Compliance and Security Glossary.

Reference

Definitions of the terms, concepts, and methodologies that define secure operations and compliance automation. Built for practitioners who need precision, not marketing.

The language of secure operations.

Every term defined with technical precision. Searchable, categorized, and maintained as standards evolve.

+ Authorization Boundary Security

The defined perimeter around an information system that establishes the scope for security assessment and authorization. Everything inside the boundary is subject to the system's security controls, risk acceptance, and compliance obligations. Authorization boundaries are central to CMMC scoping and FedRAMP authorization packages.

+ CUI (Controlled Unclassified Information) Security

Sensitive but unclassified federal information that requires safeguarding under executive order and agency policy. CUI encompasses over 100 categories including technical data, export-controlled information, and privacy records. Protecting CUI is the primary objective of NIST 800-171 and CMMC Level 2 certification.

+ Defense in Depth Security

A security strategy employing multiple layers of overlapping controls so that failure of any single layer does not compromise the system. Each layer covers the gaps of another: network segmentation, endpoint hardening, access controls, monitoring, and encryption work together. Defense in depth is the foundation of the Fortify pillar and a core principle of secure operations architecture.

+ Drift Security

Unintended divergence between the actual state of infrastructure, configurations, or controls and their intended state. Drift occurs through manual changes, failed deployments, expired credentials, or configuration updates that bypass change management. Left undetected, drift erodes security posture and invalidates compliance evidence.

+ Drift Detection Security

Continuous monitoring that identifies when systems diverge from their intended configuration or security baseline. Effective drift detection compares live system state against a known-good reference and alerts when deviations occur. Sentinel performs automated drift detection across infrastructure, configurations, and control implementations.

+ Encryption at Rest Security

Cryptographic protection of stored data using algorithms such as AES-256. Encryption at rest ensures that data remains unreadable if physical storage media is compromised or improperly decommissioned. Required by most compliance frameworks including CMMC, FedRAMP, HIPAA, and PCI-DSS for sensitive data stores.

+ Encryption in Transit Security

Cryptographic protection of data as it moves between systems, typically using TLS 1.3+ for network communications. Encryption in transit prevents interception, tampering, and eavesdropping during data transfer. All API communications, inter-service traffic, and client connections should enforce current TLS standards.

+ Hardening Security

The process of configuring systems to reduce their attack surface by removing unnecessary services, applying security patches, enforcing access controls, and setting restrictive defaults. Hardening transforms a default installation into a defensible asset. DISA STIGs and CIS Benchmarks provide prescriptive hardening guidance for specific platforms.

+ Incident Response Security

The structured process for detecting, containing, eradicating, and recovering from security incidents. Includes preparation, identification, containment, eradication, recovery, and lessons learned. A documented incident response plan is required by most compliance frameworks.

+ Least Privilege Security

The principle of granting users, services, and processes only the minimum access permissions necessary to perform their intended function. Least privilege limits the blast radius of compromised accounts and reduces the risk of accidental or intentional data exposure. Enforcing least privilege is a requirement across virtually every compliance framework.

+ Zero Trust Security

A security model that eliminates implicit trust and requires continuous verification of every user, device, and network flow regardless of location. Zero Trust assumes breach and enforces strict identity verification, micro-segmentation, and least-privilege access at every layer. See NIST 800-207 and CISA Zero Trust Maturity Model for implementation frameworks.

+ Vulnerability Management Security

The ongoing process of identifying, classifying, prioritizing, and remediating security vulnerabilities across systems and applications. Vanguard scanning and Sentinel monitoring provide continuous vulnerability data.

+ 3PAO (Third-Party Assessment Organization) Compliance

An accredited organization that conducts independent security assessments for FedRAMP authorization. The 3PAO evaluates a cloud service provider's security controls, tests their effectiveness, and produces the Security Assessment Report (SAR).

+ Air-Gapped Environment Compliance

A network or system with no direct connectivity to the internet or external networks. Air-gapped environments require all data transfer through controlled import/export workflows such as encrypted media or data diodes. Common in defense, intelligence, and critical infrastructure where data exposure risk must be eliminated entirely.

+ Annex A Controls (ISO 27001) Compliance

The 93 reference controls in ISO 27001:2022 organized into four themes: Organizational, People, Physical, and Technological. Organizations select applicable controls through a Statement of Applicability.

+ Assessment Compliance

A continuous evaluation of security controls against a framework's requirements to determine their implementation status and effectiveness. Assessments are performed by the organization itself or by authorized assessors on an ongoing basis. This differs from a formal audit, which is a point-in-time examination conducted by a certified third party such as a C3PAO or SOC 2 auditor.

