One of the most daunting aspects of joining government is the massive amount of jargon and acronyms. A simple phrase can contain a large amount of history, and the use of these are often ways of separating “in-groups” from “out-groups.” As such, it’s important to rapidly get up-to-speed on the local language in any given agency environment.

The summary below contains the most common government-wide terms, but each agency has its own series of abbreviations for various offices, systems, and processes. It’s a good idea to ask if your agency has a list documented already - digital service teams also often create one (e.g.s, IRS, VA, EIS).

Many of these acronyms are initialisms, where each letter is said out loud, but some are pronounced as words - think of the difference between “EPA” and “NASA.” Pronunciations are noted below where applicable.

Agencies and Offices

There are thousands of individual departments, agencies, and offices, but these are some of the most commonly referenced with regard to government IT.

AcronymNameNotes
CISA The Cybersecurity and Infrastructure Security Agency (CISA)

Agency under The Department of Homeland Security. Pronounced “SIH-zha”

DHS The Department of Homeland Security (DHS)

Not to be confused with the Department of Health and Human Services (HHS).

DOC The Department of Commerce (DOC)

Also referred to as “Commerce.”

DOD The Department of Defense (DOD)
DOEd The Department of Education (DOEd)

Most commonly referred to as just “Ed.” Not to be confused with DOE (Energy).

DOE The Department of Energy (DOE)

Not to be confused with DOEd (Education).

DOI The Department of the Interior (DOI)

Also referred to as “Interior.”

DOJ The Department of Justice (DOJ)
DOL The Department of Labor (DOL)
DOS The Department of State (DOS)
DOT The Department of Transportation (DOT)

Not to be mistaken with the Department of the Treasury (USDT)

EOP The Executive Office of the President (EOP)

This is the office more commonly known as The White House.

EPA The Environmental Protection Agency (EPA)
GAO The Government Accountability Office (GAO)
GSA The General Services Administration (GSA)
HHS The Department of Health and Human Services (HHS)

Not to be confused with the Department of Homeland Security (DHS).

HUD The Department of Housing and Urban Development (HUD)

Pronounced “HUH-d”

NARA The National Archives and Records Administration (NARA)

Pronounced “NAH-rah”

NASA The National Aeronautics and Space Administration (NASA)
NIH National Institutes of Health (NIH)

Agency under the Department of Health and Human Services.

NIST The National Institute of Standards and Technology (NIST)

Agency under The Department of Commerce. Pronounced “NIH-st”

NRC The Nuclear Regulatory Commission (NRC)
NSF The National Science Foundation (NSF)
ODNI The Office of the Director of National Intelligence (ODNI)

Office under the Executive Office of the President.

OFCIO The Office of the Federal Chief Information Officer (OFCIO)

Part of The Office of Management and Budget.

OFFM The Office of Federal Financial Management (OFFM)

Part of The Office of Management and Budget

OFPP The Office of Federal Procurement Policy (OFPP)

Part of The Office of Management and Budget

OGE The U.S. Office of Government Ethics (OGE)
OIRA The Office of Information and Regulatory Affairs (OIRA)

Part of The Office of Management and Budget. Pronounced “oh-EYE-rah.”

OMB The Office of Management and Budget (OMB)

Office under the Executive Office of the President

OSTP The Office of Science and Technology Policy (OSTP)

Office under the Executive Office of the President

OPM The Office of Personnel Management (OPM)
PPM The Office of Performance and Personnel Management (PPM)

Part of the Office of Management and Budget

SBA The Small Business Administration (SBA)
SSA The Social Security Administration (SSA)
TTS The Technology Transformation Services (TTS)

Part of the General Services Administration

USACE The US Army Corps of Engineers (USACE)

Part of the U.S. Army (Department of Defense), but has both civilian and military roles.

USAID The Agency for International Development (USAID)
USDA The Department of Agriculture (USDA)
USDS The United States Digital Service (USDS)

Part of The Office of Management and Budget

USDT The Department of the Treasury (USDT)

Also referred to as “Treasury.”

