Home Resources Acronyms

People in the security space love acronyms! Just saying some of these out loud makes your infrastructure more secure.



Asset Identification, part of the SCAP standard, is a language that provides a data model for identifying assets, methods for identifying assets, and guidance on how to use asset identification.


The Asset Reporting Format, part of the SCAP standard, is a language that expresses the transport format of information about assets, and the relationships between assets and reports. It is also often called Result DataStream because it is complementary to Source DataStream.


Common Configuration Enumeration, part of the SCAP standard, is an enumeration of security relevant configuration elements for applications and operation systems.


The Common Configuration Scoring System, part of the SCAP standard, is a specification for measuring the relative severity of system security configuration issues.


The Center for Internet Security, Inc. (CIS) is a 501c3 nonprofit organization focused on enhancing the cybersecurity readiness and response of public and private sector entities.


Common Platform Enumeration, part of the SCAP standard, is a structured naming scheme used to identify information technology systems, platforms, and packages.


Common Vulnerabilities and Exposures, part of the SCAP standard, is an enumeration for publicly known information security vulnerabilities.


The Common Vulnerability Scoring System, part of the SCAP standard, is a language for representing system configuration information, assessing machine state, and reporting assessment results.


Common Weakness Enumeration is a community project whose main task is to collect a catalog of software weaknesses and vulnerabilities and deal with them.


The Federal Information Processing Standards are an official set of standards developed by the United States federal government. These standards describe document processing, encryption algorithms and more. They apply to the use of computer systems by non-military government agencies, government contractors and vendors who work with the agencies.


MITRE is an American nonprofit Corporation which performs research & analysis, development, engineering and integration. They are sponsored by the federal government and have various research programs.


The National Institute of Standards and Technology is a federal technology agency. They advance official technology, measurement science and standards.


The National Vulnerability Database is the U.S. government repository of vulnerability management data, which enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.


The Open Checklist Interactive Language, part of the SCAP standard, is a language for representing checks that collect information from people or from existing data stores made by other data collection efforts.


The Open Vulnerability and Assessment Language, part of the SCAP standard, is declarative language for making logical assertions about the state of endpoint system.


The Payment Card Industry Data Security Standard (PCI DSS) provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing on one hand, and simultaneously to all subjects processing, transmitting, or storing cardholder data or sensitive user authentication information on the other.


The Script Check Engine is a SCAP extension to allow script execution from SCAP policy. That might be useful during rapid policy development as scripts are easier to write than OVAL.


SCAP source data stream that is a standalone XML file containing XCCDF, OVAL, CPE and possibly other files required for evaluation.


Security Automation and Continuous Monitoring is a life-cycle process which provides effective asset control and efficient delivery of information. The process includes managing resources (infrastructure, data), capabilities (people) and artifacts (HWs, SWs, Documentation).


Security Content Automation Protocol is a specification for expressing and manipulating security data in standardized ways. SCAP uses several individual specifications in concert to automate continuous monitoring, vulnerability management, and security policy compliance evaluation reporting.


Software identification tags (SWID tags) record unique information about an installed software application, including its name, edition, version, whether it’s part of a bundle and more.


The purpose of the United States Government Configuration Baseline is to create security configuration baselines for Information Technology products widely deployed across the federal agencies.


The eXtensible Configuration Checklist Description Format, part of the SCAP standard, is a language to express, organize, and manage security policies. It is a basic building block of security policy.