+ ATO (Authority to Operate) Compliance

A formal authorization granted by an authorizing official that permits an information system to operate at an accepted level of risk. ATO is the culmination of the Risk Management Framework process and is required for federal systems under FISMA. FedRAMP extends the ATO concept to cloud service providers serving federal agencies.

+ Authorization Package Compliance

The complete set of documents submitted for an Authority to Operate: System Security Plan, Security Assessment Report, Plan of Action and Milestones, and supporting evidence. Rampart generates authorization packages from observed system state.

+ Baseline (Low/Moderate/High) Compliance

A preconfigured set of security controls selected based on the sensitivity of the data a system processes. NIST 800-53 defines three baselines. FedRAMP, RMF, and other frameworks select baselines based on FIPS 199 categorization.

+ C3PAO Compliance

A Certified Third-Party Assessor Organization authorized by the CMMC Accreditation Body (Cyber AB) to conduct CMMC assessments. C3PAOs evaluate whether defense contractors meet the required security practices for their certification level. Organizations pursuing CMMC Level 2 or higher must pass a C3PAO assessment.

+ Compliance Proof Compliance

Immutable, timestamped evidence collected from running systems that demonstrates a security control is implemented and operating effectively. Compliance proofs differ from compliance reports: proofs are evidence-backed and verifiable, while reports are narrative assertions. Rampart generates compliance proofs on demand from live system data.

+ Continuous Authorization Compliance

The practice of maintaining an Authority to Operate through ongoing monitoring and evidence collection rather than periodic point-in-time reassessments. Continuous authorization requires automated drift detection, real-time control monitoring, and immediate response to security events. FedRAMP's continuous monitoring requirements are a primary driver of this approach.

+ Continuous Authorization (ConMon) Compliance

The practice of maintaining a FedRAMP or RMF authorization through ongoing monitoring rather than periodic re-assessment. Replaces the traditional 3-year re-authorization cycle with continuous posture verification.

+ Control Compliance

An implemented security practice, procedure, or mechanism that can be verified against a framework requirement. A control differs from a requirement: the requirement defines what must be done, while the control is the actual implementation that satisfies it. Controls can be technical (firewall rules), operational (incident response procedures), or management (risk assessments).

+ Control Family Compliance

A grouping of related security controls within a framework. NIST 800-53 organizes controls into 20 families (AC for Access Control, AU for Audit, SC for System Communications, etc.). Each family addresses a specific security domain.

+ Control Inheritance Compliance

The ability of a system to claim satisfaction of specific security controls through shared infrastructure or services provided by another system. For example, a system hosted on AWS inherits physical security controls from the cloud provider. Control inheritance reduces duplicated effort but requires documented responsibility matrices and evidence of the provider's compliance.

+ Data Residency Compliance

A regulatory or contractual requirement that data be stored and processed within specific geographic boundaries. Data residency requirements affect cloud architecture decisions, backup strategies, and disaster recovery planning. Common in government (GovCloud regions), healthcare (state-level HIPAA requirements), and international contexts (GDPR).

+ Cyber AB (CMMC Accreditation Body) Compliance

The organization responsible for accrediting C3PAOs and individual assessors for CMMC assessments. Formerly known as the CMMC Accreditation Body (CMMC-AB).

+ Derivation Chain Compliance

The lineage relationship between compliance frameworks where one framework derives its controls from another. CMMC derives from NIST 800-171, which derives from NIST 800-53. Understanding derivation chains enables multi-framework efficiency: satisfying a parent control often satisfies its derived controls simultaneously. See Multi-Framework Overhead for strategies.

+ DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) Compliance

The DoD organization that conducts CMMC Level 3 assessments and validates the security posture of defense contractors handling the most sensitive programs.

+ Evidence Chain Compliance

The traceable sequence from a control implementation through evidence collection, storage, and presentation to a finding or compliance determination. A complete evidence chain establishes provenance: what was collected, when, from which system, and how it maps to a specific control requirement. Broken evidence chains undermine assessment credibility.

+ Evidence Decay Compliance

The degradation of compliance evidence over time as system states change and collected artifacts become stale. A screenshot of a configuration taken six months ago does not prove the configuration is still in place today. Continuous evidence collection combats decay by refreshing artifacts on defined schedules. See Evidence Decay for patterns and mitigation.

+ False Claims Act Compliance

A federal statute imposing civil liability on entities that knowingly submit false claims to the government, including false compliance attestations. Organizations that misrepresent their CMMC certification level or security posture on federal contracts face treble damages and per-claim penalties. The False Claims Act has made compliance accuracy a legal obligation, not just a best practice.

+ FCI (Federal Contract Information) Compliance

Information provided by or generated for the federal government under contract that is not intended for public release. FCI is less sensitive than CUI and requires CMMC Level 1 protection (17 practices). Most organizations handling any federal contract data will have FCI even if they do not process CUI.

