Term
|
Definition
| Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542] |
|
|
Term
|
Definition
Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542] |
|
|
Term
|
Definition
An executive department specified in 5 U.S.C., SEC. 101; a military department
specified in 5 U.S.C., SEC. 102; an independent establishment as defined in 5 U.S.C., SEC. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., CHAPTER 91. [41
U.S.C., SEC. 403] |
|
|
Term
| FEDERAL INFORMATION SYSTEM |
|
Definition
| An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. [40 U.S.C., SEC. 11331] |
|
|
Term
|
Definition
| An instance of an information type |
|
|
Term
|
Definition
| Information and related resources, such as personnel, equipment, funds, and information technology. [44 U.S.C., SEC. 3502] |
|
|
Term
|
Definition
| The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. [44 U.S.C., SEC. 3542] |
|
|
Term
|
Definition
A discrete set of information resources organized for the collection,
processing, maintenance, use, sharing, dissemination, or disposition of information. [44 U.S.C., SEC.
3502] |
|
|
Term
|
Definition
Any equipment or interconnected system or subsystem of equipment
that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the
executive agency |
|
|
Term
|
Definition
A specific category of information (e.g., privacy, medical, proprietary,
financial, investigative, contractor sensitive, security management), defined by an organization, or in some instances, by a specific law, Executive Order, directive, policy, or regulation. |
|
|
Term
|
Definition
| Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542] |
|
|
Term
|
Definition
Any information system (including any telecommunications system)
used or operated by an agency or by a contractor of an agency, or other organization on behalf of an
agency |
|
|
Term
|
Definition
The characterization of information or an information system based on an
assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals. |
|
|
Term
|
Definition
| The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information |
|
|
Term
|
Definition
| Confidentiality, integrity, or availability |
|
|
Term
|
Definition
| Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system |
|
|
Term
|
Definition
| The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls |
|
|
Term
|
Definition
| Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. [OMB Circular A-130, Appendix III] |
|
|
Term
|
Definition
| A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system |
|
|
Term
|
Definition
| Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. [CNSS Instruction 4009] Synonymous with security controls and safeguards. |
|
|
Term
|
Definition
| Aggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system. [CNSS Instruction 4009] |
|
|
Term
| FEDERAL INFORMATION SYSTEM |
|
Definition
| An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. [40 U.S.C., SEC. 11331] |
|
|
Term
|
Definition
| The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security. |
|
|
Term
| NATIONAL SECURITY INFORMATION |
|
Definition
| Information that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status |
|
|
Term
|
Definition
| The security controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems). |
|
|
Term
|
Definition
| The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. [FIPS Publication 199] |
|
|
Term
|
Definition
| The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. |
|
|
Term
|
Definition
The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system, and includes:
(i) the conduct of a risk assessment;
(ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system |
|
|
Term
|
Definition
| Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. [CNSS Instruction 4009 Adapted] Synonymous with security controls and countermeasures. |
|
|
Term
| SECURITY CONTROL BASELINE |
|
Definition
| The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system. |
|
|
Term
|
Definition
| The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system |
|
|
Term
|
Definition
Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability. [CNSS Instruction 4009 Adapted] |
|
|
Term
|
Definition
The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent |
|
|
Term
|
Definition
| Individual or (system) process authorized to access an information system. [CNSS Instruction 4009] |
|
|
Term
|
Definition
| Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. [CNSS Instruction 4009 Adapted] |
|
|
Term
|
Definition
The process an organization employs to determine whether security controls are defined as system-specific, hybrid, or common.
The process an organization employs to assign security controls to specific information system components responsible for
providing a particular security capability (e.g., router, server, remote sensor). |
|
|
Term
| Authorization (to operate) |
|
Definition
The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation),
organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls |
|
|
Term
|
Definition
All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected. |
|
|
Term
|
Definition
A security control that is inherited by one or more organizational
information systems. See Security Control Inheritance. |
|
|
Term
| Compensating Security Controls |
|
Definition
The management, operational, and technical controls (i.e.,
safeguards or countermeasures) employed by an organization in
lieu of the recommended controls in the low, moderate, or high
baselines described in NIST Special Publication 800-53, that
provide equivalent or comparable protection for an information
system. |
|
|
Term
Configuration Control [CNSSI 4009] |
|
Definition
| Process for controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications before, during, and after system implementation. |
|
|
Term
|
Definition
A boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems. |
|
|
Term
| Information Security Policy |
|
Definition
Aggregate of directives, regulations, rules, and practices that
prescribes how an organization manages, protects, and distributes information. |
|
|
Term
|
Definition
| A form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains. |
|
|
Term
|
Definition
An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture. See Security Domain. |
|
|
Term
|
Definition
| A subsystem that is not continually present during the execution phase of an information system. Service-oriented architectures and cloud computing architectures are examples of architectures that employ ?????. |
|
|
Term
|
Definition
The physical surroundings in which an information system
processes, stores, and transmits information |
|
|
Term
External Information
System (or Component) |
|
Definition
An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. |
|
|
Term
| External Information System Service |
|
Definition
| An information system service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. |
|
|
Term
|
Definition
A security control that is implemented in an information system in part as a common control and in part as a system-specific control.
