Acronyms
One of the most daunting aspects of joining government is the massive amount of jargon and acronyms. A simple phrase can contain a large amount of history, and the use of these are often ways of separating “in-groups” from “out-groups.” As such, it’s important to rapidly get up-to-speed on the local language in any given agency environment.
The summary below contains the most common government-wide terms, but each agency has its own series of abbreviations for various offices, systems, and processes. It’s a good idea to ask if your agency has a list documented already - digital service teams also often create one (e.g.s, IRS, VA, EIS).
Many of these acronyms are initialisms, where each letter is said out loud, but some are pronounced as words - think of the difference between “EPA” and “NASA.” Pronunciations are noted below where applicable.
Agencies and Offices
There are thousands of individual departments, agencies, and offices, but these are some of the most commonly referenced with regard to government IT.
| Acronym | Name | Notes |
|---|---|---|
| CISA | The Cybersecurity and Infrastructure Security Agency (CISA) | Agency under The Department of Homeland Security. Pronounced “SIH-zha” |
| DHS | The Department of Homeland Security (DHS) | Not to be confused with the Department of Health and Human Services (HHS). |
| DOC | The Department of Commerce (DOC) | Also referred to as “Commerce.” |
| DOD | The Department of Defense (DOD) | |
| DOEd | The Department of Education (DOEd) | Most commonly referred to as just “Ed.” Not to be confused with DOE (Energy). |
| DOE | The Department of Energy (DOE) | Not to be confused with DOEd (Education). |
| DOI | The Department of the Interior (DOI) | Also referred to as “Interior.” |
| DOJ | The Department of Justice (DOJ) | |
| DOL | The Department of Labor (DOL) | |
| DOS | The Department of State (DOS) | |
| DOT | The Department of Transportation (DOT) | Not to be mistaken with the Department of the Treasury (USDT) |
| EOP | The Executive Office of the President (EOP) | This is the office more commonly known as The White House. |
| EPA | The Environmental Protection Agency (EPA) | |
| GAO | The Government Accountability Office (GAO) | |
| GSA | The General Services Administration (GSA) | |
| HHS | The Department of Health and Human Services (HHS) | Not to be confused with the Department of Homeland Security (DHS). |
| HUD | The Department of Housing and Urban Development (HUD) | Pronounced “HUH-d” |
| NARA | The National Archives and Records Administration (NARA) | Pronounced “NAH-rah” |
| NASA | The National Aeronautics and Space Administration (NASA) | |
| NIH | National Institutes of Health (NIH) | Agency under the Department of Health and Human Services. |
| NIST | The National Institute of Standards and Technology (NIST) | Agency under The Department of Commerce. Pronounced “NIH-st” |
| NRC | The Nuclear Regulatory Commission (NRC) | |
| NSF | The National Science Foundation (NSF) | |
| ODNI | The Office of the Director of National Intelligence (ODNI) | Office under the Executive Office of the President. |
| OFCIO | The Office of the Federal Chief Information Officer (OFCIO) | Part of The Office of Management and Budget. |
| OFFM | The Office of Federal Financial Management (OFFM) | Part of The Office of Management and Budget |
| OFPP | The Office of Federal Procurement Policy (OFPP) | Part of The Office of Management and Budget |
| OGE | The U.S. Office of Government Ethics (OGE) | |
| OIRA | The Office of Information and Regulatory Affairs (OIRA) | Part of The Office of Management and Budget. Pronounced “oh-EYE-rah.” |
| OMB | The Office of Management and Budget (OMB) | Office under the Executive Office of the President |
| OSTP | The Office of Science and Technology Policy (OSTP) | Office under the Executive Office of the President |
| OPM | The Office of Personnel Management (OPM) | |
| PPM | The Office of Performance and Personnel Management (PPM) | Part of the Office of Management and Budget |
| SBA | The Small Business Administration (SBA) | |
| SSA | The Social Security Administration (SSA) | |
| TTS | The Technology Transformation Services (TTS) | Part of the General Services Administration |
| USACE | The US Army Corps of Engineers (USACE) | Part of the U.S. Army (Department of Defense), but has both civilian and military roles. |
| USAID | The Agency for International Development (USAID) | |
| USDA | The Department of Agriculture (USDA) | |
| USDS | The United States Digital Service (USDS) | Part of The Office of Management and Budget |
| USDT | The Department of the Treasury (USDT) | Also referred to as “Treasury.” |
| VA | The Department of Veterans Affairs (VA) | |
| 18F | 18F | The digital services team at GSA, part of the Technology Transformation Services. Not an acronym; GSA’s headquarters is at 1800 F St NW. |
Laws and Policies
| Acronym | Name | Notes |
|---|---|---|