+ GovCloud Compliance

Isolated AWS regions (us-gov-west-1 and us-gov-east-1) designed for government workloads with restricted access to U.S. persons. GovCloud provides the infrastructure baseline required for FedRAMP High, DoD Impact Level 4 and 5, and ITAR-controlled workloads. Organizations handling CUI or operating under FedRAMP typically deploy in GovCloud to satisfy data residency and access control requirements.

+ JAB (Joint Authorization Board) Compliance

The primary governance body for FedRAMP, consisting of chief information officers from DoD, DHS, and GSA. Issues Provisional ATOs (P-ATOs) for cloud services used across multiple agencies.

+ Multi-Framework Assessment Compliance

The practice of evaluating a system against multiple compliance frameworks simultaneously by mapping shared controls across framework boundaries. Because frameworks share derivation chains (CMMC, NIST 800-171, and NIST 800-53 overlap significantly), a single control implementation can satisfy requirements across multiple frameworks. This reduces duplicated assessment effort and accelerates compliance timelines.

+ OSCAL Compliance

Open Security Controls Assessment Language, a machine-readable format developed by NIST for expressing security control catalogs, baselines, assessments, and results. OSCAL enables automated compliance data exchange between tools, agencies, and assessors. FedRAMP is adopting OSCAL as its primary format for authorization packages.

+ Overlay Compliance

A set of controls that modify or extend a base framework to address specific operational contexts, technologies, or regulatory requirements. Overlays can add controls, increase control parameters, or tailor existing controls for a particular environment. See the full catalog of supported overlays at Overlays.

+ PHI (Protected Health Information) Compliance

Individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate. PHI includes medical records, lab results, insurance information, and any data that can identify a patient and relates to their health condition or treatment. HIPAA mandates specific safeguards for PHI in all forms: electronic, paper, and oral.

+ PII (Personally Identifiable Information) Compliance

Any data that can be used to identify a specific individual, either alone or in combination with other information. PII includes names, Social Security numbers, biometric data, email addresses, and IP addresses when linked to an individual. Multiple frameworks require PII protection, with specific guidance in NIST 800-122 and privacy-focused overlays.

+ POA&M (Plan of Action and Milestones) Compliance

A document that identifies security weaknesses, the planned remediation actions, required resources, and scheduled completion dates. POA&Ms are required artifacts in RMF, FedRAMP, and CMMC assessments to track gaps between current posture and full compliance. Rampart manages POA&M lifecycle from creation through remediation tracking to closure.

+ Posture-First Compliance Compliance

An approach that builds security posture as the foundation and generates compliance proofs as a byproduct. This inverts the traditional model where organizations start with a compliance checklist and work backward to security controls. Posture-first compliance produces stronger security outcomes and more credible evidence because the controls are real, operational, and continuously verified.

+ Provisional ATO (P-ATO) Compliance

A conditional authorization issued by the FedRAMP JAB indicating a cloud service has met baseline security requirements. Agencies can leverage a P-ATO to issue their own ATO with reduced assessment effort.

+ Security Categorization (FIPS 199) Compliance

The process of determining the impact level (Low, Moderate, High) for a system based on the confidentiality, integrity, and availability of the data it processes. FIPS 199 categorization drives baseline selection in NIST 800-53, FedRAMP, and RMF.

+ Shared Responsibility Model Compliance

The division of security obligations between a cloud service provider and its customer. The provider secures the infrastructure (physical security, hypervisor, network fabric), while the customer secures what they deploy on it (operating systems, applications, data, access controls). Understanding this boundary is critical for accurate control inheritance and compliance scoping.

+ SPRS Score Compliance

The Supplier Performance Risk System score reflecting an organization's self-assessment of NIST 800-171 implementation, ranging from -203 (no controls implemented) to 110 (all 110 controls fully implemented). SPRS scores must be submitted to the DoD before contract award for contracts requiring CUI protection. See NIST 800-171 for scoring methodology.

+ SSP (System Security Plan) Compliance

The authoritative document describing a system's security posture, including its authorization boundary, implemented controls, system architecture, and interconnections. The SSP is the primary artifact reviewed during assessments and must accurately reflect the system's actual state. Rampart maintains SSP documentation with continuous updates from live system data.

+ Subprocessor Compliance

A third-party entity that processes data on behalf of a data processor, creating a chain of processing responsibilities. Subprocessors must be disclosed in data processing agreements, and their security practices affect the compliance posture of every organization in the chain. GDPR, SOC 2, and FedRAMP all require subprocessor transparency and oversight.

+ Tenant Isolation Compliance

An architectural guarantee that one tenant's data, configurations, and operations cannot be accessed by or leaked to another tenant in a multi-tenant system. Tenant isolation is enforced through separate encryption keys, database-level partitioning, network segmentation, and access control policies. Required for any platform handling sensitive compliance data across multiple organizations.

