COMSEC equipment |
Equipment designed to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and, subsequently, by reconverting such information to its original form for authorized recipients; also, equipment designed specifically to aid in, or as an essential element of, the conversion process. COMSEC equipment includes cryptographic-equipment, crypto-ancillary equipment, cryptographic production equipment, and authentication equipment. |
|
|
COMSEC facility |
The space used for generating, storing, repairing, or using COMSEC material. The COMSEC material may be in either physical or electronic form. Unless otherwise noted, the term "COMSEC facility" refers to all types of COMSEC facilities, including telecommunications facilities, and includes platforms such as ships, aircraft, and vehicles. |
|
|
COMSEC incident |
Any occurrence that potentially jeopardizes the security of COMSEC material or the secure transmission of national security information. COMSEC Incident includes Cryptographic Incident, Personnel Incident, Physical Incident, and Protective Technology/Package Incident. |
|
|
COMSEC Incident Monitoring Activity (CIMA) |
The office within a department or agency maintaining a record of COMSEC incidents caused by elements of that department or agency, and ensuring all actions required of those elements are completed. |
|
|
COMSEC insecurity |
A COMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information. |
|
|
COMSEC manager (C.F.D.) |
Individual who manages the COMSEC resources of an organization. |
|
|
COMSEC material |
Item(s) designed to secure or authenticate telecommunications. COMSEC material includes, but is not limited to, key, equipment, modules, devices, documents, hardware, firmware, or software that embodies or describes cryptographic logic and other items that perform COMSEC functions. This includes Controlled Cryptographic Item (CCI) equipment, Cryptographic High Value Products (CHVP) and other Suite B equipment, etc. |
|
|
COMSEC module (C.F.D.) |
Removable component that performs COMSEC functions in a telecommunications equipment or system. |
|
|
COMSEC monitoring |
The act of listening to, copying, or recording transmissions of one's own official telecommunications to provide material for analysis in order to determine the degree of security being provided to those transmissions. |
|
|
COMSEC profile (C.F.D.) |
Statement of COMSEC measures and materials used to protect a given operation, system, or organization. |
|
|
COMSEC service authority |
See service authority. |
|
|
COMSEC software |
Includes all types of COMSEC material, except key, in electronic or physical form. This includes all classifications of unencrypted software, and all associated data used to design, create, program, or run that software. It also includes all types of source/executable/object code and associated files that implement, execute, embody, contain, or describe cryptographic mechanisms, functions, capabilities, or requirements. COMSEC software also includes transmission security (TRANSEC) software and may include any software used for purposes of providing confidentiality, integrity, authentication, authorization, or availability services to information in electronic form. |
|
|
COMSEC survey (C.F.D.) |
Organized collection of COMSEC and communications information relative to a given operation, system, or organization. |
|
|
COMSEC system data (C.F.D.) |
Information required by a COMSEC equipment or system to enable it to properly handle and control key. |
|
|
COMSEC training |
Teaching of skills relating to COMSEC accounting and the use of COMSEC aids. |
|
|
concept of operations (CONOP) |
See security concept of operations. |
|
|
confidentiality |
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. |
|
|
configuration control |
Process of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications prior to, during, and after system implementation. |
|
|
configuration control board (CCB) |
Establishment of and charter for a group of qualified people with responsibility for the process of controlling and approving changes throughout the development and operational lifecycle of products and systems; may also be referred to as a change control board. |
|
|
configuration item |
An aggregation of information system components that is designated for configuration management and treated as a single entity in the configuration management process. |
|
|
configuration management |
A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle. |
|
|
configuration settings |
The set of parameters that can be changed in hardware, software, or firmware that affect the security posture and/or functionality of the information system. |
|
|
consent banner |
See security banner (also known as notice and consent banners). |
|
|
contamination |
See spillage. |
|
|
content signing certificate |
A certificate issued for the purpose of digitally signing information (content) to confirm the author and guarantee that the content has not been altered or corrupted since it was signed by use of a cryptographic hash. |
|
|
contingency key |
Key held for use under specific operational conditions or in support of specific contingency plans. |
|
|
contingency plan |
Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the continuity of operations plan (COOP) or disaster recovery plan (DRP) for major disruptions. |
|
|
continuity of government (COG) |
A coordinated effort within the Federal Government's executive branch to ensure that national essential functions continue to be performed during a catastrophic emergency. |
|
|
continuity of operations plan |
A predetermined set of instructions or procedures that describe how an organization’s mission-essential functions will be sustained within 12 hours and for up to 30 days as a result of a disaster event before returning to normal operations. |
|
|
continuous monitoring |
Maintaining ongoing awareness to support organizational risk decisions. |
|
|
control correlation identifier (CCI) |
Decomposition of a National Institute of Standards and Technology (NIST) control into a single, actionable, measurable statement. |
|
|
controlled access area |
The complete building or facility area under direct physical control within which unauthorized persons are denied unrestricted access and are either escorted by authorized personnel or are under continuous physical or electronic surveillance. |
|
|
controlled access protection (C.F.D.) |
Minimum set of security functionality that enforces access control on individual users and makes them accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation. |
|
|
controlled area |
Any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system. |
|
|
controlled cryptographic item (CCI) |
Secure telecommunications or information system, or associated cryptographic component, that is unclassified and handled through the COMSEC material control system (CMCS), an equivalent material control system, or a combination of the two that provides accountability and visibility. Such items are marked “Controlled Cryptographic Item”, or, where space is limited, “CCI”. |
|
|
controlled cryptographic item (CCI) assembly |
A device approved by the National Security Agency (NSA) as a controlled cryptographic item, that embodies a cryptographic logic or other cryptographic design, and performs the entire COMSEC function, but is dependent upon the host equipment to operate. |
|
|
controlled cryptographic item (CCI) component |
A device approved by the National Security Agency as a controlled cryptographic item that embodies a cryptographic logic or other cryptographic design, and does not perform the entire COMSEC function but is dependent upon a host equipment or assembly to complete and operate the COMSEC function. |
|
|
controlled cryptographic item (CCI) equipment |
A telecommunications or information handling equipment that embodies a CCI component or CCI assembly and performs the entire COMSEC function without dependence on host equipment to operate. |
|
|
controlled interface |
A boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems. |
|
|
controlled space |
Three-dimensional space surrounding information system equipment, within which unauthorized individuals are denied unrestricted access and are either escorted by authorized individuals or are under continuous physical or electronic surveillance. |
|
|
controlled unclassified information (CUI) |
Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. |
|
|
controlled |
The online repository of information and policy regarding how authorized holders of CUI should handle such information. |
|
|
controlling authority (CONAUTH) |
The official responsible for directing the operation of a cryptonet using traditional key and for managing the operational use and control of keying material assigned to the cryptonet. |
|
|
controlling domain |
The domain that assumes the greater risk and thus enforces the most restrictive policy. |
|
|
cookie |
A piece of state information supplied by a Web server to a browser, in a response for a requested resource, for the browser to store temporarily and return to the server on any subsequent visits or requests. |
|
|
cooperative key generation (CKG) |
Electronically exchanging functions of locally generated, random components, from which both terminals of a secure circuit construct traffic encryption key or key encryption key for use on that circuit. See per-call key. |
|
|
cooperative remote rekeying |
Synonymous with manual remote rekeying. |
|
|
correctness proof |
A mathematical proof of consistency between a specification and its implementation. |
|
|
counterintelligence |
Counterintelligence means information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities. |
|
|
countermeasures |
Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards. |
|
|
courier |
A duly authorized and trustworthy individual who has been officially designated to transport/carry material, and if the material is classified, is cleared to the level of material being transported. |
|
|
course of action (risk response) |
A time-phased or situation-dependent combination of risk response measures. See risk response. |
|
|
cover (TRANSEC) |
Result of measures used to obfuscate message externals to resist traffic analysis. |
|
|
coverage |
An attribute associated with an assessment method that addresses the scope or breadth of the assessment objects included in the assessment (e.g., types of objects to be assessed and the number of objects to be assessed by type). The values for the coverage attribute, hierarchically from less coverage to more coverage, are basic, focused, and comprehensive. |
|
|
covert channel |
An unintended or unauthorized intra-system channel that enables two cooperating entities to transfer information in a way that violates the system's security policy but does not exceed the entities' access authorizations. |
|
|
covert channel analysis |
Determination of the extent to which the security policy model and subsequent lower-level program descriptions may allow unauthorized access to information. |
|
|
covert storage channel |
A system feature that enables one system entity to signal information to another entity by directly or indirectly writing a storage location that is later directly or indirectly read by the second entity. See: covert channel. |
|
|
covert timing channel |
A system feature that enables one system entity to signal information to another by modulating its own use of a system resource in such a way as to affect system response time observed by the second entity. See: covert channel. |
|
|
credential |
1. Evidence or testimonials that support a claim of identity or assertion of an attribute and usually are intended to be used more than once. 2. Evidence attesting to one’s right to credit or authority. Source: FIPS PUB 201-1 Source: NIST SP 800-63-2 |
|
|
credential service provider (CSP) |
A trusted entity that issues or registers subscriber tokens and issues electronic credentials to subscribers. The CSP may encompass registration authorities (RAs) and verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. |
|
|
critical component |
A component which is or contains information and communications technology (ICT), including hardware, software, and firmware, whether custom, commercial, or otherwise developed, and which delivers or protects mission critical functionality of a system or which, because of the system’s design, may introduce vulnerability to the mission critical functions of an applicable system. |
|
|
critical infrastructure |
System and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. |
|
|
critical infrastructure sectors |
Information technology; telecommunications; chemical; transportation systems, including mass transit, aviation, maritime, ground/surface, and rail and pipeline systems; emergency services; and postal and shipping. |
|
|
critical security parameter |
Security-related information (e.g., secret and private cryptographic keys, and authentication data such as passwords and personal identification numbers (PINs)) whose disclosure or modification can compromise the security of a cryptographic module. |
|
|
criticality |
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. |
|
|
criticality analysis |
An end-to-end functional decomposition performed by systems engineers to identify mission critical functions and components. Includes identification of system missions, decomposition into the functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions. Criticality is assessed in terms of the impact of function or component failure on the ability of the component to complete the system mission(s). |
|
|
criticality level |
Refers to the (consequences of) incorrect behavior of a system. The more serious the expected direct and indirect effects of incorrect behavior, the higher the criticality level. |
|
|
cross certificate |
A certificate issued from a certificate authority (CA) that signs the public key of another CA not within its trust hierarchy that establishes a trust relationship between the two CAs. |
|
|
cross domain |
The act of manually and/or automatically accessing and/or transferring information between different security domains. |
|
|
cross domain baseline list |
A list managed by the unified cross domain services management office (UCDSMO) that identifies CDSs that are available for deployment within the Department of Defense (DoD) and intelligence community (IC). |
|
|
cross domain capabilities |
The set of functions that enable the transfer of information between security domains in accordance with the policies of the security domains involved. |
|
|
cross domain enabled |
Applications/services that exist on and are capable of interacting across two or more different security domains. |
|
|
cross domain portal |
A single web-site providing access to cross domain services. |
|
|
cross domain service |
Services that provide access and/or transfer of information between different security domains. |
|
|
cross domain solution (CDS) |
A form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains. |
|
|
cross domain solution (CDS) filtering |
The process of inspecting data as it traverses a cross domain solution and determines if the data meets pre-defined policy. |
|
|
cross domain sunset list |
A list managed by the unified cross domain services management office (UCDSMO) that identifies cross domain solutions (CDSs) that are or have been in operation, but are no longer available for additional deployment and need to be replaced within a specified period of time. |
|
|
cross-certificate |
1. A certificate used to establish a trust relationship between two certification |
|
|
cryptanalysis |
1. Operations performed in defeating cryptographic protection without an initial knowledge of the key employed in providing the protection. |
|
|
CRYPTO |
The marking or designator identifying unencrypted COMSEC keying material used to secure or authenticate telecommunications carrying classified or sensitive U.S. Government or U.S. Government-derived information. This includes non-split keying material used to encrypt/decrypt COMSEC critical software and software based algorithms. |