VA The Department of Veterans Affairs (VA)
18F 18F

The digital services team at GSA, part of the Technology Transformation Services. Not an acronym; GSA’s headquarters is at 1800 F St NW.

Laws and Policies

AcronymNameNotes
CFO Act Chief Financial Officers Act of 1990 (CFO Act)

A law that established the role of Chief Financial Officers at some agencies.

CIPSEA Confidential Information Protection and Statistical Efficiency Act (CIPSEA)

A law that sets requirements on statistical agencies with regard to the confidential handling of data collected for statistical purposes.

CPIC Capital Planning and Investment Control (CPIC)

A federal process for IT financial management required by The Clinger-Cohen Act. Pronounced “SEE-pick.”

DCOI The Data Center Optimization Initiative (DCOI)

A policy from the Office of Management and Budget directing federal agencies to consolidate data centers, as required by FITARA. Very rarely, pronounced like the word “DECOY,” but far more often spelled out.

FedRAMP The Federal Risk and Authorization Management Program (FedRAMP) (FedRAMP)

A government-wide program that provides a standardized approach to security assessment.

FAR Federal Acquisition Regulations (FAR)

Regulations concerning how products and services can be purchased. Pronounced like the word “FAR.”

FDCCI The Federal Data Center Consolidation Initiative (FDCCI)

The old name for the Data Center Optimization Initiative

FERPA The Family Educational Rights and Privacy Act of 1974 (FERPA)

A law that protects the privacy of student education records. Pronounced “FUR-pah.”

FISMA The Federal Information Security Management Act (FISMA)

The main cybersecurity law. Pronounced “FISS-mah.”

FITARA The Federal Information Technology Acquisition Reform Act (FITARA)

One of the main laws regarding IT management. Pronounced “fih-TAHR-ah.”

FOIA Freedom of Information Act (FOIA)

A law allowing the public to request information and records from federal agencies. This term often is also used to refer to the process of requesting these records as well. Pronounced “FOY-uh.”

HIPAA The Health Insurance Portability and Accountability Act (HIPAA)

A law that includes privacy requirements for personal medical information. Pronounced “HIP-ah.”

NDAA The National Defense Authorization Act (NDAA)

The annual appropriations bill for the Department of Defense. It usually contains a number of unrelated rider bills, sometimes on IT policy.

PRA Paperwork Reduction Act (PRA)

A law which requires that agencies recieve approval from the Office of Information and Regulatory Affairs before they collect any data from the public.

TIC Trusted Internet Connections (TIC)

A policy regarding how government systems are allowed to connect to the external internet. Main TIC article.

Miscellaneous

AcronymNameNotes
ARB Architecture Review Board (ARB)

An agency board to review the architecture of software and systems, usually as part of the investment review process. Usually overseen by the Chief Enterprise Architect. Some agencies call this Technology Review Board, or they may be separate boards.

ASL Approved Software List (ASL)

An agency-specific list of software that has been approved (usually) by the Enterprise Architecture and Security teams for general use.

ATT Authorization to Test (ATT)

A security approval that is often a precursor to a full ATO

ATO Authorization to Operate (ATO)

A full security review & approval to use a system.

BOD Binding Operational Directive (BOD)

A policy type, most often issued by the Cybersecurity and Infrastructure Security Agency.

BPA Blanket Purchasing Agreement (BPA)

A type of purchasing agreement where multiple orders can be made over time for recurring requests, avoiding the need for multiple small contracts. Contrast with a Indefinite Quantity, Indefinite Delivery contract. (Sometimes called a Bulk Purchasing Agreement.)

CAC Common Access Card (CAC)

A standard-issue government keycard used to gain access to buildings or computer systems used by the Department of Defense.

CBJ Congressional Budget Justification (CBJ)

The document an agency prepares for Congress outlining their funding needs for appropriations. Part of the Federal budget process.

CDM Continuous Diagnostics and Mitigation (CDM)

A CISA-run program to monitor network traffic.

CDOC The Federal Chief Data Officers Council (CDOC)

The federal council of Chief Data Officers.

CDO Chief Data Officer (CDO)

The officer responsible for data management and practices in an agency.

