Federal AI Glossary

50 terms every federal AI contractor should know, defined in plain English, with the federal context that makes each one matter. Jump to a letter below.

How to use this glossary. Each entry has a definition and a short federal-context note. These are practical short definitions for contractors, not legal authority. For compliance decisions, consult the underlying NIST, OMB, or agency guidance.

A

ATO — Authorization to Operate

The formal federal decision that a system may operate and that its residual risk is accepted by a designated authorizing official. No federal system handling federal data reaches production without an ATO (or an interim authorization). The ATO process is driven by NIST RMF.

Agentic AI

AI systems that autonomously plan and execute multi-step tasks using tools and external systems. In federal contexts this raises additional review concerns about action authorization, audit trails, and bounded authority.

B

BAA — Broad Agency Announcement

A federal solicitation mechanism for research and development, used heavily by DARPA, the service labs, and others. Wider in scope than a traditional RFP, allowing offerors to propose approaches to a stated research area.

BAA (HIPAA) — Business Associate Agreement

A separate concept sharing the acronym. Under HIPAA, a written agreement between a covered entity and a business associate that handles Protected Health Information on its behalf. Context determines which BAA is meant.

C

CAGE — Commercial and Government Entity code

A five-character unique identifier assigned to entities doing business with the federal government. Issued by the Defense Logistics Agency in the U.S. Required for federal contracting alongside UEI.

CISA — Cybersecurity and Infrastructure Security Agency

DHS component charged with leading federal civilian cybersecurity and protecting critical infrastructure. CISA issues binding operational directives (BODs) that federal civilian agencies must follow.

CMMC — Cybersecurity Maturity Model Certification

DoD's tiered cybersecurity certification for defense contractors handling FCI and CUI. Levels 1, 2, and 3 define increasing rigor. Required before certain DoD contract awards.

CUI — Controlled Unclassified Information

Sensitive but unclassified federal information requiring specific handling. Replaces older markings like FOUO and SBU. Handling governed by 32 CFR Part 2002 and NIST SP 800-171.

D

DFARS

Defense Federal Acquisition Regulation Supplement. DoD-specific contract clauses layered on top of the FAR. DFARS 252.204-7012 is the clause most federal contractors know, requiring safeguarding of covered defense information.

DIB — Defense Industrial Base

The ecosystem of companies, primes through small businesses, that supply the Department of Defense. CMMC, CUI handling, and cyber reporting obligations all attach to DIB participation.

DoD Impact Levels (IL2, IL4, IL5, IL6)

DoD's cloud computing impact levels defining data sensitivity tiers: IL2 (public / non-critical), IL4 (Controlled Unclassified Information), IL5 (higher-sensitivity CUI and National Security Systems), IL6 (classified up to SECRET). Each tier requires progressively stronger controls and approved cloud services.

DSIP — DoD SBIR Innovation Portal

The DoD's primary portal for SBIR/STTR topics, company registration, and proposal submission. Registration is multi-step; plan ahead of any cycle deadline.

F

FAR — Federal Acquisition Regulation

The core body of regulations governing U.S. government procurement. Organized in Parts, with FAR Part 12 (commercial items), Part 15 (negotiated procurement), and Part 52 (contract clauses) among the most-cited.

FedRAMP (Low, Moderate, High)

Federal Risk and Authorization Management Program. Standardized assessment and authorization for cloud services used by federal agencies. Baselines map to data sensitivity: Low, Moderate, and High. A FedRAMP-authorized service carries an ATO that other agencies can reuse.

FISMA — Federal Information Security Modernization Act

The statutory basis for the federal information security program. FISMA requires each agency to develop, document, and implement an agency-wide program to provide information security for systems supporting its operations.

FOUO — For Official Use Only

A legacy sensitivity marking largely superseded by CUI. Still encountered in older documents and some continuing practice.

G

GSA — General Services Administration

The federal agency that provides common services and acquisition vehicles across the government. GSA Schedules (Multiple Award Schedules) are a primary contracting vehicle for professional services.

I

IDIQ — Indefinite Delivery, Indefinite Quantity

A contract type that provides for an indefinite quantity of supplies or services during a fixed period. Task orders are issued against the IDIQ as needs arise.

IaC — Infrastructure as Code

The practice of provisioning and managing infrastructure through machine-readable definition files (Terraform, CloudFormation, etc.) rather than manual console operations. Essential discipline for federal reproducibility and audit.

J

JADC2 — Joint All-Domain Command and Control

DoD concept for connecting sensors and shooters across domains (land, sea, air, space, cyber) into a unified command and control fabric. A major driver of data and AI requirements across the services.