| CFO Act | Chief Financial Officers Act of 1990 (CFO Act) | A law that established the role of Chief Financial Officers at some agencies. |
| CIPSEA | Confidential Information Protection and Statistical Efficiency Act (CIPSEA) | A law that sets requirements on statistical agencies with regard to the confidential handling of data collected for statistical purposes. |
| CPIC | Capital Planning and Investment Control (CPIC) | A federal process for IT financial management required by The Clinger-Cohen Act. Pronounced “SEE-pick.” |
| DCOI | The Data Center Optimization Initiative (DCOI) | A policy from the Office of Management and Budget directing federal agencies to consolidate data centers, as required by FITARA. Very rarely, pronounced like the word “DECOY,” but far more often spelled out. |
| FedRAMP | The Federal Risk and Authorization Management Program (FedRAMP) (FedRAMP) | A government-wide program that provides a standardized approach to security assessment. |
| FAR | Federal Acquisition Regulations (FAR) | Regulations concerning how products and services can be purchased. Pronounced like the word “FAR.” |
| FDCCI | The Federal Data Center Consolidation Initiative (FDCCI) | The old name for the Data Center Optimization Initiative |
| FERPA | The Family Educational Rights and Privacy Act of 1974 (FERPA) | A law that protects the privacy of student education records. Pronounced “FUR-pah.” |
| FISMA | The Federal Information Security Management Act (FISMA) | The main cybersecurity law. Pronounced “FISS-mah.” |
| FITARA | The Federal Information Technology Acquisition Reform Act (FITARA) | One of the main laws regarding IT management. Pronounced “fih-TAHR-ah.” |
| FOIA | Freedom of Information Act (FOIA) | A law allowing the public to request information and records from federal agencies. This term often is also used to refer to the process of requesting these records as well. Pronounced “FOY-uh.” |
| HIPAA | The Health Insurance Portability and Accountability Act (HIPAA) | A law that includes privacy requirements for personal medical information. Pronounced “HIP-ah.” |
| NDAA | The National Defense Authorization Act (NDAA) | The annual appropriations bill for the Department of Defense. It usually contains a number of unrelated rider bills, sometimes on IT policy. |
| PRA | Paperwork Reduction Act (PRA) | A law which requires that agencies recieve approval from the Office of Information and Regulatory Affairs before they collect any data from the public. |
| TIC | Trusted Internet Connections (TIC) | A policy regarding how government systems are allowed to connect to the external internet. Main TIC article. |
Miscellaneous
| Acronym | Name | Notes |
|---|---|---|
| ARB | Architecture Review Board (ARB) | An agency board to review the architecture of software and systems, usually as part of the investment review process. Usually overseen by the Chief Enterprise Architect. Some agencies call this Technology Review Board, or they may be separate boards. |
| ASL | Approved Software List (ASL) | An agency-specific list of software that has been approved (usually) by the Enterprise Architecture and Security teams for general use. |
| ATT | Authorization to Test (ATT) | A security approval that is often a precursor to a full ATO |
| ATO | Authorization to Operate (ATO) | A full security review & approval to use a system. |
| BOD | Binding Operational Directive (BOD) | A policy type, most often issued by the Cybersecurity and Infrastructure Security Agency. |
| BPA | Blanket Purchasing Agreement (BPA) | A type of purchasing agreement where multiple orders can be made over time for recurring requests, avoiding the need for multiple small contracts. Contrast with a Indefinite Quantity, Indefinite Delivery contract. (Sometimes called a Bulk Purchasing Agreement.) |
| CAC | Common Access Card (CAC) | A standard-issue government keycard used to gain access to buildings or computer systems used by the Department of Defense. |
| CBJ | Congressional Budget Justification (CBJ) | The document an agency prepares for Congress outlining their funding needs for appropriations. Part of the Federal budget process. |
| CDM | Continuous Diagnostics and Mitigation (CDM) | A CISA-run program to monitor network traffic. |
| CDOC | The Federal Chief Data Officers Council (CDOC) | The federal council of Chief Data Officers. |
| CDO | Chief Data Officer (CDO) | The officer responsible for data management and practices in an agency. |
| CEA | Chief Enterprise Architect (CEA) | The officer responsible for overseeing enterprise-wide technology selection and architecture decisions for the agency. Required by Clinger-Cohen. |
| CFOC | The Chief Financial Officers Council (CFOC) | The federal council of Chief Financial Officers. |
| CFO | Chief Financial Officer (CFO) | The highest ranking budget officer for a federal agency. |
