Compliance Glossary

Plain-language definitions of operational compliance terms. Every entry cites the regulator and CFR or USC section. Updated for 2026 inflation-adjusted penalty figures.

Total terms: 65. Last updated: 2026-05-07.

Core Compliance Concepts

Audit Binder — An audit binder is a structured package of compliance documents organized in the format a specific regulator expects to …
Audit Readiness — Audit readiness is the state of being able to produce, on demand, the documentation a regulator or auditor would request…
Compliance Dashboard — A compliance dashboard is a centralized visual interface that displays an organization's real-time compliance status acr…
Compliance Management System (CMS) — A Compliance Management System (CMS) is the integrated set of policies, processes, controls, and tools that an organizat…
Compliance Maturity Model — A compliance maturity model is a tiered framework that describes how mature an organization's compliance program is, typ…
Compliance Program — A compliance program is the written set of policies, procedures, training, monitoring activities, and corrective actions…
Compliance Score — A compliance score is a quantitative metric that summarizes an organization's adherence to applicable regulatory require…
Operational Compliance — Operational compliance is the discipline of running day-to-day business activities so that every required document, trai…
Regulatory Compliance — Regulatory compliance is the act of conforming to laws, rules, and standards issued by federal, state, and local governm…

FMCSA / Trucking

CSA (Compliance, Safety, Accountability) — CSA stands for Compliance, Safety, Accountability — FMCSA's safety measurement and enforcement program for motor carrier…
Driver Qualification File (DQF) — A Driver Qualification File (DQF) is the personnel file that motor carriers must maintain for every commercial driver un…
Electronic Logging Device (ELD) — An Electronic Logging Device (ELD) is hardware connected to a commercial motor vehicle's engine that automatically recor…
FMCSA Drug and Alcohol Clearinghouse — The FMCSA Drug and Alcohol Clearinghouse is a federal database, operated by FMCSA under 49 CFR Part 382 Subpart G, that …
Hours of Service (HOS) — Hours of Service (HOS) regulations limit the time commercial motor vehicle drivers can spend driving and on duty, intend…
Out-of-Service Order (OOS) — An out-of-service (OOS) order is a regulatory action that prohibits a driver, commercial motor vehicle, or motor carrier…

OSHA / Workplace Safety

Fall Protection — Fall protection refers to the systems, equipment, and procedures used to prevent or arrest worker falls from elevated wo…
Lockout/Tagout (LOTO) — Lockout/Tagout (LOTO) refers to procedures and devices that prevent the unexpected energization, startup, or release of …
OSHA 300 Log — The OSHA 300 Log (Form 300, 'Log of Work-Related Injuries and Illnesses') is the workplace recordkeeping document requir…
Safety Data Sheet (SDS) — A Safety Data Sheet (SDS) is a structured document containing information about a hazardous chemical, including its iden…

Healthcare / HIPAA / CMS

340B Drug Pricing Program — The 340B Drug Pricing Program at Section 340B of the Public Health Service Act (42 USC 256b) requires drug manufacturers…
Anti-Kickback Statute (AKS) — The Anti-Kickback Statute at 42 USC 1320a-7b(b) makes it a felony to knowingly and willfully offer, pay, solicit, or rec…
Deemed Status (Medicare Accreditation) — Deemed status is the recognition by CMS that a healthcare organization accredited by an approved accrediting organizatio…
EMTALA (Emergency Medical Treatment and Labor Act) — The Emergency Medical Treatment and Labor Act (EMTALA) at 42 USC 1395dd requires Medicare-participating hospitals with e…
F-Tag (CMS Survey Citation) — F-Tag is the citation code system used by CMS (Centers for Medicare and Medicaid Services) state surveyors to identify d…
FPPE / OPPE (Performance Evaluation) — Focused Professional Practice Evaluation (FPPE) and Ongoing Professional Practice Evaluation (OPPE) are Joint Commission…
HIPAA (Health Insurance Portability and Accountability Act) — HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the US federal law that establishes national …
HIPAA Security Rule — The HIPAA Security Rule at 45 CFR Part 164 Subpart C establishes national standards for protecting electronic Protected …
Joint Commission Accreditation — The Joint Commission is an independent, nonprofit organization that accredits healthcare organizations and programs in t…
QAPI (Quality Assessment and Performance Improvement) — Quality Assessment and Performance Improvement (QAPI) is the data-driven and proactive approach to quality improvement r…
Stark Law (Physician Self-Referral) — The Physician Self-Referral Law (commonly 'Stark Law') at 42 USC 1395nn and 42 CFR 411.350-389 prohibits physicians from…