+ Trust Services Criteria Compliance

The five categories used in SOC 2 assessments: Security, which is required, plus the optional Availability, Processing Integrity, Confidentiality, and Privacy categories. Each criterion maps to specific controls that the auditor evaluates.

+ CIS Controls v8 Frameworks

A set of 18 prioritized defensive actions (safeguards) developed by the Center for Internet Security to mitigate the most common cyber attacks. CIS Controls organize security practices into implementation groups (IG1, IG2, IG3) based on organizational maturity. See CIS Controls v8 for full coverage details.

+ CISA Zero Trust Maturity Model Frameworks

A five-pillar framework from the Cybersecurity and Infrastructure Security Agency guiding organizations through Zero Trust implementation across identity, devices, networks, applications, and data. The model defines maturity levels from traditional through optimal, with specific criteria at each stage. See CISA ZTMM for pillar details and implementation guidance.

+ CMMC Frameworks

The Cybersecurity Maturity Model Certification, a DoD framework requiring defense contractors to demonstrate cybersecurity practices at three levels. Level 1 covers basic FCI protection (17 practices). Level 2 aligns with NIST 800-171 for CUI protection (110 practices). Level 3 adds advanced practices from NIST 800-172. See CMMC for assessment preparation and control mapping.

+ CNSSI 1253 Frameworks

Committee on National Security Systems Instruction 1253, which provides security categorization and control selection guidance for national security systems. CNSSI 1253 extends NIST 800-53 with additional controls and overlays for classified, cross-domain, intelligence, space platform, and industrial control system contexts. See CNSSI 1253 for overlay details.

+ Custom Frameworks Frameworks

Organization-defined control frameworks created to address internal policies, industry-specific requirements, or contractual obligations not covered by standard frameworks. Custom frameworks support full control definition, evidence mapping, and assessment workflows. Available at the Enterprise tier. See Custom Frameworks for configuration details.

+ FedRAMP Frameworks

The Federal Risk and Authorization Management Program, a government-wide program providing a standardized approach for cloud service authorization. FedRAMP defines Low, Moderate, High, and LI-SaaS baselines derived from NIST 800-53. Authorization requires a 3PAO assessment, continuous monitoring, and monthly reporting. See FedRAMP for baseline details and authorization pathways.

+ HIPAA Frameworks

The Health Insurance Portability and Accountability Act, a federal law requiring covered entities and business associates to implement safeguards protecting the confidentiality, integrity, and availability of PHI. The Security Rule specifies administrative, physical, and technical safeguards. See HIPAA for control coverage and evidence requirements.

+ ISO 27001 Frameworks

An international standard for information security management systems (ISMS), published by ISO/IEC. ISO 27001:2022 requires organizations to establish, implement, maintain, and continually improve their ISMS through risk assessment and treatment. Certification is granted by accredited certification bodies after a two-stage audit. See ISO 27001 for Annex A control mapping.

+ NIST 800-53 Frameworks

The foundational federal security control catalog maintained by NIST, containing over 1,000 controls across 20 families. NIST 800-53 rev5 serves as the parent framework for FedRAMP, RMF, CNSSI 1253, and numerous other compliance programs. Low, Moderate, and High baselines select controls appropriate to system impact levels. See NIST 800-53 for baseline details.

+ NIST 800-171 Frameworks

A NIST publication specifying 110 security requirements for protecting CUI in non-federal systems and organizations. NIST 800-171 derives its requirements from the Moderate baseline of NIST 800-53. It is the technical foundation for CMMC Level 2 and DFARS 252.204-7012 compliance. See NIST 800-171 for requirement mapping and SPRS scoring.

+ NIST 800-207 Frameworks

The NIST special publication defining Zero Trust Architecture principles, deployment models, and migration approaches. NIST 800-207 establishes the conceptual framework for eliminating implicit trust through continuous verification, micro-segmentation, and least-privilege enforcement. See Zero Trust for architecture patterns and implementation strategies.

+ NIST AI RMF Frameworks

The NIST Artificial Intelligence Risk Management Framework (AI 100-1), providing voluntary guidance for managing risks throughout the AI lifecycle. The framework organizes AI risk management into four functions: Govern, Map, Measure, and Manage. See NIST AI RMF for function details and control mapping.

+ NIST CSF 2.0 Frameworks

The NIST Cybersecurity Framework version 2.0, a voluntary meta-framework organized around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. CSF 2.0 provides a common language for cybersecurity risk management and maps to more prescriptive frameworks like NIST 800-53. See NIST CSF 2.0 for function categories and implementation tiers.