CEA Chief Enterprise Architect (CEA)

The officer responsible for overseeing enterprise-wide technology selection and architecture decisions for the agency. Required by Clinger-Cohen.

CFOC The Chief Financial Officers Council (CFOC)

The federal council of Chief Financial Officers.

CFO Chief Financial Officer (CFO)

The highest ranking budget officer for a federal agency.

CIGIE The Council of the Inspectors General on Integrity and Efficiency (CIGIE)

The council for Inspectors General across the federal government.

CIOC The Chief Information Officers Council (CIOC)

The federal council of Chief Information Officers.

CIO Chief Information Officer (CIO)

The highest ranking technology officer for a federal agency. Not be confused with a Chief Innovation Officer.

CISOC The Chief Information Security Officer Council (CISOC)

The federal council of Chief Information Security Officers..

CISO Chief Information Security Officer (CISO)

The highest ranking information security officer for a federal agency. Usually reports directly to the Chief Information Officer.

CHCOC The Chief Human Capital Officers Council (CHCOC)

The federal council of Chief Human Capital Officers..

CHCO Chief Human Capital Officer (CHCO)

The highest ranking human resources officer for a federal agency.

COO Chief Operating Officer (COO)

Typically the highest ranking officer overseeing the various administrative offices of an agency. However, the exact nature of the post varies, e.g. at the SEC this is the highest ranking non-political officer.

COR Contracting Officer's Representative (COR)

In a government acquisition, this is the staff member who represents the program office. Pronounced “core,” like the middle of an apple.

COTS Commercial-Off-The-Shelf Software (COTS)

A common phrase in procurement for readily-available software that does not need to be customized to be used. Pronounced “cots,” like small beds.

CO Contracting Officer (CO)

In a government acquisition, this is the member of the acquisition team who oversees the procurement process.

CTO Chief Technology Officer (CTO)

This role varies dramatically from agency to agency, ranging from pure policy roles to directly overseeing technology services. Typically reports directly to the Chief Information Officer.

CUI Controlled Unclassified Information (CUI)

Government-created or -owned information that requires safeguarding or dissemination controls but which is not classified information.

CX Customer Experience (CX)

A broad methodology for comprehensively measuring design & delivery for all services from the perspective of the customer. Main customer experience article

EA Enterprise Architecture (EA)

A technology management practice which sets a roadmap across the organization for technology, intended to reduce duplicative purchasing and “shadow IT.” Required by law by the Clinger-Cohen Act.

EO Executive Order (EO)

A type of presidential action.

FCIO Federal Chief Information Officer (FCIO)

The political official in charge of issuing technology policy for the whole government, located within the Office of Management and Budget. In law, this role is referred to officially as the Administrator of the Office of E-Government and Information Technology.

FCISO The Federal Chief Information Security Officer (FCISO)

Historically, the political official in charge of issuing cybersecurity policy for the whole government, located within the Office of Management and Budget. Today the National Cyber Director is in charge of cybersecurity policy, with the Federal Chief Information Security Officer as their deputy.

FFP Firm Fixed Price (FFP)

A type of contract that covers the entire cost of the work being done, regardless of labor hours. There are several types of fixed-price contracts but this is the most common. In contrast to a “time-and-materials” or “labor hour” contract, which is based on hours of work done.

FIPS Federal Information Processing Standards (FIPS)

The NIST series of documents relating to usage and protection of information in government agencies.

FOUO For Official Use Only (FOUO)

This is the old term for what is now known as Controlled Unclassified Information. You may still see it on older documents and templates.

HCD Human-Centered Design (HCD)

A design methodology that emphasizes testing with real users of a system or service, either digital or physical.

HCOR The House Committee on Oversight and Reform (HCOR)

The primary government oversight committee for the House of Representatives. The Government Operations subcommittee underneath it is responsible for creating many of the government’s technology laws.

HSGAC The Senate Homeland Security and Governmental Affairs Committee (HSGAC)

The Senate committee responsible for creating many federal technology and cybersecurity laws.

