Cybersecurity Glossary: Key Terms and Definitions

Cybersecurity terminology spans federal statute, international standards, sector-specific regulation, and operational practice — and the same word frequently carries different meanings depending on the governing framework. This page defines the foundational terms used across information security practice in the United States, maps them to the authoritative bodies that define them, and identifies where definitions diverge across regulatory contexts. Professionals working across compliance requirements, technical operations, or risk management will encounter these terms in frameworks including NIST, CISA guidance, HIPAA, and the CMMC program.


Definition and scope

Cybersecurity glossary terms are not interchangeable across contexts. The same word — "incident," "breach," "threat," "vulnerability" — may carry a precise statutory meaning under one regulatory body and a broader operational meaning under another. The primary authoritative source for US federal and widely adopted private-sector terminology is NIST Interagency Report 7298, Revision 3 (NISTIR 7298), which consolidates definitions drawn from over 60 source documents, including FIPS standards, NIST Special Publications, and Committee on National Security Systems (CNSS) Instruction No. 4009.

The scope of this glossary covers:

  1. Core conceptual terms — foundational properties (confidentiality, integrity, availability), threat taxonomy, and risk vocabulary
  2. Operational terms — incident categories, detection mechanisms, and response phases
  3. Regulatory terms — statutory definitions under HIPAA, FISMA, and sector-specific frameworks
  4. Technical terms — attack vectors, cryptographic concepts, and architectural components

Where terms have jurisdiction-specific meanings — such as "breach" under state law versus federal statute — those distinctions are noted. The breach notification requirements page addresses state-by-state statutory variations in greater depth.


How it works

Authoritative cybersecurity definitions are produced through a structured publication process managed by standards bodies, regulatory agencies, and interagency committees. NIST's Computer Security Resource Center (CSRC) maintains the primary public glossary at csrc.nist.gov/glossary, drawing from publications including NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) and NIST SP 800-61 (Computer Security Incident Handling Guide).

Foundational term set — core properties:

The CIA triad defines the three baseline properties all information security programs protect:

  1. Confidentiality — The property that information is not disclosed to unauthorized individuals, processes, or devices. NIST defines this in alignment with FIPS 199, which categorizes systems by their confidentiality impact level (low, moderate, high).
  2. Integrity — The property that data has not been altered or destroyed in an unauthorized manner. Integrity failures are the mechanism behind tampering attacks and supply chain compromises addressed in supply chain security programs.
  3. Availability — The property that systems and data are accessible and usable on demand by authorized entities. Denial-of-service attacks and ransomware directly target availability, a subject covered in ransomware defense practice frameworks.

A fourth property — authenticity — is recognized under NIST SP 800-53 Rev. 5 as the requirement that entities are genuine and not fabricated, which underpins identity and access management controls.

Critical term pairs — contrasts and distinctions:

Each entry gives the term, its definition, and the primary source of that definition:

  Threat: Any circumstance or event with the potential to adversely impact organizational operations. Source: NIST SP 800-30
  Vulnerability: A weakness in a system, application, or process that could be exploited by a threat. Source: NIST SP 800-30
  Risk: The probability that a threat will exploit a vulnerability, combined with the resulting impact. Source: NIST SP 800-30
  Incident: A violation or imminent threat of violation of security policies or standard security practices. Source: NIST SP 800-61
  Breach: The unauthorized acquisition of data that compromises the security or privacy of PII. Source: OMB M-17-12

Threat vs. vulnerability is the distinction most commonly misapplied in organizational risk communication. A threat is an external condition; a vulnerability is an internal weakness. Risk arises at their intersection, a concept central to cyber risk management frameworks.


Common scenarios

Glossary precision directly affects how organizations respond to regulatory requirements and operational events. Three scenarios illustrate where definitional accuracy changes outcomes:

Scenario 1 — Incident vs. breach classification
Under HIPAA 45 CFR §164.402, an impermissible use or disclosure of protected health information (PHI) is presumed to be a "breach" unless a risk assessment demonstrates a low probability that the PHI has been compromised. A security "incident" — defined as a broader set of adverse events — does not automatically trigger breach notification. Organizations that conflate the two terms may either under-report (regulatory exposure) or over-report (operational disruption). The incident response classification workflow must encode this distinction explicitly.

Scenario 2 — Authentication vs. authorization
Authentication verifies identity; authorization determines what an authenticated entity is permitted to do. These are distinct control layers, both addressed in NIST SP 800-53 under Access Control (AC) and Identification and Authentication (IA) control families. Multi-factor authentication addresses the authentication layer; role-based access control (RBAC) governs authorization. Mixing these terms in policy documents creates gaps in access control audits.

Scenario 3 — Zero-day vs. known vulnerability
A zero-day vulnerability is one for which no vendor patch exists at the time of exploitation. A known vulnerability has a published CVE identifier in the NIST National Vulnerability Database (NVD) and typically a vendor-issued remediation. CISA's Known Exploited Vulnerabilities Catalog tracks exploited known vulnerabilities under Binding Operational Directive 22-01, which mandates federal civilian agencies remediate listed CVEs within defined timeframes. The two categories require different vulnerability management response tracks.
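The routing described above, written out as an added example (not code from this page or from CISA): findings with no CVE go to a mitigation track, findings whose CVE appears in the KEV catalog inherit the BOD 22-01 deadline from the catalog record, and the rest enter the normal patch cycle. The feed sample is constructed in the layout of the KEV JSON feed; the CVE numbers and products are placeholders, and the finding dictionary shape and track names are this example's own assumptions.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed. The field names
# (cveID, dateAdded, requiredAction, dueDate, ...) are the feed's own; the
# record and its CVE number are placeholders made up for this example.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleGateway", "dateAdded": "2024-03-01",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2024-03-22"},
]})


def load_kev_index(feed_json):
    """Map cveID -> KEV record so each triage lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(finding, kev_index, today_iso):
    """Route one scanner finding (assumed shape: asset, cve, vendor_fix_available)
    to a response track. Returns the track, any externally imposed deadline
    (ISO date string or None) and whether that deadline has already passed."""
    asset, cve = finding["asset"], finding.get("cve")
    if cve is None:
        # No CVE and, by the page's definition, no vendor patch: zero-day track,
        # i.e. compensating controls and monitoring until a fix exists.
        return {"asset": asset, "track": "zero-day-mitigation",
                "deadline": None, "overdue": False}
    if cve in kev_index:
        # Exploited in the wild: BOD 22-01 deadline is the KEV record's dueDate.
        due = kev_index[cve]["dueDate"]
        overdue = date.fromisoformat(today_iso) > date.fromisoformat(due)
        return {"asset": asset, "track": "kev-remediation",
                "deadline": due, "overdue": overdue}
    if finding.get("vendor_fix_available", False):
        return {"asset": asset, "track": "standard-patch-cycle",
                "deadline": None, "overdue": False}
    # CVE published but no vendor fix shipped yet: treat as zero-day until it does.
    return {"asset": asset, "track": "zero-day-mitigation",
            "deadline": None, "overdue": False}


if __name__ == "__main__":
    kev = load_kev_index(KEV_SAMPLE)
    for f in [{"asset": "gw-01", "cve": "CVE-EXAMPLE-0001", "vendor_fix_available": True},
              {"asset": "app-02", "cve": None},
              {"asset": "db-03", "cve": "CVE-EXAMPLE-0002", "vendor_fix_available": True}]:
        print(triage(f, kev, "2024-04-01"))
```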


Decision boundaries

Not all cybersecurity terminology is interchangeable across frameworks, and professionals must apply the definition that matches the governing regulatory context.

NIST vs. CNSS definitions — NISTIR 7298 explicitly flags terms where NIST and CNSS Instruction 4009 definitions diverge. When working with national security systems (NSS), the CNSS definition governs; for federal civilian systems under FISMA, the NIST definition applies. The information security frameworks page maps which frameworks apply to which system types.

Sector-specific overrides — HIPAA defines "malicious software" and "security incident" in terms specific to healthcare covered entities. The PCI DSS (Payment Card Industry Data Security Standard) defines "cardholder data environment" in ways that do not map directly to NIST asset classification. Organizations subject to multiple frameworks — common in sectors like healthcare, defense contracting, and financial services — must document which definition applies in each compliance layer.

Operational vs. legal definitions — "Data breach" as used in operational runbooks often encompasses a broader set of events than the legal definition triggering notification obligations under state statutes. The National Conference of State Legislatures tracks state breach notification laws, and the trigger definitions vary across 50 states in scope, data type coverage, and harm thresholds. Applying the operational definition where the legal definition is required creates regulatory exposure documented under breach notification requirements.

Evolving terms — Terminology in areas like zero trust architecture and threat intelligence is still being standardized. NIST SP 800-207 (Zero Trust Architecture, 2020) provides the current federal reference definition of zero trust, but vendor and industry usage frequently deviates from that definition. Cross-referencing terms against NIST CSRC publications before incorporating them into policy documents reduces definitional drift in formal documentation.

