
IT Acronyms.
In Plain English.

Your IT provider loves acronyms. Here's what they actually mean — written for humans, not help desk tickets.

Default mode explains every term like you've never heard it before. Flip the toggle for technical definitions.

Security Software
AV: Antivirus

Software that scans your computers for known viruses and malicious files. It works from a list of known threats — if a threat isn't on the list, AV often misses it. The original standard for endpoint security, now considered a baseline rather than sufficient protection on its own.

Signature-based malware detection that identifies known threats by matching file hashes, byte patterns, or heuristics against a continuously updated threat database. Effective against known malware families but fundamentally limited against zero-day exploits, fileless malware, LOLBins (living-off-the-land binaries), and custom payloads that evade static analysis. Modern AV incorporates behavioral heuristics but lacks the telemetry and response capabilities of EDR. Industry consensus treats AV as necessary but insufficient — a hygiene baseline, not a security strategy.

Think of it as: a bouncer with a photo ID book — only stops people already on the list
Stack position: lowest layer of endpoint defense; supplement with EDR/MDR for meaningful threat coverage
EDR: Endpoint Detection & Response

Security software installed on each device (laptop, desktop, server) that watches for suspicious behavior — not just known viruses, but anything that looks like an attack in progress. If it sees something bad, it can automatically isolate the device before the damage spreads. Significantly smarter than traditional antivirus.

Behavioral telemetry agent deployed at the kernel level on endpoints that continuously streams process telemetry, file system events, network connections, registry modifications, and memory activity to a cloud-based analytics backend. Detects threats using MITRE ATT&CK-mapped behavioral indicators, ML-based anomaly detection, and IOC matching. Key differentiator from AV: automated response capabilities including process kill, network isolation, memory dump collection, and rollback. Modern EDR platforms (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) provide threat hunting telemetry and forensic artifacts essential for post-incident investigation.

Think of it as: a security camera that can also lock the door automatically
Architecture: kernel-mode agent → cloud SIEM correlation → automated SOAR response playbooks
MDR: Managed Detection & Response

EDR plus a team of actual humans watching your systems around the clock. The software detects threats; the security team investigates and responds. When something suspicious happens at 2am on a Sunday, MDR means someone is looking at it. This is what most serious small and mid-size businesses should be running.

Managed security service that wraps EDR (or XDR) telemetry with 24/7 SOC analyst coverage, threat hunting, and incident response. MDR providers ingest endpoint, network, and identity telemetry, apply curated detection rules and ML models, and escalate validated incidents to analysts who perform triage, investigation, and containment — often with pre-authorized remediation playbooks. Differentiates from MSSP in its proactive threat hunting posture and focus on detection fidelity over alert volume. Key SLA metrics: mean time to detect (MTTD), mean time to respond (MTTR), and escalation SLA windows. Gartner projects 50%+ of SMBs will use MDR by 2025.

Think of it as: EDR with a 24/7 guard team behind it
Differentiate from MSSP: MDR = proactive hunting + validated response; MSSP = alert forwarding + compliance reporting
XDR: Extended Detection & Response

Like EDR, but it pulls data from your entire environment — computers, servers, email, cloud apps, and network — into one unified view. Instead of separate tools that can't talk to each other, XDR correlates signals across everything to catch threats that would look innocent in isolation. Typically more relevant for mid-market and enterprise environments.

Unified detection and response platform that ingests and correlates telemetry across multiple security layers — endpoint (EDR), network (NDR), email, cloud workloads, and identity — into a single data lake for cross-domain attack chain reconstruction. Addresses the signal fragmentation problem where EDR, email gateway, and CASB alerts each see one stage of a multi-vector attack without correlation. Native XDR (single-vendor, e.g. Microsoft Defender XDR, Palo Alto Cortex) differs from open/hybrid XDR (third-party integrations via SIEM/SOAR). Primary value proposition: reduced mean time to detect lateral movement and multi-stage attacks that evade single-domain detection.

Think of it as: EDR that sees the whole building, not just one room
Native XDR vs. open XDR: single-vendor telemetry depth vs. multi-vendor breadth — pick based on existing stack
SIEM: Security Information & Event Management

A system that collects and analyzes log data from everything on your network — firewalls, servers, applications, user logins — and looks for patterns that suggest a security incident. Where EDR watches individual devices, SIEM watches the whole environment for anomalies. Often paired with MDR for a full security operations capability. Common compliance requirement in regulated industries.

Log aggregation, normalization, correlation, and alerting platform that ingests syslog, Windows Event Log, cloud audit trails, firewall logs, IDS/IPS events, and application logs into a centralized store. Applies correlation rules (e.g., Sigma rules) and behavioral analytics to detect multi-source attack patterns. Core SIEM functions: log retention for compliance (HIPAA, PCI, SOC 2), real-time alerting, forensic search, and dashboards. Modern SIEMs (Splunk, Microsoft Sentinel, Elastic SIEM) add ML-based UEBA (User and Entity Behavior Analytics). Major operational challenge: alert fatigue and tuning — poorly tuned SIEMs generate thousands of false positives daily. Often paired with SOAR for automated playbook execution.

Think of it as: a control room that monitors every camera feed at once
Deployment reality: SIEM value is proportional to tuning investment — raw deployment without rule optimization produces noise, not signal
ITDR: Identity Threat Detection & Response

Monitors your user accounts and login activity for signs that an identity has been compromised. Things like: someone logging in from an unusual location, logins at 3am, sudden access to files a user has never touched, or signs that credentials may have been stolen. Attackers frequently target credentials rather than systems — ITDR is specifically designed to catch that.

Security discipline focused on detecting and responding to identity-layer attacks — credential theft, pass-the-hash, pass-the-ticket, Golden Ticket/Silver Ticket attacks, Active Directory enumeration, privilege escalation, and lateral movement via compromised accounts. ITDR platforms (CrowdStrike Identity Protection, Microsoft Defender for Identity, Semperis) monitor AD/AAD event logs, Kerberos ticket activity, LDAP queries, and authentication anomalies using behavioral baselines and known attack technique fingerprints. Addresses the gap between EDR (process/file activity) and SIEM (log correlation) by focusing specifically on identity plane abuse — now the primary attack vector in ransomware pre-deployment reconnaissance.

Think of it as: fraud monitoring for your business logins
Why it matters now: 80%+ of breaches involve compromised credentials; ITDR detects the AD reconnaissance phase before ransomware deployment
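The SIEM correlation rule and the ITDR behavioral baseline described above, as an added example (not code from this page or from any vendor named on it). It runs over a constructed authentication log and assumes a simple `key=value` log format, UTC business hours of 08:00 to 18:00, and a country code as the only location signal.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from any real system); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2024-05-06T09:01:10Z auth user=alice src=198.51.100.7 geo=US result=OK
2024-05-06T09:05:41Z auth user=bob src=198.51.100.9 geo=US result=OK
2024-05-06T22:40:02Z auth user=alice src=203.0.113.5 geo=NL result=FAIL
2024-05-06T22:40:09Z auth user=alice src=203.0.113.5 geo=NL result=FAIL
2024-05-06T22:40:15Z auth user=alice src=203.0.113.5 geo=NL result=FAIL
2024-05-06T22:40:21Z auth user=alice src=203.0.113.5 geo=NL result=FAIL
2024-05-06T22:40:28Z auth user=alice src=203.0.113.5 geo=NL result=FAIL
2024-05-06T22:41:03Z auth user=alice src=203.0.113.5 geo=NL result=OK
2024-05-07T03:12:44Z auth user=bob src=203.0.113.77 geo=BR result=OK
"""
# Everything before this point is treated as "known good" history for the identity baseline (assumption).
BASELINE_CUTOFF = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>OK|FAIL)$")


def parse_events(text):
    """Normalize raw lines into dicts (the SIEM 'normalization' step); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """SIEM-style correlation rule: >= threshold failures for one (user, source), then a
    success within the window. A single failed login is noise; this sequence is signal."""
    alerts, fails = [], defaultdict(list)
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            fails[key].append(e["ts"])
            continue
        recent = [t for t in fails[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "user": e["user"],
                           "src": e["src"], "failures": len(recent), "ts": e["ts"]})
        fails[key].clear()
    return alerts


def build_baseline(events, until):
    """ITDR-style behavioural baseline: the geos each user has successfully logged in from before `until`."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "OK" and e["ts"] < until:
            baseline[e["user"]].add(e["geo"])
    return baseline


def detect_identity_anomalies(events, baseline, business_hours=(8, 18)):
    """Flag successful logins that deviate from the user's baseline: a never-seen geo, or a
    login outside business hours (UTC here; a real deployment uses the user's own timezone)."""
    alerts = []
    for e in events:
        if e["result"] != "OK":
            continue
        reasons = []
        if e["geo"] not in baseline.get(e["user"], set()):
            reasons.append("new_geo:" + e["geo"])
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            reasons.append("off_hours:%02d:00Z" % e["ts"].hour)
        if reasons:
            alerts.append({"rule": "identity_anomaly", "user": e["user"],
                           "src": e["src"], "reasons": reasons, "ts": e["ts"]})
    return alerts


def run_detections(text=SAMPLE_LOG, cutoff=BASELINE_CUTOFF):
    """Run both detections over one log; returns the combined alert list."""
    events = parse_events(text)
    baseline = build_baseline(events, cutoff)
    return detect_bruteforce_then_success(events) + detect_identity_anomalies(events, baseline)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The sample produces three alerts: one brute-force-then-success for alice, and one identity anomaly each for alice (new country, off-hours) and bob (new country, off-hours).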
Identity & Access Management
MFA: Multi-Factor Authentication

Requiring more than just a password to log in. Typically a password plus a code from an app on your phone. If an attacker steals your password, they still can't get in without the second factor. MFA is the single highest-impact security control available to any business and should be enforced for all users on all systems — not optional, not just for admins.

Authentication mechanism that requires possession of at least two factors from distinct categories: something you know (password, PIN), something you have (TOTP token, hardware key like YubiKey, push notification via authenticator app), or something you are (biometric). TOTP (RFC 6238) is significantly more phishing-resistant than SMS OTP, which is vulnerable to SIM-swapping and SS7 attacks. FIDO2/WebAuthn hardware keys (YubiKey, Titan) are phishing-proof by design — they bind to the originating domain at registration. Microsoft research: enabling MFA blocks 99.9% of automated account compromise attacks. Enforcement via Conditional Access (Entra ID) or Google Workspace admin policy — MFA that users can self-opt-out of is not enforced MFA.

Think of it as: a deadbolt plus a chain — a stolen key alone doesn't open the door
Phishing resistance hierarchy: SMS OTP < TOTP app < Push notification < FIDO2/WebAuthn hardware key — enforce app-based minimum; migrate to FIDO2 for privileged accounts
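How the TOTP factor referenced above (RFC 6238, built on HOTP from RFC 4226) is actually generated and verified, as an added example that is not code from this page. The secret is the RFC test vector so the output can be checked against published values; the verifier-side drift window and single-use check are the parts a practitioner most often gets wrong.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 reference secret (ASCII "12345678901234567890"). Used here only because
# the RFCs publish its expected outputs; a real secret is random and never reused.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(key, unix_time // step, digits, algo)


def verify_totp(key: bytes, code: str, unix_time: int, last_used_step: int,
                step: int = 30, digits: int = 6, window: int = 1):
    """Verifier side. Accepts the code for the current step or +/- `window` steps (clock
    drift), but never a step at or before `last_used_step`: a TOTP code is single-use, and
    refusing reuse is what stops a code captured within its 30-second validity from being
    replayed. Returns (accepted, new_last_used_step) so the caller can persist the counter."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_used_step:
            continue  # already consumed (or older): treat as replay
        expected = hotp(key, candidate, digits)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True, candidate
    return False, last_used_step


def secret_from_base32(s: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 (as in otpauth:// URIs)."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit code for the RFC test secret:", totp(RFC_TEST_SECRET, now))
```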
SSO: Single Sign-On

A system that lets employees log in once — to one central identity provider — and then access all their business applications without logging in again. Better for security (fewer passwords to manage), better for productivity (no password reset calls), and easier to revoke access immediately when someone leaves. Microsoft Entra and Google Workspace both include SSO. If your business has 10+ applications, SSO is worth it.

Federated authentication protocol that allows a single identity provider (IdP) authentication event to grant access to multiple service providers (SPs) via a signed assertion (SAML 2.0) or token (OAuth 2.0 / OIDC). IdPs: Microsoft Entra ID (formerly Azure AD), Okta, Google Workspace, OneLogin. SSO enables centralized MFA enforcement — MFA happens at the IdP once, not at each application separately. Critical offboarding benefit: disabling an account in the IdP simultaneously revokes access to all SSO-connected applications. Not all SaaS apps support SSO at all pricing tiers — some vendors gate SAML behind enterprise pricing (the "SSO tax"). Evaluate before standardizing on a SaaS stack.

Think of it as: one master key that opens every door in the building
Offboarding value: one disable in Entra ID/Okta = immediate access revocation across all SAML/OIDC-integrated apps — eliminates the "did we remove them from everything?" problem
PAM: Privileged Access Management

A system that controls and monitors access to your most sensitive systems — server admin accounts, firewall credentials, domain admin access. Instead of IT staff knowing the password, PAM vaults the credential and issues time-limited, logged access when needed. Every action taken with a privileged account is recorded. Significantly limits the damage if an IT person's account is compromised or if someone goes rogue.

Security platform for managing, monitoring, and auditing access to privileged accounts (local admin, domain admin, root, service accounts, application accounts). Core capabilities: credential vaulting with automated rotation, just-in-time (JIT) access provisioning (zero-standing privilege), session recording and keystroke logging, and privileged session proxy (no direct credential exposure to the requester). Platforms: CyberArk, BeyondTrust, Delinea (Thycotic), HashiCorp Vault. PAM addresses the standing privilege problem — admin credentials that persist indefinitely and are reused across systems are the primary escalation path after initial compromise. JIT access: user requests temporary privilege elevation → approval workflow → time-limited session → automatic revocation.

Think of it as: a safety deposit box for the keys to the kingdom — with a camera watching every time someone opens it
Zero-standing-privilege model: no permanent admin rights; all privileged access is JIT with session recording — eliminates persistent credential exposure that enables lateral movement
Zero Trust: Zero Trust Security Model

A security philosophy that says "never trust, always verify" — every user and device must prove they have the right to access a resource, every time, regardless of whether they're inside the office network or not. The old model assumed that once inside the firewall, you were safe. Zero Trust assumes the attacker is already inside and requires verification at every step. Increasingly the standard for modern IT environments.

Security architecture framework (NIST SP 800-207) that eliminates implicit trust based on network location. Core tenets: verify explicitly (always authenticate and authorize based on all available signals), use least-privilege access (limit user access with JIT and JEA), and assume breach (minimize blast radius, segment access, encrypt everything). Technical implementation: identity-centric access control via Conditional Access (Entra ID), device compliance enforcement (Intune), micro-segmentation, ZTNA replacing VPN, continuous session evaluation. Zero Trust is not a product — it's an architecture achieved through coordinated implementation across identity (MFA + SSO), device management (MDM/EDR), network (ZTNA), and data (DLP/CASB) controls. Microsoft, Okta, Zscaler, and Palo Alto all have Zero Trust architecture frameworks and product stacks.

Think of it as: airport security at every door inside the building, not just the entrance
Maturity model: start with MFA enforcement + device compliance → add ZTNA → implement micro-segmentation → continuous session evaluation — don't try to boil the ocean
ZTNA: Zero Trust Network Access

A modern replacement for VPN. Instead of giving remote employees access to the entire company network (as VPN does), ZTNA grants access only to the specific applications they need — and verifies identity and device health each time. Less attack surface, more control, and generally a better user experience. If your business uses a traditional VPN for remote access, ZTNA is what most security teams recommend replacing it with.

Application-layer access control framework that replaces network-layer VPN tunnels with per-application, policy-enforced access proxies. Architecture: client agent or clientless browser access → cloud proxy evaluates identity (IdP assertion) + device posture (MDM compliance, EDR health, OS patch level) → grants access to specific app only, not network segment. Key differentiator from VPN: VPN grants L3 network access (attacker with VPN = attacker on LAN); ZTNA grants L7 application access only — no lateral movement path. Platforms: Zscaler Private Access (ZPA), Cloudflare Access, Palo Alto Prisma Access, Microsoft Entra Private Access. ZTNA also enables identity-aware logging at the application layer — full audit trail of who accessed what application and when.

Think of it as: a VPN that only unlocks one door at a time, instead of the whole building
Migration path from VPN: inventory all VPN-accessed applications → onboard to ZTNA per app → enforce device posture as gating condition → deprecate VPN concentrator
Network Security & Email
DNS Filter: DNS Filtering

Blocks dangerous, malicious, or inappropriate websites before your computer even connects to them. Every website visit starts with a "DNS lookup" — essentially asking the internet for the address. DNS filtering intercepts that lookup and can block the request entirely if the destination is known to be harmful. Stops a lot of malware and phishing before it ever reaches a device.

Recursive DNS resolver that enforces policy at the query layer, blocking resolution of domains categorized as malicious, phishing, C2 infrastructure, botnets, or policy-prohibited categories (adult content, gambling, etc.) before a TCP connection is established. Operates upstream of TLS, making it effective against HTTPS destinations without certificate inspection. DNS filtering catches C2 callbacks from already-compromised endpoints — an infected machine that can't resolve its C2 domain can't receive instructions or exfiltrate data. Major platforms: Cisco Umbrella, Cloudflare Gateway, DNSFilter, Webroot DNS. At the RMM level, commonly deployed as an agent-based filter that enforces policy even off-network (roaming clients).

Think of it as: a GPS that reroutes you away from dangerous neighborhoods automatically
C2 disruption value: DNS filtering breaks the kill chain at the C2 callback stage even post-compromise — not just prevention
NGFW: Next-Generation Firewall

A firewall that doesn't just block traffic by port and IP address — it inspects the actual content of network traffic to detect threats, identify applications, and enforce detailed policies. Your home router has a basic firewall. An NGFW understands that traffic on port 443 could be legitimate web browsing, malware, or a ransomware C2 callback — and can tell the difference. Required for any business environment with more than a handful of users.

Stateful inspection firewall with additional application-layer visibility via DPI (Deep Packet Inspection), application identification (AppID), user identity tracking (User-ID), and integrated IPS/IDS, SSL inspection, URL filtering, and sandboxing capabilities. Differentiates from traditional packet-filter firewalls by operating at L7 rather than L3/L4 — enforces policy based on application (e.g., block file sharing within Slack but allow messaging) not just port/protocol. SSL inspection is operationally important: ~90% of malware now uses HTTPS — NGFWs without SSL inspection cannot inspect this traffic. Leading vendors: Palo Alto Networks, Fortinet FortiGate, Cisco Firepower, SonicWall TZ/NSa. NGFW UTM (Unified Threat Management) bundles IPS, URL filtering, AV scanning, and sandboxing in a single appliance — common SMB deployment.

Think of it as: a security checkpoint that can read the contents of every package, not just check the address label
SSL inspection gap: NGFWs without SSL inspection leave ~90% of traffic uninspected — verify SSL inspection is licensed and enabled, not just marketed
VPN: Virtual Private Network

Creates an encrypted tunnel between a remote employee and your office network, so they can access internal files, servers, and applications as if they were physically at the office. VPN was the standard remote access solution for 20 years. It's increasingly being replaced by ZTNA for new deployments because VPN gives access to the entire network — if an attacker compromises a VPN user, they get access to everything too.

Protocol suite for establishing encrypted L3 tunnels between remote clients and a corporate network gateway. Common protocols: OpenVPN (TLS-based, widely compatible), WireGuard (modern, high-performance, simpler codebase), IPSec/IKEv2 (common on enterprise hardware). Split tunnel (route only corporate traffic through VPN) vs. full tunnel (route all traffic) represents a policy tradeoff: full tunnel enables content filtering on remote devices at the cost of performance; split tunnel reduces gateway load but increases blind spots. VPN's fundamental security limitation: network-layer access once authenticated — a compromised VPN session has LAN-equivalent access. Combined with stolen credentials and no MFA, that is a lateral movement path. VPN gateways are frequent ransomware entry points (Pulse Secure, Fortinet, Citrix vulnerabilities in 2020–2023). Modern recommendation: ZTNA for application access; VPN retained only for legacy systems requiring L3 connectivity.

Think of it as: a secure private road from home to the office
Security posture: always combine VPN with MFA — unauthenticated VPN endpoints are the #1 ransomware initial access vector; prefer ZTNA for new deployments
MDM: Mobile Device Management

Software that lets IT manage, monitor, and control mobile phones, tablets, and laptops — including personal devices employees use for work. Can enforce security policies (screen lock, encryption, approved apps), push software updates, and remotely wipe a device if it's lost or stolen. If employees access company email or files on their personal phones, MDM is what lets you protect that data without relying on the employee to do it themselves.

Enterprise device management platform for enforcing security policy and managing configuration on iOS, Android, macOS, and Windows endpoints — both corporate-owned and BYOD. Core capabilities: device enrollment (DEP/ABM for Apple, zero-touch for Android), configuration profile deployment, application management (MAM — push/remove/update enterprise apps), compliance policy enforcement (passcode requirements, encryption, OS version gates), and remote wipe (full device wipe or selective corporate data wipe for BYOD). Platforms: Microsoft Intune (dominant in M365 environments), Jamf (Apple-focused), Kandji, VMware Workspace ONE. Intune + Entra ID Conditional Access enables device compliance as an access gate — non-compliant devices blocked from corporate resources regardless of valid credentials.

Think of it as: a way to enforce your security rules on every device that touches company data — including personal phones
BYOD strategy: Intune MAM without enrollment manages corporate app data (Outlook, Teams, OneDrive) on personal devices without IT visibility into personal data — privacy-preserving and legally cleaner than full enrollment
BEC: Business Email Compromise

A social engineering attack where a criminal impersonates a company executive, vendor, or attorney via email to trick employees into wiring money, changing bank account information, or sharing credentials. No malware, no ransomware — just a convincing fake email. BEC is the costliest category of cybercrime by dollar amount: $2.9 billion in losses in the US in 2023 (FBI IC3). A single successful attack often results in a $50,000–$500,000 wire transfer that is nearly impossible to recover.

Sophisticated social engineering attack leveraging impersonation of trusted parties — executives (CEO/CFO fraud), vendors, legal counsel, or financial institutions — to manipulate employees into performing unauthorized financial transactions or credential disclosure. Attack variants: account takeover (attacker compromises actual executive email account to send legitimate-domain requests), domain spoofing (look-alike domains: "serenitllc.com" vs. "serenit-llc.com"), display name spoofing (legitimate-looking From: field with malicious Reply-To:). Defense layers: DMARC enforcement (blocks spoofed domains), email authentication headers, AI-based email anomaly detection (Abnormal Security, INKY), out-of-band verification for wire transfer requests (policy requiring phone verification before processing any payment change). Key control: never process payment changes or wire transfers based solely on email, regardless of apparent sender.

Think of it as: a convincing fake email from your boss asking you to wire $80,000 — and it worked on thousands of businesses
DMARC enforcement (p=reject) eliminates domain spoofing attacks; implement SPF/DKIM/DMARC as a free, high-ROI baseline before paying for advanced email security
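Header-level checks for the two BEC variants above that DMARC does not stop on its own, look-alike domains and display-name spoofing with a foreign Reply-To, as an added example (not code from this page or from any product it names). The trusted domain, executive names and message headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed inputs (assumptions for the example): the organisation's real domain and
# the executives whose names attackers would most likely borrow for a display name.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe", "john roe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single substitution ("examp1e.com") is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None. Catches small edits
    ("examp1e.com") and punctuation variants such as a hyphen inserted or removed."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None

    def squash(d):
        return d.replace("-", "").replace(".", "")

    for trusted in TRUSTED_DOMAINS:
        if squash(domain) == squash(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyze_headers(headers: dict) -> list:
    """Return a list of findings for one message's From / Reply-To headers.
    These are triage signals for the 'verify out of band' policy, not a verdict:
    a message with any finding should not drive a payment change on its own."""
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = domain_of(addr)
    findings = []
    target = lookalike_of(from_dom)
    if target:
        findings.append("lookalike_domain:%s~%s" % (from_dom, target))
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        # Display-name spoofing pattern: plausible From, replies routed elsewhere.
        findings.append("reply_to_mismatch:" + domain_of(reply))
    if name.strip().lower() in EXECUTIVES and from_dom not in TRUSTED_DOMAINS:
        findings.append("executive_name_external:" + name.strip())
    return findings


if __name__ == "__main__":
    sample = {"From": '"Jane Doe" <jane.doe@examp1e.com>',
              "Reply-To": "jane.doe.ceo@webmail.invalid"}
    print(analyze_headers(sample))
```

Because the sending domain in these cases is one the attacker legitimately controls, SPF/DKIM/DMARC all pass; this is why the page's out-of-band verification policy is the control that matters here.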
SPF / DKIM / DMARC: Email Authentication Standards

Three DNS settings that prove your email is actually from your domain — and prevent criminals from sending emails that pretend to be from you. SPF says which servers are allowed to send email for your domain. DKIM cryptographically signs each email. DMARC tells receiving email servers what to do if an email fails those checks: monitor, quarantine, or reject it entirely. Most businesses have SPF but not DMARC enforcement, which means anyone can still spoof their domain with a persuasive fake email. Setting these up is free and typically takes less than an hour.

Layered email authentication framework implemented via DNS TXT records. SPF (Sender Policy Framework, RFC 7208): specifies authorized IP ranges/mail servers for a domain; evaluated by the receiving MTA during SMTP transaction. DKIM (DomainKeys Identified Mail, RFC 6376): RSA/Ed25519 cryptographic signature applied to email headers/body by sending MTA; verified against public key in DNS. DMARC (Domain-based Message Authentication, Reporting & Conformance, RFC 7489): policy declaration that specifies handling for SPF/DKIM failures (none/quarantine/reject) and requests aggregate/forensic reporting to a designated RUA/RUF address. DMARC p=reject is the only configuration that prevents domain spoofing — p=none and p=quarantine leave the domain impersonatable. Common gap: DMARC p=none deployed for monitoring but never escalated to p=reject — providing reporting data but no protection.

Think of it as: three free settings that prove your emails are real and block imposters from using your name
Deployment path: SPF → DKIM → DMARC p=none (monitor reports) → DMARC p=quarantine → DMARC p=reject; use dmarcian or Postmark DMARC for reporting analysis before enforcing reject
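The receiving side of the DMARC evaluation described above, as an added example that is not code from this page: it parses a `_dmarc` TXT record, applies SPF/DKIM identifier alignment (relaxed vs. strict), and returns the disposition a p=none vs. p=reject record asks for. The records and domains are constructed; the organizational-domain rule is simplified to the last two labels (real receivers use the Public Suffix List).

```python
def parse_dmarc(txt: str):
    """Parse a _dmarc TXT record into its tags; None if it is not a valid DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain: str) -> str:
    # Simplification for the example: last two labels. A real implementation consults the
    # Public Suffix List so that "example.co.uk" is not reduced to "co.uk".
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ("s") needs an exact match with the From header domain,
    relaxed ("r", the default) only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, policy_domain, from_domain, spf, dkim):
    """
    record:        TXT found at _dmarc.<policy_domain> (None or non-DMARC text = no policy)
    from_domain:   domain in the RFC5322.From header, i.e. what the recipient sees
    spf:           (result, envelope_domain) for the MAIL FROM domain SPF checked
    dkim:          list of (result, d_tag) for each DKIM signature verified
    Returns the DMARC result and the disposition the receiver is asked to apply.
    """
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return {"result": "none", "disposition": "none", "reason": "no DMARC policy published"}
    # DMARC passes when at least one authenticated identifier ALIGNS with the From domain;
    # SPF/DKIM passing for some unrelated domain does not count.
    spf_aligned = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_aligned = any(result == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                       for result, d in dkim)
    if spf_aligned or dkim_aligned:
        return {"result": "pass", "disposition": "none",
                "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    policy = tags["p"]
    if from_domain.lower() != policy_domain.lower() and "sp" in tags:
        policy = tags["sp"]  # subdomain policy, when published
    return {"result": "fail", "disposition": policy,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


def enforcement_status(record) -> str:
    """Posture check for the 'p=none forever' gap: does the published record block spoofing?"""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "missing"
    if tags["p"] == "reject" and tags.get("pct", "100") == "100":
        return "enforced"
    if tags["p"] == "none":
        return "monitor-only"
    return "partial"


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
    print(enforcement_status(rec))
    print(evaluate_dmarc(rec, "example.com", "example.com",
                         ("pass", "other-sender.invalid"), [("pass", "other-sender.invalid")]))
```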
Phishing: Phishing Attack

An email (or text message, phone call, or fake website) designed to trick employees into giving up their credentials, clicking malicious links, or transferring money. Phishing is the #1 method attackers use to get into small business networks — because it bypasses all the technical security and targets the human instead. About 90% of cyberattacks start with a phishing email. The most dangerous ones look exactly like legitimate emails from Microsoft, your bank, your IT provider, or your CEO.

Social engineering attack delivered via email (phishing), SMS (smishing), voice (vishing), or search engine poisoning (malvertising) designed to harvest credentials, deliver malware, or manipulate targets into fraudulent financial transactions. Attack sophistication spectrum: bulk generic phishing (mass delivery of credential harvesting pages impersonating M365 login, banking portals) → spear phishing (targeted attack using OSINT on specific individual — personalized lure, correct organizational context) → whaling (executive impersonation/targeting) → BEC (no malware, pure social manipulation for wire transfer fraud). Technical delivery: look-alike domains, Unicode homoglyphs, display name spoofing, compromised legitimate accounts, malicious macro attachments, HTML smuggling. Defense stack: email authentication (DMARC/DKIM/SPF), email gateway filtering (Defender for O365/Proofpoint), MFA (prevents credential harvesting from enabling access), SAT + phishing simulation, conditional access policies (device compliance as access gate even with valid credentials).

Think of it as: a convincing fake email or message designed to make you do something you shouldn't — and it works on smart people every day
Attack chain disruption: DMARC blocks spoofed-domain phishing; MFA blocks harvested credential use; SAT reduces click rate — all three layers required since no single control catches everything
Ransomware: Ransomware Attack

Malicious software that encrypts your files and demands a ransom payment (usually Bitcoin) for the decryption key. Modern ransomware operators don't just encrypt — they also steal your data first and threaten to publish it if you don't pay (double extortion). The average ransom demand for small businesses is over $100,000. Even if you pay, there's no guarantee you get your files back. The real cost includes downtime, recovery labor, reputational damage, and potential regulatory fines if customer data was involved.

Malware category that encrypts victim files (symmetric AES encryption with attacker-held RSA private key for key exchange) and demands cryptocurrency ransom for decryption. Modern ransomware operations (RaaS — Ransomware-as-a-Service) follow a structured attack lifecycle: initial access (phishing, VPN exploitation, RDP brute force) → persistence → lateral movement and privilege escalation (AD compromise) → data exfiltration → encryption deployment → ransom demand. Double extortion: data exfiltrated before encryption; payment demanded for both decryptor and suppression of data publication on leak site. Triple extortion adds DDoS threat. Recovery without paying requires: immutable offline backups (WORM storage not accessible via compromised credentials), incident response retainer (forensic investigation to close initial access vector before restore), and clean restore environment. Average SMB ransomware cost (Coveware): $200K–$800K total including downtime, recovery, legal — not just the ransom. 60% of SMBs that experience a breach close within 6 months.

Think of it as: a digital hostage situation where your files are locked and you're asked to pay to get them back — except paying doesn't guarantee you do
Recovery dependency chain: clean restore requires (1) immutable backups that predate compromise, (2) forensic identification of initial access vector, (3) full re-imaging of compromised systems — skipping forensics before restore results in re-infection from persistent implants
SAT: Security Awareness Training

Formal training that teaches your employees to recognize phishing emails, phone scams (vishing), fake login pages, and other attacks that target people rather than systems. Usually includes simulated phishing tests where the training provider sends fake phishing emails to your staff to see who clicks. Studies consistently show it reduces successful phishing attacks by over 60%. Your employees are the most attacked surface you have.

Structured security education program combining computer-based training (CBT) modules with simulated social engineering campaigns to reduce human-layer attack susceptibility. Platform components: phishing simulation engine (spear-phishing, smishing, vishing), training content library mapped to attack technique awareness, reporting dashboard tracking click rates/susceptibility scores, and automated remediation training assignment for users who fail simulations. Key metric: phishing susceptibility rate — Proofpoint/KnowBe4 data consistently shows 60–80% reduction in click rates after 12 months of SAT. Compliance driver: HIPAA workforce training requirements, SOC 2 CC9.2, PCI DSS Req 12.6. Platforms: KnowBe4, Proofpoint Security Awareness, Cofense, Curricula.

Think of it as: fire drills, but for cyberattacks
Metric focus: track susceptibility rate over rolling 90-day windows, not just training completion — completion without behavior change is theater
Compliance Frameworks
HIPAA: Health Insurance Portability and Accountability Act

The federal law that governs how health information is protected, stored, and transmitted. Any business that handles patient health information — doctors, dentists, mental health practices, medical billers, and their IT providers — must comply. HIPAA requires specific technical controls (encryption, audit logging, access controls), written policies, and Business Associate Agreements with every vendor who touches patient data. Violations carry fines of $100–$50,000 per incident.

Federal law (45 CFR Parts 160 and 164) establishing privacy and security standards for Protected Health Information (PHI). Security Rule mandates administrative safeguards (risk analysis, workforce training, access management), physical safeguards (workstation security, device controls), and technical safeguards (access controls, audit controls, transmission security, encryption — addressable vs. required standard). Business Associate Agreement (BAA) required with all vendors who receive, create, or transmit PHI on the covered entity's behalf — including MSPs, EHR vendors, cloud storage providers. Notable: HIPAA does not explicitly mandate encryption, but failure to encrypt results in presumptive breach upon incident — effectively mandating encryption as the risk mitigation for addressable specifications. HHS OCR enforces; penalties: $100–$50,000/violation; willful neglect: $10,000–$50,000/violation up to $1.9M/year per category.

Think of it as: the law that says patient records must stay private — and your IT setup has to prove it
HIPAA-eligible cloud: Microsoft M365 (E3+/Business Premium with BAA), Google Workspace (Business Starter+ with BAA), AWS HIPAA-eligible services — not consumer tiers or standard M365 Business Basic/Standard
PCI DSS (Payment Card Industry Data Security Standard)

The security standard required for any business that accepts credit or debit card payments. Maintained by the PCI Security Standards Council, which the major card brands (Visa, Mastercard, American Express, Discover, JCB) founded. Covers how card data is stored, transmitted, and protected, and includes 12 requirement areas with specific technical controls. Non-compliance doesn't result in government fines, but the card brands can levy penalties through your acquiring bank and revoke your ability to accept card payments, which for most retail or service businesses is existential.

Security standard maintained by the PCI Security Standards Council governing protection of cardholder data (CHD). PCI DSS v4.0 replaced v3.2.1 on 31 March 2024, and its future-dated requirements (now consolidated in v4.0.1) became mandatory on 31 March 2025. It comprises 12 requirements across 6 goals: build and maintain secure networks and systems, protect account data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Compliance is validated via a Self-Assessment Questionnaire (SAQ) for lower-volume merchants, or a Report on Compliance (ROC) from a Qualified Security Assessor (QSA) for Level 1 merchants and service providers. SAQ type depends on the card acceptance channel: SAQ A (fully outsourced card-not-present), SAQ A-EP (e-commerce where your site influences the payment page), SAQ B (imprint machines or standalone dial-out terminals), SAQ B-IP (standalone IP-connected terminals), SAQ C and C-VT (payment applications or virtual terminals on a segmented network), SAQ P2PE (validated point-to-point encryption solutions), and SAQ D for merchants or service providers that fit none of the above. Scope reduction via tokenization and P2PE: if CHD never enters your environment in clear, PCI scope shrinks dramatically. Penalties: card-brand fines passed through the acquirer (commonly cited at $5,000–$100,000/month) and potential loss of card acceptance.

Think of it as: the rulebook for any business that takes card payments; break the rules, lose the ability to accept cards
Scope reduction strategy: use a validated P2PE solution at the point of sale, tokenize stored card references, and fully outsource the e-commerce payment page; cardholder data then never touches your systems in clear, and validation drops to SAQ A or SAQ P2PE with a fraction of the controls
SOC 2 (System and Organization Controls 2)

A third-party audit framework that validates whether a technology company's security, availability, and data handling practices meet a defined standard. Not a legal requirement, but increasingly demanded by enterprise customers before they'll sign contracts with SaaS vendors or IT service providers. A SOC 2 Type II report (which covers an observation period, typically 6–12 months, rather than a point-in-time snapshot) is the most meaningful signal of operational security maturity. Getting it is a significant undertaking that typically takes 6–12 months and $30,000–$100,000.

AICPA attestation engagement (SSAE 18, AT-C sections 105 and 205) assessing service organization controls against the Trust Services Criteria (TSC): Security (the mandatory Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. Type I report: point-in-time opinion that controls are suitably designed. Type II report: opinion over an observation period (typically 3–12 months; enterprise buyers expect 6 or more) that controls operated effectively, which is far more credible for procurement. The audit is performed by a licensed CPA firm. Common Criteria scope: control environment, risk assessment, monitoring, logical and physical access, change management, system operations and incident response, and vendor management. Compliance automation platforms (Vanta, Drata, Secureframe, Tugboat Logic) automate evidence collection and continuous control monitoring, cutting audit prep from months to weeks. Relevant distinction: SOC 2 ≠ HIPAA compliance ≠ PCI compliance; different frameworks, different assessors, different controls, and passing one does not satisfy another.

Think of it as: a security report card audited by an outside firm; enterprise customers want to see it before they trust you with their data
Type I vs. Type II: enterprise procurement departments are increasingly rejecting Type I reports (point-in-time) and requiring Type II (historical effectiveness); budget 9–12 months from decision to Type II completion
CMMC (Cybersecurity Maturity Model Certification)

The Department of Defense's framework for verifying that defense contractors have adequate cybersecurity protections. Required for businesses that hold DoD contracts or work as subcontractors on them. Three levels: Level 1 (15 basic safeguarding practices, self-assessed annually), Level 2 (the 110 requirements of NIST SP 800-171, assessed by a certified third party for most contracts), Level 3 (additional NIST SP 800-172 requirements, government-led assessment). If you do any DoD contract work that involves federal contract information or CUI, CMMC 2.0 applies to you, even as a subcontractor two or three tiers removed from the prime.

DoD contractor cybersecurity certification program (32 CFR Part 170, final rule effective 16 December 2024) replacing the previous self-attestation model with independent verification. Level 1: 15 basic safeguarding requirements from FAR 52.204-21, mapped to the NIST SP 800-171 basic requirements; annual self-assessment with senior-official affirmation; required for all contractors handling FCI. Level 2: the 110 NIST SP 800-171 Rev. 2 requirements; triennial C3PAO (CMMC Third-Party Assessment Organization) certification for CUI-handling contractors, with a self-assessment track for a limited set of non-prioritized acquisitions. Level 3: 24 additional requirements selected from NIST SP 800-172, assessed by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) on top of a Level 2 certification. SPRS (Supplier Performance Risk System) score required under DFARS 252.204-7019/7020, on a scale from −203 to 110 reflecting 800-171 implementation; negative scores are common on a first honest assessment. Flow-down: primes must flow CMMC requirements to every subcontractor that handles FCI or CUI. Cloud services handling CUI must be FedRAMP Moderate authorized or equivalent per DFARS 252.204-7012; for Microsoft 365 that means GCC or GCC High, with GCC High specifically where ITAR/EAR data or contract terms demand DoD IL4/IL5.

Think of it as: a mandatory security certification you need to keep DoD contracts, and it flows down to subcontractors too
Most common CMMC gap: commercial M365 (Business Basic/Standard/Premium) storing CUI; moving to M365 GCC or GCC High is a full tenant-to-tenant migration and must be completed before the assessment
NIST 800-171 (NIST Special Publication 800-171)

A set of 110 cybersecurity requirements published by the National Institute of Standards and Technology, specifically for protecting Controlled Unclassified Information (CUI) in non-federal systems. It's the technical backbone of CMMC Level 2. If you hold DoD contracts involving CUI, these requirements aren't optional — they're contractual. The 14 control families cover everything from access controls and encryption to audit logging, incident response, and configuration management.

NIST SP 800-171 Rev. 2 defines 110 security requirements across 14 control families for protecting CUI in nonfederal systems, imposed contractually through DFARS 252.204-7012. Families: Access Control (22 reqs), Awareness and Training (3), Audit and Accountability (9), Configuration Management (9), Identification and Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System and Communications Protection (16), System and Information Integrity (7). Assessment methodology per NIST SP 800-171A: examine, interview, test; each requirement is scored MET, NOT MET, or NOT APPLICABLE. SPRS score = 110 − (sum of point values for unmet requirements), with point values of 1, 3, or 5 per requirement; possible range −203 to 110. An SSP (System Security Plan) and POA&M (Plan of Action and Milestones) are required companion documents. NIST SP 800-171 Rev. 3 (May 2024) restructures the requirements to align with SP 800-53 Rev. 5 (17 families, 97 requirements with organization-defined parameters), but DoD currently directs assessment against Rev. 2 for DFARS and CMMC purposes, so Rev. 2 remains the contractual baseline until DoD says otherwise.

Think of it as: 110 specific security requirements you must meet to handle DoD information, and must prove you meet
Scoring reality: most small businesses score well below 50 on their first SPRS assessment; closing the gap to 110 typically takes 12–24 months of remediation, so start the SSP now so that the score and the POA&M are at least documented
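The scoring rule stated above (start at 110, subtract a 1-, 3- or 5-point weight for every unmet requirement, with partial credit only for MFA and FIPS-validated cryptography) is easy to get wrong by hand, so here it is as an added example. This is not SerenIT's, DoD's or NIST's code; the WEIGHTS table is a constructed subset with assumed point values for illustration, and the authoritative values are in the DoD Assessment Methodology, not here. With the full 110-requirement table the floor is −203, as the entry states.

```python
"""Added example (not from SerenIT, DoD or NIST): computing a NIST SP 800-171
self-assessment score the way the DoD Assessment Methodology does it.

Rules implemented: every requirement carries a weight of 1, 3 or 5; the score
starts at 110 and each unmet requirement subtracts its weight; two requirements
get partial credit (3.5.3 MFA and 3.13.11 FIPS-validated crypto lose 3 instead
of 5 when partially implemented). WEIGHTS is a constructed subset with assumed
point values for illustration only.
"""

MAX_SCORE = 110
MIN_SCORE = -203  # floor when every one of the real 110 requirements is unmet

# Illustrative subset: requirement id -> point value (assumed for this example).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # control connections to external systems
    "3.3.1": 5,    # audit logging
    "3.5.3": 5,    # multifactor authentication (3 if partial)
    "3.13.11": 5,  # FIPS-validated cryptography (3 if partial)
    "3.14.1": 5,   # flaw remediation
    "3.8.3": 1,    # media sanitization
}
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
STATUSES = {"met", "not_met", "partial", "na"}


def deduction(req: str, status: str) -> int:
    """Points subtracted for one requirement given its assessed status."""
    if status not in STATUSES:
        raise ValueError(f"{req}: unknown status {status!r}")
    if status in ("met", "na"):          # N/A requirements are not deducted
        return 0
    if status == "partial":
        if req not in PARTIAL_CREDIT:    # only two requirements allow partial credit
            raise ValueError(f"{req}: partial credit is not defined for this requirement")
        return PARTIAL_CREDIT[req]
    return WEIGHTS[req]


def sprs_score(assessment: dict) -> int:
    """Score = 110 minus the weighted deductions of everything not fully met."""
    missing = set(WEIGHTS) - set(assessment)
    if missing or set(assessment) - set(WEIGHTS):
        raise ValueError(f"assessment must cover exactly the scored requirements; missing {sorted(missing)}")
    score = MAX_SCORE - sum(deduction(r, s) for r, s in assessment.items())
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def poam_items(assessment: dict) -> list:
    """Requirements that need a POA&M entry, highest point value first."""
    open_items = [(r, deduction(r, s)) for r, s in assessment.items() if s in ("not_met", "partial")]
    return sorted(open_items, key=lambda item: (-item[1], item[0]))


# Constructed assessment of a typical small contractor: MFA only on VPN and admin
# accounts, encryption in place but not FIPS-validated, no central logging.
SAMPLE_ASSESSMENT = {
    "3.1.1": "met", "3.1.2": "met", "3.1.20": "not_met", "3.3.1": "not_met",
    "3.5.3": "partial", "3.13.11": "partial", "3.14.1": "met", "3.8.3": "not_met",
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_ASSESSMENT))   # 97 with this subset
    for req, pts in poam_items(SAMPLE_ASSESSMENT):
        print(f"  POA&M {req}: {pts} point(s)")
```

The POA&M ordering is the useful part: the two 5-point items (central logging, then finishing MFA and FIPS) move the score far more than the 1-point items, which is where remediation budget should go first.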
CUI (Controlled Unclassified Information)

Federal information that isn't classified, but still requires protection — things like export-controlled technical data, law enforcement sensitive information, defense procurement data, or privacy-protected federal records. If your business receives or handles information marked CUI, you're subject to NIST 800-171 and CMMC requirements. Many small contractors don't realize they're handling CUI until an assessor tells them — check your contracts and the documents you receive from federal agencies carefully.

Category of federal information established by EO 13556 and 32 CFR Part 2002 (the NARA CUI Program) requiring safeguarding per law, regulation, or government-wide policy, but not meeting the criteria for classified information. The CUI Registry (cui.gov) defines roughly 125 categories across 20 organizational groupings, split into CUI Basic (standard safeguarding) and CUI Specified (additional restrictions set by the governing authority, e.g., ITAR, HIPAA, FTI). Defense-related CUI categories: Defense Procurement, DoD Critical Infrastructure, Export Controlled (EAR/ITAR), Naval Nuclear Propulsion, Systems and Plans. Handling requirements: marking ("CUI" or "CUI//[Category]" in the document header/footer), storage (FIPS 140-2/3 validated encryption), transmission (encryption in transit), destruction (media sanitization per NIST SP 800-88), and incident reporting (cyber incidents affecting CUI reported to DoD through DIBNet within 72 hours under DFARS 252.204-7012). CUI marking is usually the first clue to CMMC applicability: if documents you receive are marked CUI or contain ITAR/export-controlled data, Level 2 obligations apply.

Think of it as: government information that's too sensitive to share freely but not officially "classified", and it still comes with real security requirements
CUI identification: look for the marking in the header/footer of documents received from DoD agencies or primes; ITAR/EAR technical data is CUI by definition even when not explicitly marked
Cloud & Infrastructure
SaaS / IaaS / PaaS (Cloud Service Models)

The three main ways cloud services are sold. SaaS (Software as a Service) is software you access over the internet without installing anything — Microsoft 365, Salesforce, QuickBooks Online. IaaS (Infrastructure as a Service) is rented computing infrastructure — servers, storage, and networking in the cloud that you configure yourself; AWS EC2 and Azure VMs are examples. PaaS (Platform as a Service) is a development platform in the cloud where developers build and deploy applications without managing the underlying infrastructure. Most business owners only deal with SaaS directly.

Cloud service model taxonomy (NIST SP 800-145). SaaS: multi-tenant application delivered via browser/API; the vendor manages infrastructure, platform, runtime, middleware, OS, and application, and the customer configures application settings and manages data. Security responsibility: the customer owns data classification, access control, and user provisioning; the vendor owns everything below. IaaS: the vendor provides virtualized compute (VMs), storage (block/object), and network as API-provisioned resources; the customer manages OS, middleware, runtime, and application stack. Examples: AWS EC2/EBS/S3, Azure VM/Managed Disks, Google Compute Engine. PaaS: the vendor manages infrastructure, OS, and runtime; the customer deploys application code and manages data. Examples: AWS Elastic Beanstalk and Lambda (the latter at the function-as-a-service end of the spectrum), Azure App Service, Google App Engine. Shared Responsibility Model: security obligations shift significantly between service models; IaaS customers own more of the security stack than SaaS customers, and knowing where vendor responsibility ends and yours begins is critical for both compliance and incident response.

Think of it as: SaaS = renting the whole car and just driving; IaaS = renting a parking spot and building your own car; PaaS = renting the workshop and tools to build your car
Shared responsibility implication: SaaS customers are still responsible for data, access control, and user behavior; your Microsoft 365 data is yours to back up and retain, even though Microsoft hosts it
FedRAMP (Federal Risk and Authorization Management Program)

The federal government's authorization process for cloud services used by government agencies. A FedRAMP-authorized cloud product has been independently verified to meet federal security standards. For government contractors who handle CUI, the cloud services that store it must be FedRAMP Moderate authorized (or equivalent). Authorization is granted per service and per authorization boundary, not per brand, so check the FedRAMP Marketplace rather than assuming a product qualifies; for Microsoft 365, Microsoft offers its DoD contract (DFARS 7012) commitments on GCC and GCC High rather than the standard commercial plans. When your IT provider recommends Microsoft 365 GCC High or a FedRAMP-authorized backup solution, this is why.

Government-wide program (established by OMB policy memorandum in 2011 and codified by the FedRAMP Authorization Act of 2022) that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP authorization levels mirror the FIPS 199 / NIST SP 800-53 impact levels: Low, Moderate, and High, based on the confidentiality, integrity, and availability impact of the information hosted. FedRAMP Moderate is required for most federal agency SaaS procurement; FedRAMP High is required for data where a compromise would have severe or catastrophic consequences. For DoD CMMC purposes: CUI in cloud environments must be hosted in FedRAMP Moderate (or equivalent) authorized services per DFARS 252.204-7012; for Microsoft workloads that means GCC (FedRAMP Moderate, DoD IL2) or GCC High (FedRAMP High on Azure Government, DoD IL4/IL5). The FedRAMP Marketplace (marketplace.fedramp.gov) lists all authorized products and their authorization boundaries; verify before procurement.

Think of it as: the government's stamp of approval that a cloud service is secure enough to store federal information
GCC vs GCC High: GCC (FedRAMP Moderate, DoD IL2) satisfies most CUI/CMMC L2 requirements; GCC High (FedRAMP High, DoD IL4/IL5, on Azure Government and separated from the commercial cloud) is required for export-controlled (ITAR/EAR) data, contracts that specify IL4/IL5, and certain DCSA-regulated programs
M365 GCC (Microsoft 365 Government Community Cloud)

A version of Microsoft 365 for US government agencies and the contractors that handle federal information for them. Standard commercial M365 plans (Business Basic, Business Standard, Business Premium) are not where Microsoft offers its DoD contract (DFARS 7012) commitments, so they are not an acceptable home for Controlled Unclassified Information (CUI). If you hold DoD contracts and use regular M365 for business email and files, you are likely non-compliant. Migrating to GCC or GCC High is required and non-trivial: it means moving all users, data, and configurations to a separate, US-only tenant.

Microsoft 365 Government Community Cloud is a logically separated tenant environment hosted in US-only datacenters, operated by screened US persons, and authorized at FedRAMP Moderate. GCC is distinct from commercial M365: separate Azure Active Directory (now Entra ID), separate SharePoint/OneDrive/Exchange data stores, and a subset of commercial M365 features (commercial features not yet authorized are unavailable in GCC). GCC High is a further-isolated environment built on Azure Government infrastructure, authorized at FedRAMP High and DoD Impact Levels IL4 and IL5, and supporting ITAR/EAR-controlled data; it is required for aerospace/defense contractors handling export-controlled technical data. Migration path: tenant-to-tenant migration with third-party tooling (BitTitan MigrationWiz, Quest On Demand Migration); a commercial tenant cannot be upgraded in place to GCC. Licensing: GCC plans are priced at or near commercial parity; GCC High carries a substantial premium and requires Microsoft to validate your eligibility before it will sell you a tenant.

Think of it as: a government-grade version of Microsoft 365, required if you handle federal contract information; it is a different environment, not an upgrade
CUI storage determination: if email or SharePoint contains documents marked CUI or containing ITAR/EAR-controlled data, commercial M365 is non-compliant regardless of other controls; migration to GCC/GCC High is required before the CMMC assessment
CASB (Cloud Access Security Broker)

Security software that acts as an intermediary between your users and cloud applications, enforcing security policies — blocking unauthorized cloud storage services, preventing sensitive data from being uploaded to personal cloud accounts, monitoring cloud app usage, and detecting compromised cloud accounts. Relevant once you have a significant number of employees using SaaS applications and you want to prevent data from ending up in the wrong place.

Security enforcement point between enterprise users and cloud service providers, providing visibility and control over cloud application usage, data movement, and threat activity. CASB capabilities: discovery and risk scoring of shadow IT (unsanctioned SaaS usage), DLP (data loss prevention) policies for cloud uploads/downloads/shares, malware scanning of cloud-stored files, UEBA for cloud application activity, and access control for sanctioned applications. Deployment modes: API-based (post-inspection of cloud storage contents, retroactive DLP — no user-path interception), proxy-based (forward proxy or reverse proxy for real-time traffic inspection — requires agent or PAC file). Major platforms: Microsoft Defender for Cloud Apps (formerly MCAS — native integration with M365 GCC), Netskope, Zscaler CASB. Addresses the specific attack pattern of credential-compromised accounts exfiltrating data to attacker-controlled cloud storage — CASB detects anomalous upload volume/destination.

Think of it as: a security guard at the door to every cloud application, checking what goes in and what comes out
M365 customers: Microsoft Defender for Cloud Apps ships with M365 E5 and the E5 Security add-on (Business Premium includes Defender for Business, not the full CASB) and covers M365 plus third-party SaaS; enable what you already license before buying a standalone CASB
DLP (Data Loss Prevention)

Technology that automatically detects and blocks sensitive data from leaving your organization in ways it shouldn't: employees emailing customer credit card numbers, uploading patient records to personal Dropbox, copying confidential files to a USB drive. DLP enforces data security policies automatically, at scale, without relying on every employee to make the right decision every time. It is commonly expected evidence in HIPAA, PCI DSS, and SOC 2 programs, even where no rule names it outright.

Security control that classifies data by sensitivity and enforces handling policies across channels: email, cloud storage, endpoint (USB/clipboard), web upload, and print. DLP classification engines use regular expressions with validation (Luhn checks for card numbers, issuance rules for SSNs), exact data matching (EDM) for structured data (SSNs, credit card numbers, account numbers), machine-learning document classifiers, and sensitivity labels (Microsoft Purview, Google DLP). Enforcement modes: audit (log only), notify (warn the user before the action), block (prevent the action), quarantine (hold for admin review). DLP deployment challenges: false-positive management (overly aggressive policies break legitimate workflows), user education (blocked actions must explain why and offer alternatives), and classifier tuning for organization-specific sensitive data. Microsoft Purview DLP for Exchange, SharePoint, OneDrive, and Teams is included in M365 Business Premium and E3; Endpoint DLP (USB, clipboard, print) requires E5 or the E5 Compliance add-on. Integration with CASB extends DLP to cloud egress alongside endpoint DLP.

Think of it as: an automatic filter that stops sensitive data from leaving through the wrong channels, whether or not it was intentional
M365 customers: Purview DLP plus sensitivity labels (included in Business Premium/E3+) covers email/SharePoint/OneDrive/Teams; endpoint DLP needs E5. Enable what you already license before buying standalone DLP tools, and start with credit card and SSN patterns in audit mode to build confidence before adding custom classifiers or switching to block
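The DLP entry above describes the building blocks (patterns, validation to cut false positives, per-channel thresholds, and the audit/notify/block/quarantine modes) without showing how they fit together. The following is an added example of a small classifier and policy engine built on those blocks; it is not SerenIT's page code and not Microsoft Purview. The channel names, the policy table, the sample messages, and the Luhn and SSN plausibility filters are all constructed for this example.

```python
"""Added example (not SerenIT's code and not Microsoft Purview): a small DLP
classifier and policy engine of the kind the DLP entry describes.

Constructed for this example: the channel names, the policy table, the Luhn and
SSN plausibility filters used to cut false positives, and the sample messages.
"""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in longer digit runs.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the canonical 3-2-4 layout.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit: rejects most invoice/PO numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Drop numbers the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_cards(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return [m.group() for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]


@dataclass(frozen=True)
class Policy:
    name: str
    channel: str         # "email", "cloud_upload", "usb", or "*" for any channel
    data_type: str       # "card", "ssn" or "any"
    threshold: int       # matches needed to trigger
    mode: str            # audit | notify | block | quarantine
    external_only: bool  # only fires when the destination is outside the org


# Constructed policy table; SEVERITY decides which mode wins when several fire.
POLICIES = (
    Policy("pci-card-external-email", "email", "card", 1, "block", True),
    Policy("pii-ssn-external-email", "email", "ssn", 1, "notify", True),
    Policy("bulk-sensitive-cloud-upload", "cloud_upload", "any", 10, "quarantine", False),
    Policy("audit-any-sensitive", "*", "any", 1, "audit", False),
)
SEVERITY = {"audit": 0, "notify": 1, "block": 2, "quarantine": 3}


def evaluate(text: str, channel: str, external: bool) -> dict:
    """Classify the content, apply every matching policy, return the strictest action."""
    counts = {"card": len(find_cards(text)), "ssn": len(find_ssns(text))}
    counts["any"] = counts["card"] + counts["ssn"]
    triggered = [
        p for p in POLICIES
        if p.channel in (channel, "*")
        and (external or not p.external_only)
        and counts[p.data_type] >= p.threshold
    ]
    mode = max((p.mode for p in triggered), key=SEVERITY.__getitem__, default="allow")
    return {"mode": mode, "matches": counts, "policies": [p.name for p in triggered]}


# Constructed sample traffic.
INVOICE_EMAIL = "Invoice 1234-5678-9012-3456 is overdue; please remit against PO 9876."  # card-shaped, fails Luhn
CARD_EMAIL = "Customer card 4111 1111 1111 1111 exp 09/27, please charge the balance."
PAYROLL_EMAIL = "Employee SSN 123-45-6789 added to payroll for onboarding."
BULK_UPLOAD = "\n".join(f"{100 + i:03d}-{10 + i:02d}-{1000 + i:04d}" for i in range(12))

if __name__ == "__main__":
    print(evaluate(INVOICE_EMAIL, "email", external=True)["mode"])      # allow
    print(evaluate(CARD_EMAIL, "email", external=True)["mode"])         # block
    print(evaluate(PAYROLL_EMAIL, "email", external=False)["mode"])     # audit
    print(evaluate(BULK_UPLOAD, "cloud_upload", external=True)["mode"])  # quarantine
```

Two design points carry over to any real deployment: validation (Luhn, SSN issuance rules) is what keeps the invoice number above from becoming a blocked email and an angry accounts team, and the catch-all audit policy means every true match is logged even when no blocking policy applies, which is the data you need to tune thresholds before turning on block.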
IT Management & Recovery
RMM (Remote Monitoring & Management)

Software that lets your IT provider monitor and manage all of your computers and servers remotely — without physically coming to your office. Installs security updates, checks system health, deploys software, runs scripts, and flags problems before they become outages. The core tool every managed IT provider uses to actually do their job. If your IT company isn't using an RMM, they're flying blind.

Agent-based platform deployed on managed endpoints and servers that provides persistent remote access, real-time telemetry, automated patch management, policy enforcement, script execution (PowerShell, Bash), and alerting. Core capabilities: OS and third-party patch management, hardware/software inventory, performance monitoring (CPU, memory, disk, network), remote shell/desktop access, software deployment, and policy-based automation. MSPs use RMM as the central management plane; all other tooling (AV, EDR, backup) is typically deployed and monitored through it. Leading platforms: NinjaOne (formerly NinjaRMM), ConnectWise Automate, Datto RMM, N-able N-central. Security concern: RMM agents run as SYSTEM (or root) and execute whatever the MSP's console sends them, so a compromised MSP RMM has the blast radius of every client simultaneously (see the Kaseya VSA ransomware incident of July 2021, in which a vulnerability in on-premises VSA servers was used to push ransomware to managed endpoints through the agent).

Think of it as: a remote control for every device in your office
Security note: validate your MSP's RMM MFA, IP allowlisting, role-based access and script-approval controls, and ask how they would detect their own RMM pushing something malicious; RMM compromise equals simultaneous breach of all managed clients
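The entry above makes the point that a compromised RMM reaches every managed endpoint at once; the detection that follows from it is to watch for the RMM agent doing things a patch job never does, on many hosts in a short window. The following is an added example of that logic run over constructed process-creation events; it is not SerenIT's code and not from any RMM vendor. The agent executable names, the event format, the timestamps, and the encoded command line are all assumptions made for the example.

```python
"""Added example (not SerenIT's code, not from any RMM vendor): flag an RMM agent
spawning encoded or hidden shells, and the same command fanning out across the
fleet within minutes, which is the shape of an RMM compromise.

Assumptions: RMM_AGENTS lists agent executable names chosen for illustration;
SAMPLE_LOG is a constructed pipe-delimited process-creation feed
(timestamp|host|parent image|child image|command line).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class ProcEvent(NamedTuple):
    ts: datetime
    host: str
    parent: str    # parent image basename, lower-case
    image: str     # child image basename, lower-case
    cmdline: str


RMM_AGENTS = {"agentmon.exe", "ninjarmmagent.exe", "ltsvc.exe"}   # assumed names
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand followed by base64.
ENCODED_PS = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")
HIDDEN_PS = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden")


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(log: str) -> list:
    """Parse the constructed feed into ProcEvents sorted by time."""
    events = []
    for line in log.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, basename(parent),
                                basename(image), cmdline.strip()))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list, fanout_hosts: int = 3, window: timedelta = timedelta(minutes=10)) -> dict:
    """Two rules: RMM agent -> encoded/hidden shell, and RMM agent fan-out of one command."""
    alerts = {"rmm_encoded_shell": [], "rmm_fleet_fanout": []}
    by_cmd = defaultdict(list)
    for e in events:
        if e.parent not in RMM_AGENTS:
            continue
        if e.image in SHELLS and (ENCODED_PS.search(e.cmdline) or HIDDEN_PS.search(e.cmdline)):
            alerts["rmm_encoded_shell"].append(e.host)
        by_cmd[" ".join(e.cmdline.lower().split())].append(e)   # normalise whitespace/case
    for cmd, evs in by_cmd.items():                              # sliding window per command line
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            hosts = {x.host for x in evs[start:end + 1]}
            if len(hosts) >= fanout_hosts:
                alerts["rmm_fleet_fanout"].append({"cmdline": cmd, "hosts": sorted(hosts)})
                break
    return alerts


# Constructed sample feed: three hosts get the same hidden, encoded PowerShell from the
# agent within nine seconds; one host gets a legitimate patch script; one user launches
# an encoded PowerShell from Explorer (not the RMM's doing, so out of scope here).
SAMPLE_LOG = r"""
2021-07-02T14:02:11|HOST-01|C:\Program Files\RMM\AgentMon.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA
2021-07-02T14:02:13|HOST-02|C:\Program Files\RMM\AgentMon.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA
2021-07-02T14:02:20|HOST-03|C:\Program Files\RMM\AgentMon.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA
2021-07-02T13:00:05|HOST-04|C:\Program Files\RMM\AgentMon.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\RMM\patch.ps1
2021-07-02T14:05:40|HOST-02|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA
"""

if __name__ == "__main__":
    for rule, hits in detect(parse_events(SAMPLE_LOG)).items():
        print(rule, hits)
```

The fan-out rule is the one worth tuning against your own RMM's behaviour: a scheduled patch run also hits many hosts at once, so in practice you whitelist the command lines your MSP's approved scripts produce and alert on anything else that fans out, which is exactly the script-approval control the security note asks your MSP about.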
BDR (Backup & Disaster Recovery)

A system that not only backs up your data but has a tested plan to get your business running again after a major failure — ransomware, hardware crash, fire, flood, or anything else catastrophic. "Backup" means your data is copied. "Disaster recovery" means you've actually tested getting it back and know how long it takes. Most businesses have the former without the latter.

Integrated data protection and recovery platform combining scheduled backup jobs with documented, tested recovery procedures. Technical components: backup agent (image-based or file-level), deduplication and compression, encrypted transmission to immutable cloud storage and/or an offsite appliance, and recovery orchestration. Key architectural requirement: the 3-2-1 rule (3 copies of data, on 2 different media types, with 1 offsite), extended in current practice to 3-2-1-1-0: one copy immutable or offline, and zero errors on the last restore test. Ransomware resilience requires immutable backups (WORM storage, object lock) that compromised credentials cannot encrypt or delete. Critical gap in most SMB implementations: backups exist but restores are never tested, so the actual RTO/RPO are unknown until the incident. Platforms: Datto BCDR, Veeam, Acronis, Axcient. Test restores quarterly at minimum and document the procedure.

Think of it as: a backup generator, only useful if you've tested it before the outage
Ransomware resilience requirement: immutable (WORM) backup storage plus an air-gapped or offline copy; encrypted backups that fail to restore are not backups
NOC (Network Operations Center)

A team (or facility) that monitors IT infrastructure around the clock — servers, networks, internet connections, applications — and responds to performance issues and outages. NOC is focused on keeping systems available and running, not specifically on security threats. Many MSPs have or contract a NOC to provide 24/7 infrastructure monitoring for their clients. When your IT provider says they have "24/7 NOC coverage," it typically means someone is watching your systems at 2am and will alert you to an outage.

Centralized operations team providing 24/7 monitoring, incident response, and management of IT infrastructure. NOC responsibilities: network performance monitoring (bandwidth, latency, packet loss), server health monitoring (CPU, memory, disk, process alerts), event correlation and triage, incident escalation per defined runbooks, patch deployment coordination, and change management during maintenance windows. NOC tooling: RMM platforms (NinjaOne, N-central), network monitoring (PRTG, SolarWinds, Auvik), ITSM ticketing (ConnectWise PSA, ServiceNow). Distinction from SOC: the NOC monitors for availability and performance; the SOC monitors for security threats. Many MSPs outsource NOC to white-label providers (for example ConnectWise NOC Services, formerly Continuum); ask your MSP whether their NOC is in-house or outsourced and what SLAs govern escalation.

Think of it as: air traffic control for your IT environment; someone watching all the screens so you don't have to
NOC vs. SOC: NOC = uptime/performance; SOC = security/threat response. Most SMB MSPs have NOC coverage but few have a true 24/7 SOC; MDR fills the security gap
SOC (Security Operations Center)

A team dedicated specifically to detecting, investigating, and responding to cybersecurity threats — 24/7. Different from a NOC (which focuses on uptime) — a SOC focuses on attacks. For most small and mid-size businesses, running an internal SOC is prohibitively expensive. MDR (Managed Detection and Response) services are effectively outsourced SOC coverage — analysts at the MDR provider's SOC watch your environment for you.

Dedicated security function providing continuous threat monitoring, detection, investigation, and incident response. SOC operations: continuous SIEM/EDR/XDR alert monitoring, threat hunting, incident triage and investigation, containment and remediation, threat intelligence operationalization, and post-incident review. SOC tiers: L1 (alert triage, initial investigation, escalation), L2 (deeper analysis, malware reverse engineering, threat hunting), L3 (advanced threat hunting, red team, intelligence). Internal SOC cost: $500K–$1M+/year for 24/7 coverage (staffing, tooling, SIEM licensing). SMB alternative: MDR services provide L1/L2 SOC capability as a managed service for $15–$40/endpoint/month — dramatically lower cost than internal SOC. Evaluation criteria for MDR/SOC providers: MTTD, MTTR, alert fidelity (false positive rate), threat hunting frequency, and incident response SLA.

Think of it as: a 24/7 security team whose entire job is watching for and stopping cyberattacks
Build vs. buy: an internal SOC needs $500K+/year and 18+ months to operationalize; MDR delivers L1/L2 coverage in roughly 30 days for a small fraction of that (single-digit percent of the cost at a typical SMB endpoint count); virtually no SMB can justify building in-house
PSA (Professional Services Automation)

The business management software that MSPs use internally to run their operations: ticketing system, time tracking, invoicing, contract management, project management, and customer communication. ConnectWise PSA (formerly ConnectWise Manage), Datto Autotask, and HaloPSA are common PSA platforms. Relevant to you as a client because the PSA is where your tickets live; it's how your MSP tracks and responds to your requests. If you've ever used a client portal to check on a ticket, you were accessing the MSP's PSA.

Business management platform for IT service organizations integrating: service desk (ticket lifecycle management, SLA tracking, escalation workflows), time and materials tracking (billable vs. non-billable labor capture, project time reporting), contract management (agreement tracking, recurring billing, per-seat pricing automation), project management (Gantt, resource allocation), procurement/quoting, and customer communication. PSA integrates bidirectionally with RMM — alerts from RMM auto-generate PSA tickets; technician time logged in PSA populates billing. Major platforms: ConnectWise Manage, Datto Autotask, HaloPSA, Syncro. Evaluation indicator: PSAs with robust SLA reporting (automated breach notifications, time-in-status tracking) enable data-driven accountability — request SLA performance exports from your MSP monthly.

Think of it as: the software your IT company uses to manage everything, including your tickets and their billing
Client value: ask your MSP for a monthly report exported from their PSA (ticket volume, time-to-response, resolution time, SLA breach count); these are objective accountability metrics, not subjective assessments
RTO (Recovery Time Objective)

How long your business can afford to be completely offline after a disaster before it becomes a serious financial or operational problem. Your IT provider's BDR solution should be designed to meet your RTO. If your RTO is "4 hours" and your backup takes 48 hours to restore, you have a planning problem. Ask your IT provider what your RTO is — if they can't answer, that's a red flag.

Maximum tolerable downtime metric that defines the upper bound for system/service restoration after a disaster event. Expressed in hours or minutes; informs infrastructure investment decisions (warm standby vs. cold standby vs. active-active). RTO drives BDR platform selection: image-based backup with instant VM boot (Datto BCDR, Axcient) achieves RTOs of minutes by running workloads directly from backup appliance while full restore completes. File-level backup to cloud with no recovery orchestration may have RTOs measured in days. RTO is determined by business impact analysis (BIA) — not by IT — and must be validated by actual recovery tests. Untested RTO assumptions are the primary cause of recovery failure.

Think of it as: the deadline for getting back online
Implementation: an RTO under 4 hours typically requires an instant-boot BDR appliance or cloud DR orchestration; file-level backup alone cannot meet it
RPO (Recovery Point Objective)

How much data your business can afford to lose in a disaster, measured in time. If your backups run nightly and your RPO is "24 hours," you could lose an entire day of work. If that's unacceptable, you need more frequent backups. RPO and RTO are the two questions every business should have answered before a disaster happens — not after.

Maximum acceptable data loss metric, expressed as the age of the most recent recoverable data point relative to the failure event. RPO directly determines backup frequency: an RPO of 1 hour requires hourly snapshots or continuous replication; an RPO of 24 hours allows nightly backup jobs. In practice RPO is constrained by the rate of change of the data and by the performance impact and cost of frequent snapshot intervals. Sub-hour RPOs typically require either application-aware snapshot agents integrated with the database (VSS writers for SQL Server/Exchange) or continuous data protection (CDP). RPO is distinct from retention (how long restore points are kept): a tighter RPO combined with long retention multiplies the number of restore points held, and storage cost with it. Determine the business-defined RPO per application tier, not globally, and verify it from the backup catalog: a nightly job that silently failed turns a 24-hour RPO into 48 hours.

Think of it as: how far back in time you're willing to roll back
Per-application RPO: tier critical apps (ERP, SQL) for sub-hour RPO via CDP; tier email/file shares for 4–24 hr RPO via snapshot. One RPO for the whole environment is a planning failure
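The BDR, RTO and RPO entries above all land on the same check: score a real restore test against per-application targets, treating a restore that fails validation as no restore at all and an untested application as an unknown. The following is an added example of that scoring; it is not SerenIT's code and not from any BDR vendor, and the tier table, timestamps and test outcomes are constructed for illustration.

```python
"""Added example (not from SerenIT or any BDR vendor): scoring a restore test
against per-application RTO/RPO targets.

Rules, taken from the entries above: achieved RPO is the age of the newest
restore point older than the incident; achieved RTO is the time from incident
to a validated working system; a restore that fails validation meets no RTO;
an application that was never tested has unknown RTO/RPO and is scored as a
failure. Everything else (tiers, timestamps, outcomes) is constructed.
"""
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class Tier(NamedTuple):
    app: str
    rpo: timedelta   # maximum tolerable data loss
    rto: timedelta   # maximum tolerable downtime


class RestoreTest(NamedTuple):
    app: str
    incident: datetime          # simulated failure time
    restore_points: list        # timestamps of the backups that actually exist
    restore_finished: datetime  # when the restored system passed (or failed) validation
    restore_ok: bool            # did the restored system pass validation?


def achieved_rpo(incident: datetime, restore_points: list) -> Optional[timedelta]:
    """Data loss you would actually suffer: age of the newest usable restore point."""
    usable = [p for p in restore_points if p <= incident]
    return incident - max(usable) if usable else None


def evaluate(tiers: dict, tests: list) -> dict:
    """Per-application pass/fail against the tier targets; untested apps fail."""
    results = {}
    for t in tests:
        tier = tiers[t.app]
        rpo_actual = achieved_rpo(t.incident, t.restore_points)
        rto_actual = t.restore_finished - t.incident
        rpo_met = rpo_actual is not None and rpo_actual <= tier.rpo
        rto_met = t.restore_ok and rto_actual <= tier.rto     # a corrupt restore meets no RTO
        results[t.app] = {
            "tested": True, "restore_ok": t.restore_ok,
            "rpo_target": tier.rpo, "rpo_actual": rpo_actual, "rpo_met": rpo_met,
            "rto_target": tier.rto, "rto_actual": rto_actual, "rto_met": rto_met,
            "overall": rpo_met and rto_met,
        }
    for app in tiers:
        if app not in results:                                 # unknown RTO/RPO counts as failure
            results[app] = {"tested": False, "overall": False}
    return results


def at(hours: int, minutes: int = 0) -> datetime:
    """Clock time on the constructed test day."""
    return datetime(2025, 3, 10) + timedelta(hours=hours, minutes=minutes)


# Constructed tier table and restore-test results.
TIERS = {
    "ERP":       Tier("ERP", timedelta(minutes=15), timedelta(hours=1)),
    "FileShare": Tier("FileShare", timedelta(hours=24), timedelta(hours=8)),
    "Email":     Tier("Email", timedelta(hours=4), timedelta(hours=4)),
    "LegacyDB":  Tier("LegacyDB", timedelta(hours=24), timedelta(hours=8)),
    "CRM":       Tier("CRM", timedelta(hours=4), timedelta(hours=4)),   # never tested
}
TESTS = [
    RestoreTest("ERP", at(10, 7), [at(9, 55), at(10, 0), at(10, 5)], at(10, 32), True),  # CDP, instant boot
    RestoreTest("FileShare", at(16, 30), [at(1, 0)], at(27, 30), True),                 # nightly, slow file restore
    RestoreTest("Email", at(13, 15), [at(4, 0), at(8, 0)], at(15, 15), True),            # 12:00 backup job failed
    RestoreTest("LegacyDB", at(14, 0), [at(1, 0)], at(15, 0), False),                   # restored fast, but corrupt
]

if __name__ == "__main__":
    for app, r in evaluate(TIERS, TESTS).items():
        print(f"{app:10s} {'PASS' if r['overall'] else 'FAIL'}  {r}")
```

Note what each failure teaches: FileShare has plenty of restore points but the restore itself is too slow (an RTO problem solved by platform, not schedule); Email had the right schedule but a silently failed job (an RPO problem solved by monitoring the catalog); LegacyDB restored quickly to something unusable (the "encrypted backups that fail to restore are not backups" case); CRM simply was never tested.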
Pricing & Contracts
MSP (Managed Service Provider)

A company that manages your IT infrastructure and end-user systems under a proactive, ongoing contract. The key word is "managed" — meaning they're monitoring, maintaining, and improving your systems continuously, not just showing up when something breaks. MSPs charge a predictable monthly fee (usually per user or per device). The alternative is break-fix IT, where you pay only when things go wrong — but that model incentivizes the opposite of prevention.

IT service delivery model in which an external provider assumes ongoing operational responsibility for defined IT functions under a contract with documented SLAs and pricing. Core MSP services: RMM (endpoint monitoring/management), patch management, help desk, backup management, security tooling deployment/monitoring, and vendor management. Differentiation from break-fix: MSP incentive structure is aligned with stability (lower incident volume = higher margin); break-fix incentive structure rewards incidents. MSP tiering: Tier 1 (basic help desk and monitoring; limited proactive security); Tier 2 (includes security stack, vCISO advisory, compliance support); Tier 3 (full SOC/MDR integration, compliance program management). MSP size implications: very small MSPs (<10 staff) typically lack 24/7 coverage and specialized security depth; very large MSPs may lack client-specific attention and responsiveness. Industry consolidation accelerating: PE-backed MSP rollups (Ntiva, Agio, Resultant) — ask about ownership and support tier access post-acquisition.

Think of it as: outsourced IT with a monthly subscription; proactive management, not just break-fix repair
Evaluation differentiator: ask what percentage of client tickets are proactive (generated by MSP monitoring) vs. reactive (reported by the client); a well-run MSP should be catching more problems than you are
MSSP (Managed Security Service Provider)

Like an MSP, but focused specifically on cybersecurity services rather than general IT management. An MSSP typically provides security monitoring, SIEM management, vulnerability management, compliance reporting, and incident response — often without touching the general IT helpdesk or patch management work that an MSP handles. Some businesses use both an MSP for day-to-day IT and an MSSP for security oversight. Others use an MSP that has integrated MSSP capabilities (essentially MDR).

Specialized managed services provider delivering outsourced security operations: SIEM management and alert response, firewall/IDS management, vulnerability scanning and reporting, threat intelligence feeds, dark web monitoring, compliance reporting (HIPAA, PCI, SOC 2 evidence collection), and incident response retainer. MSSP historically differentiated from MDR by delivery model: MSSP = alert forwarding and reporting to client security team; MDR = hands-on investigation and containment by provider analysts. Modern usage blurs this distinction as MSSPs add MDR capabilities. Procurement consideration: MSSP contracts often bundle tool licensing with managed service — evaluate total cost vs. MSP + standalone MDR. Conflict of interest risk: MSSPs that also sell remediation services (IR engagements billed T&M) may have marginal incentive to delay containment — assess contract structure for misaligned incentives.

Think of it as: an MSP that handles only the security piece — monitoring, alerts, and compliance — not the general IT help desk

MSSP vs. MDR distinction is eroding: evaluate by outcome-based SLAs (MTTD/MTTR) rather than label; a provider with contractual incident response obligations and defined containment SLAs is more valuable than one that just delivers alerts
AYCE: All-You-Can-Eat

An MSP pricing model where you pay one flat monthly fee per user that covers everything: help desk support, monitoring, patching, security tools, and labor — regardless of how much you use. Predictable budgeting, no surprise invoices. Often the best fit for businesses that generate a lot of IT tickets or want a simple fixed cost.

Per-seat, all-inclusive managed services pricing model in which a flat monthly rate covers the full scope of managed services: RMM, patch management, EDR/MDR, backup monitoring, help desk labor (all incidents and service requests), and vendor management. From the MSP's perspective, AYCE inverts the usual incentive: provider profitability improves when the environment is stable and ticket volume is low, which rewards proactive maintenance and standardization. Client benefit: fully predictable IT cost line, no variable labor exposure. Contract scope definition is critical: AYCE agreements must explicitly define what's included (endpoints only? servers? network devices? onsite visits?) to prevent scope disputes. Typical range: $100–$200/seat/month for full-stack SMB coverage.

Think of it as: an all-inclusive resort — one price, everything included

MSP profitability model: lower ticket volume = higher margin, creating incentive for proactive remediation over reactive support — align with clients who value stability over constant firefighting
T&M: Time & Materials

An MSP pricing model where your monthly cost covers the security and management tooling (RMM, MDR, etc.) required to properly manage your environment, and labor is billed separately at an hourly rate only when work is actually performed. Can be significantly more cost-effective for leaner businesses that don't need constant support. Less predictable month-to-month, but you only pay for what you use.

MSP engagement model in which platform costs (RMM licensing, EDR/MDR, backup tooling) are charged as a fixed monthly fee reflecting actual vendor pass-through costs, while labor is billed at a defined hourly rate (or block-hour retainer) upon consumption. T&M aligns MSP revenue directly with work performed — no smoothing mechanism, no utilization risk for the provider. Client exposure: unpredictable monthly invoice driven by incident frequency and project scope. Common structure: $X/endpoint/month for tooling stack + $Y/hour for labor (typically $125–$200/hr for SMB MSPs). Advantages for lean environments: no paying for unused help desk capacity in months with zero tickets. Disadvantages: no cost ceiling; major incidents generate large invoices at the moment of highest financial stress. DCG Technical Solutions LLC uses this model.

Think of it as: a gym membership plus paying per personal training session

Budget modeling: T&M requires tracking labor utilization history to forecast — request trailing 12-month labor reports from your MSP to establish a baseline before budgeting
SLA: Service Level Agreement

The contract that defines what your IT provider is actually committing to: response times, resolution times, support hours, uptime guarantees, and what happens if they miss those targets. An SLA without financial penalties for missed commitments is a wish list, not a contract. Always ask to see the SLA before signing with any provider.

Contractual document specifying measurable service commitments between MSP and client, including: initial response time SLAs by ticket priority tier (P1 critical: 15–30 min; P2 high: 1–4 hr; P3 normal: next business day), resolution time targets, supported hours (business hours vs. 24/7), escalation procedures, excluded scopes (out-of-warranty hardware, third-party vendor delays), and remedies for SLA breach (service credits, termination rights). Key evaluation criteria: (1) how priority tiers are defined — client-reported priority vs. MSP-determined creates disputes; (2) whether "response" means acknowledgment or the start of active work; (3) financial remedy magnitude — service credits of 1 month's fees against a 3-year contract are not meaningful recourse. Enforcement: require monthly SLA performance reports with ticket-level data, not summary claims.

Think of it as: the fine print that determines whether you have real recourse or not

Negotiation point: define "response" as assignment to an active engineer, not ticket acknowledgment — the gap between these definitions is where SLA disputes originate
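As an added example (not part of the original glossary) that ties together two of the checks above, the MSP entry's proactive-vs-reactive ticket ratio and the SLA entry's "acknowledgment vs. engineer assignment" gap, here is a small Python script that scores a ticket-level export both ways. The column names, the sample rows and the 24-hour approximation of "next business day" are assumptions for illustration.

```python
# Added illustration (not from the page): score an MSP's ticket-level
# export against SLA response targets two ways. Column names and sample
# rows are constructed; P3 "next business day" is approximated as 24 h.
import csv
import io
from datetime import datetime, timedelta

# Upper bound of the initial-response range quoted for each priority tier.
RESPONSE_TARGET = {"P1": timedelta(minutes=30),
                   "P2": timedelta(hours=4),
                   "P3": timedelta(hours=24)}  # assumption, see above

# Constructed sample export. 'acknowledged' = auto-reply timestamp;
# 'assigned' = an engineer actually started working the ticket.
SAMPLE_EXPORT = """\
id,priority,source,created,acknowledged,assigned
T-1001,P1,client,2024-03-04 09:00,2024-03-04 09:02,2024-03-04 09:20
T-1002,P1,client,2024-03-04 14:10,2024-03-04 14:11,2024-03-04 15:05
T-1003,P2,monitoring,2024-03-05 08:30,2024-03-05 08:30,2024-03-05 10:00
T-1004,P2,client,2024-03-06 16:00,2024-03-06 16:03,2024-03-06 18:30
T-1005,P3,monitoring,2024-03-07 11:00,2024-03-07 11:00,2024-03-07 13:45
T-1006,P3,monitoring,2024-03-08 10:15,2024-03-08 10:16,2024-03-11 09:00
"""

def load_tickets(text):
    """Parse the CSV export, converting timestamp columns to datetimes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for col in ("created", "acknowledged", "assigned"):
            r[col] = datetime.strptime(r[col], "%Y-%m-%d %H:%M")
    return rows

def sla_report(tickets):
    """Per tier, % of tickets within target when 'response' means
    acknowledgment versus assignment to an active engineer."""
    report = {}
    for tier, target in RESPONSE_TARGET.items():
        rows = [t for t in tickets if t["priority"] == tier]
        if not rows:
            continue
        ack_ok = sum(t["acknowledged"] - t["created"] <= target for t in rows)
        eng_ok = sum(t["assigned"] - t["created"] <= target for t in rows)
        report[tier] = {"tickets": len(rows),
                        "ack_pct": round(100 * ack_ok / len(rows), 1),
                        "engineer_pct": round(100 * eng_ok / len(rows), 1)}
    return report

def proactive_pct(tickets):
    """Share of tickets opened by MSP monitoring, not reported by the client."""
    return round(100 * sum(t["source"] == "monitoring" for t in tickets) / len(tickets), 1)
```

On the constructed data every ticket is "on time" by acknowledgment, but P1 and P3 drop to 50% once response is measured as engineer assignment, which is exactly the gap the negotiation point above warns about.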