|
|
cryptographic |
Pertaining to, or concerned with, cryptography. |
|
|
cryptographic alarm |
Circuit or device that detects failures or aberrations in the logic or operation of cryptographic equipment. Crypto-alarm may inhibit transmission or may provide a visible and/or audible alarm. |
|
|
cryptographic algorithm (crypto-algorithm) |
1. A well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output. |
|
|
cryptographic ancillary equipment (crypto-ancillary equipment) |
Equipment designed specifically to facilitate efficient or reliable operation of cryptographic equipment, but which does not itself perform cryptographic functions. |
|
|
cryptographic binding |
Associating two or more related elements of information using cryptographic techniques. |
|
|
cryptographic boundary |
Explicitly defined continuous perimeter that establishes the physical and/or logical bounds of a cryptographic module and contains all the hardware, software, and/or firmware components of a cryptographic module. |
|
|
cryptographic component |
The hardware or firmware embodiment of the cryptographic logic in a secure telecommunications or automated information processing system. A cryptographic component may be a modular assembly, a printed wiring assembly (PWA), a microcircuit, or a combination of these items. |
|
|
cryptographic equipment (cryptoequipment) |
Equipment that embodies a cryptographic logic. |
|
|
cryptographic erase |
A method of sanitization in which the media encryption key (MEK) for the encrypted Target Data is sanitized, making recovery of the decrypted Target Data infeasible. |
|
|
cryptographic high value product (CHVP) |
NSA-approved products incorporating only UNCLASSIFIED components and UNCLASSIFIED cryptographic algorithms. This does include COTS products approved by NSA, but does not include composed commercial solutions or their components, unless an individual component has been approved as a CHVP. Unkeyed CHVPs are not classified or designated as controlled cryptographic item (CCI). |
|
|
cryptographic ignition key (CIK) |
Device or electronic key used to unlock the secure mode of cryptographic equipment. |
|
|
cryptographic incident |
Any uninvestigated or unevaluated equipment malfunction or operator or COMSEC Account Manager error that has the potential to jeopardize the cryptographic security of a machine, off-line manual cryptosystem OR any investigated or evaluated occurrence that has been determined as not jeopardizing the cryptographic security of a cryptosystem. |
|
|
cryptographic initialization |
Function used to set the state of a cryptographic logic prior to key generation, encryption, or other operating mode. |
|
|
cryptographic logic |
The embodiment of one (or more) cryptographic algorithm(s) along with alarms, checks, and other processes essential to effective and secure performance of the cryptographic process(es). |
|
|
cryptographic material (cryptomaterial) |
All material, including documents, devices, or equipment that contains cryptographic information and is essential to the encryption, decryption, or authentication of telecommunications. |
|
|
cryptographic net (cryptonet) |
Stations that hold a common key. |
|
|
cryptographic period (cryptoperiod) |
The time span during which each key setting remains in effect. |
|
|
cryptographic product |
A cryptographic key (public, private, or shared) or public key certificate, used for encryption, decryption, digital signature, or signature verification; and other items, such as compromised key lists (CKL) and certificate revocation lists (CRL), obtained by trusted means from the same source which validate the authenticity of keys or certificates. Protected software which generates or regenerates keys or certificates may also be considered a cryptographic product. |
|
|
cryptographic randomization |
Function that randomly determines the transmit state of a cryptographic logic. |
|
|
cryptographic security (cryptosecurity) |
Component of COMSEC that results from the provision of technically sound cryptographic systems and their proper use. |
|
|
cryptographic solution |
The generic term for a cryptographic device, COMSEC equipment, or combination of such devices/equipment containing either a classified algorithm or an unclassified algorithm. |
|
|
cryptographic synchronization |
Process by which a receiving decrypting cryptographic logic attains the same internal state as the transmitting encrypting logic. |
|
|
cryptology |
The mathematical science that deals with cryptanalysis and cryptography. |
|
|
cryptonet evaluation report |
A free form message from the electronic key management system (EKMS) Tier 1 that includes the Controlling Authority’s ID and Name, Keying Material Information, Description/Cryptonet Name, Remarks, and Authorized User Information. |
|
|
cyber incident |
Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein. See incident. See also event, security-relevant event, and intrusion. |
|
|
cybersecurity |
Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. |
|
|
cyberspace |
The interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. |
|
|
cyberspace attack |
Cyberspace actions that create various direct denial effects (i.e. degradation, disruption, or destruction) and manipulation that leads to denial that is hidden or that manifests in the physical domains. |
|
|
cyberspace capability |
A device, computer program, or technique, including any combination of software, firmware, or hardware, designed to create an effect in or through cyberspace. |
|
|
cyberspace defense |
Actions normally created within DoD cyberspace for securing, operating, and defending the DoD information networks. Specific actions include protect, detect, characterize, counter, and mitigate. |
|
|
cyberspace operations (CO) |
The employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace. |
|
|
cyberspace superiority |
The degree of dominance in cyberspace by one force that permits |
|
|
cyclic redundancy check (CRC) |
A type of checksum algorithm that is not a cryptographic hash but is used to implement data integrity service where accidental changes to data are expected. |
|
|
data |
Information in a specific representation, usually as a sequence of symbols that have meaning. |
|
|
data aggregation |
Compilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary. |
|
|
data asset |
1. Any entity that is comprised of data. For example, a database is a data asset that is comprised of data records. A data asset may be a system or application output file, database, document, or web page. A data asset also includes a service that may be provided to access data from an application. For example, a service that returns individual records from a database would be a data asset. Similarly, a web site that returns data in response to specific queries (e.g., www.weather.com) would be a data asset. |
|
|
data element |
A basic unit of information that has a unique meaning and subcategories (data items) of distinct value. Examples of data elements include gender, race, and geographic location. |
|
|
data flow control |
See information flow control. |
|
|
data governance |
A set of processes that ensures that data assets are formally managed throughout the enterprise. A data governance model establishes authority and management and decision making parameters related to the data produced or managed by the enterprise. |
|
|
data integrity |
The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. |
|
|
data loss |
The exposure of proprietary, sensitive, or classified information through either data theft or data leakage. |
|
|
data loss prevention |
A system's ability to identify, monitor, and protect data in use (e.g. endpoint actions), data in motion (e.g. network actions), and data at rest (e.g. data storage) through deep packet content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing, recipient/destination, etc.), within a centralized management framework. Data loss prevention capabilities are designed to detect and prevent the unauthorized use and transmission of NSS information. |
