CybrIQ for government · Glossary
Glossary

Acronyms and frameworks, in plain terms.

Definitions written to match how federal and SLED evaluators actually use the terms — not generic dictionary entries. Where the way a vendor talks about a term diverges from how an agency talks about it, the agency usage wins here.

Authorization, accreditation, and assessment

ATO
Authorization to Operate. A formal management decision by a senior agency official to authorize a system to operate in production. Granted under the agency's authorization process — typically FISMA-driven, sometimes FedRAMP-derived. Synonymous, in practice, with "the system can run." A system has an ATO; it does not "receive certification."
cATO
Continuous Authorization to Operate. A DoD-flavored approach to ATO that replaces the periodic re-authorization cycle with continuous evidence streaming. The agency monitors controls continuously and the authorization remains valid as long as the evidence does. Often associated with the DoD CIO's accelerated-authorization initiatives.
FedRAMP
Federal Risk and Authorization Management Program. The government-wide program for authorizing cloud services. Tiers are Low, Moderate, and High by impact. A system is "FedRAMP Authorized" — not "FedRAMP certified." Marketplace statuses include "In Process" and "Ready" before "Authorized." CybrIQ does not hold any FedRAMP status today — not Authorized, not In Process, no Marketplace listing.
FISMA
Federal Information Security Modernization Act (2014, superseding the 2002 Management Act). The legal foundation for federal cybersecurity. Every federal system is authorized under FISMA; FedRAMP is the cloud-specific path inside it, and even a FedRAMP-authorized cloud service still receives an agency ATO for that agency's use. FISMA is the older, broader umbrella; FedRAMP is the cloud-specific path inside it.
IL4 / IL5 / IL6
Impact Levels. DoD-specific cloud security tiers from the DoD Cloud Computing Security Requirements Guide, for environments processing data of increasing sensitivity. IL4 is for Controlled Unclassified Information; IL5 is for higher-sensitivity CUI and unclassified National Security Systems; IL6 is for classified information up to SECRET. These are environments, not products — a vendor offers an IL5 environment, not an IL5 product.
SSP
System Security Plan. The document that describes a system's controls, deployment, and risk posture for authorization. Every authorized system has one. CybrIQ supplies controls-inheritance language an agency's SSP can cite when it authorizes CybrIQ as a deployed system.
POA&M
Plan of Action and Milestones. The document tracking known control gaps and the agency's plan to remediate them. POA&M items have deadlines; auditors check whether deadlines are met.
C3PAO
CMMC Third-Party Assessment Organization. The accredited body that performs CMMC Level 2 assessments for defense contractors. The contractor's SSP is the input; the C3PAO's report is the output.
eMASS
Enterprise Mission Assurance Support Service. The DoD-wide system of record for cybersecurity authorization documentation. Many DoD ATO packages live in eMASS.

Mandates and frameworks

NDAA Section 889
National Defense Authorization Act Section 889. The FY2019 NDAA provision restricting federal procurement and use of telecommunications and video-surveillance equipment and services from named entities (Huawei, ZTE, Hytera, Hikvision, Dahua and their subsidiaries and affiliates). Subsection (a)(1)(A) bars agencies from procuring or obtaining covered equipment; (a)(1)(B) bars agencies from contracting with any entity that uses covered equipment as a substantial or essential component of any system.
EO 14028
Executive Order 14028. The 2021 "Improving the Nation's Cybersecurity" executive order. Sets the framework for federal zero-trust adoption, SBOM expectations, and incident-reporting requirements.
OMB M-22-09
OMB Memorandum M-22-09. The Federal Zero Trust Strategy memo. Directs agencies to implement a zero-trust architecture by the end of FY2024. The Devices pillar implementation evidence lives in CybrIQ's territory.
NIST CSF 2.0
NIST Cybersecurity Framework 2.0. The 2024 release of the CSF. Voluntary for the private sector; widely referenced by agencies for risk-based framing. The Identify function is where asset-management activities live (ID.AM-1, ID.AM-2).
NIST SP 800-53
NIST Special Publication 800-53. The control catalog for federal information systems. Rev. 5 is current. Controls referenced for CybrIQ deployments: CM-8 and its enhancements (System Component Inventory), SI-4 (System Monitoring), CA-7 (Continuous Monitoring), SR-3 (Supply Chain Controls and Processes) and SR-11 (Component Authenticity).
NIST SP 800-171
NIST Special Publication 800-171. The requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. Rev. 3 (2024) is current and consolidates the catalog to 97 requirements; CMMC Level 2 is still assessed against the 110 requirements of Rev. 2 (transition in progress).
CMMC 2.0
Cybersecurity Maturity Model Certification 2.0. The DoD's contractor cybersecurity assessment program. Level 2 applies to contractors handling CUI; assessments are live as of December 2024. Inherits the 110 practices of NIST 800-171.
CDM
Continuous Diagnostics and Mitigation. The CISA-run program for continuous federal cybersecurity monitoring. HWAM (Hardware Asset Management) is the capability where device-inventory completeness lives. CybrIQ supplies the data CDM HWAM cannot reach on its own.
ZTMM 2.0
Zero Trust Maturity Model 2.0. CISA's reference model for federal zero-trust implementation. Five pillars: Identity, Devices, Networks, Applications and Workloads, Data. CybrIQ lives in the Devices pillar (Pillar 2).
FAR 52.204-24 / 25 / 26
Federal Acquisition Regulation clauses on Section 889. Three FAR clauses that operationalize 889 for federal procurement. 52.204-25 is the prohibition; 52.204-24 and 52.204-26 are the representations contractors and offerors make.

Network and architecture

SNMP
Simple Network Management Protocol. The standard protocol for managing network devices. SNMP access itself is granted read-only (GET, GETNEXT, GETBULK) or read-write (SET) per community string or SNMPv3 user; the protocol is not inherently one or the other. CybrIQ uses read-only access via SNMP. "Read-only SNMP" is a common mis-statement; the correct phrasing is "read-only switch access via SNMP." Practitioner caveat: SNMPv1 and v2c community strings travel in cleartext, so a read-only string should be paired with a source ACL on the switch, and SNMPv3 with authentication and privacy is preferred wherever the switch supports it.
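As an added illustration of "read-only switch access via SNMP" (not CybrIQ documentation, and not a recommended CybrIQ configuration): the weak setting beside two acceptable forms, written in Cisco IOS syntax. Community strings, passphrases, ACL numbers, view/group/user names and the collector address 10.20.30.40 are placeholders.

```cisco
! Weak: well-known read-write community, reachable from any source.
! Anyone who can reach UDP/161 can SET configuration, not just read it.
snmp-server community public RW

! Acceptable (v2c): read-only keyword plus a standard ACL that restricts
! which collector may query at all. The string still crosses the wire in
! cleartext, so the ACL is doing real work here.
access-list 10 permit host 10.20.30.40
access-list 10 deny any log
snmp-server community <ro-string> RO 10

! Preferred: SNMPv3 with authentication and encryption, read-only group,
! same source ACL applied to the group.
snmp-server view INV-VIEW iso included
snmp-server group INV-RO v3 priv read INV-VIEW access 10
snmp-server user collector INV-RO v3 auth sha <auth-pass> priv aes 128 <priv-pass>
```

To check what a switch actually grants, `show snmp community`, `show snmp group` and `show snmp user` list the configured strings, groups (with their read and write views) and v3 users; an authorization package should cite that output rather than the vendor's description of its own access.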
LLDP / CDP
Link Layer Discovery Protocol / Cisco Discovery Protocol. Two protocols devices use to announce themselves to neighboring switches: LLDP is the IEEE 802.1AB standard, CDP is Cisco's proprietary equivalent. The signal set produced — chassis ID subtype and format, system description string, TLV ordering, port-ID encoding — is part of what CybrIQ's Device DNA reads.
OUI
Organizationally Unique Identifier. The first 24 bits of a MAC address, registered by the IEEE to the manufacturer. A useful but spoofable identification input — the sender controls its own MAC, and a locally administered address (second-lowest bit of the first octet set) carries no registered OUI at all — which is why CybrIQ combines OUI with four other signal classes, rather than trusting it alone.
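The LLDP signals named under LLDP / CDP and the OUI caveat above, worked through in code. This is an added example and not CybrIQ's Device DNA logic; it walks the TLVs of an LLDP frame per IEEE 802.1AB, records TLV order, chassis-ID and port-ID subtypes, the system description, and the OUI of a MAC-format chassis ID, and flags a locally administered address. The two frames and the two-entry OUI table are constructed for the example (the real registry is the IEEE MA-L list).

```python
"""
Parse an LLDP frame into the identification signals a switch-side
fingerprint would use. Added example with constructed frames.
"""
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")  # IEEE 802.1AB nearest-bridge address

TLV_NAMES = {0: "end", 1: "chassis_id", 2: "port_id", 3: "ttl", 4: "port_desc",
             5: "sys_name", 6: "sys_desc", 7: "sys_caps", 8: "mgmt_addr",
             127: "org_specific"}
CHASSIS_SUBTYPES = {4: "mac", 5: "network_addr", 6: "iface_name", 7: "local"}
PORT_SUBTYPES = {3: "mac", 5: "iface_name", 7: "local"}

# Constructed excerpt of the IEEE registry, enough for the example.
OUI_TABLE = {"00:00:0C": "Cisco Systems", "00:50:56": "VMware"}


def tlv(t, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    return struct.pack("!H", (t << 9) | len(value)) + value


def parse_lldp(frame):
    """Return [(type, value)] for every TLV; reject truncated or unterminated frames."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs, off = [], 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, ln = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + ln > len(frame):
            raise ValueError("TLV length runs past end of frame")
        tlvs.append((t, frame[off:off + ln]))
        off += ln
        if t == 0:  # End-of-LLDPDU
            return tlvs
    raise ValueError("missing End-of-LLDPDU TLV")


def oui_of(mac):
    """OUI string, registered vendor (or None), and the U/L bit of a 6-byte MAC."""
    oui = ":".join(f"{b:02X}" for b in mac[:3])
    return oui, OUI_TABLE.get(oui), bool(mac[0] & 0x02)


def fingerprint(frame):
    """Collect the signals: TLV order, subtypes, system description, OUI status."""
    tlvs = parse_lldp(frame)
    fp = {"tlv_order": [TLV_NAMES.get(t, str(t)) for t, _ in tlvs]}
    for t, val in tlvs:
        if t == 1 and val:
            fp["chassis_subtype"] = CHASSIS_SUBTYPES.get(val[0], str(val[0]))
            if val[0] == 4 and len(val) == 7:
                oui, vendor, local = oui_of(val[1:])
                fp.update(oui=oui, oui_vendor=vendor, locally_administered=local)
            else:
                fp["chassis_value"] = val[1:].decode(errors="replace")
        elif t == 2 and val:
            fp["port_subtype"] = PORT_SUBTYPES.get(val[0], str(val[0]))
            fp["port_value"] = val[1:].decode(errors="replace")
        elif t == 3 and len(val) == 2:
            fp["ttl"] = struct.unpack("!H", val)[0]
        elif t == 6:
            fp["sys_desc"] = val.decode(errors="replace")
    return fp


def build_frame(chassis_mac, port_subtype, port_id, sys_desc):
    """Constructed LLDP frame: mandatory TLVs, a System Description, and End."""
    body = (tlv(1, b"\x04" + chassis_mac) + tlv(2, bytes([port_subtype]) + port_id)
            + tlv(3, struct.pack("!H", 120)) + tlv(6, sys_desc) + tlv(0, b""))
    return LLDP_MCAST + chassis_mac + struct.pack("!H", LLDP_ETHERTYPE) + body


# Constructed frames: a switch-like sender with a registered OUI, and a host
# that reuses the same OUI bytes but with the locally-administered bit set.
GENUINE = build_frame(bytes.fromhex("00000c123456"), 5, b"Gi1/0/1",
                      b"Cisco IOS Software [constructed]")
SPOOFED = build_frame(bytes.fromhex("02000c123456"), 7, b"1",
                      b"lldpd on Linux [constructed]")

if __name__ == "__main__":
    for name, frame in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, fingerprint(frame))
```

Note what the OUI alone misses: the spoofed frame's address starts with bytes that look like Cisco's block, but the U/L bit marks it as locally administered, the port ID is a bare locally assigned "1" rather than an interface name, and the system description disagrees with the claimed vendor. Those are the kinds of cross-checks that justify combining OUI with other signal classes.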
OT
Operational Technology. Hardware and software that interacts directly with the physical environment — building systems, industrial control, lab equipment, environmental sensors. OT devices typically cannot host endpoint agents; switch-side identification is the practical path.
SCIF
Sensitive Compartmented Information Facility. A secured physical environment for handling classified information. SCIF deployment of CybrIQ runs disconnected, with reference-library updates moved in via approved-media process.
TIC 3.0
Trusted Internet Connections 3.0. The CISA initiative for agency internet boundary security. Less rigid than TIC 2.x, focused on use-case-based access policies. CybrIQ's posture (no outbound vendor connectivity required) fits all TIC 3.0 use cases.

SLED-specific

MS-ISAC
Multi-State Information Sharing and Analysis Center. The CISA-funded ISAC for state, local, tribal, and territorial governments. Provides reporting and threat intelligence services. SLED leaders report quarterly governance data to MS-ISAC; hardware-inventory completeness is one of the recurring asks.
StateRAMP
State Risk and Authorization Management Program. A state-government version of FedRAMP — vendors get authorized once for use across participating states. Customer-installed deployment shapes like CybrIQ's are compatible with the procurement standards StateRAMP-aligned states use.
SLCGP
State and Local Cybersecurity Grant Program. The federal grant program for SLED cybersecurity investments. Asset-discovery work funded through SLCGP carries reporting requirements that hardware-inventory completeness contributes to.
CIPA
Children's Internet Protection Act. Requires K-12 schools and libraries receiving E-Rate funds to maintain internet-content filtering. Affects what runs on the school network, not device discovery — but the device inventory is the input to verifying that the filtering hardware CIPA relies on is actually deployed and operating.
FERPA
Family Educational Rights and Privacy Act. Federal law protecting student educational records. CybrIQ's posture (no packet inspection, no payload access) means the device-discovery process does not engage FERPA-protected records.

A term we should add?

Federal vocabulary moves. If there's a term you expected here and didn't find, let us know — we'll add it.