Glossary

Plain-English definitions

The compliance, infrastructure, and platform terms our customers and their auditors actually use — explained without jargon.

B

BAA (Business Associate Agreement)

A contract required under HIPAA between a covered entity (or a business associate) and any vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on its behalf. It sets out permitted uses of the PHI, the safeguards the vendor must apply, breach-reporting duties, and what happens to the data when the engagement ends. FencePencil signs BAAs with health-tech customers and chains BAAs through to our hosting and monitoring sub-processors, which HIPAA requires for any subcontractor that also touches PHI.

Related: HIPAA, PHI

C

CMMC (Cybersecurity Maturity Model Certification)

The Department of Defense program for verifying that contractors protect Controlled Unclassified Information (CUI) across the defense industrial base. Contracts that involve CUI generally require Level 2, which is assessed against the 110 security requirements of NIST SP 800-171. Depending on the contract, Level 2 is met by an annual self-assessment or by a triennial assessment from a certified third-party assessment organization (C3PAO); Level 3, for the most sensitive programs, is assessed by the government (DIBCAC).

Related: CUI, NIST 800-171, FedRAMP

CUI (Controlled Unclassified Information)

Information the federal government creates or possesses, or that a contractor creates or handles on its behalf, that a law, regulation, or government-wide policy requires to be safeguarded even though it is not classified. NIST SP 800-171 defines the safeguards for CUI in non-federal systems, and CMMC is how the Department of Defense verifies that its contractors have implemented them.

Related: CMMC, NIST 800-171

D

DPA (Data Processing Agreement)

A contract required under GDPR (Article 28) between a data controller (your customer) and a data processor (you) that sets out what personal data is processed, for what purpose and how long, the security measures applied, and the processor's obligations on sub-processors, breach notification, and deletion or return of the data at the end of the engagement. FencePencil ships a standard DPA template you can offer to enterprise buyers.

Related: GDPR, Sub-processor

E

Evidence collection

The ongoing process of capturing artifacts that prove a control is operating: screenshots, ticket exports, configuration snapshots, access-review records, and so on. Modern compliance programs pull this evidence automatically from the live environment (cloud APIs, identity providers, ticketing systems) on a schedule instead of assembling it by hand once a quarter, so an auditor sees the control as it ran across the whole period rather than on the day someone took a screenshot.

Related: SOC 2, Continuous monitoring

F

FedRAMP

The US federal program for authorizing cloud services for use by federal agencies. Authorizations are granted at the Low, Moderate, or High impact level, each with its own NIST 800-53 baseline. Obtaining an Authority to Operate (ATO) typically takes a year or more of control implementation, assessment by an accredited third-party assessor (3PAO), and continuous monitoring. Most vendors shorten the path by building on an already-authorized cloud platform and inheriting its controls for the infrastructure layer, which leaves only their own application-level controls in scope.

Related: NIST 800-53, CMMC

G

GDPR (General Data Protection Regulation)

The European Union regulation governing how the personal data of people in the EU (and, through the EEA agreement, the wider EEA) may be collected, processed, and stored. It applies to any organization that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where that organization is established.

Related: DPA, Privacy by design

H

HIPAA (Health Insurance Portability and Accountability Act)

US law that requires safeguards for Protected Health Information (PHI) held by covered entities (providers, health plans, clearinghouses) and their business associates. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI; the Privacy Rule defines permitted uses and disclosures; the Breach Notification Rule sets reporting duties when PHI is compromised.

Related: PHI, BAA, HITRUST

HITRUST

A certification program built around the HITRUST CSF (Common Security Framework), which maps HIPAA, NIST CSF, ISO 27001, PCI DSS, and other standards into one unified, certifiable control set with prescribed assessment levels. It originated in health care and is often required by large health systems for vendors handling PHI at scale, although it is no longer limited to that sector.

Related: HIPAA, NIST CSF

I

IRSA (IAM Roles for Service Accounts)

AWS pattern for giving an EKS Kubernetes service account temporary IAM credentials through OpenID Connect. The cluster's OIDC issuer is registered as an identity provider in IAM, pods receive a projected, short-lived service-account token, and the AWS SDK exchanges that token for role credentials with sts:AssumeRoleWithWebIdentity. The role's trust policy must pin the token's subject (namespace and service-account name) and audience; a trust policy that only names the issuer lets any pod in the cluster assume the role. IRSA replaces long-lived access keys for in-cluster workloads. Azure has Workload Identity and GCP has Workload Identity Federation for GKE.

Related: Workload Identity, EKS
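As an added example (not FencePencil's own Terraform and not code taken from AWS documentation), here is a minimal IRSA setup for a hypothetical EKS cluster named prod, a service account billing-api in the payments namespace, and a placeholder S3 bucket; every name, ARN, and bucket below is an assumption. The part that matters for security is the pair of condition blocks in the trust policy.

```hcl
# Added example, not FencePencil's configuration. Cluster name, namespace,
# service-account name, role name and bucket are placeholders.

data "aws_eks_cluster" "this" {
  name = "prod"
}

# The cluster's OIDC issuer looks like https://oidc.eks.<region>.amazonaws.com/id/<hex>.
# IAM condition keys use the issuer host without the scheme.
locals {
  oidc_issuer = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
  oidc_host   = replace(local.oidc_issuer, "https://", "")
}

data "tls_certificate" "eks" {
  url = local.oidc_issuer
}

# Register the cluster's issuer with IAM so STS will accept tokens it signs.
resource "aws_iam_openid_connect_provider" "eks" {
  url             = local.oidc_issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
}

# Trust policy. The Federated principal says "tokens from this cluster";
# the sub condition narrows that to one service account and the aud
# condition to tokens minted for STS. Without the sub condition (or with
# StringLike "system:serviceaccount:*"), any pod in the cluster can assume
# the role.
data "aws_iam_policy_document" "billing_api_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = ["system:serviceaccount:payments:billing-api"]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "billing_api" {
  name                 = "eks-prod-payments-billing-api"
  assume_role_policy   = data.aws_iam_policy_document.billing_api_trust.json
  max_session_duration = 3600 # credentials expire after one hour
}

# Least privilege: read objects from one bucket, nothing else.
data "aws_iam_policy_document" "billing_api_perms" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::fencepencil-billing-exports/*"] # placeholder bucket
  }
}

resource "aws_iam_role_policy" "billing_api" {
  role   = aws_iam_role.billing_api.id
  policy = data.aws_iam_policy_document.billing_api_perms.json
}

# The annotation is what the EKS pod-identity webhook keys on: pods that use
# this service account get AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE
# injected, and the SDK exchanges the projected token for role credentials.
resource "kubernetes_service_account" "billing_api" {
  metadata {
    name      = "billing-api"
    namespace = "payments"
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.billing_api.arn
    }
  }
}
```

To check the binding, run `aws sts get-caller-identity` from a pod that uses the billing-api service account (it should report the assumed-role ARN) and again from a pod in another namespace or with a different service account (it should fail). In review, treat any IRSA trust policy that uses StringLike with a wildcard in the sub value as a finding unless it is deliberately a cluster-wide add-on. AWS's newer EKS Pod Identity feature is an alternative that avoids registering a per-cluster OIDC provider; the same namespace-and-service-account scoping applies there.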

ISO 27001

The international standard for information security management systems (ISMS); the current edition is ISO/IEC 27001:2022. Certification runs on a three-year cycle: an initial two-stage audit (documentation review, then an on-site audit of the implementation), annual surveillance audits in years one and two, and a recertification audit in year three, all underpinned by your own risk assessments and internal audits. Often required for European enterprise sales.

Related: ISO 27017, ISO 27018, SOC 2

ISO 42001

ISO/IEC 42001:2023, the first ISO standard for AI Management Systems (AIMS). It provides a certifiable framework for governing AI risks, policies, and the AI lifecycle, and it follows the same management-system structure as ISO 27001 so the two can share an audit program. Expected to become a buyer requirement for AI/ML platform vendors.

Related: NIST AI RMF, ISO 27001

N

NIST 800-171

The NIST special publication (SP 800-171) that specifies security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. CMMC Level 2 is assessed against the 110 requirements of Revision 2; Revision 3 (2024) restructures them into 97 requirements, but the CMMC program rule still references Revision 2.

Related: CMMC, CUI

NIST 800-53

The catalog of security and privacy controls (currently Revision 5) used by US federal information systems. FedRAMP's Low, Moderate, and High baselines are tailored selections from this catalog with FedRAMP-specific parameters and additional requirements added.

Related: FedRAMP, NIST CSF

NIST CSF (Cybersecurity Framework)

A voluntary US framework, now at version 2.0 (2024), organized around six functions: Govern, Identify, Protect, Detect, Respond, and Recover (Govern is new in 2.0; version 1.1 had five). Often used as a high-level mapping layer that translates to other frameworks (SOC 2, ISO 27001, NIST 800-53, etc.).

Related: NIST 800-53, SOC 2

P

PCI DSS (Payment Card Industry Data Security Standard)

The contractual standard required by the card brands for any system that stores, processes, or transmits cardholder data, and for any system that can affect the security of those systems. Scope reduction (using tokenization or hosted payment fields so card numbers never enter your environment) is the most common compliance strategy, because every in-scope system must meet all applicable requirements.

Related: Tokenization

PHI (Protected Health Information)

Individually identifiable health information held or transmitted by a HIPAA covered entity or business associate. Includes the obvious (medical records, diagnoses, prescriptions) and the less obvious: any of HIPAA's 18 identifiers, such as an IP address, device identifier, or email address, once it is linked to health information, for example the account record of a user of a health app you run on behalf of a covered entity.

Related: HIPAA, BAA

POA&M (Plan of Action & Milestones)

A formal document tracking the remediation of identified security weaknesses, with an owner, target date, milestones, and current status for each item. Required for FedRAMP (where it is updated monthly as part of continuous monitoring) and CMMC programs; useful for any framework with open findings.

Related: FedRAMP, CMMC

S

SOC 2

AICPA attestation framework built on five Trust Services Criteria: Security (the common criteria, always in scope), Availability, Processing Integrity, Confidentiality, and Privacy. A Type I report attests to control design at a point in time; a Type II report tests operating effectiveness over a period, typically 3 to 12 months, and is what enterprise buyers actually want.

Related: SOC 2 Type II, Trust Services Criteria

Sub-processor

A vendor that processes personal data on behalf of a data processor (you), creating a chain from controller to processor to sub-processor. Under GDPR you need the controller's prior written authorization (general or specific) before engaging one, must notify the controller of additions or changes so it can object, and must pass the same data-protection obligations from your DPA down the chain; you remain fully liable to the controller for what your sub-processors do. Trust Centers usually publish a sub-processor list.

Related: DPA, GDPR, Trust Center

T

Terraform

HashiCorp's declarative infrastructure-as-code tool (source-available under the Business Source License since 2023; OpenTofu is the open-source fork). FencePencil uses Terraform across AWS, Azure, and GCP so customer environments are reproducible, auditable, and versioned. State is stored in cloud-native backends with KMS encryption and locking. State files record every attribute Terraform has seen, including generated passwords and keys, in plaintext, so read access to the state backend has to be treated as access to those secrets.

Related: IaC
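The backend described above, as an added example rather than FencePencil's own configuration: the bucket name, key path, region, KMS alias, and the 123456789012 account number are placeholders. Terraform 1.10 and later can lock state with an S3 lock file; earlier versions need a DynamoDB table for locking instead.

```hcl
# Added example, not FencePencil's configuration. Bucket name, key, region,
# KMS alias and the 123456789012 account ID are placeholders.

# 1. Backend block used by every workspace that manages a customer environment.
terraform {
  required_version = ">= 1.10"

  backend "s3" {
    bucket       = "fencepencil-tfstate-prod"
    key          = "customers/acme/prod/terraform.tfstate"
    region       = "us-east-1"
    encrypt      = true # SSE-KMS on the state object; Terraform sends the header on every write
    kms_key_id   = "arn:aws:kms:us-east-1:123456789012:alias/tfstate"
    use_lockfile = true # S3-native lock file; before 1.10 use dynamodb_table = "..." instead
  }
}

# 2. The key and bucket, bootstrapped once from a separate root module
#    (a backend cannot manage the bucket that holds its own state).
resource "aws_kms_key" "tfstate" {
  description         = "Terraform state encryption"
  enable_key_rotation = true
}

resource "aws_kms_alias" "tfstate" {
  name          = "alias/tfstate"
  target_key_id = aws_kms_key.tfstate.key_id
}

resource "aws_s3_bucket" "tfstate" {
  bucket = "fencepencil-tfstate-prod"
}

# Versioning keeps earlier state files so a bad apply can be rolled back.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.tfstate.arn
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# 3. Bucket policy: refuse plaintext uploads and non-TLS access, so a
#    misconfigured client cannot write an unencrypted state file.
data "aws_iam_policy_document" "tfstate" {
  statement {
    sid       = "DenyUnencryptedWrites"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.tfstate.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }

  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.tfstate.arn, "${aws_s3_bucket.tfstate.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  policy = data.aws_iam_policy_document.tfstate.json
}
```

Grant s3:GetObject on this bucket and kms:Decrypt on the key only to the CI role that runs plan and apply and to a break-glass operator group: anyone who can read the object can run `terraform state pull` and read every secret in it, encryption at rest notwithstanding. The S3 access logs and CloudTrail KMS Decrypt events for this bucket are also the evidence an auditor will ask for when reviewing who touched state.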

Tokenization

Replacing sensitive data (typically a card number) with a non-sensitive token that maps back to the original only inside a separate, hardened system (the token vault). Tokens must be random or otherwise not derivable from the original value; a plain hash of a card number is not a token, because the space of valid card numbers is small enough to enumerate. The most effective way to reduce PCI DSS scope, since systems that only ever handle tokens fall outside it.

Related: PCI DSS

Trust Center

A public or gated page that summarizes your security posture: certifications, sub-processors, DPAs, BAAs, recent pen tests, status. Reduces the volume of one-off security questionnaires from prospects.

Related: Sub-processor, DPA

W

Workload Identity

The Azure (and GCP) counterpart to AWS IRSA: an in-cluster workload presents its short-lived Kubernetes service-account token over OIDC and receives short-lived cloud credentials in return, instead of mounting static secrets. The same rule applies as with IRSA: the federated credential on the cloud side must be bound to the specific issuer, namespace, and service account, not merely to the cluster.

Related: IRSA

Term you don't see?

We add to this glossary as customers ask us things. Ping us and we'll write it up.