Appendix A GLOSSARY - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

APPENDIX A

GLOSSARY

COMMON TERMS AND DEFINITIONS

Appendix A provides definitions for terminology used in NIST Special Publication 800-53. Sources for terms used in this publication are cited as applicable. Where no citation is noted, the source of the definition is Special Publication 800-53.

access control
[FIPS 201-2]
The process of granting or denying specific requests for obtaining and using information and related information processing services; and to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances).

adequate security
[OMB A-130]
Security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability protections through the application of cost-effective security controls.

advanced persistent threat
[SP 800-39]
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception. These objectives typically include establishing and extending footholds within the IT infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period; adapts to defenders’ efforts to resist it; and is determined to maintain the level of interaction needed to execute its objectives.

agency
[OMB A-130]
Any executive agency or department, military department, Federal Government corporation, Federal Government-controlled corporation, or other establishment in the Executive Branch of the Federal Government, or any independent regulatory agency. See executive agency.

all-source intelligence
[DODTERMS]
Intelligence products and/or organizations and activities that incorporate all sources of information, most frequently including human resources intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open-source data in the production of finished intelligence.

application
[SP 800-37]
A software program hosted by an information system.

assessment
See control assessment or risk assessment.

assessment plan
The objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments.

assessor
The individual, group, or organization responsible for conducting a security or privacy control assessment.

assignment operation
A control parameter that allows an organization to assign a specific, organization-defined value to the control or control enhancement (e.g., assigning a list of roles to be notified or a value for the frequency of testing). See organization-defined control parameters and selection operation.

assurance
[ISO/IEC 15026, Adapted]
Grounds for justified confidence that a [security or privacy] claim has been or will be achieved.

Note 1: Assurance is typically obtained relative to a set of specific claims. The scope and focus of such claims may vary (e.g., security claims, safety claims) and the claims themselves may be interrelated.
Note 2: Assurance is obtained through techniques and methods that generate credible evidence to substantiate claims.

attack surface
The set of points on the boundary of a system, a system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, component, or environment.

audit
[CNSSI 4009]
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.

audit log
[CNSSI 4009]
A chronological record of system activities, including records of system accesses and operations performed in a given period.

audit record
An individual entry in an audit log related to an audited event.

audit record reduction
A process that manipulates collected audit information and organizes it into a summary format that is more meaningful to analysts.
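The definition above is abstract; the following added example (not part of the NIST text or the wiki) shows what reduction looks like in practice. It parses a handful of constructed sshd/sudo-style audit records, then collapses them into the summary an analyst reviews: failed authentications grouped by source with the distinct usernames tried and the time window, a count of accepted logins and privileged commands, and the users who failed somewhere and were then accepted. The log format and all addresses and names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log for this example (not captured from a real system).
SAMPLE_AUDIT_LOG = """\
2024-03-01T08:00:01Z sshd[411]: Failed password for alice from 203.0.113.7 port 50122
2024-03-01T08:00:03Z sshd[411]: Failed password for alice from 203.0.113.7 port 50123
2024-03-01T08:00:04Z sshd[411]: Failed password for bob from 203.0.113.7 port 50124
2024-03-01T08:00:09Z sshd[412]: Accepted publickey for carol from 198.51.100.2 port 40011
2024-03-01T08:00:15Z sshd[411]: Failed password for root from 203.0.113.7 port 50130
2024-03-01T08:00:16Z sshd[413]: Accepted password for alice from 192.0.2.10 port 61000
2024-03-01T08:00:20Z sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart sshd
"""

RECORD_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_records(text):
    """One audit record per line -> one structured event per record."""
    events = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # a production reducer would count unparseable records, not drop them silently
        ev = {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "proc": m["proc"],
            "type": "other",
        }
        a = AUTH_RE.match(m["msg"])
        if a:
            ev.update(type="auth", outcome=a["outcome"].lower(), method=a["method"],
                      user=a["user"], src=a["src"])
        elif m["proc"] == "sudo":
            ev["type"] = "privileged_command"
        events.append(ev)
    return events


def reduce_audit(events):
    """Collapse individual records into the summary an analyst actually reviews:
    failed authentication grouped by source, accepted logins, privileged commands,
    and users who failed somewhere and were then accepted from anywhere."""
    failed = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    failed_users, accepted, privileged, failed_then_accepted = set(), 0, 0, set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "auth" and ev["outcome"] == "failed":
            s = failed[ev["src"]]
            s["count"] += 1
            s["users"].add(ev["user"])
            s["first"] = s["first"] or ev["ts"]
            s["last"] = ev["ts"]
            failed_users.add(ev["user"])
        elif ev["type"] == "auth" and ev["outcome"] == "accepted":
            accepted += 1
            if ev["user"] in failed_users:
                failed_then_accepted.add(ev["user"])
        elif ev["type"] == "privileged_command":
            privileged += 1
    return {
        "failed_by_source": {
            src: {
                "count": s["count"],
                "distinct_users": sorted(s["users"]),
                "window_seconds": int((s["last"] - s["first"]).total_seconds()),
            }
            for src, s in failed.items()
        },
        "accepted_logins": accepted,
        "privileged_commands": privileged,
        "failed_then_accepted": sorted(failed_then_accepted),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(reduce_audit(parse_records(SAMPLE_AUDIT_LOG)), indent=2))
```

Seven records reduce to one source that tried three usernames in 14 seconds, and one user (alice) whose failures were followed by a successful login from a different address. Neither fact is visible in any single record, which is the point of reduction.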

audit trail
A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to result.

authentication
[FIPS 200]
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system.

authenticator
Something that the claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the claimant’s identity. This was previously referred to as a token.

authenticity
The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, message, or message originator. See authentication.

authorization
[CNSSI 4009]
Access privileges granted to a user, program, or process or the act of granting those privileges.

authorization boundary
[OMB A-130]
All components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected.

authorization to operate
[OMB A-130]
The official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Authorization also applies to common controls inherited by agency information systems.

authorizing official
[OMB A-130]
A senior Federal official or executive with the authority to authorize (i.e., assume responsibility for) the operation of an information system or the use of a designated set of common controls at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation.

availability
[FISMA]
Ensuring timely and reliable access to and use of information.

baseline
See control baseline.

baseline configuration
[SP 800-128, Adapted]
A documented set of specifications for a system, or a configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures.

boundary
[CNSSI 4009]
Physical or logical perimeter of a system. See also authorization boundary and interface.

boundary protection
Monitoring and control of communications at the external interface to a system to prevent and detect malicious and other unauthorized communications using boundary protection devices.

boundary protection device
A device (e.g., gateway, router, firewall, guard, or encrypted tunnel) that facilitates the adjudication of different system security policies for connected systems or provides boundary protection. The boundary may be the authorization boundary for a system, the organizational network boundary, or a logical boundary defined by the organization.

breach
[OMB M-17-12]
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for an other than authorized purpose.

breadth
[SP 800-53A]
An attribute associated with an assessment method that addresses the scope or coverage of the assessment objects included with the assessment.

capability
A combination of mutually reinforcing security and/or privacy controls implemented by technical, physical, and procedural means. Such controls are typically selected to achieve a common information security- or privacy-related purpose.

central management
The organization-wide management and implementation of selected security and privacy controls and related processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed security and privacy controls and processes.

checksum
[IETF 4949]
A value that (a) is computed by a function that is dependent on the contents of a data object and (b) is stored or transmitted together with the object, for detecting changes in the data.
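The definition covers detecting changes, and a practitioner should keep in mind which changes. The following added example (not from the NIST text or the wiki) stores a CRC32 beside a constructed configuration record and shows that it catches an accidental bit flip, but that anyone who can rewrite the record can also rewrite the checksum, so a plain checksum gives no protection against deliberate modification. A keyed HMAC over the same record, with a key the attacker does not hold, is shown beside it for contrast. The record contents and the key handling are constructed for the example.

```python
import hashlib
import hmac
import os
import zlib


def crc32_checksum(data: bytes) -> int:
    """Plain checksum as defined: a function of the object's contents, stored or
    sent alongside it so the receiver can detect changes."""
    return zlib.crc32(data) & 0xFFFFFFFF


def verify_crc32(data: bytes, stored: int) -> bool:
    return crc32_checksum(data) == stored


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed integrity check: the tag depends on a secret, so a party without the
    key cannot produce a valid tag for modified data."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    # constant-time comparison so the check does not leak where the mismatch is
    return hmac.compare_digest(hmac_tag(key, data), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Corrupt one bit, modelling a storage or transmission error."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def demo() -> dict:
    # Constructed sample object: a configuration record shipped with its checksum.
    record = b"role=operator;mfa=required;sudo=false"
    stored_crc = crc32_checksum(record)
    key = os.urandom(32)                 # shared secret held by sender and receiver only
    stored_tag = hmac_tag(key, record)

    # 1. Accidental corruption: both checks detect it.
    corrupted = flip_bit(record, 5)
    crc_catches_noise = not verify_crc32(corrupted, stored_crc)
    hmac_catches_noise = not verify_hmac(key, corrupted, stored_tag)

    # 2. Deliberate modification by someone who can also rewrite the stored value:
    #    the CRC is recomputed from public data, so the tampered record verifies.
    tampered = record.replace(b"sudo=false", b"sudo=true")
    forged_crc = crc32_checksum(tampered)
    crc_accepts_forgery = verify_crc32(tampered, forged_crc)
    #    Without the key the attacker cannot compute a matching tag; the best
    #    they can do is leave the old tag in place, and that fails.
    hmac_accepts_forgery = verify_hmac(key, tampered, stored_tag)

    return {
        "crc_catches_noise": crc_catches_noise,
        "hmac_catches_noise": hmac_catches_noise,
        "crc_accepts_forgery": crc_accepts_forgery,
        "hmac_accepts_forgery": hmac_accepts_forgery,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The distinction matters when reading controls that call for integrity verification: a checksum in the sense defined here is an error-detection mechanism, and where the threat is an adversary rather than noise, the value stored with the object must be one the adversary cannot recompute.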

chief information officer
[OMB A-130]
The senior official that provides advice and other assistance to the head of the agency and other senior management personnel of the agency to ensure that IT is acquired and information resources are managed for the agency in a manner that achieves the agency’s strategic goals and information resources management goals; and is responsible for ensuring agency compliance with, and prompt, efficient, and effective implementation of, the information policies and information resources management responsibilities, including the reduction of information collection burdens on the public.

chief information security officer
See senior agency information security officer.

classified information
See classified national security information.

classified national security information
[EO 13526]
Information that has been determined pursuant to Executive Order (E.O.) 13526 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.

commodity service
A system service provided by a commercial service provider to a large and diverse set of consumers. The organization acquiring or receiving the commodity service possesses limited visibility into the management structure and operations of the provider, and while the organization may be able to negotiate service-level agreements, the organization is typically not able to require that the provider implement specific security or privacy controls.

common carrier
A telecommunications company that holds itself out to the public for hire to provide communications transmission services.

common control
[OMB A-130]
A security or privacy control that is inherited by multiple information systems or programs.

common control provider
[SP 800-37]
An organizational official responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security or privacy controls inheritable by systems).

common criteria
[CNSSI 4009]
Governing document that provides a comprehensive, rigorous method for specifying security function and assurance requirements for products and systems.

common secure configuration
[SP 800-128]
A recognized standardized and established benchmark that stipulates specific secure configuration settings for a given information technology platform.

compensating controls
The security and privacy controls employed in lieu of the controls in the baselines described in NIST Special Publication 800-53B that provide equivalent or comparable protection for a system or organization.

component
See system component.

confidentiality
[FISMA]
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

configuration control
[SP 800-128]
Process for controlling modifications to hardware, firmware, software, and documentation to protect the system against improper modifications before, during, and after system implementation.

configuration item
[SP 800-128]
An aggregation of system components that is designated for configuration management and treated as a single entity in the configuration management process.

configuration management
[SP 800-128]
A collection of activities focused on establishing and maintaining the integrity of information technology products and systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.

configuration settings
[SP 800-128]
The set of parameters that can be changed in hardware, software, or firmware that affect the security posture and/or functionality of the system.

continuous monitoring
[SP 800-137]
Maintaining ongoing awareness to support organizational risk decisions.

control
See security control or privacy control.

control assessment
[SP 800-37]
The testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security or privacy requirements for the system or the organization.

control assessor
See assessor.

control baseline
[SP 800-53B]
Predefined sets of controls specifically assembled to address the protection needs of groups, organizations, or communities of interest. See privacy control baseline or security control baseline.

control effectiveness
A measure of whether a security or privacy control contributes to the reduction of information security or privacy risk.

control enhancement
Augmentation of a security or privacy control to build in additional but related functionality to the control, increase the strength of the control, or add assurance to the control.

control inheritance
A situation in which a system or application receives protection from security or privacy controls (or portions of controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See common control.

control parameter
See organization-defined control parameter.

controlled area
Any area or space for which an organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system.

controlled interface
An interface to a system with a set of mechanisms that enforces the security policies and controls the flow of information between connected systems.

controlled unclassified information
[32 CFR 2002]
Information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.

counterfeit
[SP 800-161-1]
An unauthorized copy or substitute that has been identified, marked, and/or altered by a source other than the item's legally authorized source and has been misrepresented to be an authorized item of the legally authorized source.

countermeasures
[FIPS 200]
Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of a system. Synonymous with security controls and safeguards.

covert channel
[CNSSI 4009]
An unintended or unauthorized intra-system channel that enables two cooperating entities to transfer information in a way that violates the system's security policy but does not exceed the entities' access authorizations.

covert channel analysis
[CNSSI 4009]
Determination of the extent to which the security policy model and subsequent lower-level program descriptions may allow unauthorized access to information.

covert storage channel
[CNSSI 4009]
A system feature that enables one system entity to signal information to another entity by directly or indirectly writing to a storage location that is later directly or indirectly read by the second entity.

covert timing channel
[CNSSI 4009, Adapted]
A system feature that enables one system entity to signal information to another by modulating its own use of a system resource in such a way as to affect system response time observed by the second entity.
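The covert storage channel definition above is easiest to see with a concrete signalling mechanism. The following added example (not from the NIST text or the wiki) simulates the classic case: a high-side process that may create and delete its own lock file, and a low-side process that may only test whether a name exists. Neither party exceeds its authorizations, yet one bit per scheduling quantum crosses from high to low. The simulated store also keeps an audit log, so the example shows why a monitor that only looks for denied operations sees nothing, while one that looks at behaviour (the lock file flapping) has something to detect. The path, the two-subject policy and the round-robin scheduling are all constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical path standing in for the shared storage location; any name whose
# existence the low side is permitted to test would serve.
SIGNAL_NAME = "/var/lock/example-high.lock"


@dataclass
class AuditEntry:
    subject: str
    op: str
    name: str
    allowed: bool


@dataclass
class SharedStore:
    """Storage both processes may legitimately touch, under the policy:
    HIGH may create and delete its own lock file; LOW may only test whether a
    name exists. Every operation is logged together with the policy decision."""
    names: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def create(self, subject, name):
        ok = subject == "HIGH"
        if ok:
            self.names.add(name)
        self.log.append(AuditEntry(subject, "create", name, ok))

    def delete(self, subject, name):
        ok = subject == "HIGH"
        if ok:
            self.names.discard(name)
        self.log.append(AuditEntry(subject, "delete", name, ok))

    def exists(self, subject, name):
        self.log.append(AuditEntry(subject, "stat", name, True))
        return name in self.names


def to_bits(data: bytes):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def run_channel(secret: bytes):
    """Simulate the channel: in each scheduling quantum HIGH sets the storage
    location to encode one bit and LOW samples it. Returns what LOW decoded and
    the audit log the system produced."""
    store = SharedStore()
    received = []
    for bit in to_bits(secret):
        if bit:
            store.create("HIGH", SIGNAL_NAME)   # authorized: HIGH owns the file
        else:
            store.delete("HIGH", SIGNAL_NAME)   # authorized
        # authorized metadata read on LOW's quantum
        received.append(1 if store.exists("LOW", SIGNAL_NAME) else 0)
    return from_bits(received), store.log


def denied_events(log):
    """What a monitor keyed on policy violations sees: nothing."""
    return sum(1 for e in log if not e.allowed)


def toggles_on(log, name):
    """What a monitor keyed on behaviour could see: create/delete alternations
    on a single name, i.e. the lock file flapping at the channel's bit rate."""
    ops = [e.op for e in log if e.name == name and e.op in ("create", "delete")]
    return sum(1 for a, b in zip(ops, ops[1:]) if a != b)


if __name__ == "__main__":
    decoded, log = run_channel(b"Hi")
    print(decoded, "denied:", denied_events(log), "toggles:", toggles_on(log, SIGNAL_NAME))
```

A timing channel differs only in what the receiver samples: instead of the state of a storage location it measures how long its own request takes, which the sender modulates by consuming or releasing a shared resource. The same property holds there: no individual operation violates the policy, so analysis has to look at the information the observable carries rather than at access decisions.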

credential
[SP 800-63-3]
An object or data structure that authoritatively binds an identity, via an identifier or identifiers, and (optionally) additional attributes, to at least one authenticator possessed and controlled by a subscriber.

critical infrastructure
[USA PATRIOT]
Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

cross domain solution
[CNSSI 1253]
A form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains.

cryptographic module
[FIPS 140-3]
The set of hardware, software, and/or firmware that implements Approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.

cybersecurity
[OMB A-130]
Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.

cyberspace
[CNSSI 4009]
The interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.

data action
[IR 8062]
A system operation that processes personally identifiable information.

data mining
An analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery.

de-identification
[ISO 25237]
General term for any process of removing the association between a set of identifying data and the data subject.

defense in breadth
[CNSSI 4009]
A planned, systematic set of multidisciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or subcomponent life cycle, including system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement.

defense in depth
An information security strategy that integrates people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.

depth
[SP 800-53A]
An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method.

developer
A general term that includes developers or manufacturers of systems, system components, or system services; systems integrators; vendors; and product resellers. The development of systems, components, or services can occur internally within organizations or through external entities.

digital media
A form of electronic media where data is stored in digital (as opposed to analog) form.

discretionary access control
An access control policy that is enforced over all subjects and objects in a system where the policy specifies that a subject that has been granted access to information can do one or more of the following: pass the information to other subjects or objects; grant its privileges to other subjects; change the security attributes of subjects, objects, systems, or system components; choose the security attributes to be associated with newly-created or revised objects; or change the rules governing access control. Mandatory access controls restrict this capability.

disassociability
[IR 8062]
Enabling the processing of personally identifiable information or events without association to individuals or devices beyond the operational requirements of the system.

domain
An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture. See security domain.

enterprise
[CNSSI 4009]
An organization with a defined mission/goal and a defined boundary, using systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, human resources, financial management, security, and systems, information and mission management. See organization.

enterprise architecture
[OMB A-130]
A strategic information asset base, which defines the mission; the information necessary to perform the mission; the technologies necessary to perform the mission; and the transitional processes for implementing new technologies in response to changing mission needs; and includes a baseline architecture; a target architecture; and a sequencing plan.

environment of operation
[OMB A-130]
The physical surroundings in which an information system processes, stores, and transmits information.

event
[SP 800-61, Adapted]
Any observable occurrence in a system.

executive agency
[OMB A-130]
An executive department specified in 5 U.S.C., Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.

exfiltration
The unauthorized transfer of information from a system.

external system (or component)
A system or component of a system that is used by but is not a part of an organizational system and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness.

external system service
A system service that is provided by an external service provider and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness.

external system service provider
A provider of external system services to an organization through a variety of consumer-producer relationships, including joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges.

external network
A network not controlled by the organization.

failover
The capability to switch over automatically (typically without human intervention or warning) to a redundant or standby system upon the failure or abnormal termination of the previously active system.

federal information system
[OMB A-130]
An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

FIPS-validated cryptography
A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-3 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography.

firmware
[CNSSI 4009]
Computer programs and data stored in hardware, typically in read-only memory (ROM) or programmable read-only memory (PROM), such that the programs and data cannot be dynamically written or modified during execution of the programs. See hardware and software.

hardware
[CNSSI 4009]
The material physical components of a system. See software and firmware.

high-impact system
[FIPS 200]
A system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS Publication 199 potential impact value of high.

hybrid control
[OMB A-130]
A security or privacy control that is implemented for an information system in part as a common control and in part as a system-specific control.

identifier
[FIPS 201-2]
Unique data used to represent a person’s identity and associated attributes. A name or a card number are examples of identifiers. A unique label used by a system to indicate a specific entity, object, or group.

impact
The effect on organizational operations, organizational assets, individuals, other organizations, or the Nation (including the national security interests of the United States) of a loss of confidentiality, integrity, or availability of information or a system.

impact value
[FIPS 199]
The assessed worst-case potential impact that could result from a compromise of the confidentiality, integrity, or availability of information expressed as a value of low, moderate or high.

incident
[FISMA]
An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

industrial control system
[SP 800-82]
General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC) found in the industrial sectors and critical infrastructures. An industrial control system consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).

information
[OMB A-130]
Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic, or audiovisual forms.

information flow control
Controls to ensure that information transfers within a system or organization are not made in violation of the security policy.

information leakage
The intentional or unintentional release of information to an untrusted environment.

information owner
[SP 800-37]
Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

information resources
[OMB A-130]
Information and related resources, such as personnel, equipment, funds, and information technology.

information security
[OMB A-130]
The protection of information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

information security architecture
[OMB A-130]
An embedded, integral part of the enterprise architecture that describes the structure and behavior of the enterprise security processes, security systems, personnel and organizational subunits, showing their alignment with the enterprise’s mission and strategic plans.

information security policy
[CNSSI 4009]
Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

information security program plan
[OMB A-130]
Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.

information security risk
[SP 800-30]
The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or systems.

information steward
[SP 800-37]
An agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

information system
[USC 3502]
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

information technology
[USC 11101]
Any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. For purposes of this definition, such services or equipment if used by the agency directly or is used by a contractor under a contract with the agency that requires its use; or to a significant extent, its use in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use.

information technology product
See system component.

information type
[FIPS 199]
A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor-sensitive, security management) defined by an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation.

insider
[CNSSI 4009, Adapted]
Any person with authorized access to any organizational resource, to include personnel, facilities, information, equipment, networks, or systems.

insider threat
[CNSSI 4009, Adapted]
The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of organizational operations and assets, individuals, other organizations, and the Nation. This threat can include damage through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of organizational resources or capabilities.

insider threat program
[CNSSI 4009, Adapted]
A coordinated collection of capabilities authorized by the organization and used to deter, detect, and mitigate the unauthorized disclosure of information.

interface
[CNSSI 4009]
Common boundary between independent systems or modules where interactions take place.

integrity
[FISMA]
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

internal network
A network where the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors. Cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (at least regarding confidentiality and integrity). An internal network is typically organization-owned yet may be organization-controlled while not being organization-owned.

label
See security label.

least privilege
[CNSSI 4009]
The principle that a security architecture is designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.

local access
Access to an organizational system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

logical access control system
An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application, or database. A logical access control system requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric, or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization.

low-impact system
[FIPS 200]
A system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS Publication 199 potential impact value of low.

malicious code
Software or firmware intended to perform an unauthorized process that will have adverse impacts on the confidentiality, integrity, or availability of a system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.

managed interface
An interface within a system that provides boundary protection capabilities using automated mechanisms or devices.

mandatory access control
An access control policy that is uniformly enforced across all subjects and objects within a system. A subject that has been granted access to information is constrained from: passing the information to unauthorized subjects or objects; granting its privileges to other subjects; changing one or more security attributes on subjects, objects, the system, or system components; choosing the security attributes to be associated with newly created or modified objects; or changing the rules for governing access control. Organization-defined subjects may explicitly be granted organization-defined privileges (i.e., they are trusted subjects) such that they are not limited by some or all of the above constraints. Mandatory access control is considered a type of nondiscretionary access control.

marking
See security marking.

matching agreement
[OMB A-108]
A written agreement between a recipient agency and a source agency (or a non-Federal agency) that is required by the Privacy Act for parties engaging in a matching program.

media
[FIPS 200]
Physical devices or writing surfaces including magnetic tapes, optical disks, magnetic disks, Large-Scale Integration memory chips, and printouts (but excluding display media) onto which information is recorded, stored, or printed within a system.

metadata
Information that describes the characteristics of data, including structural metadata that describes data structures (i.e., data format, syntax, semantics) and descriptive metadata that describes data contents (i.e., security labels).

mobile code
Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.

mobile code technologies
Software technologies that provide the mechanisms for the production and use of mobile code.

mobile device
A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable data storage; and is powered on for extended periods of time with a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture (e.g., photograph, video, record, or determine location) information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and e-readers.

moderate-impact system
[FIPS 200]
A system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS Publication 199 potential impact value of moderate and no security objective is assigned a potential impact value of high.

multi-factor authentication
[SP 800-63-3]
An authentication system or an authenticator that requires more than one authentication factor for successful authentication. Multi-factor authentication can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are. See authenticator.

multilevel security
[CNSSI 4009]
Concept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization.

multiple security levels
[CNSSI 4009]
Capability of a system that is trusted to contain, and maintain separation between, resources (particularly stored data) of different security domains.

national security system
[OMB A-130]
Any system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—(i) the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions (excluding a system that is to be used for routine administrative and business applications, for example, payroll, finance, logistics, and personnel management applications); or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

network
A system implemented with a collection of connected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

network access
Access to a system by a user (or a process acting on behalf of a user) communicating through a network, including a local area network, a wide area network, and the Internet.

nonce
[SP 800-63-3]
A value used in security protocols that is never repeated with the same key. For example, nonces used as challenges in challenge-response authentication protocols are not repeated until the authentication keys are changed. Otherwise, there is a possibility of a replay attack.

nondiscretionary access control
See mandatory access control.

nonlocal maintenance
Maintenance activities conducted by individuals who communicate through either an internal or external network.

non-organizational user
A user who is not an organizational user (including public users).

non-repudiation
Protection against an individual who falsely denies having performed a certain action and provides the capability to determine whether an individual took a certain action, such as creating information, sending a message, approving information, or receiving a message.

NSA-approved cryptography
Cryptography that consists of an approved algorithm, an implementation that has been approved for the protection of classified information and/or controlled unclassified information in a specific environment, and a supporting key management infrastructure.

object
Passive system-related entity, including devices, files, records, tables, processes, programs, and domains that contain or receive information. Access to an object (by a subject) implies access to the information it contains. See subject.

operations security
[CNSSI 4009]
Systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.

organization
[FIPS 200, Adapted]
An entity of any size, complexity, or positioning within an organizational structure, including federal agencies, private enterprises, academic institutions, state, local, or tribal governments, or as appropriate, any of their operational elements.

organization-defined control parameter
The variable part of a control or control enhancement that is instantiated by an organization during the tailoring process by either assigning an organization-defined value or selecting a value from a predefined list provided as part of the control or control enhancement. See assignment operation and selection operation.

organizational user
An organizational employee or an individual whom the organization deems to have equivalent status of an employee, including a contractor, guest researcher, or individual detailed from another organization. Policies and procedures for granting the equivalent status of employees to individuals may include need-to-know, relationship to the organization, and citizenship.

overlay
[OMB A-130]
A specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems. See tailoring.

parameter
See organization-defined control parameter.

penetration testing
A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system.

periods processing
A mode of system operation in which information of different sensitivities is processed at distinctly different times by the same system with the system being properly purged or sanitized between periods.

personally identifiable information
[OMB A-130]
Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

personally identifiable information processing
[ISO/IEC 29100, Adapted]
An operation or set of operations performed upon personally identifiable information that can include, but is not limited to, the collection, retention, logging, generation, transformation, use, disclosure, transfer, and disposal of personally identifiable information.

personally identifiable information processing permissions
The requirements for how personally identifiable information can be processed or the conditions under which personally identifiable information can be processed.

personnel security
The discipline of assessing the conduct, integrity, judgment, loyalty, reliability, and stability of individuals for duties and responsibilities that require trustworthiness.

physical access control system
[SP 800-116]
An electronic system that controls the ability of people or vehicles to enter a protected area by means of authentication and authorization at access control points.

plan of action and milestones
A document that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the plan, milestones for meeting the tasks, and the scheduled completion dates for the milestones.

portable storage device
A system component that can communicate with and be added to or removed from a system or network and that is limited to data storage—including text, video, audio or image data—as its primary function (e.g., optical discs, external or removable hard drives, external or removable solid-state disk drives, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks).

potential impact
[FIPS 199]
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect (FIPS Publication 199 low); a serious adverse effect (FIPS Publication 199 moderate); or a severe or catastrophic adverse effect (FIPS Publication 199 high) on organizational operations, organizational assets, or individuals.

privacy architecture
[SP 800-37]
An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s privacy protection processes, technical measures, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.

privacy control
[OMB A-130]
The administrative, technical, and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and manage privacy risks.

privacy control baseline
The set of privacy controls selected based on the privacy selection criteria that provide a starting point for the tailoring process.

privacy domain
A domain that implements a privacy policy.

privacy impact assessment
[OMB A-130]
An analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of information in identifiable form in an electronic information system; and to examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns. A privacy impact assessment is both an analysis and a formal document detailing the process and the outcome of the analysis.

privacy plan
[OMB A-130]
A formal document that details the privacy controls selected for an information system or environment of operation that are in place or planned for meeting applicable privacy requirements and managing privacy risks, details how the controls have been implemented, and describes the methodologies and metrics that will be used to assess the controls.

privacy program plan
[OMB A-130]
A formal document that provides an overview of an agency’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the Senior Agency Official for Privacy and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks.

privileged account
A system account with the authorizations of a privileged user.

privileged command
A human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and associated security-relevant information.

privileged user
[CNSSI 4009]
A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

protected distribution system
[CNSSI 4009]
Wire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.

provenance
The chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include the personnel and processes used to interact with or make modifications to the system, component, or associated data.

public key infrastructure
[CNSSI 4009]
The architecture, organization, techniques, practices, and procedures that collectively support the implementation and operation of a certificate-based public key cryptographic system. Framework established to issue, maintain, and revoke public key certificates.

purge
[SP 800-88]
A method of sanitization that applies physical or logical techniques that render target data recovery infeasible using state of the art laboratory techniques.

reciprocity
[SP 800-37]
Agreement among participating organizations to accept each other’s security assessments to reuse system resources and/or to accept each other’s assessed security posture to share information.

records
[OMB A-130]
All recorded information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them.

red team exercise
An exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions or business processes and to provide a comprehensive assessment of the security capabilities of an organization and its systems.

reference monitor
A set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked (i.e., complete mediation), tamperproof, and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable).

regrader
[CNSSI 4009]
A trusted process explicitly authorized to re-classify and re-label data in accordance with a defined policy exception. Untrusted or unauthorized processes are prevented from such actions by the security policy.

remote access
Access to an organizational system by a user (or a process acting on behalf of a user) communicating through an external network.

remote maintenance
Maintenance activities conducted by individuals communicating through an external network.

replay attack
[SP 800-63-3]
An attack in which the Attacker is able to replay previously captured messages (between a legitimate Claimant and a Verifier) to masquerade as that Claimant to the Verifier or vice versa.

replay resistance
Protection against the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.

resilience
[OMB A-130]
The ability of an information system to operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities, and to recover to an effective operational posture in a time frame consistent with mission needs.

restricted data
[ATOM54]
All data concerning (i) design, manufacture, or utilization of atomic weapons; (ii) the production of special nuclear material; or (iii) the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to Section 142 [of the Atomic Energy Act of 1954].

risk
[OMB A-130]
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

risk assessment
[SP 800-39]
[IR 8062, Adapted]
The process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Risk assessment includes threat and vulnerability analyses as well as analyses of adverse effects on individuals arising from information processing and considers mitigations provided by security and privacy controls planned or in place. Synonymous with risk analysis.

risk executive (function)
[SP 800-37]
An individual or group within an organization that helps to ensure that security risk-related considerations for individual systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its mission and business functions; and managing risk from individual systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission or business success.

risk management
[OMB A-130]
The program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation, and includes: establishing the context for risk-related activities; assessing risk; responding to risk once determined; and monitoring risk over time.

risk mitigation
[CNSSI 4009]
Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

risk response
[OMB A-130]
Accepting, avoiding, mitigating, sharing, or transferring risk to agency operations, agency assets, individuals, other organizations, or the Nation.

risk tolerance
[SP 800-39]
The level of risk or the degree of uncertainty that is acceptable to an organization.

role-based access control
Access control based on user roles (i.e., a collection of access authorizations that a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals.

runtime
The period during which a computer program is executing.

sanitization
[SP 800-88]
A process to render access to target data on the media infeasible for a given level of effort. Clear, purge, and destroy are actions that can be taken to sanitize media.

scoping considerations
A part of tailoring guidance that provides organizations with specific considerations on the applicability and implementation of security and privacy controls in the control baselines. Considerations include policy or regulatory, technology, physical infrastructure, system component allocation, public access, scalability, common control, operational or environmental, and security objective.

security
[CNSSI 4009]
A condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the organization’s risk management approach.

security attribute
An abstraction that represents the basic properties or characteristics of an entity with respect to safeguarding information. Typically associated with internal data structures—including records, buffers, and files within the system—and used to enable the implementation of access control and flow control policies; reflect special dissemination, handling or distribution instructions; or support other aspects of the information security policy.

security categorization
The process of determining the security category for information or a system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS Publication 199 for other than national security systems. See security category.

security category
[OMB A-130]
The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on agency operations, agency assets, individuals, other organizations, and the Nation.

security control
[OMB A-130]
The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.

security control baseline
[OMB A-130]
The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

security domain
[CNSSI 4009]
A domain that implements a security policy and is administered by a single authority.

security functionality
The security-related features, functions, mechanisms, services, procedures, and architectures implemented within organizational information systems or the environments in which those systems operate.

security functions
The hardware, software, or firmware of the system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.

security impact analysis
[SP 800-128]
The analysis conducted by qualified staff within an organization to determine the extent to which changes to the system affect the security posture of the system.

security kernel
[CNSSI 4009]
Hardware, firmware, and software elements of a trusted computing base implementing the reference monitor concept. The security kernel must mediate all accesses, be protected from modification, and be verifiable as correct.

security label
The means used to associate a set of security attributes with a specific information object as part of the data structure for that object.

security marking
The means used to associate a set of security attributes with objects in a human-readable form in order to enable organizational, process-based enforcement of information security policies.

security objective
[FIPS 199]
Confidentiality, integrity, or availability.

security plan
A formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems. See system security plan.

security policy
A set of criteria for the provision of security services.
[SP 800-160-1, Adapted]
A set of rules that governs all aspects of security-relevant system and system component behavior.

security policy filter
A hardware and/or software component that performs one or more of the following functions: content verification to ensure the data type of the submitted content; content inspection to analyze the submitted content and verify that it complies with a defined policy; malicious content checker that evaluates the content for malicious code; suspicious activity checker that evaluates or executes the content in a safe manner, such as in a sandbox or detonation chamber, and monitors for suspicious activity; or content sanitization, cleansing, and transformation, which modifies the submitted content to comply with a defined policy.

security requirement
[FIPS 200, Adapted]
A requirement levied on an information system or an organization that is derived from applicable laws, executive orders, directives, regulations, policies, standards, procedures, or mission/business needs to ensure the confidentiality, integrity, and availability of information that is being processed, stored, or transmitted. Note: Security requirements can be used in a variety of contexts from high-level policy-related activities to low-level implementation-related activities in system development and engineering disciplines.

security service
[SP 800-160-1]
A security capability or function provided by an entity that supports one or more security objectives.

security-relevant information
Information within the system that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data.

selection operation
A control parameter that allows an organization to select a value from a list of predefined values provided as part of the control or control enhancement (e.g., selecting to either restrict an action or prohibit an action). See assignment operation and organization-defined control parameter.

senior agency information security officer
Official responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers.

Note: Organizations subordinate to federal agencies may use the term senior information security officer or chief information security officer to denote individuals who fill positions with similar responsibilities to senior agency information security officers.

senior agency official for privacy
[OMB A-130]
Senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with Federal laws, regulations, and policies relating to privacy; management of privacy risks at the agency; and a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals.

senior information security officer
See senior agency information security officer.

sensitive compartmented information
[CNSSI 4009]
Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence.

service-oriented architecture
A set of principles and methodologies for designing and developing software in the form of interoperable services. These services are well-defined business functions that are built as software components (i.e., discrete pieces of code and/or data structures) that can be reused for different purposes.

shared control
A security or privacy control that is implemented for an information system in part as a common control and in part as a system-specific control. See hybrid control.

software
[CNSSI 4009]
Computer programs and associated data that may be dynamically written or modified during execution.

spam
The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.

special access program
[CNSSI 4009]
A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.

split tunneling
The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices, and simultaneously, access uncontrolled networks.

spyware
Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.

subject
An individual, process, or device that causes information to flow among objects or causes a change to the system state. Also see object.

subsystem
A major subdivision or component of an information system consisting of information, information technology, and personnel that performs one or more specific functions.

supplier
[SP 800-161-1]
Organization or individual that enters into an agreement with the acquirer or integrator for the supply of a product or service. This includes all suppliers in the supply chain, developers or manufacturers of systems, system components, or system services; systems integrators; vendors; product resellers; and third-party partners.

supply chain
[SP 800-161-1]
Linked set of resources and processes between and among multiple tiers of organizations, each of which is an acquirer, that begins with the sourcing of products and services and extends through their life cycle.

supply chain element
Organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components.

supply chain risk
[SP 800-161-1]
The potential for harm or compromise that arises as a result of security risks from suppliers, their supply chains, and their products or services. Supply chain risks include exposures, threats, and vulnerabilities associated with the products and services traversing the supply chain as well as the exposures, threats, and vulnerabilities to the supply chain.

supply chain risk assessment
[SP 800-161-1]
A systematic examination of supply chain risks, likelihoods of their occurrence, and potential impacts.

supply chain risk management
[SP 800-161-1]
A systematic process for managing cyber supply chain risk exposures, threats, and vulnerabilities throughout the supply chain and developing risk response strategies to the risks presented by the supplier, the supplied products and services, or the supply chain.

system
[CNSSI 4009]
Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions.

Note: Systems also include specialized systems such as industrial control systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.

[ISO 15288]
Combination of interacting elements organized to achieve one or more stated purposes.

Note 1: There are many types of systems. Examples include: general and special-purpose information systems; command, control, and communication systems; crypto modules; central processing unit and graphics processor boards; industrial control systems; flight control systems; weapons, targeting, and fire control systems; medical devices and treatment systems; financial, banking, and merchandising transaction systems; and social networking systems.
Note 2: The interacting elements in the definition of system include hardware, software, data, humans, processes, facilities, materials, and naturally occurring physical entities.
Note 3: System-of-systems is included in the definition of system.

system component
[SP 800-128]
A discrete identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware.

system of records
[USC 552]
A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

system of records notice
[OMB A-108]
The notice(s) published by an agency in the Federal Register upon the establishment and/or modification of a system of records describing the existence and character of the system.

system owner (or program manager)
Official responsible for the overall procurement, development, integration, modification, operation, and maintenance of a system.

system security officer
[SP 800-37]
Individual with assigned responsibility for maintaining the appropriate operational security posture for a system or program.

system security plan
See security plan.

system service
A capability provided by a system that facilitates information processing, storage, or transmission.

system-related security risk
[SP 800-30]
Risk that arises through the loss of confidentiality, integrity, or availability of information or systems and that considers impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation. See risk.

system-specific control
[OMB A-130]
A security or privacy control for an information system that is implemented at the system level and is not inherited by any other information system.

systems engineering
[SP 800-160-1]
An engineering discipline whose responsibility is creating and executing an interdisciplinary process to ensure that the customer and all other stakeholder needs are satisfied in a high-quality, trustworthy, cost-efficient, and schedule-compliant manner throughout a system’s entire life cycle.

systems security engineering
[SP 800-160-1]
A specialty engineering field strongly related to systems engineering. It applies scientific, engineering, and information assurance principles to deliver trustworthy systems that satisfy stakeholder requirements within their established risk tolerance.

tailored control baseline
A set of controls that result from the application of tailoring guidance to a control baseline. See tailoring.

tailoring
The process by which security control baselines are modified by: identifying and designating common controls, applying scoping considerations on the applicability and implementation of baseline controls, selecting compensating security controls, assigning specific values to organization-defined security control parameters, supplementing baselines with additional security controls or control enhancements, and providing additional specification information for control implementation.

tampering
[CNSSI 4009]
An intentional but unauthorized act resulting in the modification of a system, components of systems, its intended behavior, or data.

threat
[SP 800-30]
Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

threat assessment
[CNSSI 4009]
Formal description and evaluation of threat to an information system.

threat modeling
[SP 800-154]
A form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.

threat source
[FIPS 200]
The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. See threat agent.

transmission
[CNSSI 4009]
The state that exists when information is being electronically sent from one location to one or more other locations.

trusted path
A mechanism by which a user (through an input device) can communicate directly with the security functions of the system with the necessary confidence to support the system security policy. This mechanism can only be activated by the user or the security functions of the system and cannot be imitated by untrusted software.

trustworthiness
[CNSSI 4009]
The attribute of a person or enterprise that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities.

trustworthiness (system)
The degree to which an information system (including the information technology components that are used to build the system) can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system across the full range of threats. A trustworthy information system is believed to operate within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.

user
Individual, or (system) process acting on behalf of an individual, authorized to access a system. See organizational user and non-organizational user.

virtual private network
[CNSSI 4009]
Protected information system link utilizing tunneling, security controls, and endpoint address translation giving the impression of a dedicated line.

vulnerability
[SP 800-30]
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

vulnerability analysis
See vulnerability assessment.

vulnerability assessment
[CNSSI 4009]
Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.