|
|
data mining |
An analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery. |
|
|
data origin authentication |
The corroboration that the source of data received is as claimed. |
|
|
may be used to trace the origin of a piece of information processed by community resources. |
|||
data spillage |
See spillage. |
||
data tag |
A non-hierarchical keyword or term assigned to a piece of information which helps describe an item and allows it to be found or processed automatically. |
||
data transfer device (DTD) (COMSEC) |
Fill device designed to securely store, transport, and transfer electronically both COMSEC and TRANSEC key, designed to be backward compatible with the previous generation of COMSEC common fill devices, and programmable to support modern mission systems. |
||
data transfer solution |
Interconnect networks or information systems that operate in different security domains and transfer data between them. |
||
decertification |
Revocation of the certification of an information system item or equipment for cause. |
||
decipher |
Convert enciphered text to plain text by means of a cryptographic system. |
||
decode |
Convert encoded data back to its original form of representation. |
||
decrypt |
A generic term encompassing decoding and deciphering. |
||
default classification |
Classification reflecting the highest classification being processed in an information system. Default classification is included in the caution statement affixed to an object. |
||
defense-in-breadth |
A planned, systematic set of multi-disciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or sub-component lifecycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement). |
||
defense-in-depth |
Information Security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. |
||
defensive cyberspace operations (DCO) |
Passive and active cyberspace operations intended to preserve the ability to utilize friendly cyberspace capabilities and protect data, networks, net-centric capabilities, and other designated systems. |
||
defensive cyberspace operation response action (DCO-RA) |
Deliberate, authorized defensive measures or activities taken outside of the defended network to protect and defend Department of Defense (DoD) cyberspace capabilities or other designated systems. |
||
degauss |
To reduce the magnetic flux to virtual zero by applying a reverse magnetizing field. Also called demagnetizing. |
||
deleted file |
A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data. |
||
delivery-only client (DOC) (C.F.D.) |
A configuration of a client node that enables a DOA agent to access a primary services node (PRSN) to retrieve KMI products and access KMI services. A DOC consists of a client platform but does not include an AKP. |
||
demilitarize |
The process of preparing National Security System equipment for disposal by extracting all CCI, classified, or CRYPTO-marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk. |
||
demilitarized zone (DMZ) |
1. Perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s Information Assurance (IA) policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks. |
||
denial of service (DoS) |
The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.) |
||
Department of Defense information network operations |
Operations to design, build, configure, secure, operate, maintain, and sustain Department of Defense networks to create and preserve information assurance on the Department of Defense information networks. |
||
Department of Defense information networks (DODIN) |
The globally interconnected, end-to-end set of information capabilities, and associated processes for collecting, processing, storing, disseminating, and managing information on-demand to warfighters, policy makers, and support personnel, including owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and national security systems. |
||
depth |
An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method. The values for the depth attribute, hierarchically from less depth to more depth, are basic, focused, and comprehensive. |
||
derived credential |
A credential issued based on proof of possession and control of a token associated with a previously issued credential, so as not to duplicate the identity proofing process. |
||
designated approval authority |
Official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with authorizing official, designated accrediting authority, and delegated accrediting authority. |
||
destroy |
A method of sanitization that renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data. |
||
developer |
A general term that includes: (i) developers or manufacturers of information systems, system components, or information system services; (ii) systems integrators; (iii) vendors; (iv) and product resellers. Development of systems, components, or services can occur internally within organizations (i.e., in-house development) or through external entities. |
||
device distribution profile |
An approval-based access control list (ACL) for a specific product that 1) names the user devices in a specific KMI operating account (KOA) to which primary services nodes (PRSNs) distribute the product and 2) states conditions of distribution for each device. |
||
device registration manager |
The management role that is responsible for performing activities related to registering users that are devices. |
||
digital forensics |
In its strictest connotation, the application of computer science and investigative procedures involving the examination of digital evidence - following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony. |
||
digital media |
A form of electronic media where data are stored in digital (as opposed to analog) form. |
||
digital signature |
The result of a cryptographic transformation of data that, when properly implemented, provides the services of: 1. origin authentication, 2. data integrity, and 3. signer non-repudiation. |
||
direct BLACK wireline |
A BLACK metallic wireline that directly leaves the inspectable space in a continuous electrical path with no signal interruption or isolation. Continuous wirelines may be patched or spliced. Examples of wirelines that directly leave the inspectable space are analog telephone lines, commercial television cables, and alarm lines. Wirelines that do not leave the inspectable space are wirelines that pass through a digital switch or converter that reestablishes the signal level or reformats the signaling. Examples of BLACK wirelines that do not directly leave the inspectable space are telephone lines that connect to digital telephone switches, Ethernet lines that connect to digital network routers and alarm lines that connect to an alarm panel. |
||
directory service (D/S) |
Repository of account registration. |
||
dirty word list |
List of words that have been pre-defined as being unacceptable for transmission and may be used in conjunction with a clean word list to avoid false negatives (e.g., secret within secretary). |
||
disaster recovery plan (DRP) |
1. Management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The DRP is the second plan needed by the enterprise risk managers and is used when the enterprise must recover (at its original facilities) from a loss of capability over a period of hours or days. See continuity of operations plan (COOP) and contingency plan. |
||
discretionary access control (DAC) |
An access control policy that is enforced over all subjects and objects in an information system where the policy specifies that a subject that has been granted access to information can do one or more of the following: (i) pass the information to other subjects or objects; (ii) grant its privileges to other subjects; (iii) change security attributes on subjects, objects, information systems, or system components; (iv) choose the security attributes to be associated with newly-created or revised objects; or (v) change the rules governing access control. Mandatory access controls restrict this capability. |