Cybersecurity / Cyber Compliance

C3PAO (Certified Third-Party Assessor Organization) — A C3PAO (Certified Third-Party Assessor Organization) is an organization authorized by Cyber AB (the CMMC Accreditation …
CMMC (Cybersecurity Maturity Model Certification) — The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense framework for verifying that defen…
Controlled Unclassified Information (CUI) — Controlled Unclassified Information (CUI) is information requiring safeguarding or dissemination controls per laws, regu…
DFARS 252.204-7012 — DFARS 252.204-7012 ('Safeguarding Covered Defense Information and Cyber Incident Reporting') is the contract clause in t…
DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) — The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the Department of Defense government assessment …
Federal Contract Information (FCI) — Federal Contract Information (FCI) is information not intended for public release that is provided by or generated for t…
ISO 27001 — ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). It specifies requireme…
NIST SP 800-171 — NIST Special Publication 800-171 ('Protecting Controlled Unclassified Information in Nonfederal Systems and Organization…
Plan of Action & Milestones (POAM) — A Plan of Action & Milestones (POAM) is a formal document tracking security weaknesses or controls that are not yet full…
SOC 2 (Service Organization Control 2) — SOC 2 (Service Organization Control 2) is an attestation framework developed by the American Institute of Certified Publ…
System Security Plan (SSP) — A System Security Plan (SSP) is a comprehensive document describing how an organization implements security requirements…

Cannabis / METRC

Cannabis Recall — A cannabis recall is the regulated removal of cannabis products from the supply chain due to potential health risks (fai…
Cannabis Regulatory Authority (CRA) — A Cannabis Regulatory Authority (CRA) is the state-level government agency that licenses and regulates the cultivation, …
Cannabis Transport Manifest — A cannabis transport manifest is the document required by state Cannabis Regulatory Authorities that accompanies every t…
Cannabis Vault Storage — Cannabis vault storage refers to the secured storage area required by state Cannabis Regulatory Authorities for keeping …
Certificate of Analysis (COA) — A Certificate of Analysis (COA) is the laboratory-issued document that reports the results of required testing for a can…
IRS 280E (Cannabis Federal Tax Rule) — Section 280E of the Internal Revenue Code disallows ordinary business deductions for any trade or business that consists…
METRC (Cannabis Track and Trace) — METRC (Marijuana Enforcement Tracking Reporting Compliance) is the seed-to-sale tracking system used by most US state ca…
Responsible Vendor Training — Responsible Vendor Training is state-mandated education that cannabis dispensary employees must complete before serving …
Seed-to-Sale Tracking — Seed-to-sale tracking is the cannabis industry term for the comprehensive surveillance of every cannabis plant and produ…

EPA / Environmental

e-Manifest (Hazardous Waste) — EPA's e-Manifest system (also known as the Hazardous Waste Electronic Manifest System) is the national electronic platfo…
EPCRA Tier II Reporting — EPCRA Tier II is the annual hazardous chemical inventory report required under Section 312 of the Emergency Planning and…
RCRA (Resource Conservation and Recovery Act) — The Resource Conservation and Recovery Act (RCRA) is the principal US federal law governing the disposal of solid and ha…
SPCC (Spill Prevention, Control, and Countermeasure) — An SPCC (Spill Prevention, Control, and Countermeasure) Plan is a written plan required under EPA's Oil Pollution Preven…
Stormwater NPDES Permit — Stormwater NPDES (National Pollutant Discharge Elimination System) permits regulate stormwater discharges to surface wat…
Title V Air Permit — Title V of the Clean Air Act establishes federal operating permits for major stationary sources of air pollution. Major …
Underground Storage Tank (UST) — Underground Storage Tanks (USTs) are tanks (or tank-and-piping systems) with at least 10% of the volume below ground sur…
Used Oil (40 CFR Part 279) — Used oil is petroleum-based or synthetic oil that has been used and contaminated by physical or chemical impurities. EPA…

Aviation / FAA

A&P Mechanic / Inspection Authorization (IA) — An Airframe and Powerplant (A&P) mechanic is an individual certificated under 14 CFR Part 65 to perform maintenance and …
Airworthiness Directive (AD) — An Airworthiness Directive is an FAA-issued legally binding document under 14 CFR Part 39 requiring inspection, modifica…
FAA Part 135 (On-Demand Charter) — 14 CFR Part 135 ('Operating Requirements: Commuter and On-Demand Operations') governs commercial commuter and on-demand …
FAA Part 145 (Repair Station) — 14 CFR Part 145 governs FAA-certificated repair stations — the regulatory framework for maintenance, repair, and overhau…
FAA Part 91 (General Aviation) — 14 CFR Part 91 ('General Operating and Flight Rules') is the foundational FAA regulation for civil aircraft operations i…
Remote Pilot Certificate (Part 107) — A Remote Pilot Certificate is the FAA certification required under 14 CFR Part 107 to operate small unmanned aircraft (d…