Cybersecurity and Compliance Terms and Acronyms

The cybersecurity and compliance industries are rife with terms and acronyms. This section is meant to help define and simplify some of the terms and acronyms and make it easier to understand.


Two Factor Authentication (2FA) refers to situations where people must use two different classes of secret or unique information to prove their identity. .


GRC stands for Governance, Risk, and Compliance. It is generally used to refer to the business practice of centrally managing these related topics.


NIST is the United States National Institute of Standards and Technology. As a non-regulatory agency of the US Department of Commerce, NIST leads the US government’s development of standards for industry – including cybersecurity standards.


The NIST Cybersecurity Framework (NIST CSF) is an outline of policies that organizations can implement to protect, detect, and respond to cyber attacks.



The Payment Card Industry (PCI) is a moniker for the organizations that comprise the electronic payment systems facilitated via payment cards such as credit cards, debit cards, and some gift cards.



The PCI Data Security Standard (PCI DSS) is the payment card industry’s set of requirements on how companies must protect payment card information in their possession.

All companies that store, process, or transmit information from credit cards, debit cards, and some gift cards must comply with this standard. While most jurisdictions have not made PCI DSS compliance a legal obligation, banks and payment card industry partnership agreements force this compliance worldwide upon all merchants and their service providers.



Service Organization Control (SOC) 2 is a report produced by AICPA and CICA members for companies that provide services to other organizations. The report is designed to communicate the nature of a company’s controls to ensure they are meeting their contractual obligations. Most companies seek SOC 2 reports to satisfy their client’s concerns around how they will ensure the secrecy and integrity of data shared with the service provider. Complyify helps companies design and meet their SOC 2 controls so they continually receive satisfactory reports from their assessors.



SOC 3 reports are a special derivative of a SOC 2 report. They are issued only to organizations who receive a satisfactory SOC 2 report that is free of exceptions – meaning they have demonstrated the ability to consistently and effectively deliver on their promises to customers. Complyify helps customers meet their SOC 2 obligations without exception,



The Health Insurance and Portability Act of 1996 (HIPAA) required the U.S. Department of Health and Human Services (HHS) to develop regulations to protect the privacy and security of certain types of health information.


The Cybersecurity Maturity Model Certification is a new standard that will take the place of NIST 800-171 on Department of Defense contracts. The CMMC combines various cybersecurity standards and best practices and maps them to controls and processes across several maturity levels that range from basic cyber hygiene to more advanced levels.


The California Consumer Privacy Act (CCPA), is a state statute intended to enhance privacy rights and consumer protection for residents of California. It creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The regulations establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.


Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied and continue to satisfy all QSA Requirements.

Custom portals for compliance, attestation, ESG tracking and risk assessment.