See Common Control and System-Specific Security Control. |
|
|
Term
| Information Security Program Plan or Security Plan |
|
Definition
Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. |
|
|
Term
| Information System Security Engineering |
|
Definition
Process that captures and refines information security
requirements and ensures their integration into information technology component products and information systems through purposeful security design or configuration. |
|
|
Term
| Information System-related Security Risks |
|
Definition
Information system-related security risks are those risks that arise through the loss of confidentiality, integrity, or availability of
information or information systems and consider impacts to the
organization (including assets, mission, functions, image, or
reputation), individuals, other organizations, and the Nation. |
|
|
Term
|
Definition
A complex system of systems composed of subsystems and services that are part of a continuously evolving, complex community of people, devices, information and services interconnected by a network that enhances information sharing and collaboration. Subsystems and services may or may not be developed or owned by the same entity, and, in general, will not be continually present during the full life cycle of the system of systems. Examples of this architecture include service-oriented architectures and cloud computing architectures. |
|
|
Term
Organization
[FIPS 200, Adapted] |
|
Definition
| An entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements). |
|
|
Term
Plan of Action and Milestones [OMB Memorandum 02-01] |
|
Definition
A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. |
|
|
Term
|
Definition
| Mutual agreement among participating organizations to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information. |
|
|
Term
|
Definition
The process of identifying risks to organizational operations(including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis. |
|
|
Term
|
Definition
The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems. |
|
|
Term
Security Control Assessment |
|
Definition
The testing and/or evaluation of the management, operational, and technical security controls in an information system todetermine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. |
|
|
Term
| Security Control Inheritance |
|
Definition
A situation in which an information system or application
receives protection from security controls (or portions of security
controls) that are developed, implemented, assessed, authorized,
and monitored by entities other than those responsible for the
system or application; entities either internal or external to the
organization where the system or application resides. See
Common Control. |
|
|
Term
|
Definition
The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system. |
|
|
Term
|
Definition
| A set of criteria for the provision of security services |
|
|
Term
Security Requirements
[FIPS 200] |
|
Definition
Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, procedures, or organizational mission/business case needs to ensure the confidentiality,integrity, and availability of the information being processed, stored, or transmitted. |
|
|
Term
| System-Specific Security Control |
|
Definition
A security control for an information system that has not been
designated as a common security control or the portion of a
hybrid control that is to be implemented within an information
system |
|
|
Term
| Tailored Security Control Baseline |
|
Definition
A set of security controls resulting from the application of
tailoring guidance to the security control baseline. |
|
|
Term
|
Definition
The process by which a security control baseline is modified based on: (i) the application of scoping guidance;
(ii) the specification of compensating security controls, if needed; and
(iii) the specification of organization-defined parameters in the
security controls via explicit assignment and selection statements. |
|
|
Term
| Attribute-Based Access Control |
|
Definition
| Access control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place. |
|
|
Term
|
Definition
Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels). |
|
|
Term
| Boundary Protection Device |
|
Definition
A device with appropriate mechanisms that:
(i) facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system); and/or
(ii) provides information system boundary protection. |
|
|
Term
|
Definition
An information system service (e.g., telecommunications service)
provided by a commercial service provider typically to a large
and diverse set of consumers. |
|
|
Term
|
Definition
Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. |
|
|
Term
| Identity-Based Access Control |
|
Definition
Access control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity |
|
|
Term
| Industrial Control System |
|
Definition
An information system used to control industrial processes such
as manufacturing, product handling, production, and distribution.
Industrial control systems include supervisory control and data
acquisition (SCADA) systems used to control geographically
dispersed assets, as well as distributed control systems (DCSs) and smaller control systems using programmable logic controllers to control localized processes. |
|
|
Term
|
Definition
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus,worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code. |
|
|