HOGR The House Committee on Oversight and Government Reform (HOGR)

The old name for the House Committee on Oversight and Reform before it was renamed. The Government Operations subcommittee underneath it is responsible for creating many of the government’s technology laws.

HVA High Value Asset (HVA)

A type of security categorization for a system.

IAA Interagency Agreement (IAA)

A type of policy memo or contract between two federal agencies. In many cases the agreement itself will use the Treasury Department standard form 7600A and 7600B.

ICAM Identity, Credential, and Access Management (ICAM)

A collection of security practices to ensure that only the right person with the right privileges can access the right information at the right time.

IDIQ Indefinite Delivery, Indefinite Quantity (IDIQ)

A type of contract for services that does not have a value limit, only a time limit. Especially useful for agency-wide service contracts that might be used by different programs.

IGCE Independent Government Cost Estimate (IGCE)

As part of any contract, the government must come up with an initial estimate.

IG Inspector General (IG)

An auditor within each federal agency with independent authority to oversee operations and report to Congress & the public. This most often refers to the Office of the Inspector General in an agency, rather than the person who holds the title. Each agency has their own individual Office of Inspector General, this is not a government-wide office.

IRB Investment Review Board (IRB)

An agency board responsible for reviewing investments, usually IT-related, and either approves or rejects them. Frequently has different names at each agency.

ISO International Organization for Standardization (ISO)

An independent, international standards organization. In many ways similar to NIST. Notably, their documents generally must be purchased for a fee. These documents are usually referred to by the number, e.g. ISO 20000 on IT management or 27000 on Cybersecurity management.

ITIL IT Infrastructure Library (ITIL)

A popular framework for IT service management, both in government and the private sector. A similar framework is ISO 20000.

JAB The Joint Authorization Board (JAB)

The FedRAMP board which approves cloud products for use.

MOU Memoranda of Understanding (MOU)

A type of policy memo or contract between multiple parties; in this context, frequently between two federal agencies. Sometimes MOA, for Memorandum of Agreement.

MFA Multi-Factor Authentication (MFA)

A cybersecurity methodology requiring multiple credentials to gain access to a system. Main identity article

NITAAC NIH Information Technology Acquisition and Assessment Center (NITAAC)

An office under the National Institutes of Health (NIH), but more commonly the procurement vehicle for information technology run by this office.

NOC Network Operations Center (NOC)

A team within the IT office of an agency, responsible for constantly monitoring systems to make sure they’re up. Works closely with the Security Operations Center and Help Desk.

OCIO Office of the Chief Information Officer (OCIO)

Each agency has an IT office which the Chief Information Officer is the head of. The name for this office may vary from agency to agency but OIT and OCIO are the most common names.

OIG Office of the Inspector General (OIG)

Each agency has their own individual Office of Inspector General, this is not a government-wide office.

OIT Office of Information Technology (OIT)

Each agency has an IT office which the Chief Information Officer is the head of. The name for this office may vary from agency to agency but OIT and OCIO are the most common names.

PIA Privacy Impact Assessments (PIA)

A required assessment for federal systems to determine if personal information is properly protected. Main privacy article

PIV Personal Identity Verification card (PIV)

A standard-issue government keycard used to gain access to buildings or computer systems used in civilian agencies. Sometimes pronounced “PIH-v.”

POAM Plan of Action & Milestones (POAM)

Most often, an issue with a system found by the cybersecurity team that needs to be fixed. Sometimes appears as POA&M. Sometimes pronounced “POH-am.”

PWS Performance Work Statement (PWS)

A document in an acquisition that lists outcomes and measurable standards for evaluation for work to be done by a vendor on a government contract. It generally may be considered a combination of a Statement of Objectives and a Statement of Work.

QSMO Quality Service Management Offices (QSMOs)

An agency that has been designated by the Office of Management and Budget to provide a specific shared service to all other agencies. Sometimes pronounced “QUIZ-moh” or “CUE-smoh.”

RFI Request for Information (RFI)

An optional part of the acquisition process, where the government requests information from the vendor community about the solution they are considering.