+ NIST IR 8596 Frameworks

A NIST interagency report addressing AI supply chain risk management, focusing on threats introduced through third-party AI components, training data, and model dependencies. IR 8596 extends traditional supply chain risk concepts to the unique challenges of AI systems. See NIST IR 8596 for risk categories and mitigation guidance.

+ PCI-DSS v4.0 Frameworks

The Payment Card Industry Data Security Standard version 4.0, a set of security requirements for organizations that store, process, or transmit cardholder data. PCI-DSS v4.0 introduces customized approach validation alongside the traditional defined approach, adding flexibility to how controls are implemented. See PCI-DSS v4.0 for requirement groups and assessment types.

+ RMF Frameworks

The Risk Management Framework, a six-step process (Categorize, Select, Implement, Assess, Authorize, Monitor) defined in NIST 800-37 for authorizing federal information systems. RMF is mandatory under FISMA and drives the ATO process across federal agencies. See RMF for step-by-step guidance and artifact requirements.

+ SOC 2 Frameworks

A vendor security certification based on the AICPA Trust Services Criteria covering security, availability, processing integrity, confidentiality, and privacy. Type I reports assess control design at a point in time. Type II reports assess control operating effectiveness over a period (typically 6 to 12 months). See SOC 2 for trust service criteria and audit preparation.

+ StateRAMP Frameworks

A state-level cloud authorization program modeled after FedRAMP, providing standardized security verification for cloud service providers serving state and local governments. StateRAMP leverages NIST 800-53 controls and offers reciprocity with FedRAMP authorizations. See StateRAMP for authorization levels and the relationship to TX-RAMP.

+ CIS Benchmarks Overlays

Prescriptive platform-specific hardening guidelines published by the Center for Internet Security covering operating systems, cloud platforms, containers, databases, and web servers. Each benchmark provides step-by-step configuration recommendations scored at Level 1 (essential) and Level 2 (defense in depth). See CIS Benchmarks for supported platforms.

+ COSAiS Overlays

AI-specific security controls mapped as NIST 800-53 modifications. Addresses risks unique to AI systems including model integrity, training data protection, and adversarial robustness. See COSAiS.

+ Critical Infrastructure Overlay Overlays

NIST CSF sector-specific profiles that tailor cybersecurity guidance for critical infrastructure sectors including energy, water, transportation, and communications. These overlays add sector-specific controls and priorities to the base CSF framework. See Critical Infrastructure for sector profiles and control additions.

+ DFARS 252.204-7012 Overlays

A Defense Federal Acquisition Regulation Supplement clause requiring DoD contractors to implement NIST 800-171 for CUI protection, report cyber incidents within 72 hours, and provide media access for forensic analysis. DFARS is the contractual mechanism that makes NIST 800-171 and CMMC compliance mandatory for defense contractors. See DFARS for clause requirements and flow-down obligations.

+ DISA SRGs Overlays

Security Requirements Guides published by the Defense Information Systems Agency providing category-level security guidance for technology classes such as general purpose operating systems, application security, network devices, web servers, databases, and container platforms. SRGs define the requirements that STIGs implement for specific products. See DISA SRGs for supported categories.

+ DISA STIGs Overlays

Security Technical Implementation Guides published by DISA containing platform-specific hardening checklists derived from SRG requirements. STIGs cover specific products (RHEL 9, Windows Server 2022, PostgreSQL, Kubernetes) with individual findings categorized as CAT I (critical), CAT II (medium), and CAT III (low). See DISA STIGs for supported platforms and scan integration.

+ DoD Cloud SRG (Security Requirements Guide) Overlays

The DoD's baseline security requirements for cloud service providers, organized by Impact Level (IL2 through IL6). Defines which data types and missions a cloud environment can support based on its security posture. See DoD Impact Levels.

+ DoD Impact Levels Overlays

Department of Defense classifications (IL2, IL4, IL5, IL6) that determine the security controls and hosting requirements for information based on sensitivity. IL2 covers public and non-CUI data. IL4 and IL5 cover CUI and mission-critical data in dedicated environments. IL6 covers classified information. See DoD Impact Levels for control requirements by level.

+ EAR Overlays

The Export Administration Regulations, administered by the Bureau of Industry and Security, controlling the export of dual-use commercial items, technology, and software that have both civilian and military applications. EAR compliance requires classification of items against the Commerce Control List and screening of end users and destinations. See EAR for control classification and compliance requirements.

+ Education Overlay (FERPA) Overlays

Controls addressing the Family Educational Rights and Privacy Act, which protects the privacy of student education records. FERPA applies to all educational institutions receiving federal funding and governs access, disclosure, and amendment rights for student data. See Education Overlay for technical safeguard requirements.

