Compliance Glossary

Plain-language definitions of cybersecurity and compliance terms for defense, federal, and regulated teams.

A

Authorization to Operate (ATO)

An ATO is the formal decision by an Authorizing Official (AO) to accept the risk of operating a system, based on its security posture and evidence.

B

BYOAI (Bring Your Own AI)

BYOAI is an architecture that lets an organization choose which AI provider and deployment it uses — commercial or self-hosted — rather than being locked to one.

C

Continuous Authorization (cATO)

cATO is an approach where continuous monitoring, real-time evidence, and active drift management keep a system authorized over time, rather than relying on a periodic point-in-time ATO.

N

NIST SP 800-171

NIST SP 800-171 is a security standard of 110 controls for protecting Controlled Unclassified Information (CUI) on non-federal systems.

R

Risk Management Framework (RMF)

RMF is NIST's structured, six-step lifecycle (categorize, select, implement, assess, authorize, monitor) for managing security and privacy risk in information systems.

S

SPRS Score

A SPRS score is the number, derived from the DoD Assessment Methodology, that represents how fully a contractor has implemented the NIST SP 800-171 controls.

System Security Plan (SSP)

An SSP is the document that describes a system's boundary, its components, and how it satisfies each required security control.

T

TRACE Score

TRACE Score is Advisedly's 0–100 vulnerability priority that factors in your specific environment — including threat activity, exposure, asset importance, and compliance impact — rather than a one-size-fits-all severity.