Tech Prognosis Glossary: Plain‑English Terms for Regulated Environments

A practical, executive‑friendly glossary for cybersecurity, compliance, and regulated industries.

Organizations in defense, government, and regulated markets regularly encounter terminology that can feel dense, fragmented, or overly technical. This glossary provides clear, concise, and operational explanations that help internal teams, executives, and partners stay aligned — without drifting into assessor or certification functions.

Use this page as a reference during readiness work, documentation development, customer inquiries, and cross‑department communication.

This glossary can also be used to align executives, project owners, and technical teams. All content is assessor‑safe and focused on clarity.


A–C

  • Processes and technologies that ensure people can access only the systems, data, and functions they are authorized to use.
  • Formal approval given to a system after it meets specific security requirements. (Not performed by Tech Prognosis.)
  • A formal evaluation performed by authorized assessors to validate compliance. Tech Prognosis does not perform assessments.
  • A documented list of the systems, devices, applications, and data repositories in scope.
  • Approval allowing a system to operate once prescribed risk and security requirements are met.
  • HIPAA designation and agreement for entities handling PHI on behalf of covered entities.
  • A clear definition of the systems, devices, users, and data flows included in scope.
  • A Certified Third‑Party Assessment Organization authorized to conduct CMMC assessments (we support readiness only).
  • Cybersecurity Maturity Model Certification — the DoD’s cybersecurity framework.
  • Controlled Unclassified Information requiring specific protection under federal rules.
  • Formal confirmation that requirements are met. Tech Prognosis offers support only.

C–F

  • A repeatable process for managing updates to systems and procedures with minimal security disruption.
  • A vendor providing cloud environments with shared security responsibilities.
  • Documentation demonstrating that required controls are in place (logs, screenshots, reports, procedures).
  • Documented methods for establishing and maintaining secure settings.
  • DoD clauses requiring cybersecurity controls, reporting, and adherence to NIST SP 800‑171.
  • Operational behaviors showing active management of risk and compliance responsibilities.
  • Protection of data when stored and when moving across networks.
  • Federal and Defense Federal Acquisition Regulations governing government contracting.
  • Federal Contract Information not intended for public release.

G–M

  • The structure and oversight ensuring security and compliance activities remain consistent and accountable.
  • Sensitivity classifications for DoD cloud environments.
  • A documented process for identifying, responding to, and recovering from cybersecurity events.
  • An evaluation performed inside the organization to confirm adherence to internal policies and expectations.
  • The structured system of policies, controls, and oversight required by ISO 27001.
  • The length of time audit and security logs are preserved.
  • Multi‑Factor Authentication — requires more than one method of verification.
  • HIPAA principle requiring access only to the information needed for the role.

N–S

  • A confidentiality agreement restricting how shared information can be used.
  • Required control framework for protecting CUI in non‑federal systems.
  • Federal control catalog used primarily for government systems.
  • Organization Seeking Certification under CMMC.
  • Controlled testing to evaluate defenses (not performed by Tech Prognosis).
  • Plan of Action and Milestones — remediation plan with owners and timelines.
  • Policy: high‑level rules; Procedure: step‑by‑step instructions to fulfill a policy.
  • Elevated permissions that can modify systems, configurations, or data.
  • Structured list of risks, their impact, and planned mitigation.
  • Supply Chain Risk Management — ensuring vendors meet security expectations.
  • Statement of Applicability — ISO 27001 control list with inclusion/exclusion rationale.

S–Z

  • The design of systems and controls ensuring secure operation.
  • Required education on recognizing and preventing cyber threats.
  • Service Level Agreement specifying performance and support expectations.
  • Independent attestation reports on control effectiveness.
  • A method or pathway threats use to access systems.
  • Routine verification that permissions remain appropriate.
  • Automated identification of known weaknesses.
  • Written Information Security Program — required in some states/frameworks.

Have a term you want added?

Send us a note and we’ll include it in the next update — or ask for an assessor‑safe clarification tailored to your context.

ROLE BOUNDARIES (IMPORTANT)

We are a compliance readiness and sustainment partner.

  • We are not a C3PAO, RP, or RPO.
  • We do not perform or influence official assessments or certifications.
  • We do not guarantee outcomes.
  • For CMMC Level 2 where certification is required, assessments are performed by accredited C3PAOs listed by The Cyber AB.
  • Our role is to help organizations prepare responsibly and operate compliantly within regulated ecosystems.