Bill of Materials (BOM)
A comprehensive inventory of the raw materials, assemblies, sub-assemblies, parts, and components, with their quantities, needed to manufacture a product.

CIS
The Center for Internet Security.

CIS Controls
Sometimes referred to as Critical Security Controls, these are a recommended set of actions for cyber defense that provide specific and actionable ways to stop or mitigate an attack.

EO 13920
The Executive Order enacted in May 2020 that directs the Secretary of Energy to work with various federal agencies to ensure that the acquisition of bulk-power system equipment is in line with national security demands.

CMMC
The Cybersecurity Maturity Model Certification consists of 5 tier levels and is the U.S. government's solution to fix low rates of compliance with NIST SP 800-171. CMMC is not optional for those seeking contracts with federal organizations.

Compliance Automation
The process of using technology, such as artificial intelligence, to continually check systems for compliance and make updates as needed. This administrative work was traditionally done manually.

Continuous Control Monitoring (CCM)
Technology-based solutions that automate the monitoring of a business's transactions as they occur. They help businesses reduce operating costs and increase efficiency.

Controlled Unclassified Information (CUI)
Created by Executive Order 13556, this is a category of government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies.

Critical Infrastructure Protection (CIP)
A collective approach to prevent, protect against, mitigate, respond to, investigate, and recover from incidents affecting the physical and cyber systems vital to the nation's operation, including food and agriculture, power and utilities, and transportation.

Cyber Hygiene
The fundamental best practices used by security practitioners and individuals to maintain the health and safety of an organization's network. These habitual procedures help ensure the continued safe handling of critical data and the security of networks.

Cybersecurity Risk Assessment Matrix
An analytical tool used in many industries for risk evaluation. It provides a graphical depiction of the areas of risk within an organization's digital ecosystem or vendor network.

Cyber Supply Chain Risk Management (C-SCRM)
The process that ensures the integrity of your supply chain by identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of product and service supply chains.

Cyber Threat Intelligence (CTI)
A specialized area of cybersecurity that focuses on collecting, processing, and analyzing threat information in order to better understand where threats come from and how to protect against them.

Cyber Vulnerability Management Program
The practice of identifying security vulnerabilities in unpatched systems that, if exploited, could jeopardize the integrity of an organization. Such a program uses automated vulnerability scanners to assess risks and generate reports that allow businesses to prioritize and mitigate them.

Domain Name System Security Extensions (DNSSEC)
A set of specifications that extend the DNS protocol by adding cryptographic authentication for responses received from authoritative DNS servers. It aims to defeat techniques that direct computers and users toward rogue websites and servers.

DODI 5000.75
This Department of Defense instruction establishes policy for the use of the business capability acquisition cycle (BCAC) for business system requirements and acquisition.

File Integrity Assurance (FIA)
The continuous monitoring of software and files to ensure their integrity and to deliver intelligence that identifies known and emerging threats arising from third-party application patches, updates, and more.

Foreign Ownership, Control, or Influence (FOCI)
A company is considered to have a FOCI presence whenever a foreign interest has direct or indirect power or influence over decision-making or matters that affect the organization's management or operations.

Hardware Bill of Materials (HBOM)
A comprehensive list of the physical materials that make up a single physical asset. For a computer, this would include items such as the motherboard, processor, power supply unit, and memory and storage units.

ICS Security
Also known as Industrial Control Systems security, this safeguarding is intended to protect the hardware and software of the systems that monitor and control industrial processes in machinery and production plants, ensuring their uninterrupted performance and output.

Log4j
Also known as Apache Log4j, this is a Java-based logging utility. It is among the most widely deployed pieces of open-source software, providing logging capabilities for Java applications. In December 2021, when a series of critical vulnerabilities were publicly disclosed, the Log4j exploit began as a single vulnerability but grew into a series of issues involving Log4j and the Java Naming and Directory Interface (JNDI), which is the root cause of the exploit.

NDAA
Known as the National Defense Authorization Act, this is an annual congressional bill that sets out the federal government's policies and funding levels for critical defense programs, as well as the resources they require.

NERC-CIP
The North American Electric Reliability Corporation Critical Infrastructure Protection standards are a set of standards aimed at regulating, enforcing, monitoring, and managing the security of the Bulk Electric System (BES) in North America.

NIST SP 800-53
This special publication is a compliance framework developed by the National Institute of Standards and Technology that provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. These guidelines are available to the public and can be integrated into an organization's security program.

NISTIR 8276
NIST's key practices in C-SCRM. This final document gives the ever-growing community of digital businesses a set of key practices that any organization can use to manage the cybersecurity risks associated with its supply chains. They can be used to implement a robust C-SCRM function at an organization of any size, scope, or complexity.

OT Vulnerability Management
The business process of identifying, prioritizing, remediating, and reporting on software weaknesses and misconfigurations of endpoints in Operational Technology (OT). Compared to traditional IT environments, OT vulnerability management is more complex.

Regulatory Compliance
The guidelines created by government legislation and regulatory bodies that a business must follow to satisfy the state, federal, and international laws and regulations relevant to its operations, in order to protect sensitive data and human safety.

Regulatory Compliance Audit
A comprehensive and independent review of an organization's adherence to those regulatory guidelines. It may involve a review of the organization's policies, procedures, processes, files, and documentation to confirm they fulfill the requirements.

Software Bill of Materials (SBOM)
An inventory of all constituent components and software dependencies involved in the development and delivery of an application. It lists all the open-source and third-party components present in a codebase, as well as the licenses that govern those components, the versions of the components used in the codebase, and their patch status.

Supply Chain Risk Management (SCRM)
An organization's efforts, practices, and procedures that aim to identify, monitor, detect, and mitigate threats to end-to-end supply chains.

Section 889
A segment of the NDAA that prohibits recipients of federal funding awards from using or procuring certain covered telecommunications equipment or services. These regulations apply to grants, contracts, and cooperative agreements, including outgoing subcontracts and sub-awards.

Security Information and Event Management (SIEM)
Security solutions and technology that help organizations recognize potential security threats, both historical and in real time, through data collection and analysis, and identify vulnerabilities before they can be exploited.

SIEM Tools
Their capabilities can include real-time visibility across an organization's information security systems, as well as event log management that consolidates data from numerous sources. Examples of these tools include SolarWinds, Splunk, McAfee ESM, and ArcSight ESM.

Third-Party Risk Management (TPRM)
A form of risk management that aims to analyze risks and mitigate losses involving outside vendors, suppliers, partners, contractors, and service providers.

Third-Party Risk Management Framework
Provides organizations with a set of guidelines to identify risks and manage losses from vendors, partners, contractors, and suppliers, and then, from there, to build a framework applicable to that business based on these factors.

Threat Intelligence Platform (TIP)
A technology solution that collects, aggregates, and organizes threat intelligence data from multiple sources and formats. It can help security teams understand information about threats and further refine their processes of identification, investigation, and response.

Vendor Risk Management (VRM)
The field of risk management that focuses on assessing risks and managing losses associated with vendors and suppliers of IT products and services. VRM covers identifying and mitigating business uncertainties, legal liabilities, and reputational damage.

Zero Trust Architecture
The strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. It holds that anything and everything trying to connect to a network system must be validated and authorized before it is granted access.