

Bill of Materials (BOM): A comprehensive inventory of the raw materials, assemblies, sub-assemblies, parts, and components, and the quantity of each, needed to manufacture a product.
CIS: The Center for Internet Security.
CIS Controls: Sometimes referred to as Critical Security Controls, these are a recommended set of actions for cyber defense that provide specific and actionable ways to stop or mitigate an attack.
EO 13920: The Executive Order enacted in May 2020 that directs the Secretary of Energy to work with various federal agencies to ensure that the acquisition of bulk-power systems is in line with national security demands.
CMMC: The Cybersecurity Maturity Model Certification consists of 5 tier levels and is the U.S. government's solution to the low rates of compliance with NIST SP 800-171. CMMC is not optional for those seeking contracts with federal organizations.
Compliance Automation: The process of using technology, such as artificial intelligence, to continually check systems for compliance and make updates as needed. This administrative work was traditionally done manually.
Continuous Control Monitoring (CCM): Technology-based solutions that automate the monitoring of a business's transactions as they occur, helping businesses reduce operating costs and increase efficiency.
Controlled Unclassified Information (CUI): Created by Executive Order 13556, this is a category of government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies.
Critical Infrastructure Protection (CIP): A collective approach to preventing, protecting against, mitigating losses from, responding to, investigating, and recovering from incidents affecting the physical and cyber systems vital to the nation's operation, including food and agriculture, power and utilities, and transportation.
Cyber Hygiene: The fundamental best practices used by security practitioners and individuals to maintain the health and safety of an organization's network. These habitual procedures help ensure the continued safe handling of critical data and the security of networks.
Cybersecurity Risk Assessment Matrix: An analytical tool used in many industries for risk evaluation. It provides a graphical depiction of the areas of risk within an organization's digital ecosystem or vendor network.
Cyber Supply Chain Risk Management (C-SCRM): The practice of identifying, assessing, and mitigating cybersecurity risks within and across the supply chain, covering both vendor ecosystems and products.
Cyber Threat Intelligence (CTI): A specialized area of cybersecurity that focuses on collecting, processing, and analyzing threat information to better understand where threats come from and how to protect against them.
Cyber Vulnerability Management Program: The practice of identifying security vulnerabilities in unpatched systems that, if exploited, could jeopardize the integrity of an organization. Such a program uses automated vulnerability scanners to assess risks and generate reports that allow businesses to prioritize and mitigate them.
Domain Name System Security Extensions (DNSSEC): A set of specifications that extend the DNS protocol by adding cryptographic authentication for responses received from authoritative DNS servers. It aims to combat techniques that direct computers and users toward rogue websites and servers.
DODI 5000.75: The Department of Defense instruction that establishes policy for the use of the Business Capability Acquisition Cycle (BCAC) for business system requirements and acquisition.
File Integrity Assurance (FIA): The continuous monitoring of software and files to ensure their integrity and to deliver intelligence that identifies known and emerging threats from third-party application patches, updates, and more.
Foreign Ownership, Control, or Influence (FOCI): A company is considered to have a FOCI presence whenever a foreign interest has direct or indirect power or influence over decision-making, or over matters that affect the organization's management or operations.
Hardware Bill of Materials (HBOM): A comprehensive list of the physical materials that make up a single physical asset. For a computer, this would include items such as the motherboard, processor, power supply unit, and memory storage unit.
ICS Security: Also known as Industrial Control Systems security, this is the safeguarding of the hardware and software of systems that monitor the industrial processes of machinery and production factories, ensuring their uninhibited performance and output.
Log4j: Also known as Apache Log4j, a Java-based logging utility. It is among the most widely deployed pieces of open-source software, providing logging capabilities for Java applications. In December 2021 a series of critical vulnerabilities was publicly disclosed; what began as a single vulnerability became a series of issues involving Log4j and the Java Naming and Directory Interface (JNDI), which is the root cause of the exploit.
NDAA: The National Defense Authorization Act, an annual congressional bill that outlines the federal government's policies and funding levels for critical defense programs, as well as the resources they require.
NERC-CIP: The North American Electric Reliability Corporation Critical Infrastructure Protection standards, a set of standards aimed at regulating, enforcing, monitoring, and managing the security of the Bulk Electric System (BES) in North America.