| CIGIE | The Council of the Inspectors General on Integrity and Efficiency (CIGIE) | The council for Inspectors General across the federal government. |
| CIOC | The Chief Information Officers Council (CIOC) | The federal council of Chief Information Officers. |
| CIO | Chief Information Officer (CIO) | The highest ranking technology officer for a federal agency. Not be confused with a Chief Innovation Officer. |
| CISOC | The Chief Information Security Officer Council (CISOC) | The federal council of Chief Information Security Officers.. |
| CISO | Chief Information Security Officer (CISO) | The highest ranking information security officer for a federal agency. Usually reports directly to the Chief Information Officer. |
| CHCOC | The Chief Human Capital Officers Council (CHCOC) | |
| CHCO | Chief Human Capital Officer (CHCO) | The highest ranking human resources officer for a federal agency. |
| COO | Chief Operating Officer (COO) | Typically the highest ranking officer overseeing the various administrative offices of an agency. However, the exact nature of the post varies, e.g. at the SEC this is the highest ranking non-political officer. |
| COR | Contracting Officer's Representative (COR) | In a government acquisition, this is the staff member who represents the program office. Pronounced “core,” like the middle of an apple. |
| COTS | Commercial-Off-The-Shelf Software (COTS) | A common phrase in procurement for readily-available software that does not need to be customized to be used. Pronounced “cots,” like small beds. |
| CO | Contracting Officer (CO) | In a government acquisition, this is the member of the acquisition team who oversees the procurement process. |
| CTO | Chief Technology Officer (CTO) | This role varies dramatically from agency to agency, ranging from pure policy roles to directly overseeing technology services. Typically reports directly to the Chief Information Officer. |
| CUI | Controlled Unclassified Information (CUI) | Government-created or -owned information that requires safeguarding or dissemination controls but which is not classified information. |
| CX | Customer Experience (CX) | A broad methodology for comprehensively measuring design & delivery for all services from the perspective of the customer. Main customer experience article |
| EA | Enterprise Architecture (EA) | A technology management practice which sets a roadmap across the organization for technology, intended to reduce duplicative purchasing and “shadow IT.” Required by law by the Clinger-Cohen Act. |
| EO | Executive Order (EO) | A type of presidential action. |
| FCIO | Federal Chief Information Officer (FCIO) | The political official in charge of issuing technology policy for the whole government, located within the Office of Management and Budget. In law, this role is referred to officially as the Administrator of the Office of E-Government and Information Technology. |
| FCISO | The Federal Chief Information Security Officer (FCISO) | Historically, the political official in charge of issuing cybersecurity policy for the whole government, located within the Office of Management and Budget. Today the National Cyber Director is in charge of cybersecurity policy, with the Federal Chief Information Security Officer as their deputy. |
| FFP | Firm Fixed Price (FFP) | A type of contract that covers the entire cost of the work being done, regardless of labor hours. There are several types of fixed-price contracts but this is the most common. In contrast to a “time-and-materials” or “labor hour” contract, which is based on hours of work done. |
| FIPS | Federal Information Processing Standards (FIPS) | The NIST series of documents relating to usage and protection of information in government agencies. |
| FOUO | For Official Use Only (FOUO) | This is the old term for what is now known as Controlled Unclassified Information. You may still see it on older documents and templates. |
| HCD | Human-Centered Design (HCD) | A design methodology that emphasizes testing with real users of a system or service, either digital or physical. |
| HCOR | The House Committee on Oversight and Reform (HCOR) | The primary government oversight committee for the House of Representatives. The Government Operations subcommittee underneath it is responsible for creating many of the government’s technology laws. |
| HSGAC | The Senate Homeland Security and Governmental Affairs Committee (HSGAC) | The Senate committee responsible for creating many federal technology and cybersecurity laws. |
| HOGR | The House Committee on Oversight and Government Reform (HOGR) | The old name for the House Committee on Oversight and Reform before it was renamed. The Government Operations subcommittee underneath it is responsible for creating many of the government’s technology laws. |
| HVA | High Value Asset (HVA) | A type of security categorization for a system. |
