github.com/gemaraproj/gemara@v0.23.0

docs/lexicon.yaml

- term: Assessment
  definition: (1) the process of determining whether an outcome meets the actor's intent; or (2) an atomic process within an Evaluation used to determine a resource's Compliance with an Assessment Requirement
  references: ["Layer 5"]
- term: Assessment Requirement
  definition: a tightly scoped, verifiable condition that must be satisfied and confirmed by an evaluator
  references: ["Layer 2"]
- term: Audit
  definition: a formal, opinionated review of an organization's Policies and posture, conducted at a specific point in time to verify that established requirements are met
  references: ["Layer 7"]
- term: Behavior Evaluation
  definition: an opinionated observation of simulated or real-world activities
  references: ["Layer 5"]
- term: Capability
  definition: a feature or function of a system; the primary component comprising an attack surface
  references: ["Layer 2"]
- term: Catalog
  definition: a structured set of related prose and relevant metadata
  references: ["Layer 1", "Layer 2", "Layer 3"]
- term: Continuous Monitoring
  definition: a multi-system process designed to collect Evaluation and operational data on an ongoing basis to better detect malicious action and non-compliance, enable Remediative Enforcement, and observe trends over time
  references: ["Layer 7"]
- term: Control
  definition: (1) an organization's ability to fully assert desired state on a system, resource, or state; or (2) a mechanism, such as a safeguard or countermeasure, that asserts desired state; or (3) prose describing the Objective and Assessment Requirements associated with a desired state
  references: ["Layer 2"]
- term: Compliance
  definition: adherence to a Rule or set of Rules
  references: []
- term: Evaluation
  definition: the manual or automated process of forming an opinion on the state of Compliance, guided by a set of Assessment Requirements
  references: ["Layer 5"]
- term: Enforcement
  definition: an action taken in response to non-compliance findings and their causes
  references: ["Layer 6"]
- term: Evaluation Finding
  definition: the evidence and opinionated result of an Assessment
  references: ["Layer 5"]
- term: Guidance
  definition: prose intended to help bring about a desired outcome for a topic or generalized scenario, based on knowledge of relevant Vectors
  references: ["Layer 1"]
- term: Guideline
  definition: atomic element of a Guidance Catalog; often includes explanatory context and recommendations for designing optimal implementations
  references: ["Layer 1"]
- term: GRC
  definition: (1) the Governance, Risk, and Compliance domain within the cybersecurity field; or (2) a coordinated program dedicated to these elements within a business unit
  references: []
- term: Governance
  definition: strategic oversight of an organization and its activities
  references: []
- term: Intent Evaluation
  definition: an Evaluation ensuring that a resource is prepared in alignment with Policy, such as through proper training, configuration, or code
  references: ["Layer 5"]
- term: Organization
  definition: any logical grouping of human, physical, virtual, and information resources such as a company, business unit, or team
  references: ["Layer 3"]
- term: Threat
  definition: a circumstance or event where the concepts of a Vector are applied to a Capability in a specific context, resulting in the potential for negative impact
  references: ["Layer 2"]
- term: Objective
  definition: a unified statement of intent, which may encompass multiple situationally applicable statements or requirements
  references: ["Layer 2"]
- term: Opinion
  definition: a firmly held approximation of reality formed within the constraints of an evaluator's philosophy, perspective, and capabilities
  references: ["Layer 5", "Layer 6", "Layer 7"]
- term: Policy
  definition: a clearly scoped set of rules based on an organization's Risk Appetite
  references: ["Layer 3"]
- term: Preventive Enforcement
  definition: any action that interrupts another process which would otherwise cause non-compliance
  references: ["Layer 6"]
- term: Remediative Enforcement
  definition: corrective action in response to non-compliance in a deployed activity
  references: ["Layer 6"]
- term: Residual Risk
  definition: the Risk remaining after Risk Mitigation and Enforcement actions have been implemented
  references: ["Layer 3"]
- term: Risk
  definition: the potential for loss or damage when a Threat is actualized, determined by calculating the impact of an event on an organization and the likelihood of its occurrence
  references: ["Layer 3"]
- term: Risk Catalog
  definition: a group of related Risks relevant to an organization; used to determine when and how Policies are created for the organization
  references: ["Layer 3"]
- term: Risk Appetite
  definition: the level of Risk an organization is willing to accept in pursuit of its objectives
  references: ["Layer 3"]
- term: Risk Assessment
  definition: the process of identifying the potential or actual Risks introduced by a system
  references: ["Layer 3"]
- term: Risk Mitigation
  definition: the process of developing actions to prevent Threats or reduce their impact on organization objectives
  references: ["Layer 3"]
- term: Risk Acceptance
  definition: a clearly documented decision to accept an unmitigated Risk as necessary or unavoidable
  references: ["Layer 3"]
- term: Rule
  definition: an active, enforceable Policy, regulation, or law
  references: ["Layer 1", "Layer 2", "Layer 3"]
- term: Sensitive Activity
  definition: a type of action that introduces Risk to an organization
  references: ["Layer 4"]
- term: Vector
  definition: (1) an opportunity for an attacker to exploit a vulnerability in the system; or (2) a path by which neglect could result in unintentional negative outcomes
  references: ["Layer 1"]
- term: Vulnerability
  definition: (1) a weakness in a system inherent in or associated with a Capability that can be exploited when used in unintended ways; or (2) a lack of Control or gap in defense, introduced intentionally or unintentionally, which can be leveraged to cause harm
  references: ["Layer 2", "Layer 4"]