||
disruption |
An unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction). |
||
distinguished name (DN) |
An identifier that uniquely represents an object in the X.500 directory information tree. |
||
distinguishing identifier |
Information which unambiguously distinguishes an entity in the authentication process. |
||
distributed denial of service (DDoS) |
A denial of service technique that uses numerous hosts to perform the attack. |
||
DoD information |
Any information that has not been cleared for public release in accordance with Department of Defense (DoD) Directive 5230.09, “Clearance of DoD Information for Public Release”, and that has been collected, developed, received, transmitted, used, or stored by DoD, or by a non-DoD entity in support of an official DoD activity. |
||
domain |
An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture. See security domain. |
||
dynamic subsystem |
A subsystem that is not continually present during the execution phase of an information system. Service-oriented architectures and cloud computing architectures are examples of architectures that employ dynamic subsystems. |
||
e-government (e-gov) (C.F.D.) |
The use by the U.S. Government of web-based Internet applications and other information technology. |
||
effective period |
Time span during which each COMSEC key edition (i.e., multiple key segments) remains in effect. |
||
electronic authentication (e-authentication) |
The process of establishing confidence in user identities electronically presented to an information system. |
||
electronic business (e-business) (C.F.D.) |
Doing business online. |
||
electronic credentials |
Digital documents used in authentication that bind an identity or an attribute to a subscriber's authenticator. |
||
electronic fill device (EFD) |
A COMSEC item used to transfer or store key in electronic form or to insert key into cryptographic equipment. |
||
electronic key management system (EKMS) |
An interoperable collection of systems that automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic key and management of other types of COMSEC material. |
||
electronic messaging services |
Services providing interpersonal messaging capability; meeting specific functional, management, and technical requirements; and yielding a business-quality electronic mail service suitable for the conduct of official government business. |
||
electronic signature (C.F.D.) |
See digital signature. |
||
electronically generated key |
Key generated in a COMSEC device by introducing (either mechanically or electronically) a seed key into the device and then using the seed, together with a software algorithm stored in the device, to produce the desired key. |
||
emission security (EMSEC) |
The component of communications security that results from all measures taken to deny unauthorized persons information of value that might be derived from intercept and analysis of compromising emanations from cryptoequipment and information systems. See TEMPEST. |
||
embedded computer (C.F.D.) |
Computer system that is an integral part of a larger system. |
||
emergency action plan (EAP) |
A plan developed to prevent loss of national intelligence; protect personnel, facilities, and communications; and recover operations damaged by terrorist attack, natural disaster, or similar events. |
||
encipher |
See encrypt. |
||
enclave |
A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter. |
||
enclave boundary |
Point at which an enclave’s internal network service layer connects to an external network’s service layer, i.e., to another enclave or to a wide area network (WAN). |
||
encode |
Use a system of symbols to represent information, which might originally have some other representation. Example: Morse code. |
||
encrypt |
Cryptographically transform data to produce cipher text. |
||
encrypted key |
Key that has been encrypted in a system approved by the National Security Agency (NSA) for key encryption. |
||
encryption |
The cryptographic transformation of data to produce ciphertext. |
||
encryption algorithm |
Set of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key. |
||
encryption certificate |
A certificate containing a public key that can encrypt or decrypt electronic messages, files, documents, or data transmissions, or establish or exchange a session key for these same purposes. Key management sometimes refers to the process of storing, protecting, and escrowing the private component of the key pair associated with the encryption certificate. |
||
end cryptographic unit (ECU) |
Device that 1) performs cryptographic functions, 2) typically is part of a larger system for which the device provides security services, and 3) from the viewpoint of a supporting security infrastructure (e.g., a key management system) is the lowest level of identifiable component with which a management transaction can be conducted. |
||
end-item accounting |
Accounting for all the accountable components of a COMSEC equipment configuration by a single short title. |
||
end-to-end encryption |
Communications encryption in which data is encrypted when being passed through a network, but routing information remains visible. |
||
end-to-end security |
Safeguarding information in an information system from point of origin to point of destination. |
||
enrollment manager |
The management role that is responsible for assigning user identities to management and non-management roles. |
||
enterprise |
An organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information and mission management. |
||
enterprise architecture (EA) |
A strategic information asset base that defines the mission, the information necessary to perform the mission, the technologies necessary for performing the mission, and the transitional process for implementing new technologies in response to changing mission needs. The EA includes a baseline architecture, target architecture, and sequencing plan. |
||
enterprise cross domain services (ECDS) |
A cross domain solution provided as a system across an enterprise infrastructure, fully integrated to provide the ability to access or transfer information between two or more security domains. |
||
enterprise cross domain services (ECDS) provider |
An organization that establishes, manages and maintains the overall infrastructure and security posture offering automated capabilities to users and applications within an enterprise environment for information sharing across and among security domains. |
||
enterprise-hosted cross domain solutions |
A point-to-point cross domain solution (CDS) that is managed by an enterprise cross domain service (ECDS) provider that may be available to additional users within the enterprise with little or no modifications. |
||
enterprise risk management |
The methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary. |
||
enterprise service |
A set of one or more computer applications and middleware systems hosted on computer hardware that provides standard information systems capabilities to end users and hosted mission applications and services. |
||
environment of operation |
The physical, technical, and organizational setting in which an information system operates, including but not limited to: missions/business functions; mission/business processes; threat space; vulnerabilities; enterprise and information security architectures; personnel; facilities; supply chain relationships; information technologies; organizational governance and culture; acquisition and procurement processes; organizational policies and procedures; organizational assumptions, constraints, risk tolerance, and priorities/trade-offs. |
||
erasure |
Process intended to render magnetically stored information irretrievable by normal means. |
||
error detection code |
A code computed from data and comprised of redundant bits of information designed to detect, but not correct, unintentional changes in the data. |
