Browse — Entity Type · Control
318 terms
TermTypeDefinitionClassificationsUpdated
access controlnounA system or measures that limit the retrieving, obtaining, or examining of information, or information processing resources, to persons or applications authorized by the system or data classification.Control
Access control listnounAn internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals Scope Note: Also referred to as access control tablesControl
access control mechanismnounSecurity measures designed to detect and deny unauthorized access and permit authorized access to an information system or a physical facility.Control
Access Control programnounA documented listing of procedures, schedules, roles and responsibilities, and plans or instructions to be performed to implement access control.ControlRegulatedPCI
Access Control ServicenounA security service that provides protection of system resources against unauthorized access. The two basic mechanisms for implementing this service are ACLs and tickets.Control
Access ProfilenounAssociation of a user with a list of protected objects the user may access.Control
Add-on SecuritynounIncorporation of new hardware, software, or firmware safeguards in an operational information system.Control
Administrative SafeguardsnounAdministrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity's workforce in relation to protecting that information.ControlRegulatedPHI
Advanced Encryption StandardnounThe Advanced Encryption Standard specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.ControlRegulated
Air-gapped environmentnounSecurity measure that isolates a secure network from unsecure networks physically, electrically, and electromagnetically.Control
Anti-jamnounCountermeasures ensuring that transmitted information can be received despite deliberate jamming attempts.ControlRegulatedCUI
Anti-spoofnounCountermeasures taken to prevent the unauthorized use of legitimate Identification & Authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker.Control
Antivirus softwarenounA program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.Control
application controlnounControls related to transactions and data within application systems. Application controls ensure the completeness and accuracy of the records and the validity of the entries made resulting from both programmed processing and manual data entry. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted.ControlRegulated
application whitelistingnounApplication whitelisting is a computer administration practice used to prevent unauthorized programs from running. The purpose is primarily to protect computers and networks from harmful applications, and, to a lesser extent, to prevent unnecessary demand for resources. The whitelist is a simple list of applications that have been granted permission by the user or an administrator. When an application tries to execute, it is automatically checked against the list and, if found, allowed to run. An integrity check measure, such as hashing, is generally added to ensure that the application is in fact the authorized program and not a malicious or otherwise inappropriate one with the same name.Control
Approved Mode of OperationnounA mode of the cryptographic module that employs only Approved security functions (not to be confused with a specific mode of an Approved security function, e.g., Data Encryption Standard Cipher-Block Chaining (DES CBC) mode).ControlRegulatedCUI
asset physical securitynounThe protection of assets from theft, vandalism, natural disasters, and accidental damage.ControlRegulated
Attribute-Based Access ControlnounAccess control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.Control
Attribute-Based AuthorizationnounA structured process that determines when a user is authorized to access information, systems, or services based on attributes of the user and of the information, system, or service.Control
authentication controlnounOne of several systems which restrict user access to a network.ControlRegulated
authentication mechanismnounHardware or software-based mechanisms that forces users, devices, or processes to prove their identity before accessing data on an information system.Control
authentication methodnounA method of Verifying the identity of a user, such as a challenge password or a digital certificate.ControlRegulated
Authentication ModenounA block cipher mode of operation that can provide assurance of the authenticity and, therefore, the integrity of data.Control
authorizationnounAccess privileges granted to a user, program, or process or the act of granting those privileges.Control
authorized accessnounAccess to system components that (a) has been approved by a person designated to do so by management and (b) does not compromise segregation of duties, confidentiality commitments, or otherwise increase risk to the system beyond the levels approved by management (that is, access is appropriate).ControlRegulated
Automated ControlsnounSoftware routines designed into programs to ensure the validity, accuracy, completeness, and availability of input, processed, and stored data.ControlRegulated
Backtracking ResistancenounBacktracking resistance is provided relative to time T if there is assurance that an adversary who has knowledge of the internal state of the Deterministic Random Bit Generator (DRBG) at some time subsequent to time T would be unable to distinguish between observations of ideal random bitstrings and (previously unseen) bitstrings that were output by the DRBG prior to time T. The complementary assurance is called Prediction Resistance.ControlRegulated
beforenounThis limits a Control or Mandate's secondary verb to be put into play prior to the event taking place.ControlRegulated
Bilateral Key SecuritynounA multi-level data encryption system, based on the exchange of Bilateral Keys, allowing users of SWIFT to create, send, and receive SWIFT messages. Bilateral Keys are unique authenticator keys possessed by only the two parties (either the provider or recipient of a message) involved and provide confirmation in both directions of the legitimacy of a message sent via SWIFT.ControlRegulated
Black holingnounA method typically used by ISPs to stop a DDoS attack on one of its customers. This approach to block DDoS attacks makes the site in question completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic.Control
blacklistnounA list of discrete entities, such as hosts or applications, that have been previously determined to be associated with malicious activity.Control
Boundary ProtectionnounMonitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communication, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels).ControlRegulated
Bulk EncryptionnounSimultaneous encryption of all channels of a multichannel telecommunications link.Control
Call Admission ControlnounThe inspection and control all inbound and outbound voice network activity by a voice firewall based on user-defined policies.Control
Challenge and Reply AuthenticationnounPrearranged procedure in which a subject requests authentication of another and the latter establishes validity with a correct reply.Control
Challenge-Response ProtocolnounAn authentication protocol where the verifier sends the claimant a challenge (usually a random value or a nonce) that the claimant combines with a secret (often by hashing the challenge and a shared secret together, or by applying a private key operation to the challenge) to generate a response that is sent to the verifier. The verifier can independently verify the response generated by the Claimant (such as by re-computing the hash of the challenge and the shared secret and comparing to the response, or performing a public key operation on the response) and establish that the Claimant possesses and controls the secret.Control
Check WordnounCipher text generated by cryptographic logic to detect failures in cryptography.ControlRegulatedCUI
CiphernounAny cryptographic system in which arbitrary symbols or groups of symbols, represent units of plain text, or in which units of plain text are rearranged, or both.Control
Cipher Block Chaining-Message Authentication CodenounA secret-key block-cipher algorithm used to encrypt data and to generate a Message Authentication Code (MAC) to provide assurance that the payload and the associated data are authentic.Control
Cipher Text Auto-KeynounCryptographic logic that uses previous cipher text to generate a key stream.Control
Closed StoragenounStorage of classified information within an accredited facility, in General Services Administration-approved secure containers, while the facility is unoccupied by authorized personnel.ControlRegulatedCUI
Computer Security ObjectnounA resource, tool, or mechanism used to maintain a condition of security in a computerized environment. These objects are defined in terms of attributes they possess, operations they perform or are performed on them, and their relationship with other objects.Control
COMSEC BoundarynounDefinable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation, handling, and storage.ControlRegulatedCUI
COMSEC Control ProgramnounComputer instructions or routines controlling or affecting the externally performed functions of key generation, key distribution, message encryption/decryption, or authentication.ControlRegulatedCUI
contractual protectionnounA measure in a contract intended to shield an individual or entity from harm, injury, or liability.Control
Controlled Access ProtectionnounMinimum set of security functionality that enforces access control on individual users and makes them accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation.Control
Controlled InterfacenounA boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems.Control
ControlsnounThis record category contains standards used as a comparison for checking and verifying results of a survey or experiment or contains policies, procedures, practices, and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected.Control
Corrective controlnounA mitigating technique designed to lessen the impact to the institution when adverse events occur.Control
Counter with Cipher Block Chaining-Message Authentication CodenounA mode of operation for a symmetric key block cipher algorithm. It combines the techniques of the Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC) algorithm to provide assurance of the confidentiality and the authenticity of computer data.Control
CountermeasurenounActions, devices, procedures, or techniques that meet or oppose (i.e., counters) a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.Control
Cover-CodingnounA technique to reduce the risks of eavesdropping by obscuring the information that is transmitted.Control
Cross-Domain SolutionnounA form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains.ControlRegulatedCUI
cryptographic algorithmnounA well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.Control
Cryptographic Algorithm or HashnounAn algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms.Control
Cryptographic BindingnounAssociating two or more related elements of information using cryptographic techniques.Control
Cryptographic BoundarynounAn explicitly defined continuous perimeter that establishes the physical bounds of a cryptographic module and contains all the hardware, software, and/or firmware components of a cryptographic module.ControlRegulated
cybersecurity controlnounPractices and procedures established to protect organizational assets, user assets, and the cyber environment from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.ControlRegulated
Cyclic Redundancy ChecknounSometimes called "cyclic redundancy code." A type of checksum algorithm that is not a cryptographic hash but is used to implement data integrity service where accidental changes to data are expected.Control
Cyclical Redundancy ChecknounError checking mechanism that verifies data integrity by computing a polynomial algorithm based checksum.Control
data controlnounThe function responsible for seeing that all data necessary for processing is present and that all output is complete and distributed properly. This function is generally responsible for reconciling record counts and control totals submitted by users with similar counts and totals generated during processing.Control
data encryptionnounThe reversible transformation of data from the original, plain text, version to a difficult-to-interpret format for security purposes.Control
Data Encryption AlgorithmnounThe DEA cryptographic engine that is used by the Triple Data Encryption Algorithm (TDEA).ControlRegulated
Data Encryption StandardnounCryptographic algorithm designed for the protection of unclassified data and published by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standard (FIPS) Publication 46. (FIPS 46-3 withdrawn 19 May 2005) See Triple DES.ControlRegulated
Data Origin AuthenticationnounThe process of verifying that the source of the data is as claimed and that the data has not been modified.Control
defence in depthnounThe security controls deployed throughout the various layers of the network to provide for resiliency in the event of the failure or the exploitation of a vulnerability of another control (may also be referred to as “layered protection”).Control
Defense-in-BreadthnounA planned, systematic set of multidisciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or sub-component life cycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement).Control
Detective controlnounA mitigating technique designed to recognize an event and alert management when events occur.Control
Device Distribution ProfilenounAn approval-based Access Control List (ACL) for a specific product that 1) names the user devices in a specific key management infrastructure (KMI) Operating Account (KOA) to which PRSNs distribute the product, and 2) states conditions of distribution for each device.ControlRegulatedCUI
Digest AuthenticationnounDigest Authentication allows a web client to compute MD5 hashes of the password to prove it has the password.ControlPII
digital rights managementnounA form of access control technology to protect and manage use of digital content or devices in accordance with the content or device provider's intentions.Control
Discretionary access controlnounA means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).Control
Domain Name System security extensions (DNSSEC)nounA technology that was developed to, among other things, protect against such attacks by digitally 'signing' data so you can be assured it is valid.Control
Dual controlnounDividing the responsibility of a task into separate, accountable actions to ensure the integrity of the process.Control
electronic accessnounThe right or opportunity to use or retrieve something or enter a place through electronic means.ControlRegulated
electronic access controlnounA cyber asset that performs electronic access control of the Electronic Security Perimeter(s) or BES Cyber Systems.ControlRegulatedCUI
elevated accessnounRoles or permissions that, if misused or compromised, could allow a person to exploit the system for his or her own gain or illicit purpose.ControlRegulated
Emanations SecuritynounProtection resulting from measures taken to deny unauthorized individuals information derived from intercept and analysis of compromising emissions from crypto-equipment or an information system. See TEMPEST.ControlRegulatedCUI
Embedded CryptographynounCryptography engineered into an equipment or system whose basic function is not cryptographic.Control
employee accessnounThe privileges to gain entry to somewhere or to use something given only to employees.ControlRegulated
EncapsulationnounThe inclusion of one data structure within another structure so that the first data structure is hidden for the time being.Control
EncryptionnounThe process of changing plaintext into ciphertext for the purpose of security or privacy.Control
Encryption algorithmnounSet of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key.Control
End-to-End EncryptionnounCommunications encryption in which data is encrypted when being passed through a network, but routing information remains visible.Control
End-to-End SecuritynounSafeguarding information in an information system from point of origin to point of destination.Control
EntrapmentnounDeliberate planting of apparent flaws in an IS for the purpose of detecting attempted penetrations.ControlRestricted
environmental controlnounA mechanism that prevents or mitigates damage to facilities and interruptions in service. Smoke detectors, fire alarms and extinguishers, and uninterruptible power supplies are some examples of environmental controls.Control
Error Detection CodenounA code computed from data and comprised of redundant bits of information designed to detect, but not correct, unintentional changes in the data.ControlRegulated
existing controlnounControls that are already present in an organization to protect against the identified threats and vulnerabilities.Control
Exponential Backoff AlgorithmnounAn exponential backoff algorithm is used to adjust TCP timeout values on the fly so that network devices don't continue to timeout sending data over saturated links.Control
Extended ACLsnounExtended ACLs are a more powerful form of Standard ACLs on Cisco routers. They can make filtering decisions based on IP addresses (source or destination), Ports (source or destination), protocols, and whether a session is established.Control
Extraction ResistancenounCapability of crypto-equipment or secure telecommunications equipment to resist efforts to extract key.ControlRegulated
Fail SafenounAutomatic protection of programs and/or processing systems when hardware or software failure is detected.Control
Fail SoftnounSelective termination of affected nonessential processing when hardware or software failure is determined to be imminent.Control
Failure ControlnounMethodology used to detect imminent hardware or software failure and provide fail safe or fail soft recovery.Control
File EncryptionnounThe process of encrypting individual files on a storage medium and permitting access to the encrypted data only after proper authentication is provided.Control
File ProtectionnounAggregate of processes and procedures designed to inhibit unauthorized access, contamination, elimination, modification, or destruction of a file or any of its contents.Control
File SecuritynounMeans by which access to computer files is limited to authorized users only.Control
filternounIn Computing: a piece of software that transforms data in some way, such as removing unwanted spaces from text or formats it for use in another application.Control
FIPS-Approved Security MethodnounA security method (e.g., cryptographic algorithm, cryptographic key generation algorithm or key distribution technique, random number generator, authentication technique, or evaluation criteria) that is either a) specified in a FIPS, or b) adopted in a FIPS.ControlRegulatedCUI
FIPS-Validated CryptographynounA cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-Approved Cryptography.ControlRegulated
Forensically CleannounDigital media that is completely wiped of all data, including nonessential and residual data, scanned for malware, and verified before use.Control
Form-Based AuthenticationnounForm-Based Authentication uses forms on a webpage to ask a user to input username and password information.Control
Formal Access ApprovalnounA formalization of the security determination for authorizing access to a specific type of classified or sensitive information, based on specified access requirements, a determination of the individual’s security eligibility and a determination that the individual’s official duties require the individual be provided access to the information.ControlRegulatedCUI
Formal MethodnounMathematical argument which verifies that the system satisfies a mathematically-described security policy.Control
Forward CiphernounOne of the two functions of the block cipher algorithm that is determined by the choice of a cryptographic key. The term “forward cipher operation” is used for TDEA, while the term “forward transformation” is used for DEA.Control
Frequency HoppingnounRepeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications.ControlRegulatedCUI
Full Disk EncryptionnounThe process of encrypting all the data on the hard disk drive used to boot a computer, including the computer’s operating system, and permitting access to the data only after successful authentication with the full disk encryption product.ControlRegulated
general controlnounControls, other than application controls, that relate to the environment within which application systems are developed, maintained, and operated, and that are therefore applicable to all the applications at an institution. The objectives of general controls are to ensure the proper development and implementation of systems, and the integrity of program and data files and of computer operations.Control
GuardnounA mechanism limiting the exchange of information between information systems or subsystems.Control
Hash functionnounA function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions are specified in FIPS 180 and are designed to satisfy the following properties: 1. (One-way) It is computationally infeasible to find any input that maps to any new prespecified output, and 2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.Control
Hash-based Message Authentication CodenounA message authentication code that uses a cryptographic key in conjunction with a hash function.ControlRegulated
Horizontal defense-in depthnounControls are placed in various places in the path to access an asset (this is functionally equivalent to concentric ring model above).Control
Hybrid EncryptionnounAn application of cryptography that combines two or more encryption algorithms, particularly a combination of symmetric and asymmetric encryption.Control
Hybrid Security ControlnounA security control that is implemented in an information system in part as a common control and in part as a system-specific control. See also Common Control and System-Specific Security Control.Control
Identity ValidationnounTests enabling an information system to authenticate users or resources.Control
Identity-Based Access ControlnounAccess control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.Control
Information Flow ControlnounProcedure to ensure that information transfers within an information system are not made in violation of the security policy.ControlRegulatedCUI
information security controlnounPractices and procedures established to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.Control
Information Technology controlnounRefers to the internal controls over security management, system development and change management, information processing, communications networks and management of technology service providers.ControlRegulated
IntegritynounGuarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.Control
integrity check mechanismnounAny software, hardware, or methodology that checks a program, system, or records for unauthorized modifications.Control
Integrity Check ValuenounChecksum capable of detecting modification of an information system.Control
Integrity Star PropertynounIn Integrity Star Property a user cannot read data of a lower integrity level then their own.Control
internal controlnounThe purpose of this task is to provide reasonable assurance that operations are effective and efficient, financial reporting is reliable, and applicable laws and regulations are being followed.ControlRegulated
Internal Security ControlsnounHardware, firmware, or software features within an information system that restrict access to resources only to authorized subjects.Control
Internet Protocol SecuritynounA developing standard for security at the network or packet processing layer of network communication.Control
JitternounJitter or Noise is the modification of fields in a database while preserving the aggregate characteristics of that make the database useful in the first place.ControlRegulatedPII
key controlnounA type of internal control designed to detect errors or fraud in financial statements.ControlRegulated
Key WrapnounA method of encrypting keying material (along with associated integrity information) that provides both confidentiality and integrity protection using a symmetric key algorithm.ControlRestricted
Keyed-hash based message authentication codenounA message authentication code that uses a cryptographic key in conjunction with a hash function.ControlRegulated
Labeled Security ProtectionsnounAccess control protection features of a system that use security labels to make access control decisions.ControlRegulated
Lattice TechniquesnounLattice Techniques use security designations to determine access to information.Control
layered protectionnounAs relying on any single defence against a cyber threat may be inadequate, an FMI can use a series of different defences to cover the gaps in and reinforce other protective measures. For example, the use of firewalls, intrusion detection systems, malware scanners, integrity auditing procedures and local storage encryption tools can serve to protect information assets in a complementary and mutually reinforcing manner. May also be referred to as “defence in depth”.Control
Line ConditioningnounElimination of unintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line.Control
Link EncryptionnounLink encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T1 line). Since link encryption also encrypts routing data, communications nodes need to decrypt the data to continue routing.Control
List Based Access ControlnounList Based Access Control associates a list of users and their privileges with each object.Control
List-OrientednounInformation system protection in which each protected object has a list of all subjects authorized to access it.Control
LockoutnounThe action of temporarily revoking network or application access privileges, normally due to repeated unsuccessful logon attempts.Control
logical accessnounThe ability to interact with data through access control procedures such as identification, authentication, and authorization.Control
Logical access controls (noun): The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files. [Control]
logical security (noun): Software safeguards for an organization's systems, including user identification and password access, authentication, access rights and authority levels. These measures ensure that only authorized users can perform actions or access information on a network or workstation. [Control, Regulated]
Low Probability of Detection (noun): Result of measures used to hide or disguise intentional electromagnetic transmissions. [Control, Regulated, CUI]
Low Probability of Intercept (noun): Result of measures to prevent the intercept of intentional electromagnetic transmissions. The objective is to minimize an adversary's capability of receiving, processing or replaying an electronic signal. [Control, Regulated, CUI]
Malicious Code Prevention (noun): The purpose of this policy is to prevent malicious code attacks and, should they occur, to quarantine the infected systems and eradicate the malicious code before it spreads further. [Control, Regulated]
Management Controls (noun): Actions taken to manage the development, maintenance and use of the system, including system-specific policies, procedures and rules of behavior, individual roles and responsibilities, individual accountability, and personnel security decisions. [Control]
Management Security Controls (noun): The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information systems security. [Control, Restricted, CUI]
Mandatory access control (noun): A means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals and need-to-know) of subjects to access information of such sensitivity. [Control]
Mandatory Modification (noun): Change to a COMSEC end-item that NSA requires to be completed and reported by a specified date. See Optional Modification. [Control, Regulated, CUI]
Masking (noun): A computerized technique of blocking out the display of sensitive information, such as passwords, on a computer terminal or report. [Control]
Mechanisms (noun): An assessment object that includes specific protection-related items (e.g., hardware, software or firmware) employed within or at the boundary of an information system. [Control]
Message authentication code (noun): A cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data. MACs provide authenticity and integrity protection but not non-repudiation, because every party holding the shared key can produce a valid tag. [Control]
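An added worked example for the Message authentication code entry (this is editor-supplied code, not part of the glossary): it computes and verifies an HMAC-SHA256 tag with Python's standard library, checks the result against the public RFC 4231 test vector, and shows both why a tampered message fails verification and why a MAC gives no non-repudiation (any key holder can forge a tag). The message text and the randomly generated key are constructed for the demo.

```python
import hashlib
import hmac
import os


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over `message` using the shared symmetric key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time (no early exit on the first differing byte)."""
    expected = mac_tag(key, message)
    return hmac.compare_digest(expected, tag)


# RFC 4231, test case 1: a published, non-secret test vector for HMAC-SHA256.
RFC4231_KEY = bytes([0x0B] * 20)
RFC4231_DATA = b"Hi There"
RFC4231_TAG_HEX = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"


def demo() -> tuple:
    """Returns (intact_verifies, tampered_verifies, forged_by_key_holder_verifies)."""
    key = os.urandom(32)  # shared by sender and verifier only; constructed for the demo
    msg = b"transfer 100.00 to account 12345"
    tag = mac_tag(key, msg)

    intact = mac_verify(key, msg, tag)
    # Accidental or deliberate change to the data: the tag no longer matches.
    tampered = mac_verify(key, b"transfer 900.00 to account 12345", tag)
    # No non-repudiation: the verifier holds the same key and can mint a tag for any message,
    # so a valid tag does not prove which key holder produced it.
    forged = mac_verify(key, b"any message", mac_tag(key, b"any message"))
    return intact, tampered, forged


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The constant-time comparison matters in practice: a byte-by-byte `==` on tags can leak how many leading bytes were correct through response timing.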
mitigation (noun): The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences. [Control]
mitigation action (noun): An action taken by an organization to reduce the impact of a possible problem or incident. [Control]
moving target defense (noun): The presentation of a dynamic attack surface, increasing the work factor an adversary needs to probe, attack or maintain presence in a cyber target. [Control]
Multi-factor authentication (noun): The process of using two or more factors to achieve authentication. Factors include something you know (e.g., password or personal identification number); something you have (e.g., cryptographic identification device or token); and something you are (e.g., biometric). [Control]
Mutual Authentication (noun): Occurs when the parties at both ends of a communication activity authenticate each other. [Control]
Network Access Control (noun): A feature provided by some firewalls that allows access based on a user's credentials and the results of health checks performed on the telework client device. [Control]
Network segmentation (noun): A common technique for implementing network security in which an organization's network is divided into separate zones that can be separately controlled, monitored and protected. [Control]
network segregation (noun): Developing and enforcing a ruleset controlling which computing devices are permitted to communicate with which other computing devices. [Control]
No-Lone Zone (noun): Area, room or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other. See Two-Person Integrity. [Control, Regulated, CUI]
Null (noun): Dummy letter, letter symbol or code group inserted into an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes. [Control, Regulated, CUI]
Obfuscation (noun): The deliberate act of creating source or machine code that is difficult for humans to understand. [Control, IP]
Object Reuse (noun): Reassignment and reuse of a storage medium containing one or more objects after ensuring that no residual data remains on the storage medium. [Control, Regulated]
One-Way Encryption (noun): Irreversible transformation of plaintext to ciphertext, such that the plaintext cannot be recovered from the ciphertext other than by exhaustive procedures, even if the cryptographic key is known. [Control]
One-Way Function (noun): A (mathematical) function f whose output is easy to compute from a given input, but for which, given only an output value, it is computationally infeasible (short of brute-force search) to find an input that produces it. [Control]
One-Way Hash Algorithm (noun): A hash algorithm that maps arbitrarily long inputs to a fixed-size output such that it is computationally infeasible to find two different inputs that produce the same output. Such algorithms are an essential part of producing fixed-size digital signatures that can both authenticate the signer and provide data integrity checking (detection of input modification after signing). [Control]
operational control (noun): The day-to-day security procedures and mechanisms that protect operational systems. Operational controls consist of the physical, environmental and personnel security controls; they deal with the everyday operation of a company or organization to ensure that all objectives are achieved. [Control, Regulated]
Optional Modification (noun): NSA-approved modification not required for universal implementation by all holders of a COMSEC end-item. This class of modification requires all of the engineering/doctrinal control of a mandatory modification but is usually not related to security, safety, TEMPEST or reliability. See Mandatory Modification. [Control, Regulated, CUI]
Out-of-band (noun): Activity outside the primary means of interfacing with the customer. For example, a user performing activity online may be authenticated through a one-time password sent via text message. [Control, Regulated]
Packet Filter (noun): A routing device that provides access control functionality for host addresses and communication sessions. [Control]
Packet filtering (noun): Controlling access to a network by analyzing the attributes of incoming and outgoing packets and either letting them pass or denying them, based on a list of rules. [Control]
Passive response (noun): A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action. [Control]
Permutation (noun): A transposition that keeps the same letters but changes their positions within the text to scramble the message. [Control]
physical access (noun): The ability of people to physically gain access to a computer system or facility. [Control, Regulated]
physical access control (noun): A mechanism, system or barrier that prevents unauthorized physical access to an area or a facility. [Control]
physical access control system (noun): Physical access control enables an authority to control admission to areas and resources in a physical facility. A physical access control system may restrict access via swipe cards, Personal Identity Verification (PIV) smart cards and biometric (e.g., fingerprint) readers. Physical access control systems are generally seen as the second layer in the security of a physical facility, after fences, doors and barriers. [Control, Regulated]
Physical Access Control system maintenance and testing program (noun): A documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to ensure continued maintenance and testing of the Physical Access Control System. [Control, Regulated, CUI]
physical security (noun): The protection of personnel, hardware, programs, networks and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism and terrorism. [Control, Regulated]
physical security control (noun): A device that relies on the proper application of physical barriers and deterrents to control behavior. Through physical controls an organization controls physical access to facilities and systems; they also help maintain the operating environment needed to continue information processing and delivery activities. [Control]
Poison Reverse (noun): Split horizon with poisoned reverse (more simply, poison reverse) does include routes in the updates sent back to the gateway from which they were learned, but sets their metric to infinity, in effect advertising that those routes are not reachable through this router. [Control]
policies and controls (noun): A program that focuses on security policies and the management of those policies. [Control]
Policy-Based Access Control (noun): A form of access control that uses an authorization policy that is flexible in the types of parameters evaluated (e.g., identity, role, clearance, operational need, risk and heuristics). [Control]
Polyinstantiation (noun): The ability of a database to maintain multiple records with the same key, each at a different security level, so that a user at a lower level sees a cover record rather than learning that a higher-classified record exists. It is used to prevent inference attacks. [Control]
Positive pay (noun): A technique that can reduce check fraud by having businesses send the financial institution electronic files listing all checks the business has issued, so that checks presented for payment can be matched against that list. [Control, Regulated]
Prediction Resistance (noun): Prediction resistance is provided relative to time T if there is assurance that an adversary who has knowledge of the internal state of the deterministic random bit generator (DRBG) at some time prior to T would be unable to distinguish between observations of ideal random bitstrings and bitstrings output by the DRBG at or subsequent to time T. The complementary assurance is called Backtracking Resistance. [Control, Regulated]
Principle of least privilege/access (noun): Controls that grant only the least privilege or access needed to complete a task. [Control]
Print Suppression (noun): Eliminating the display of characters in order to preserve their secrecy. [Control, Regulated]
Promiscuous Mode (noun): A configuration setting for a network interface card that causes it to accept all incoming packets it sees, regardless of their intended destination. [Control]
protective measure (noun): Any precautionary action, procedure or installation conceived or undertaken to guard or defend persons, property or the environment from harm. [Control]
Protective Packaging (noun): Packaging techniques for COMSEC material that discourage penetration, reveal that a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use. [Control, Regulated, CUI]
Protective Technologies (noun): Special tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract or substitute information processing equipment and keying material. [Control, Regulated, CUI]
protective technology (noun): Special tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract or substitute information processing equipment and keying material. [Control, Regulated]
Public-Key Forward Secrecy (noun): For a key agreement protocol based on asymmetric cryptography, the property that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future. [Control]
Quarantine (noun): Storing files containing malware in isolation for future disinfection or examination. [Control]
Red/Black Concept (noun): Separation of electrical and electronic circuits, components, equipment and systems that handle unencrypted information (Red), in electrical form, from those that handle encrypted information (Black) in the same form. [Control, Regulated, CUI]
redundancy (noun): Additional or alternative systems, sub-systems, assets or processes that maintain a degree of overall functionality in case of loss or failure of another system, sub-system, asset or process. [Control]
Redundant site (noun): A recovery strategy involving the duplication of key IT components, including data or other key business processes, so that fast recovery can take place. [Control]
Reference Monitor (noun): The security engineering term for IT functionality that 1) mediates all access, 2) cannot be bypassed, 3) is tamper-resistant, and 4) is small and verifiable enough to provide confidence that the other three properties hold. [Control]
Reflexive ACLs (noun): Reflexive ACLs on Cisco routers are a step toward making the router act like a stateful firewall: the router makes filtering decisions based on whether a packet belongs to an established connection, permitting inbound return traffic only for sessions that were initiated from inside. [Control]
remedial action (noun): Action taken to implement long-term restoration of environmental quality. [Control, Regulated]
Repair Action (noun): NSA-approved change to a COMSEC end-item that does not affect the original characteristics of the end-item and is provided for optional application by holders. Repair actions are limited to minor electrical and/or mechanical improvements to enhance operation, maintenance or reliability. They do not require an identification label, marking or control, but must be fully documented by changes to the maintenance manual. [Control, Regulated, CUI]
Resource Encapsulation (noun): Method by which the reference monitor mediates accesses to an information system resource. The resource is protected and not directly accessible by a subject, which also satisfies the requirement for accurate auditing of resource usage. [Control]
Risk acceptance (noun): If the risk is within the enterprise's risk tolerance, or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses. [Control]
risk management control (noun): Controls associated with instruments that introduce risks requiring effective adherence to the relevant clearing house, association, interchange and regulatory requirements. [Control, Regulated]
Risk mitigation (noun): Prioritizing, evaluating and implementing the appropriate risk-reducing controls/countermeasures recommended by the risk management process. [Control]
Risk Mitigation Plan (noun): A record containing detailed proposals intended to reduce the risks to a critical asset, typically including actions or countermeasures designed to counter the threats to those assets. [Control, Regulated, CUI]
Risk-Adaptable Access Control (noun): A form of access control that uses an authorization policy that takes into account operational need, risk and heuristics. [Control]
risk-based authentication (noun): Any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a person and requires additional verification of the person's identity when such deviations or changes are detected, such as through the use of challenge questions. [Control, Regulated, PII]
Role Based Access Control (noun): Assigns users to roles based on their organizational functions and determines authorization based on those roles. [Control]
Rule Set Based Access Control (noun): Targets actions based on rules for entities operating on objects. [Control]
Ruleset (noun): A set of directives that govern the access control functionality of a firewall. The firewall uses these directives to determine how packets should be routed between its interfaces. [Control, Regulated]
S-box (noun): A nonlinear substitution table used in several byte substitution transformations and in the Key Expansion routine of AES to perform a one-for-one substitution of a byte value. [Control]
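An added worked example for the S-box entry (editor-supplied, not glossary content): it builds the AES S-box from its definition in FIPS 197, the multiplicative inverse in GF(2^8) followed by an affine transformation, and then checks the two properties the entry names, that the table is a one-for-one substitution (a bijection on byte values) and that it is nonlinear. The expected values (S[0x00] = 0x63, S[0x53] = 0xED) are the published ones; everything else here is ordinary arithmetic.

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # reduce by the low byte of 0x11B once the x^8 term overflows
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES defines the inverse of 0 as 0."""
    if a == 0:
        return 0
    # The multiplicative group has order 255, so a^254 == a^-1. Square-and-multiply:
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def affine(b: int) -> int:
    """The AES affine transformation over GF(2): b XOR its four left rotations XOR 0x63."""
    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


def build_sbox() -> list:
    """SubBytes table: inverse first, then the affine map, for every byte value."""
    return [affine(gf_inv(x)) for x in range(256)]


def is_bijection(table: list) -> bool:
    """One-for-one substitution: every byte value appears exactly once."""
    return sorted(table) == list(range(256))


def is_linear(table: list) -> bool:
    """An affine-linear map would satisfy S(x ^ y) == S(x) ^ S(y) ^ S(0) for all x, y.
    The AES S-box fails this (the inversion step is what makes it nonlinear)."""
    return all(table[x ^ y] == table[x] ^ table[y] ^ table[0]
               for x in range(256) for y in range(256))


SBOX = build_sbox()

if __name__ == "__main__":
    print(hex(SBOX[0x53]), is_bijection(SBOX), is_linear(SBOX))  # 0xed True False
```

Because the table is a bijection, the inverse S-box used by InvSubBytes is just the reversed lookup; because it is nonlinear, the cipher cannot be collapsed into a system of linear equations over the key bits.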
S/MIME (noun): A set of specifications for securing electronic mail. Secure/Multipurpose Internet Mail Extensions (S/MIME) is based upon the widely used MIME standard and describes a protocol for adding cryptographic security services through MIME encapsulation of digitally signed and encrypted objects. The basic security services offered by S/MIME are authentication, non-repudiation of origin, message integrity and message privacy. Optional security services include signed receipts, security labels, secure mailing lists and an extended method of identifying the signer's certificate(s). [Control]
Sandboxing (noun): A method of isolating application modules into distinct fault domains enforced by software. The technique allows untrusted programs written in an unsafe language, such as C, to be executed safely within the single virtual address space of an application. Untrusted machine-interpretable code modules are transformed so that all memory accesses are confined to code and data segments within their fault domain. Access to system resources can also be controlled through a unique identifier associated with each domain. The term is also used more broadly for any mechanism that confines untrusted code (process isolation, system call filters, containers, virtual machines). See Software-Based Fault Isolation. [Control]
secure coding practice (noun): A method used as part of software development life cycle risk management so that software applications are designed and implemented with appropriate security requirements. [Control]
Secure Communication Protocol (noun): A communication protocol that provides the appropriate confidentiality, authentication and content-integrity protection. [Control]
Secure Erase (noun): An overwrite technology that uses a firmware-based process to overwrite a hard drive. It is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications and runs inside the drive hardware, completing in about 1/8 the time of a DoD 5220.22-M block erasure. On flash-based drives, overwrite commands do not reliably reach every block (wear levelling and over-provisioning), so the drive's sanitize or cryptographic erase command should be used and the result verified. [Control, Regulated]
Secure Multipurpose Internet Mail Extensions (noun): Provides cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures) and privacy and data security (using encryption), giving a consistent way to send and receive MIME data. (RFC 2311) [Control]
Secure State (noun): Condition in which no subject can access any object in an unauthorized manner. [Control]
Secure/Multipurpose Internet Mail Extensions (noun): A set of specifications for securing electronic mail. S/MIME is based upon the widely used MIME standard [MIME] and describes a protocol for adding cryptographic security services through MIME encapsulation of digitally signed and encrypted objects. The basic security services offered by S/MIME are authentication, non-repudiation of origin, message integrity and message privacy. Optional security services include signed receipts, security labels, secure mailing lists and an extended method of identifying the signer's certificate(s). [Control, Regulated]
Security Association (noun): A relationship established between two or more entities to enable them to protect the data they exchange. [Control]
Security Banner (noun): A banner at the top or bottom of a computer screen that states the overall classification of the system in large, bold type. Can also refer to the opening screen that informs users of the security implications of accessing a computer resource. [Control, Regulated, CUI]
security control (noun): A safeguard or countermeasure to avoid, counteract or minimize security risks relating to personal property or any company property. For business-to-business organizations whose service may affect the financial statements of another company, the prospective customer may require successful audit reports of policy controls. [Control, Regulated]
Security Control Assessment (noun): The testing and/or evaluation of the management, operational and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system. [Control, Regulated, CUI]
Security Control Baseline (noun): One of the sets of minimum security controls defined for federal information systems in NIST Special Publication 800-53 and CNSS Instruction 1253. [Control, Regulated]
Security Control Enhancements (noun): Statements of security capability that (i) build in additional but related functionality to a security control and/or (ii) increase the strength of the control. [Control]
Security Control Inheritance (noun): A situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized and monitored by entities other than those responsible for the system or application; these entities may be internal or external to the organization where the system or application resides. See Common Control. [Control]
Security Filter (noun): A secure subsystem of an information system that enforces security policy on the data passing through it. [Control]
Security Label (noun): Information that represents or designates the value of one or more security-relevant attributes (e.g., classification) of a system resource. [Control, Regulated]
Security Mechanism (noun): A device designed to provide one or more security services, usually rated in terms of strength of service and assurance of design. [Control]
security patch (noun): Computer code intended to repair or lessen the impact of vulnerabilities within application software. [Control, Regulated]
Security perimeter (noun): A physical or logical boundary defined for a system, domain or enclave, within which a particular security policy or security architecture is applied. [Control]
Security Safeguards (noun): Protective measures and controls prescribed to meet the security requirements specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas and devices. [Control]
Segregation/separation of duties (noun): A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets. Scope Note: Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection. [Control]
Separation of Duties (noun): The principle of splitting privileges among multiple individuals or systems. [Control]
separation of duty (noun): Practice of dividing the steps in a function among different individuals, so as to keep a single individual from being able to subvert the process. [Control]
Signature Validation (noun): The (mathematical) verification of the digital signature and obtaining the appropriate assurances (e.g., public key validity, private key possession, etc.). [Control, Regulated]
Simple Integrity Property (noun): In the Biba integrity model, the rule that a subject may not read data from a lower integrity level than its own (no read down). Its companion, the *-integrity property, forbids writing data to a higher integrity level than the subject's own (no write up). [Control]
Single factor authentication (noun): Authentication process that requires only a user ID and password to grant access. [Control]
software security control (noun): The software and procedures used to assist in the protection of information systems and the files created, communicated and stored by individuals and organizations. [Control]
Software-Based Fault Isolation (noun): A method of isolating application modules into distinct fault domains enforced by software. The technique allows untrusted programs written in an unsafe language, such as C, to be executed safely within the single virtual address space of an application. Untrusted machine-interpretable code modules are transformed so that all memory accesses are confined to code and data segments within their fault domain. Access to system resources can also be controlled through a unique identifier associated with each domain. [Control]
Split Horizon (noun): A routing algorithm that avoids loops by omitting from updates any route learned from the gateway to which the update is being sent. [Control]
Split Knowledge (noun): 1. Separation of data or information into two or more parts, each part constantly kept under the control of separate authorized individuals or teams so that no one individual or team knows the whole. 2. A process by which a cryptographic key is split into multiple key components, each individually sharing no knowledge of the original key, which can subsequently be input into, or output from, a cryptographic module by separate entities and combined to recreate the original cryptographic key. [Control, Regulated, CUI]
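An added worked example for sense 2 of the Split Knowledge entry (editor-supplied code, not from the glossary): the key is split into XOR key components, one per custodian, so that all components are needed to recreate it and any smaller set is statistically independent of the key. The 32-byte key and the three-custodian setup are constructed for the demo; in practice each component would be handed to a different person and entered separately into the cryptographic module.

```python
import os
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("component length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Split `key` into `custodians` XOR components of equal length.

    All components but the last are uniformly random; the last is chosen so that the XOR
    of all of them equals the key. Any subset missing even one component is therefore
    uniformly random itself, so no custodian (or coalition short of all of them) learns
    anything about the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [os.urandom(len(key)) for _ in range(custodians - 1)]
    last = bytes(key)
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_key(components: List[bytes]) -> bytes:
    """Recreate the key inside the cryptographic module; every component is required."""
    out = bytes(len(components[0]))
    for c in components:
        out = xor_bytes(out, c)
    return out


def demo() -> dict:
    key = os.urandom(32)  # e.g. a key-encrypting key; generated here only for the demo
    parts = split_key(key, 3)
    return {
        "all_three_recover_key": combine_key(parts) == key,   # True
        "two_of_three_recover_key": combine_key(parts[:2]) == key,  # False (chance 2^-256)
        "single_component_is_key": any(p == key for p in parts),    # False
    }


if __name__ == "__main__":
    print(demo())
```

XOR splitting is an n-of-n scheme: losing one component loses the key. Where a k-of-n threshold is needed (for example, any three of five officers), Shamir secret sharing is the usual choice; the custody and dual-control handling described in the entry is the same.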
Standard ACLs (noun): Standard ACLs on Cisco routers make packet filtering decisions based on the source IP address only. [Control]
Star Property (noun): In the Bell-LaPadula model, the rule that a subject may not write data to an object at a lower classification level than the subject's current level (no write down); a user who needs to write at a lower level must log in, or lower the session level, to that level. [Control]
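An added worked example tying together the Mandatory access control, Reference Monitor, Secure State, Simple Integrity Property and Star Property entries (editor-supplied code, not glossary content): a small reference monitor that mediates every read and write against security labels, enforcing the Bell-LaPadula confidentiality rules (no read up, no write down) together with the Biba integrity rules (no read down, no write up) and recording an audit entry for each decision. The level and compartment names, the subject "alice" and the three objects are constructed for the demo; labels are assumed fixed during a check (tranquility).

```python
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Label:
    level: str                              # classification or clearance (Bell-LaPadula)
    compartments: frozenset = frozenset()   # need-to-know categories
    integrity: str = "MEDIUM"               # Biba integrity level

    def dominates(self, other: "Label") -> bool:
        """BLP dominance: level at least as high AND compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class ReferenceMonitor:
    """Every access request goes through check(); anything not explicitly permitted is denied."""

    def __init__(self) -> None:
        self.subjects: dict = {}
        self.objects: dict = {}
        self.audit: list = []

    def add_subject(self, name: str, current_label: Label) -> None:
        self.subjects[name] = current_label  # the subject's current session level

    def add_object(self, name: str, label: Label) -> None:
        self.objects[name] = label

    def check(self, subject: str, obj: str, mode: str) -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        if mode == "read":
            # BLP simple security (no read up) AND Biba simple integrity (no read down)
            ok = s.dominates(o) and INTEGRITY[o.integrity] >= INTEGRITY[s.integrity]
        elif mode == "write":
            # BLP *-property (no write down) AND Biba *-integrity (no write up)
            ok = o.dominates(s) and INTEGRITY[s.integrity] >= INTEGRITY[o.integrity]
        else:
            ok = False  # unknown access modes are denied by default
        self.audit.append((subject, obj, mode, "PERMIT" if ok else "DENY"))
        return ok


def demo() -> dict:
    rm = ReferenceMonitor()
    rm.add_subject("alice", Label("SECRET", frozenset({"CRYPTO"}), "HIGH"))
    rm.add_object("plan", Label("CONFIDENTIAL", frozenset(), "HIGH"))
    rm.add_object("ts_report", Label("TOP SECRET", frozenset({"CRYPTO"}), "HIGH"))
    rm.add_object("public_wiki", Label("UNCLASSIFIED", frozenset(), "LOW"))
    return {
        "read_plan": rm.check("alice", "plan", "read"),               # True: reading down is allowed
        "read_ts_report": rm.check("alice", "ts_report", "read"),     # False: no read up
        "write_plan": rm.check("alice", "plan", "write"),             # False: no write down
        "write_ts_report": rm.check("alice", "ts_report", "write"),   # True: writing up is allowed
        "read_public_wiki": rm.check("alice", "public_wiki", "read"), # False: Biba no read down
        "write_public_wiki": rm.check("alice", "public_wiki", "write"),  # False: no write down
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The public_wiki case is the instructive one: confidentiality alone would let alice read it, but because it carries LOW integrity the Biba rule blocks the read, which is exactly the interaction that makes combined confidentiality and integrity labelling awkward in practice.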
Stateful inspection (noun): A firewall inspection technique that examines the claimed purpose of a communication for validity. For example, a packet claiming to be a response to a request is compared against a table of outstanding requests. [Control]
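An added worked example serving the Packet filtering, Ruleset, Standard ACLs, Reflexive ACLs and Stateful inspection entries (editor-supplied code, not glossary content): a first-match ruleset with an implicit deny, evaluated statelessly, and a stateful wrapper that records permitted outbound sessions and admits inbound packets only when they match a recorded request. A rule that sets only `src` behaves like a Cisco standard ACL. All addresses are from documentation ranges and the packets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # a standard ACL inspects only this field
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(ruleset: List[Rule], pkt: Packet) -> str:
    """Stateless packet filtering: the first matching rule wins; no match means deny."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Adds a session table (the 'table of outstanding requests') to the stateless ruleset."""

    def __init__(self, ruleset: List[Rule], inside_net: str) -> None:
        self.ruleset = ruleset
        self.inside = ipaddress.ip_network(inside_net)
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()

    def filter(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) in self.inside:
            verdict = evaluate(self.ruleset, pkt)
            if verdict == "permit":
                # Remember the 5-tuple so the reply can come back (reflexive ACL behaviour).
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return verdict
        # Inbound: a packet claiming to be a reply must match a recorded outbound request;
        # otherwise it is judged on the static ruleset alone, flags notwithstanding.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions:
            return "permit"
        return evaluate(self.ruleset, pkt)


# Constructed ruleset; order matters because the first match wins.
RULESET = [
    Rule("deny", src="192.0.2.0/24"),                            # standard-ACL style: source only
    Rule("permit", src="10.0.0.0/24", proto="tcp", dport=443),   # inside hosts may browse HTTPS
    Rule("permit", dst="10.0.0.5/32", proto="tcp", dport=25),    # anyone may reach the mail relay
]


def demo() -> dict:
    fw = StatefulFilter(RULESET, "10.0.0.0/24")
    return {
        "outbound_https": fw.filter(Packet("10.0.0.7", "203.0.113.10", "tcp", 40000, 443)),
        "reply_to_https": fw.filter(Packet("203.0.113.10", "10.0.0.7", "tcp", 443, 40000)),
        "unsolicited_reply": fw.filter(Packet("203.0.113.11", "10.0.0.7", "tcp", 443, 40000)),
        "inbound_smtp": fw.filter(Packet("198.51.100.2", "10.0.0.5", "tcp", 5000, 25)),
        "blocked_source_smtp": fw.filter(Packet("192.0.2.5", "10.0.0.5", "tcp", 5000, 25)),
        "outbound_telnet": fw.filter(Packet("10.0.0.7", "203.0.113.10", "tcp", 40001, 23)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `unsolicited_reply` case is the one a stateless filter gets wrong: a packet from port 443 to a high port looks like a reply, but without a matching session entry it is evaluated against the static rules and denied. A real firewall also ages session entries and tracks TCP state rather than a bare 5-tuple.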
Strong Authentication (noun): The requirement to use multiple factors for authentication and advanced technology, such as dynamic passwords or digital certificates, to verify an entity's identity. [Control, Regulated]
strong cryptography (noun): Cryptographic techniques that make it practically impossible to decrypt without the key. The strength relies on the cryptographic key used; the effective key size should meet the minimum key sizes of comparable strength recommended for industry-tested and accepted algorithms. The examples given in this definition are AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher) and ElGamal (1024 bits and higher). These minimums are dated: current NIST guidance (SP 800-57 Part 1 and SP 800-131A) requires at least 2048-bit RSA and finite-field parameters and at least 224-bit ECC, and has deprecated TDES, with its use for encryption disallowed after 2023. See NIST Special Publication 800-57 (http://csrc.nist.gov/publications/) for the current figures. [Control, Regulated]
Suppression Measure (noun): Action, procedure, modification or device that reduces the level of, or inhibits the generation of, compromising emanations in an information system. [Control, Regulated, CUI]
Symmetric key encryption (noun): System in which the same key is used for encryption and decryption; a different key (or set of keys) is used by each pair of trading partners to ensure that no one else can read their messages. See also Private Key Cryptosystem. [Control]
traffic light protocol (noun): A set of designations employing four colors (RED, AMBER, GREEN and WHITE) used to ensure that sensitive information is shared only with the correct audience. TLP version 2.0 (2022) renamed WHITE to CLEAR and added AMBER+STRICT. [Control]
Traffic Padding (noun): Generation of mock communications or data units to disguise the amount of real data being sent. [Control]
Tranquility (noun): Property whereby the security level of an object cannot change while the object is being processed by an information system. [Control]
Transmission Security (noun): Measures (security controls) applied to transmissions in order to prevent interception, disruption of reception, communications deception and/or derivation of intelligence by analysis of transmission characteristics such as signal parameters or message externals. Note: TRANSEC is the field of COMSEC that deals with the security of communication transmissions, rather than that of the information being communicated. [Control, Regulated, CUI]
Triple DES (noun): An implementation of the Data Encryption Standard (DES) algorithm that applies DES three times instead of once. Triple DES provides much stronger encryption than single DES but is weaker than AES: its 64-bit block size makes long sessions vulnerable to birthday-bound attacks (Sweet32), and NIST has deprecated it, disallowing its use for encryption after 2023. [Control]
Trust (noun): Determines which permissions and actions other systems or users may exercise on remote machines. [Control]
Trusted Identification Forwarding (noun): Identification method used in information system networks whereby the sending host can verify that an authorized user on its system is attempting a connection to another host. The sending host transmits the required user authentication information to the receiving host. [Control, Regulated, CUI]
Trusted Path (noun): A mechanism by which a user (through an input device) can communicate directly with the security functions of the information system with the necessary confidence to support the system security policy. This mechanism can only be activated by the user or the security functions of the information system and cannot be imitated by untrusted software. [Control, Regulated]
Two-factor authentication (noun): The use of two independent mechanisms for authentication (e.g., requiring a smart card and a password), typically a combination of something you know, have or are. [Control]
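An added worked example for the Multi-factor authentication and Two-factor authentication entries (editor-supplied code, not glossary content): a knowledge factor (a password checked against a PBKDF2 hash) combined with a possession factor, a time-based one-time password generated per RFC 6238 (TOTP, built on RFC 4226 HOTP). The user record, salt and password are constructed for the demo; the TOTP secret is the published RFC 6238 test key, so the 8-digit codes for the RFC's reference timestamps can be checked against the RFC's table.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since the epoch."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current code and +/- `window` steps to absorb clock drift; compare in constant time."""
    counter = at // step
    return any(hmac.compare_digest(hotp(key, counter + d, digits), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def authenticate(users: dict, username: str, password: str, code: str, at: int) -> bool:
    """Both factors must pass: what the user knows (password) and what the user has (TOTP device)."""
    rec = users.get(username)
    if rec is None:
        return False
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["password_hash"]):
        return False
    return verify_totp(rec["totp_secret"], code, at)


# RFC 6238 Appendix B test secret (published, not a real credential).
RFC6238_KEY = b"12345678901234567890"

# Constructed user record for the demo; the fixed salt is for reproducibility only.
DEMO_SALT = b"\x00" * 16
USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "password_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": RFC6238_KEY,
    }
}


def demo(at: int = 1234567890) -> dict:
    good_code = totp(USERS["alice"]["totp_secret"], at)
    return {
        "both_factors": authenticate(USERS, "alice", "correct horse battery staple", good_code, at),
        "wrong_password": authenticate(USERS, "alice", "wrong", good_code, at),
        "wrong_code": authenticate(USERS, "alice", "correct horse battery staple", "000000", at),
        # Same code replayed two minutes later: outside the +/- one-step window.
        "stale_code": authenticate(USERS, "alice", "correct horse battery staple", good_code, at + 120),
    }


if __name__ == "__main__":
    print(totp(RFC6238_KEY, 59, digits=8))  # 94287082, as in RFC 6238 Appendix B
    print(demo())
```

A production implementation would additionally reject a code that has already been accepted in the current window (replay), rate-limit attempts, and store the TOTP secret with the same care as a password.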
Two-Person Control (noun): Continuous surveillance and control of positive control material at all times by a minimum of two authorized individuals, each capable of detecting incorrect and unauthorized procedures with respect to the task being performed and each familiar with established security and safety requirements. [Control, Regulated, CUI]
Two-Person Integrity (noun): System of storage and handling designed to prohibit individual access by requiring the presence of at least two authorized individuals, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. See No-Lone Zone. [Control, Regulated, CUI]
unescorted access (noun): Access to a facility, area or system without the need to be escorted. [Control, Regulated]
virtual private network access (noun): Permission or ability for an external user to connect to a Virtual Private Network. [Control, Regulated]
Web Content Filtering Software (noun): A program that prevents access to undesirable websites, typically by comparing a requested website address to a list of known bad websites. [Control]
Web of Trust (noun): The decentralized trust that evolves as a user comes to trust other users' signatures on keys, and in turn the keys those trusted users have signed. [Control]
Wi-Fi protected access (noun): A class of systems used to secure wireless (Wi-Fi) computer networks. Scope Note: WPA was created in response to several serious weaknesses that researchers found in the previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard and was intended as an intermediate measure to replace WEP while 802.11i was being prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first-generation wireless access points. WPA2 implements the full standard but will not work with some older network cards. Both provide reasonable security subject to two significant issues. First, WPA or WPA2 must be enabled and chosen in preference to WEP, which is usually presented as the first security choice in most installation instructions. Second, in personal (pre-shared key) mode, the most likely choice for homes and small offices, the passphrase must be considerably longer than the typical six-to-eight-character passwords users are taught to employ, because the pre-shared key can be attacked offline from a captured handshake. WPA's TKIP cipher is itself now deprecated; WPA2 with CCMP (AES) or WPA3 should be used. [Control]
Wi-Fi protected access II (noun): Wireless security protocol that implements the IEEE 802.11i standard to provide greater security. WPA2 mandates CCMP, which is based on the Advanced Encryption Standard (AES); the Temporal Key Integrity Protocol (TKIP) carried over from WPA is permitted only for backward compatibility and is deprecated. [Control]
Wi-Fi Protected Access-2 (noun): The approved Wi-Fi Alliance interoperable implementation of the IEEE 802.11i security standard. For federal government use, the implementation must use FIPS-approved encryption, such as AES. [Control, Regulated]
Wired Equivalent Privacy (noun): A security protocol, specified in the IEEE 802.11 standard, that was designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. WEP is no longer considered a viable encryption mechanism due to known weaknesses. [Control]
Write protect (noun): The use of hardware or software to prevent data from being overwritten or deleted. [Control]
Zeroization (noun): A method of erasing electronically stored data, cryptographic keys and critical security parameters (CSPs) by altering or deleting the contents of the data storage to prevent recovery of the data. [Control, Regulated, CUI]