| IAA | Interagency Agreement (IAA) | A type of policy memo or contract between two federal agencies. In many cases the agreement itself will use the Treasury Department standard form 7600A and 7600B. |
| ICAM | Identity, Credential, and Access Management (ICAM) | A collection of security practices to ensure that only the right person with the right privileges can access the right information at the right time. |
| IDIQ | Indefinite Delivery, Indefinite Quantity (IDIQ) | A type of contract for services that does not have a value limit, only a time limit. Especially useful for agency-wide service contracts that might be used by different programs. |
| IGCE | Independent Government Cost Estimate (IGCE) | As part of any contract, the government must come up with an initial estimate. |
| IG | Inspector General (IG) | An auditor within each federal agency with independent authority to oversee operations and report to Congress & the public. This most often refers to the Office of the Inspector General in an agency, rather than the person who holds the title. Each agency has their own individual Office of Inspector General, this is not a government-wide office. |
| IRB | Investment Review Board (IRB) | An agency board responsible for reviewing investments, usually IT-related, and either approves or rejects them. Frequently has different names at each agency. |
| ISO | International Organization for Standardization (ISO) | An independent, international standards organization. In many ways similar to NIST. Notably, their documents generally must be purchased for a fee. These documents are usually referred to by the number, e.g. ISO 20000 on IT management or 27000 on Cybersecurity management. |
| ITIL | IT Infrastructure Library (ITIL) | A popular framework for IT service management, both in government and the private sector. A similar framework is ISO 20000. |
| JAB | The Joint Authorization Board (JAB) | The FedRAMP board which approves cloud products for use. |
| MOU | Memoranda of Understanding (MOU) | A type of policy memo or contract between multiple parties; in this context, frequently between two federal agencies. Sometimes MOA, for Memorandum of Agreement. |
| MFA | Multi-Factor Authentication (MFA) | A cybersecurity methodology requiring multiple credentials to gain access to a system. Main identity article |
| NITAAC | NIH Information Technology Acquisition and Assessment Center (NITAAC) | An office under the National Institutes of Health (NIH), but more commonly the procurement vehicle for information technology run by this office. |
| NOC | Network Operations Center (NOC) | A team within the IT office of an agency, responsible for constantly monitoring systems to make sure they’re up. Works closely with the Security Operations Center and Help Desk. |
| OCIO | Office of the Chief Information Officer (OCIO) | Each agency has an IT office which the Chief Information Officer is the head of. The name for this office may vary from agency to agency but OIT and OCIO are the most common names. |
| OIG | Office of the Inspector General (OIG) | Each agency has their own individual Office of Inspector General, this is not a government-wide office. |
| OIT | Office of Information Technology (OIT) | Each agency has an IT office which the Chief Information Officer is the head of. The name for this office may vary from agency to agency but OIT and OCIO are the most common names. |
| PIA | Privacy Impact Assessments (PIA) | A required assessment for federal systems to determine if personal information is properly protected. Main privacy article |
| PIV | Personal Identity Verification card (PIV) | A standard-issue government keycard used to gain access to buildings or computer systems used in civilian agencies. Sometimes pronounced “PIH-v.” |
| POAM | Plan of Action & Milestones (POAM) | Most often, an issue with a system found by the cybersecurity team that needs to be fixed. Sometimes appears as POA&M. Sometimes pronounced “POH-am.” |
| PWS | Performance Work Statement (PWS) | A document in an acquisition that lists outcomes and measurable standards for evaluation for work to be done by a vendor on a government contract. It generally may be considered a combination of a Statement of Objectives and a Statement of Work. |
| QSMO | Quality Service Management Offices (QSMOs) | An agency that has been designated by the Office of Management and Budget to provide a specific shared service to all other agencies. Sometimes pronounced “QUIZ-moh” or “CUE-smoh.” |
| RFI | Request for Information (RFI) | An optional part of the acquisition process, where the government requests information from the vendor community about the solution they are considering. |
| RFQ | Request for Quotation (RFQ) | A part of the acquisition process, where the government asks the vendor pool to bid for a contract. An Request for Quotation is used when the agency knows exactly what they want to buy; contrast with a Request for Proposal. |