||
evaluated products list (EPL) (C.F.D.) |
List of validated products that have been successfully evaluated under the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS). |
||
evaluating authority |
The official responsible for evaluating a reported COMSEC incident for the possibility of compromise. |
||
evaluation assurance level (EAL) (C.F.D.) |
Set of assurance requirements that represent a point on the Common Criteria predefined assurance scale. |
||
event |
Any observable occurrence in a network or system. |
||
examine |
A type of assessment method that is characterized by the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence, the results of which are used to support the determination of security control effectiveness over time. |
||
executive agency |
An executive department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91. |
||
exfiltration |
The unauthorized transfer of information from an information system. |
||
expected output |
Any data collected from monitoring and assessments as part of the information security continuous monitoring (ISCM) strategy. |
||
exploitable channel |
Channel that allows the violation of the security policy governing an information system and is usable or detectable by subjects external to the trusted computing base. See covert channel. |
||
eXtensible configuration checklist description format (XCCDF) |
A language for authoring security checklists/benchmarks and for reporting results of evaluating them. |
||
external information system (or component) |
An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. |
||
external information system service |
An information system service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. |
||
external information system service provider |
A provider of external information system services to an organization through a variety of consumer-producer relationships, including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. |
||
external network |
A network not controlled by the organization. |
||
external operational management role |
A role intended to be performed by a manager who is typically a member of a key management infrastructure (KMI) customer organization. |
||
extranet |
A computer network that an organization uses for application data traffic between the organization and its business partners. |
||
fail safe |
A mode of termination of system functions that prevents damage to specified system resources and system entities (i.e., specified data, property, and life) when a failure occurs or is detected in the system (but the failure still might cause a security compromise). |
||
fail secure |
A mode of termination of system functions that prevents loss of secure state when a failure occurs or is detected in the system (but the failure still might cause damage to some system resource or system entity). |
||
fail soft |
Selective termination of affected, non-essential system functions when a failure occurs or is detected in the system. |
||
failover |
The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system. |
||
failure access |
Type of incident in which unauthorized access to data results from hardware or software failure. |
||
failure control |
Methodology used to detect imminent hardware or software failure and provide fail safe or fail soft recovery. |
||
false acceptance |
When a biometric system incorrectly identifies a biometric subject or incorrectly authenticates a biometric subject against a claimed identity. |
||
false accept rate (FAR) |
Proportion of verification transactions with wrongful claims of identity that are incorrectly confirmed. |
||
false rejection |
The failure of a biometric system to identify a biometric subject or to verify the legitimate claimed identity of a biometric subject. |
||
false reject rate (FRR) |
Proportion of verification transactions with truthful claims of identity that are incorrectly denied. |
||
fault tree analysis |
A top-down, deductive failure analysis in which an undesired state of a system (top event) is analyzed using Boolean logic to combine a series of lower-level events. An analytical approach whereby an undesired state of a system is specified and the system is then analyzed in the context of its environment of operation to find all realistic ways in which the undesired event (top event) can occur. |
||
federal agency |
See executive agency. |
||
federal bridge certification authority (FBCA) |
The Federal Bridge certification authority (CA) consists of a collection of public key infrastructure (PKI) components (Certificate Authorities, Directories, Certificate Policies and Certificate Practice Statements) that are used to provide peer to peer interoperability among Agency Principal Certification Authorities. |
||
federal enterprise architecture (FEA) |
A business-based framework that the Office of Management and Budget (OMB) developed for government-wide improvement in developing enterprise architectures (EAs) by providing a common framework to identify opportunities for simplifying processes and unifying work across the Federal Government. |
||
federal information processing standards (FIPS) |
A standard for adoption and use by Federal agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability. |
||
Federal Information Processing Standards (FIPS)-validated cryptography |
A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography. |
||
Federal Information Security |
Title III of the E-Government Act requiring each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. |
||
federal information system |
An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. |
||
file protection |
Aggregate of processes and procedures designed to inhibit unauthorized access, contamination, elimination, modification, or destruction of a file or any of its contents. |
||
fill device |
A COMSEC item used to transfer or store key in electronic form or to insert key into cryptographic equipment. The “Common Fill Devices” are the KYK-13, and KYK-15. Electronic fill devices include, but are not limited to, the DTD, SKL, SDS, and RASKI. |
||
FIREFLY |
Key management protocol based on public key cryptography. |
||
FIREFLY credential manager |
The key management entity (KME) responsible for removing outdated modern key credentials from the directory servers. |
||
firewall |
A gateway that limits access between networks in accordance with local security policy. |
||
firmware |
Computer programs and data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and data cannot be dynamically written or modified during execution of the programs. |
||
fixed COMSEC facility |
COMSEC facility located in an immobile structure or aboard a ship. |
||
flooding |
An attack that attempts to cause a failure in a system by providing more input than the system can process properly. |
||
focused observation |
The act of directed (focused) attention to a party or parties alleged to have violated Department/Agency (D/A) 'acceptable use' policies and agreements for NSS. The alleged violation may be caused by the aggregation of triggers indicating anomalous activity on a National Security System (NSS). The violation thresholds are arrived at by trigger events that meet established thresholds of anomalous activity or the observed violation of 'acceptable use' policies. |
||
focused testing |
A test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Also known as gray box testing. |
||
forensic copy |
An accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm. |
||
forensics |
The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data. |
||
formal access approval |
A formalization of the security determination for authorizing access to a specific type of classified or controlled unclassified information (CUI) categories or subcategories based on specified access requirements, a determination of the individual’s security eligibility, and a determination that the individual’s official duties require the individual be provided access to the information. |
||
formal method |