+ EU AI Act Overlays

The European Union regulation establishing a risk-based legal framework for artificial intelligence systems. The EU AI Act classifies AI systems into risk tiers (unacceptable, high, limited, minimal) with corresponding obligations for transparency, human oversight, and technical documentation. See EU AI Act for risk classifications and compliance requirements.

+ Financial Overlay Overlays

Controls derived from FFIEC (Federal Financial Institutions Examination Council) guidance and GLBA (Gramm-Leach-Bliley Act) requirements for financial institutions. These overlays address information security programs, risk assessments, vendor management, and safeguards specific to the financial services sector. See Financial Overlay for control families and examination preparation.

+ GDPR Overlays

The General Data Protection Regulation, a European Union regulation governing the collection, processing, and storage of personal data for EU residents. GDPR mandates data protection by design, breach notification within 72 hours, data subject access rights, and documented lawful basis for processing. See GDPR for technical and organizational control requirements.

+ Healthcare Overlay Overlays

Controls implementing HIPAA technical safeguards for access control, audit controls, integrity, person or entity authentication, and transmission security. This overlay maps HIPAA Security Rule requirements to specific technical implementations for healthcare organizations and their business associates. See Healthcare Overlay for safeguard mapping and evidence requirements.

+ ITAR Overlays

The International Traffic in Arms Regulations, administered by the State Department, controlling the export of defense articles, services, and technical data listed on the United States Munitions List. ITAR compliance requires U.S. person access restrictions, physical and logical access controls, and end-use monitoring for all covered technical data. See ITAR for technical control requirements and AWS GovCloud considerations.

+ NIST 800-53B Privacy Overlays

The privacy baseline controls from NIST 800-53B that extend the security baselines with privacy-specific requirements. These controls address consent, data minimization, individual participation, privacy impact assessment, and purpose specification. See NIST 800-53B Privacy for privacy control families and implementation guidance.

+ NIST 800-122 (PII) Overlays

A NIST guide providing practical recommendations for protecting the confidentiality of personally identifiable information. NIST 800-122 defines PII categories, establishes a confidence level framework for PII identification, and recommends safeguards based on the potential impact of PII disclosure. See NIST 800-122 for PII classification and protection requirements.

+ NIST AI 600-1 (GenAI) Overlays

A NIST profile addressing risks unique to generative AI systems, including hallucination, data poisoning, prompt injection, and intellectual property concerns. NIST AI 600-1 maps these GenAI-specific risks to the AI RMF functions and provides mitigation strategies for organizations deploying or developing generative AI. See NIST AI 600-1 for risk categories and governance controls.

+ API Security Testing DevSecOps

Automated scanning of API endpoints for vulnerabilities including broken authentication, excessive data exposure, injection flaws, and misconfigured rate limiting. API security testing validates that endpoints enforce proper authorization, input validation, and error handling. Vanguard includes API security testing as part of the DevSecOps workbench.

+ Container Scanning DevSecOps

Analysis of container images to identify known vulnerabilities in base images, installed packages, and application dependencies. Container scanning detects CVEs, misconfigurations, embedded secrets, and non-compliant base image usage before images are deployed to production. Vanguard performs container scanning with support for Docker and OCI image formats.

+ Code Quality Analysis DevSecOps

Automated analysis of source code for maintainability, complexity, duplication, and potential defects beyond security vulnerabilities. Complements SAST by identifying patterns that lead to future security issues. Part of Vanguard scanning.

+ Continuous Monitoring DevSecOps

Ongoing automated observation of systems, configurations, and security controls to detect changes, vulnerabilities, and compliance deviations in near real-time. Continuous monitoring replaces point-in-time snapshots with persistent awareness of system state. Sentinel provides continuous monitoring across infrastructure and compliance posture. See Evidence Decay for why continuous monitoring matters.

+ CVE (Common Vulnerabilities and Exposures) DevSecOps

A standardized identifier for known security vulnerabilities (e.g., CVE-2024-1234). CVE entries are published in the National Vulnerability Database (NVD) and referenced by scanning tools, advisories, and compliance frameworks.

+ CWE (Common Weakness Enumeration) DevSecOps

A community-developed catalog of software and hardware weakness types. CWEs describe categories of vulnerabilities (e.g., CWE-79 for cross-site scripting) rather than specific instances. SAST tools report findings using CWE identifiers.

+ DAST DevSecOps

Dynamic Application Security Testing, a black-box testing method that probes running applications for vulnerabilities by sending crafted requests and analyzing responses. DAST identifies runtime vulnerabilities like SQL injection, cross-site scripting, authentication flaws, and server misconfigurations that static analysis cannot detect. Vanguard includes DAST scanning capabilities.

+ Desired-State Convergence DevSecOps

The automated process of moving infrastructure back to its intended configuration when drift is detected. Desired-state convergence compares the live system state against a declared target state and applies corrective changes to eliminate deviations. This approach treats infrastructure configuration as code and enforces consistency through reconciliation loops rather than manual intervention.