| RFP | Request for Proposal (RFP) | A part of the acquisition process, where the government asks the vendor pool to bid for a contract. An Request for Quotation is used when the agency does have a precise item that they want to buy; contrast with a Request for Quotation. |
| RPA | Robotic Processing Automation (RPA) | A type of technology tool that can be used to automate basic tasks within a piece of software. |
| SA&A | Security Assessment and Authorization (SA&A) | The process by which a cybersecurity team evaluates a product or system. |
| SBOM | Software Bill of Materials (SBOM) | A requirement within Supply Chain Risk Management to provide the source of all components of a software product. Main supply chain article |
| SCIF | Sensitive Compartmented Information Facility (SCIF) | A location that has been physically and electronically secured against surveillance where classified or otherwise sensitive documents and data are permitted to be viewed and discussed. Pronounced “SKIFF.” |
| SCRM | Supply Chain Risk Management (SCRM) | A cybersecurity requirement to ensure that all components of a given technology hardware or software product are secure and from a reliable source. Main supply chain article |
| SES | Senior Executive Service (SES) | A rank of jobs in the Federal Government denoting senior officers. There are special hiring requirements for these roles. |
| SEWP | NASA Solutions for Enterprise-Wide Procurement (SEWP) | A procurement vehicle for information technology. |
| SDF | Service Delivery Framework (SDF) | The commonly-used name for the lifecycle process of getting an application reviewed by the various governance bodies in an agency. |
| SOC | Security Operations Center (SOC) | A team within the cybersecurity division of an IT office, responsible for monitoring systems for intrusion and other cyberattacks. Works closely with the Network Operations Center and Help Desk. |
| SOO | Statement of Objectives (SOO) | A high-level document in an acquisition that lists the outcomes expected from a vendor performing work on a government contract. It is a more recent replacement for the traditional Statement of Work, and typically a simpler document than a Performance Work Statement. |
| SOP | Standard Operating Procedures (SOP) | The general term for agency-specific policy documents, used to describe the specific implementation of government-wide policies at an agency. |
| SORN | System of Records Notice (SORN) | A public notice that must be filed in the Federal Register whenever an agency wishes to collect data on individuals. |
| SOW | Statement of Work (SOW) | A document in an acquisition that lists the specific work items to be done by a vendor on a government contract. It is the traditional way of writing a contract, but more modern offices tend to prefer a Statement of Objectives or Performance Work Statement. |
| SSP | System Security Plan (SSP) | Most agencies require this documentation as part of the Authorization to Operate process. |
| TBM | Technology Business Management (TBM) | A framework for IT investment categorization, used in Capital Planning and Investment Control. |
| TRB | Technology Review Board (TRB) | An agency board to review the technology choices of software and systems, usually as part of the investment review process. Some agencies call this Architecture Review Board, or they may be separate boards. |
| TS/SCI | Top Secret / Sensitive Compartmented Information (TS/SCI) | A specialized security classification for some types of Top Secret information that require additional controls or special handling due to sensitivity. Also refers to the clearance level a person must have to view these documents. |
| TS | Top Secret (TS) | The highest level of security classification for information in government. Also refers to the clearance level a person must have to view these documents. |
| T&M | Time-and-Materials (T&M) | A type of contract where a vendor is paid based on labor hours. In contrast to Firm Fixed Price. |
| UX | User Experience (UX) | A digital design methodology that leverages human-centered design. Not to be mistaken with Customer Experience. |
| VAR | Value Added Reseller (VAR) | An intermediary company that resells the services of another. For contracts with large vendors, such as software or cloud companies, most agencies require going through a small business Value Added Reseller instead of contracting directly. |
| ZTA | Zero Trust Architecture (ZTA) | A modern cybersecurity methodology involving re-validating a user’s credentials on data access rather than system access. Main Zero Trust article |
| 2210 | 2210 Cybersecurity Job Code | Not technically an acronym, but a common phrase to refer to cybersecurity job roles, or sometimes any specialized information technology roles. |
| 3PAO | Third Party Assessment Organization (3PAO) | An external-to-government organization that evaluates the security of a product, usually as part of the FedRAMP process. |