Software engineering method used to specify, develop, and verify the software through application of a rigorous mathematically based notation and language. |
||
formal policy model |
A description of specific behaviors or security policies using formal languages, thus enabling the correctness of those behaviors/policies to be formally proven. |
||
frequency hopping |
Repeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications. |
||
full/depot maintenance (COMSEC) |
Complete diagnostic repair, modification, and overhaul of COMSEC equipment, including repair of defective assemblies by piece part replacement. See limited maintenance. |
||
functional testing |
Segment of quality assurance testing in which advertised security mechanisms of an information system are tested against a specification. |
||
gateway |
An intermediate system (interface, relay) that attaches to two (or more) computer networks that have similar functions but dissimilar implementations and that enables either one-way or two-way communication between the networks. |
||
general support system (GSS) |
An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people. |
||
global information grid (GIG) (C.F.D.) |
The globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and National Security Systems. Non-GIG information technology (IT) includes stand-alone, self-contained, or embedded IT that is not, and will not be, connected to the enterprise network. |
||
government off the shelf (GOTS) |
A software and/or hardware product that is developed by the technical staff of a Government organization for use by the U.S. Government. GOTS software and hardware may be developed by an external entity, with specification from the Government organization to meet a specific Government purpose, and can normally be shared among Federal agencies without additional cost. GOTS products and systems are not commercially available to the general public. Sales and distribution of GOTS products and systems are controlled by the Government. |
||
gray box testing |
See focused testing. |
||
gray market |
Distribution channels which, while legal, are unofficial, unauthorized, or unintended by the original manufacturer. |
||
group authenticator |
Used, sometimes in addition to a sign-on authenticator, to allow access to specific data or functions that may be shared by all members of a particular group. |
||
guard (system) |
A computer system that (a) acts as gateway between two information systems operating under different security policies and (b) is trusted to mediate information data transfers between the two. |
||
hacker |
Unauthorized user who attempts to or gains access to an information system. |
||
hand receipt |
A document used to record temporary transfer of COMSEC material from a COMSEC Account Manager to a user or maintenance facility and acceptance by the recipient of the responsibility for the proper storage, control, and accountability of the COMSEC material. |
||
hand receipt holder |
A user to whom COMSEC material has been issued a hand receipt. Known in EKMS and KMI as a Local Element. |
||
handshake |
Protocol dialogue between two systems for identifying and authenticating themselves to each other, or for synchronizing their operations with each other. |
||
hard copy key |
Physical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories (PROMs). |
||
hardware |
The material physical components of an information system. See firmware and software. |
||
hardwired key |
Key that is permanently installed. |
||
hash value/result |
See message digest. |
||
hash-based message authentication code (HMAC) |
A message authentication code that uses a cryptographic key in conjunction with a hash function. |
||
hashing |
The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data. |
||
hashword (C.F.D.) |
Memory address containing hash total. |
||
High Assurance Internet Protocol Encryptor (HAIPE) |
Device that provides networking, traffic protection, and management features that provide information assurance (IA) services in an IPv4/IPv6 network. |
||
High Assurance Internet Protocol Encryptor Interoperability Specification (HAIPE-IS) |
Suite of documents containing the traffic protection, networking, and interoperability functional requirements necessary to ensure the interoperability of HAIPE compliant devices. This policy applies to HAIPE-IS Version 3.0.2 and all subsequent HAIPE-IS versions. |
||
high impact |
The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.) |
||
high-impact system |
An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS PUB 199 potential impact value of high. |
||
high-power transmitter |
For the purposes of determining separation between RED equipment/lines and RF transmitters, high-power is that which exceeds 100 m Watt (20dBm) emitted isotropic radiated power (EIRP). See low-power transmitter. |
||
honeypot |
A system (e.g., a web server) or system resource (e.g., a file on a server) that is designed to be attractive to potential crackers and intruders, like honey is attractive to bears. |
||
host |
A host is any hardware device that has the capability of permitting access to a network via a user interface, specialized software, network address, protocol stack, or any other means. Some examples include, but are not limited to, computers, personal electronic devices, thin clients, and multi-functional devices. |
||
host-based security |
A set of capabilities that provide a framework to implement a wide range of security solutions on hosts. This framework includes a trusted agent and a centralized management function that together provide automated protection to detect, respond, and report host-based vulnerabilities and incidents.
||
hot site |
A fully operational offsite data processing facility equipped with hardware and software, to be used in the event of an information system disruption. |
||
hybrid security control |
A security control that is implemented in an information system in part as a common control and in part as a system-specific control. See common control and system-specific security control. |
||
IA architecture |
A description of the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.
||
IA infrastructure |
The underlying security framework that lies beyond an enterprise’s defined boundary, but supports its information assurance (IA) and IA-enabled products, its security posture and its risk management plan. |
||
IA product |
Product whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control, non-repudiation of data); correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks. |
||
IA-enabled information technology product (C.F.D.) |
Product or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled web browsers, screening routers, trusted operating systems, and security-enabled messaging systems. |
||
IA-enabled product |
Product whose primary role is not security, but provides security services as an associated feature of its intended operating capabilities. |
||
identification |
The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items. |
||
identifier |
Unique data used to represent a person’s identity and associated attributes. A name or a card number are examples of identifiers. |
||
identity |
The set of physical and behavioral characteristics by which an individual is uniquely recognizable. |
||
identity-based access control |
Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity. |
||
identity certificate |
A certificate that provides authentication of the identity claimed. Within the National Security System (NSS) public key infrastructure (PKI), identity certificates may be used only for authentication or may be used for both authentication and digital signatures. |
||
Identity, Credential, and Access Management (ICAM) |
Programs, processes, technologies, and personnel used to create trusted digital identity representations of individuals and non-person entities (NPEs), bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions, and leverage the credentials to provide authorized access to an agency’s resources.