+ Fuzzing DevSecOps

A testing technique that feeds random, malformed, or unexpected input to a program to discover crashes, memory leaks, assertion failures, and undefined behavior. Fuzzing is particularly effective at finding edge cases that structured testing misses, including buffer overflows and format string vulnerabilities. Vanguard supports fuzzing as part of its security testing capabilities.

+ Infrastructure as Code (IaC) DevSecOps

The practice of defining and managing infrastructure through version-controlled configuration files rather than manual processes. IaC enables repeatable deployments, drift detection, peer review of infrastructure changes, and rollback capabilities. Common tools include Terraform, CloudFormation, and Pulumi. IaC is foundational to security automation because it makes infrastructure auditable and reproducible.

+ IaC Scanning DevSecOps

Security analysis of infrastructure-as-code templates (Terraform, CloudFormation, Kubernetes manifests, Helm charts, Docker Compose) to detect misconfigurations before deployment. Part of Vanguard scanning.

+ Linting DevSecOps

Automated static analysis that enforces code quality rules, style conventions, and security patterns before code is committed or merged. Linters catch common issues such as unused variables, unsafe function calls, missing error handling, and non-compliant formatting. Integrating linting into CI/CD pipelines ensures consistent code quality across teams.

+ OWASP Top 10 DevSecOps

The Open Web Application Security Project's list of the ten most critical web application security risks. Updated periodically. Includes injection, broken authentication, sensitive data exposure, and others. A common benchmark for Vanguard DAST scanning.

+ Pipeline Gate DevSecOps

An enforcement point in a CI/CD pipeline that blocks deployment when security or compliance criteria are not met. Pipeline gates evaluate scan results, policy compliance, and approval requirements before allowing code to proceed to the next stage. Sentinel provides pipeline gate enforcement that integrates with GitHub Actions, GitLab CI, and other CI/CD platforms.

+ SARIF DevSecOps

The Static Analysis Results Interchange Format, an OASIS standard JSON format for expressing the output of static analysis tools. SARIF enables interoperability between different scanning tools and reporting platforms by providing a common schema for findings, locations, severity, and fix suggestions. Widely adopted across SAST, SCA, and container scanning tools.

+ SAST DevSecOps

Static Application Security Testing, a white-box analysis method that examines source code, bytecode, or binaries for security vulnerabilities without executing the application. SAST identifies issues like SQL injection, cross-site scripting, buffer overflows, and insecure cryptographic usage early in the development lifecycle. Vanguard provides multi-language SAST scanning.

+ SBOM DevSecOps

A Software Bill of Materials, a machine-readable inventory of all components, libraries, and dependencies in a software application. SBOMs are expressed in standard formats (CycloneDX, SPDX) and enable vulnerability tracking, license compliance, and supply chain transparency. Federal executive orders increasingly require SBOMs for software sold to government agencies.

+ SCA DevSecOps

Software Composition Analysis, the process of identifying open-source and third-party components in a codebase and evaluating them for known vulnerabilities, license compliance issues, and maintenance status. SCA tools scan dependency manifests and lock files to build a complete picture of inherited risk. Vanguard includes SCA as part of its dependency analysis capabilities.

+ Secret Scanning DevSecOps

Automated detection of credentials, API keys, tokens, and other sensitive values accidentally committed to source code repositories. Secret scanning examines commit history, configuration files, and environment definitions for patterns matching known credential formats. Detecting exposed secrets before they reach production prevents unauthorized access and data breaches.

+ SLSA (Supply Chain Levels for Software Artifacts) DevSecOps

A framework for ensuring the integrity of software build processes. Defines four levels of build provenance, from basic logging to hermetic, reproducible builds. Addresses supply chain attacks by verifying that artifacts were built from expected sources.

+ Supply Chain Security DevSecOps

The practice of protecting the integrity and trustworthiness of all components, dependencies, and processes involved in building and delivering software. Supply chain security encompasses dependency verification, build provenance, code signing, SBOM generation, and vendor risk assessment. Attacks targeting the software supply chain exploit trust relationships between producers and consumers of code.

+ VEX (Vulnerability Exploitability eXchange) DevSecOps

A machine-readable document that communicates whether a product is affected by a known vulnerability. VEX complements SBOMs by indicating whether a CVE found in a dependency is actually exploitable in the specific product context.

+ AI-Guided Compliance AI

The use of domain-specific AI models to assist with compliance workflows including gap analysis, control narrative generation, finding prioritization, and document assembly. AI-guided compliance augments human expertise rather than replacing it; all outputs require human review and approval. See Artificer for the AI guidance layer and AI-Guided Compliance for the approach.

