE | XML External Entities |
| ZAP | Zed Attack Proxy |