A Director-altitude glossary. Compliance frameworks, carrier vocabulary, and CybrIQ-specific terms in one place.
Director-level conversations across insurance, audit, board, and procurement use overlapping vocabularies. This page is the cross-reference. Each entry is one paragraph; the goal is "enough context to use the term in a sentence with confidence," not deep technical detail.
Compliance frameworks
PCI DSS 4.0
Payment Card Industry Data Security Standard, version 4.0. Effective March 31, 2025. The standard payment-card-data security requirements; QSA assessment cycle; in scope for any business handling card data. Key inventory and change-detection requirements live in 12.5.1 and 11.5.1.
SOC 2 Type II
Service Organization Control 2, Type II. CPA-firm-attested report on Trust Services Criteria, covering 6 to 12 months of operational evidence. The dominant trust framework for B2B SaaS. Key inventory and detection controls are in the CC6.x and CC7.x families.
HIPAA Security Rule
Health Insurance Portability and Accountability Act, Security Rule provisions covering electronic protected health information (ePHI). 2025 update tightened risk-analysis inventory expectations. Key controls: §164.308(a)(1)(ii)(A) risk analysis, §164.312(b) audit controls.
NIST CSF 2.0
NIST Cybersecurity Framework, version 2.0 (February 2024). Voluntary framework; broadly adopted as a posture-and-maturity reference. Five functions in 1.x (Identify, Protect, Detect, Respond, Recover) plus the new Govern function in 2.0. Inventory controls in the ID.AM family.
CMMC Level 2
Cybersecurity Maturity Model Certification, Level 2. Required for DoD contractors handling Controlled Unclassified Information (CUI). Third-party assessment by a C3PAO is mandatory; 110 controls mirroring NIST SP 800-171. Rolling implementation 2025–2027.
NDAA Section 889 / FAR 52.204-25
National Defense Authorization Act Section 889 prohibits federal contractors from using covered telecommunications equipment from a defined banned-vendor list. Increasingly appears in commercial customer questionnaires as cross-border supply-chain risk gets underwritten.
CCPA / CPRA
California Consumer Privacy Act and the California Privacy Rights Act amendments. CPRA-driven regulations finalized late 2025 added formal cybersecurity-audit and risk-assessment obligations for businesses meeting certain thresholds. Effective January 1, 2026.
FFIEC CAT
Federal Financial Institutions Examination Council Cybersecurity Assessment Tool. Used by banking regulators for examining financial institutions. Risk-based; inherent-risk profile plus maturity tiers.
GLBA Safeguards Rule
Gramm-Leach-Bliley Act Safeguards Rule. Information-security requirements for financial institutions under FTC jurisdiction (and CFPB scope). 2023 amendments expanded scope and tightened expectations.
NYDFS 23 NYCRR Part 500
New York Department of Financial Services cybersecurity regulation. Applies to entities licensed by NYDFS; covers banks, insurers, and large financial-services firms doing business in New York.
HITRUST CSF
Health Information Trust Alliance Common Security Framework. Healthcare-industry-driven framework; many healthcare customers ask their SaaS vendors to certify against HITRUST in addition to or instead of SOC 2.
Carrier and audit vocabulary
Risk-based underwriting
Insurance-carrier practice of pricing cyber-insurance premiums against the specific risk profile of the insured, rather than against a flat industry rate. The norm in 2026; replaced flat-rate pricing across most carriers.
Continuous evidence vs. annual attestation
The shift in carrier and regulator expectations from "we attest we have controls" to "show me the artifact that proves you did." Continuous evidence is produced by tooling on an ongoing basis; annual attestation is a point-in-time claim. The 2025–2026 compliance window normalized continuous-evidence expectations.
QSA
Qualified Security Assessor. PCI Security Standards Council-certified individual or firm authorized to perform PCI DSS assessments.
C3PAO
CMMC Third-Party Assessment Organization. Authorized to perform CMMC Level 2 assessments under the DoD's CMMC program.
Evidence pack
A structured collection of artifacts (inventory, change history, control-mapping documentation) used to demonstrate compliance with a specific framework. The form auditors expect to receive.
Signed artifact
An artifact (PDF, JSON, log export) cryptographically signed by the producing system, so the consumer (auditor, carrier) can verify integrity. The signature is the evidence the artifact wasn't tampered with after production.
Risk analysis (HIPAA)
The specific HIPAA-mandated assessment of risks to ePHI, including inventory of in-scope systems, threat analysis, and documented mitigations. The 2025 Security Rule update tightened the inventory dimension specifically.
Drift event
A change in the network's device inventory or device identity, detected continuously. Drift events include device additions, removals, identity changes, and topology changes. CybrIQ detects drift at the device-identity layer (the device is no longer what it claimed to be, or a new device appeared); it does not inspect the configuration inside the device. The cumulative drift trail is the change log that satisfies multiple framework inventory and detection controls.
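The drift-event and signed-artifact entries above describe one pipeline: diff two inventory snapshots, record each change in the trail, and sign the export so an auditor can verify it. The example below is added here and is not CybrIQ code; it assumes inventories keyed by switch port, an opaque fingerprint string standing in for Device DNA, an HMAC-SHA256 tag (shared key, symmetric verification) standing in for the producing system's signature, and covers additions, removals, and identity changes but not topology changes.

```python
"""Added example (not CybrIQ code): derive drift events from two constructed
inventory snapshots and emit a signed JSON drift artifact.
Assumptions: snapshots keyed by switch port; identity is an opaque fingerprint
string standing in for Device DNA; HMAC-SHA256 with a shared key stands in for
the producing system's signature."""
import hashlib
import hmac
import json

# Constructed snapshots: switch port -> device fingerprint. Only identity is
# compared; per the page, configuration inside the device is not inspected.
BEFORE = {"Gi1/0/1": "fp:printer-7a", "Gi1/0/2": "fp:ip-phone-31",
          "Gi1/0/3": "fp:laptop-e4"}
AFTER = {"Gi1/0/1": "fp:printer-7a", "Gi1/0/2": "fp:unknown-c9",
         "Gi1/0/4": "fp:camera-02"}

def drift_events(before, after):
    """Return drift events as the page classifies them: addition, removal,
    and identity change (same port, a different device than last poll)."""
    events = []
    for port in sorted(set(before) | set(after)):
        old, new = before.get(port), after.get(port)
        if old is None:
            events.append({"type": "addition", "port": port, "identity": new})
        elif new is None:
            events.append({"type": "removal", "port": port, "identity": old})
        elif old != new:
            events.append({"type": "identity_change", "port": port,
                           "previous": old, "identity": new})
    return events

def sign_artifact(events, key):
    """Serialize the drift trail canonically and attach a MAC so a consumer
    holding the key can prove the export was not altered after production."""
    body = json.dumps(events, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "signature": tag}

def verify_artifact(artifact, key):
    """Recompute the tag over the body; constant-time compare avoids leaks."""
    expected = hmac.new(key, artifact["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, artifact["signature"])

KEY = b"constructed-demo-key"  # placeholder; a real system uses a managed key

if __name__ == "__main__":
    artifact = sign_artifact(drift_events(BEFORE, AFTER), KEY)
    print(artifact["body"])
    print("verified:", verify_artifact(artifact, KEY))
```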
CybrIQ-specific terms
Device DNA™
CybrIQ's patented method of deriving a deterministic identity for each network-connected device from signals the switch supplies about the device. The signature is spoof-resistant because it doesn't depend on the device's self-report.
ESE (External Scan Engine)
The on-premises software component of CybrIQ. Runs on a small server (Linux or Windows; no specific hardware spec; lightweight) in the customer's environment. Polls the customer's managed switches read-only at a 30-second default cadence. The "external" in the name distinguishes it from the cloud control plane.
RoomIQ
CybrIQ's per-room product. Optimized for conference-room, AV, and meeting-environment deployments. Priced per room on a recurring basis.
SpacesIQ
CybrIQ's building-or-campus product. Optimized for the full enterprise network. Priced by deployment scale.
Reference database
The 750M+ entry curated database of known device fingerprints CybrIQ uses to resolve each observed device signature against a known-device record. Refreshed twice weekly with human review.
USB-threat agent
CybrIQ's optional endpoint software (Windows and Linux) that detects hardware-side USB attacks: Rubber Ducky-class keyboard injection, Flipper Zero, O.MG cables, BadUSB-class devices. Separate from the network-side ESE.
Continuous inventory
The live, always-current device inventory CybrIQ produces from the switch-polling data. Distinct from a periodic-snapshot inventory the CMDB or asset-discovery scanner might maintain.
Three deliverables
The three exports a CybrIQ pilot ships to the customer: continuous inventory, 30-day drift report, evidence pack mapped to the customer-selected framework. Yours at day 30 regardless of pilot decision.
Term not in the glossary?
A live demo of the platform and a conversation about whether CybrIQ fits your environment. Bring any term you want clarified; we'll work it into the demo.