+ Context-Aware Reasoning AI

Artificer's ability to reason across the full platform state: control definitions, evidence artifacts, organizational context, assessment progress, and historical decisions. Every AI response is grounded in your actual system data, not generic templates.

+ Document Assembly AI

Automated generation of compliance packages in multiple formats: OSCAL (machine-readable for FedRAMP), PDF (human-readable for assessors), and HTML (interactive for review). Artificer assembles documents from observed system state and evidence. Human review required before publishing.

+ Evidence Analysis and Gap Detection AI

Artificer's ability to cross-reference controls against collected evidence, identify where evidence is missing or expired, and produce prioritized gap lists ranked by cross-framework impact. Answers the question: "What do I need to fix first?"

+ Finding Triage AI

AI-assisted prioritization of security and compliance findings based on severity, exploitability, business context, and remediation effort. Finding triage reduces alert fatigue by surfacing the most impactful findings first and suppressing duplicates and false positives. Human reviewers make final disposition decisions; the AI provides ranked recommendations and contextual analysis.

+ Human-in-the-Loop AI

A design pattern requiring human review and explicit approval before AI-generated outputs are finalized or acted upon. In compliance contexts, human-in-the-loop ensures that control narratives, risk assessments, and remediation actions are validated by qualified personnel before submission. See Human-in-the-Loop for implementation patterns and approval workflows.

+ Narrative Generation AI

The automated creation of control implementation descriptions based on observed system state, configuration data, and evidence artifacts. Narrative generation produces framework-specific prose that describes how a control is implemented rather than asserting compliance. Sentinel provides the observed-state data that feeds narrative generation for SSPs and assessment documentation.

+ Operational Intelligence AI

Artificer's monitoring of platform health: scan trends, evidence collection rates, posture score trajectories, and upcoming evidence expirations. Provides proactive recommendations before compliance issues materialize.

+ Remediation Prioritization AI

Artificer's ranking of security findings by impact: which fix improves the most controls across the most frameworks with the least effort. Considers control weight, evidence freshness, assessment timeline, and operational context.

+ Alliance Platform

The trust network capability for managing supply chain compliance, partner posture verification, and external assessor access. Alliance enables organizations to share compliance posture with partners through controlled read-only views and attestation workflows. Available at the Business tier and above. See Alliance for trust network configuration.

+ Armory Platform

The product catalog containing framework packs, Infrastructure as Code modules, capability packs, and consulting services. Armory provides pre-built components that accelerate secure infrastructure deployment and compliance readiness. IaC modules are available individually; capability packs are included with all subscription tiers. See Armory for the full catalog.

+ Artificer Platform

The domain-specific AI layer that guides compliance workflows through interactive questioning, gap analysis, narrative generation, and document assembly. Artificer uses framework-specific knowledge to help users understand control requirements and produce implementation documentation. All AI outputs require human review before finalization. See Artificer for guidance capabilities.

+ Citadel Platform

The central command dashboard providing an aggregated view across all platform capabilities. Citadel offers lenses for compliance status, risk posture, and operational health with an action queue for pending decisions. Available at all subscription tiers as the primary entry point to the platform. See Citadel for dashboard views and lens configuration.

+ Garrison Platform

The connected estate capability that displays live inventory of your infrastructure, resources, and assets as discovered by Sentinel. Garrison provides hardware and software inventory tracking, resource classification, drift protection, and CM-8 compliance for asset management requirements. See Garrison for inventory features and AWS account connection.

+ Outpost Platform

Saved scan targets in Vanguard that are not yet connected to a monitored system. Outposts allow teams to scan repositories, containers, and endpoints before promoting them to the connected estate in Garrison. Outpost limits vary by subscription tier. See Outpost for promotion workflows and tier limits.

+ Rampart Platform

The compliance workspace for managing assessments, controls, evidence mapping, findings, POA&Ms, and compliance documents. Rampart maps your security posture to any supported framework and generates compliance proofs on demand from live system data. Available at the Guardian tier and above. See Rampart for assessment workflows and document generation.

+ Sentinel Platform

The automated monitoring engine that performs infrastructure discovery, scheduled DevSecOps scans, pipeline gate enforcement, AWS security service ingestion, evidence collection, posture monitoring, and drift detection. Sentinel is the observation layer that feeds data to every other capability. See Sentinel for monitoring configuration and discovery engine details.

+ Vanguard Platform

The DevSecOps workbench providing multi-language SAST, secret scanning, linting, dependency analysis (SCA), container scanning, DAST, STIG assessment, CIS Benchmark checks, code quality analysis, coverage tracking, fuzzing, and API security testing. Vanguard produces scan results that feed into Sentinel for trend tracking and Rampart for compliance mapping. See Vanguard for scan types and language support.