||
identity registration |
The process of making a person’s identity known to the personal identity verification (PIV) system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system. |
||
identity token |
Smart card, metal key, or other physical object used to authenticate identity. |
||
impact |
The effect on organizational operations, organizational assets, individuals, other organizations, or the Nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or an information system. |
||
impact level |
The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. |
||
impact value |
The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high. |
||
implant |
Electronic device or electronic equipment modification designed to gain unauthorized interception of information-bearing emanations. |
||
inadvertent disclosure |
Type of incident involving accidental exposure of information to an individual not authorized access. |
||
incident |
An occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. See cyber incident. See also event, security-relevant, and intrusion. |
||
incident handling |
The mitigation of violations of security policies and recommended practices. |
||
incident response |
See incident handling. |
||
incident response plan |
The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization’s information system(s).
||
independent validation authority (IVA) |
Entity that reviews the soundness of independent tests and system compliance with all stated security controls and risk mitigation actions. IVAs will be designated by the authorizing official as needed. |
||
independent verification & validation (IV&V) |
A comprehensive review, analysis, and testing (software and/or hardware) performed by an objective third party to confirm (i.e., verify) that the requirements are correctly defined, and to confirm (i.e., validate) that the system correctly implements the required functionality and security requirements.
||
indicator |
Recognized action, specific, generalized, or theoretical, that an adversary might be expected to take in preparation for an attack. |
||
individuals |
An assessment object that includes people applying specifications, mechanisms, or activities. |
||
individual accountability |
Ability to associate positively the identity of a user with the time, method, and degree of access to an information system. |
||
industrial control system (ICS) |
General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy). |
||
information |
1. Facts and ideas, which can be represented (encoded) as various forms of data. |
||
information and communications technology (ICT) |
Includes all categories of ubiquitous technology used for the gathering, storing, transmitting, retrieving, or processing of information (e.g., microelectronics, printed circuit boards, computing systems, software, signal processors, mobile telephony, satellite communications, and networks). |
||
information assurance (IA) |
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
||
information assurance (IA) professional (C.F.D.) |
Individual who works IA issues and has real world experience plus appropriate |
||
information assurance component (IAC) |
An application (hardware and/or software) that provides one or more Information Assurance capabilities in support of the overall security and operational objectives of a system. |
||
information assurance manager (IAM) (C.F.D.) |
See information systems security manager (ISSM). |
||
information assurance officer (IAO) (C.F.D.) |
See information systems security officer (ISSO). |
||
information assurance vulnerability alert (IAVA) |
Notification that is generated when an Information Assurance vulnerability may result in an immediate and potentially severe threat to DoD systems and information; this alert requires corrective action because of the severity of the vulnerability risk. |
||
information assurance vulnerability bulletin (IAVB) |
Addresses new vulnerabilities that do not pose an immediate risk to DoD systems, but are significant enough that noncompliance with the corrective action could escalate the risk. |
||
information domain |
A three-part concept for information sharing, independent of, and across information systems and security domains that 1) identifies information sharing participants as individual members, 2) contains shared information objects, and 3) provides a security policy that identifies the roles and privileges of the members and the protections required for the information objects. |
||
information environment |
The aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information. |
||
information flow control |
Procedure to ensure that information transfers within an information system are not made in violation of the security policy. |
||
information management |
The planning, budgeting, manipulating, and controlling of information throughout its life cycle. |
||
information operations (IO) |
The integrated employment, during military operations, of information-related capabilities in concert with other lines of operation to influence, disrupt, corrupt, or usurp the decision-making of adversaries and potential adversaries while protecting our own. Also called IO. |
||
information owner |
Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, classification, collection, processing, dissemination, and disposal. See information steward. |
||
information resources |
Information and related resources, such as personnel, equipment, funds, and information technology. |
||
information resources management (IRM) |
The planning, budgeting, organizing, directing, training, controlling, and management activities associated with the burden, collection, creation, use, and dissemination of information by agencies. |
||
information security |
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. |
||
information security architect |
Individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes. |
||
information security continuous monitoring (ISCM) |
Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. |
||
information security continuous monitoring (ISCM) process |
A process to: |
||
information security continuous monitoring (ISCM) program |
A program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls. |
||
information security policy |
Aggregate of directives, regulations, and rules that prescribe how an organization manages, protects, and distributes information. |
||
information security program plan |
Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. |
||
information security risk |
The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. See risk. |
||
information sharing environment (ISE) |
1. An approach that facilitates the sharing of terrorism and homeland security information. |
||
information steward |
Individual or group that helps to ensure the careful and responsible management of federal information belonging to the Nation as a whole, regardless of the entity or source that may have originated, created, or compiled the information. Information stewards provide maximum access to federal information to elements of the federal government and its customers, balanced by the obligation to protect the information in accordance with the provisions of the Federal Information Security Management Act (FISMA) and any associated security-related federal policies, directives, regulations, standards, and guidance. |
||
information system (IS) |
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. |
||
information system boundary |
See authorization boundary. |
||
information system component |
A discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system. Information system components include commercial information technology products. |
||
information system life cycle |
The phases through which an information system passes, typically characterized as initiation, development, operation, and termination (i.e., sanitization, disposal and/or destruction). |
||
information system owner |
Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. |
||
information system resilience |
The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs. |
||
information system-related security risks |
Risk that arises through the loss of confidentiality, integrity, or availability of information or information systems considering impacts to organizational operations and assets, individuals, other organizations, and the Nation. A subset of information security risk. See risk. |
||
information system service |
A capability provided by an information system that facilitates information processing, storage, or transmission. |
||
information systems security (INFOSEC) |
The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats. See information assurance (IA). |
||
information systems security (INFOSEC) boundary |
An imaginary definable perimeter encompassing all the critical functions in an INFOSEC product and separating them from all other functions within the product. |
||
information systems security engineer (ISSE) |
Individual assigned responsibility for conducting information system security engineering activities. |
||
information systems security engineering (ISSE) |
Process that captures and refines information security requirements and ensures their integration into information technology component products and information systems through purposeful security design or configuration. |
||
information systems security manager (ISSM) |
Individual responsible for the information assurance of a program, organization, system, or enclave. |
||
information system security officer (ISSO) |
Individual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for maintaining the appropriate operational security posture for an information system or program. |