L

LLM — Large Language Model

A class of AI model trained on large text corpora to generate and reason over natural language. Federal adoption raises specific concerns about data handling, model provenance, hallucination, and prompt injection.

M

MLOps

Operational practice for deploying, monitoring, and maintaining machine learning models in production. In federal contexts, MLOps must align with ATO and continuous monitoring obligations.

N

NAICS

North American Industry Classification System. Codes used by federal agencies to classify businesses and solicitations. 541512 (Computer Systems Design Services) is common for federal AI contractors. See our NAICS guide.

NIST CSF — NIST Cybersecurity Framework

A voluntary framework organizing cybersecurity activities into functions (Identify, Protect, Detect, Respond, Recover, and Govern in CSF 2.0). Widely used by federal agencies and contractors.

NIST SP 800-53

NIST Special Publication 800-53. The authoritative catalog of security and privacy controls for federal information systems. Controls are organized into families (AC, AU, SC, SI, etc.) and tailored to baseline impact levels (Low, Moderate, High).

NIST SP 800-171

NIST Special Publication 800-171. Security requirements for protecting CUI when it resides in non-federal systems. The CMMC ecosystem builds on SP 800-171.

O

OTA — Other Transaction Authority

A contracting authority, separate from FAR, used by DoD and some civilian agencies for research, prototype, and production efforts. Consortia like DIU, NSWC Crane, and others use OTAs to move faster than traditional procurement.

P

PIV / CAC

Personal Identity Verification card (civilian agencies) and Common Access Card (DoD). The identity credentials that enable authenticated access to federal systems.

POA&M — Plan of Action and Milestones

A required artifact in the RMF that tracks known control deficiencies, planned remediation, and due dates. Reviewers read POA&Ms closely; empty or stale POA&Ms raise flags.

R

RAG — Retrieval-Augmented Generation

A pattern in which an LLM is given retrieved documents as context so that its responses are grounded in authoritative sources. Common in federal chatbot and assistant deployments because it reduces hallucination and enables source citation.

RMF — Risk Management Framework

NIST SP 800-37. The framework federal agencies use to integrate security and risk management into the system life cycle. Its steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) drive every ATO package.

S

SAM.gov — System for Award Management

The federal government's primary registration system for entities doing business with the government. Active SAM registration is a prerequisite for nearly all federal awards.

SBIR — Small Business Innovation Research

Federal program funding small-business R&D with commercialization potential. Reauthorized through 2031 by S. 3971 in April 2026. See our 2026 SBIR calendar.

SBOM — Software Bill of Materials

A formal record of the components in a piece of software. Increasingly required in federal supply-chain attestations; EO 14028 drove broad adoption.

SCIF — Sensitive Compartmented Information Facility

A secure area where SCI may be processed, discussed, or stored. Access requires appropriate clearance and need-to-know.

SDVOSB — Service-Disabled Veteran-Owned Small Business

A federal small-business designation for companies majority-owned and controlled by a service-disabled veteran. Eligible for certain set-asides.

Section 508

Section of the Rehabilitation Act requiring federal electronic and information technology to be accessible to people with disabilities. Federal systems must meet WCAG-aligned conformance.

SSP — System Security Plan

The primary document in an ATO package describing a system, its boundary, and how each applicable control is implemented. A clean SSP makes every downstream review faster.

STIG — Security Technical Implementation Guide

DISA-published configuration standards for operating systems, applications, and network devices used in DoD environments. A system is "STIG-compliant" when its configuration matches the relevant STIG checklists.

STTR — Small Business Technology Transfer

Sibling program to SBIR. Requires formal partnership with a research institution. Same agencies, similar structure, with the partnership as the distinguishing requirement.

T

TIC — Trusted Internet Connections

An OMB initiative and CISA-led program setting requirements for agency connections to the internet. TIC 3.0 updates the program for cloud and remote-work realities.

U

UEI — Unique Entity Identifier

The 12-character alphanumeric identifier assigned in SAM.gov that replaced the DUNS number in 2022. Required for federal contracting and grants.

W

WOSB / EDWOSB

Women-Owned Small Business and Economically Disadvantaged Women-Owned Small Business. SBA-certified designations eligible for certain federal set-asides.

Z

ZTA — Zero Trust Architecture

A security model based on continuous verification, least-privilege access, and the assumption that no implicit trust is granted to assets or user accounts. Federal agencies are aligning to ZTA principles per OMB M-22-09 and CISA's Zero Trust Maturity Model.

Need a term we missed?

We are happy to expand the glossary. Email the term and we will add it in the next revision.

Email Bo Peng