NIST SP 800-53: This special publication is a compliance framework standard developed by the National Institute of Standards and Technology that provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. These guidelines are available to the public and can be integrated into an organization's security protocol.
NISTIR 8276: NIST's key practices in C-SCRM. This final document gives the ever-growing community of digital businesses a set of key practices that any organization can use to manage the cybersecurity risks associated with its supply chain. These can be used to implement a robust C-SCRM function at an organization of any size, scope, or complexity.
OT Vulnerability Management: The business process of identifying, prioritizing, remediating, and reporting on software insecurities and misconfigurations of endpoints in Operational Technology (OT). Compared with traditional IT environments, OT vulnerability management is more complex.
Regulatory Compliance: The guidelines created by government legislation and regulatory bodies that a business must follow to satisfy the state, federal, and international laws and regulations relevant to its operations, protecting sensitive data and human safety.
Regulatory Compliance Audit: A comprehensive and independent review of an organization's adherence to those regulatory guidelines. It may involve a review of the organization's policies, procedures, processes, files, and documentation to ensure they fulfill the requirements.
Software Bill of Materials (SBOM): An inventory of all constituent components and software dependencies involved in the development and delivery of an application. It lists all the open-source and third-party components present in a codebase, the licenses that govern those components, the versions of the components used in the codebase, and their patch status.
Supply Chain Risk Management (SCRM): An organization's efforts, practices, and procedures that aim to identify, monitor, detect, and mitigate threats to end-to-end supply chains.
Section 889: A segment of the NDAA that prohibits recipients of federal funding awards from using or procuring certain covered telecommunications equipment or services. These regulations apply to grants, contracts, and cooperative agreements, including outgoing subcontracts and sub-awards.
Security Information and Event Management (SIEM): Security solutions and technology that help organizations recognize potential security threats, both historical and in real time, through data collection and analysis, and identify vulnerabilities before they can be exploited.
SIEM Tools: Their capabilities can include real-time visibility across an organization's information security systems, as well as event log management that consolidates data from numerous sources. Examples of these tools include SolarWinds, Splunk, McAfee ESM, and ArcSight ESM.
Third-Party Risk Management (TPRM): A form of risk management that aims to analyze risks and mitigate losses involving outside vendors, suppliers, partners, contractors, and service providers.
Third-Party Risk Management Framework: Provides organizations with a set of guidelines to identify risks and manage losses from vendors, partners, contractors, and suppliers, and then to create a framework applicable to that business based on these factors.
Threat Intelligence Platform (TIP): A technology solution that collects, aggregates, and organizes threat intelligence data from multiple sources and formats. It helps security teams understand threats and refine their processes of identification, investigation, and response.
Vendor Risk Management (VRM): The field of risk management that focuses on assessing risks and managing losses associated with vendors and suppliers of IT products and services. VRM covers identifying and mitigating business uncertainties, legal liabilities, and reputational damage.
Zero Trust Architecture: A strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. Anything trying to connect to a network or system must be validated and authorized before it is granted access.

A2V: The Asset to Vendor (A2V) network enables industry sourcing of vendor and asset reports to support data-driven decision-making, ensuring a safe and secure supply chain.
AI Assessments: Assessments completed using AI methods to verify that vendors and products meet regulatory and cyber standards.
AI Monitoring: Leveraging AI to continuously monitor vendors and products to improve cybersecurity and enable systems to operate as intended, safely and ethically.
Asset Inventory: A comprehensive list of an organization's assets, including hardware, software, data, and other resources, which enables improved cybersecurity and regulatory compliance.
Asset Management: The process of developing, operating, maintaining, and disposing of assets in a cost-effective manner to ensure security across critical assets.
Attack Surface Management: The practice of identifying, assessing, and mitigating the various points where an unauthorized user could potentially enter an environment or extract data from it.
Attestations: Formal statements or declarations, often provided by vendors and often requested by government entities, confirming adherence to specific standards, policies, or regulations.
CIP-002: Regulation that requires the identification and categorization of critical cyber assets and systems that, if compromised, could impact the reliability or operability of the bulk electric system.