RFQ Request for Quotation (RFQ)

A part of the acquisition process, where the government asks the vendor pool to bid for a contract. An Request for Quotation is used when the agency knows exactly what they want to buy; contrast with a Request for Proposal.

RFP Request for Proposal (RFP)

A part of the acquisition process, where the government asks the vendor pool to bid for a contract. An Request for Quotation is used when the agency does have a precise item that they want to buy; contrast with a Request for Quotation.

RPA Robotic Processing Automation (RPA)

A type of technology tool that can be used to automate basic tasks within a piece of software.

SA&A Security Assessment and Authorization (SA&A)

The process by which a cybersecurity team evaluates a product or system.

SBOM Software Bill of Materials (SBOM)

A requirement within Supply Chain Risk Management to provide the source of all components of a software product. Main supply chain article

SCIF Sensitive Compartmented Information Facility (SCIF)

A location that has been physically and electronically secured against surveillance where classified or otherwise sensitive documents and data are permitted to be viewed and discussed. Pronounced “SKIFF.”

SCRM Supply Chain Risk Management (SCRM)

A cybersecurity requirement to ensure that all components of a given technology hardware or software product are secure and from a reliable source. Main supply chain article

SES Senior Executive Service (SES)

A rank of jobs in the Federal Government denoting senior officers. There are special hiring requirements for these roles.

SEWP NASA Solutions for Enterprise-Wide Procurement (SEWP)

A procurement vehicle for information technology.

SDF Service Delivery Framework (SDF)

The commonly-used name for the lifecycle process of getting an application reviewed by the various governance bodies in an agency.

SOC Security Operations Center (SOC)

A team within the cybersecurity division of an IT office, responsible for monitoring systems for intrusion and other cyberattacks. Works closely with the Network Operations Center and Help Desk.

SOO Statement of Objectives (SOO)

A high-level document in an acquisition that lists the outcomes expected from a vendor performing work on a government contract. It is a more recent replacement for the traditional Statement of Work, and typically a simpler document than a Performance Work Statement.

SOP Standard Operating Procedures (SOP)

The general term for agency-specific policy documents, used to describe the specific implementation of government-wide policies at an agency.

SORN System of Records Notice (SORN)

A public notice that must be filed in the Federal Register whenever an agency wishes to collect data on individuals.

SOW Statement of Work (SOW)

A document in an acquisition that lists the specific work items to be done by a vendor on a government contract. It is the traditional way of writing a contract, but more modern offices tend to prefer a Statement of Objectives or Performance Work Statement.

SSP System Security Plan (SSP)

Most agencies require this documentation as part of the Authorization to Operate process.

TBM Technology Business Management (TBM)

A framework for IT investment categorization, used in Capital Planning and Investment Control.

TRB Technology Review Board (TRB)

An agency board to review the technology choices of software and systems, usually as part of the investment review process. Some agencies call this Architecture Review Board, or they may be separate boards.

TS/SCI Top Secret / Sensitive Compartmented Information (TS/SCI)

A specialized security classification for some types of Top Secret information that require additional controls or special handling due to sensitivity. Also refers to the clearance level a person must have to view these documents.

TS Top Secret (TS)

The highest level of security classification for information in government. Also refers to the clearance level a person must have to view these documents.

T&M Time-and-Materials (T&M)

A type of contract where a vendor is paid based on labor hours. In contrast to Firm Fixed Price.

UX User Experience (UX)

A digital design methodology that leverages human-centered design. Not to be mistaken with Customer Experience.

VAR Value Added Reseller (VAR)

An intermediary company that resells the services of another. For contracts with large vendors, such as software or cloud companies, most agencies require going through a small business Value Added Reseller instead of contracting directly.

ZTA Zero Trust Architecture (ZTA)

A modern cybersecurity methodology involving re-validating a user’s credentials on data access rather than system access. Main Zero Trust article

2210 2210 Cybersecurity Job Code

Not technically an acronym, but a common phrase to refer to cybersecurity job roles, or sometimes any specialized information technology roles.

3PAO Third Party Assessment Organization (3PAO)

An external-to-government organization that evaluates the security of a product, usually as part of the FedRAMP process.