CIP-007: Mandates the initial recognition and classification of Bulk Electric System (BES) Cyber Systems, enforcing a foundational set of organizational, operational, and procedural safeguards, including patch management, to reduce risks to BES Cyber Systems.
CIP-010: Addresses configuration change management and vulnerability assessments to ensure the continued security of the bulk electric system.
CIP-013: Aims at managing cybersecurity risks from supply chain vendors and service providers to protect the Bulk Electric System (BES) from vulnerabilities introduced through third-party components or services.
Common Vulnerabilities and Exposures (CVE): A list that catalogs publicly disclosed cybersecurity vulnerabilities, providing a standardized identifier for each known vulnerability to facilitate data sharing and communication.
Common Vulnerability Scoring System (CVSS): A framework for rating the severity of security vulnerabilities in software, based on factors such as impact and exploitability, to guide remediation priorities.
Configuration Management: The practice of tracking and controlling changes in software, hardware, and system configurations to ensure consistency, reliability, and security throughout a product's lifecycle.
Contract Vehicles: Pre-negotiated contracts, often with government agencies, that simplify the procurement process for specific goods or services. Federal contract vehicles include the General Services Administration (GSA) and NASA Solutions for Enterprise-Wide Procurement (SEWP).
Critical Infrastructure: Physical and cyber systems and assets so vital to a country that their incapacity or destruction would have a debilitating impact on national security, economic security, public health, or safety. Examples include energy generation, hospitals, military operations, and critical manufacturing.
CVE-2023-40547: A specific Common Vulnerabilities and Exposures (CVE) identifier for a vulnerability discovered in the Linux xz compression utility in 2024, which has significant implications for software supply chain security.
Defense Industrial Base (DIB): The network of private sector companies and government entities that supply products and services essential to national defense.
EO 14028: Executive Order 14028, "Improving the Nation's Cybersecurity," issued by the U.S. government to strengthen cybersecurity practices across federal agencies and their supply chains.
Fortress Platform: The Fortress Platform solves the leading cyber and risk challenges, providing a sophisticated, automated approach to managing and securing complex supply chains against cyber threats and organizational risks.
Investor-Owned Utility (IOU): A privately owned electric utility that operates for profit and is regulated by a public utilities commission.
NAESAD: The North American Energy Software Assurance Database (NAESAD) is an industry collective with the mission of providing organizations with the data they need to make critical decisions about their cyber supply chain security.
National Institute of Standards and Technology (NIST): Establishes guidelines for identifying and classifying information systems, requiring basic organizational, operational, and technical controls, including patch management, to mitigate risks to these systems.
National Vulnerability Database (NVD): A comprehensive database maintained by NIST that integrates all CVE entries, providing additional information such as CVSS scores, vulnerability details, and mitigation measures.
Patch Management: The process of managing updates for software and systems, including the identification, installation, and verification of patches for vulnerabilities.
Product Provenance: Information about the origin, custody, and ownership of a product, often used to verify its authenticity, safety, and integrity.
Product Security: Practices and measures taken to protect products from cybersecurity threats and vulnerabilities.
Secure Software Development Attestation Form: A document based on a federal template that software developers use to attest that their software development practices meet certain security standards or guidelines set by the government.
Software Supply Chain Security: Measures and processes to protect software from vulnerabilities and threats throughout its development, distribution, and maintenance lifecycle.
Threat Intelligence: The collection and analysis of information about existing or emerging threats to inform security decisions and enrich vulnerability findings.
Trusted AI: AI systems designed with a focus on reliability, safety, transparency, and ethical considerations to earn user trust.
Uyghur Forced Labor Prevention Act (UFLPA): U.S. legislation aimed at ensuring that goods made with forced labor in the Xinjiang region of China do not enter the U.S. market.
Vendor Outreach: The process of engaging with vendors to communicate requirements and expectations or to conduct assessments, often resulting in improved security and regulatory compliance.
Vendor-Sourced Assessments: Evaluations or audits conducted by or sourced from vendors to assess product or service compliance with specified standards or requirements.
Vulnerability Enrichment: Enhancing vulnerability data with additional context or information to better understand its significance and potential impact.
Vulnerability Management: The cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities in software and hardware.