
Browse — Information Class

636 terms
| Term | Type | Definition | Classifications | Updated |
|---|---|---|---|---|
| Access Control program | noun | A documented listing of procedures, schedules, roles and responsibilities, and plans or instructions to be performed to implement access control. | Control, Regulated, PCI | May 9, 2026 |
| Access List | noun | Roster of individuals authorized admittance to a controlled area. | Artifact, Restricted, PII | May 9, 2026 |
| access log | noun | A log that lists who has been permitted to physically or logically gain access. | Artifact, Regulated, CUI | May 12, 2026 |
| access revocation program | noun | A documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to revoke access privileges. | Process, Regulated, CDI | May 12, 2026 |
| Account Balancing Monitoring System (ABMS) | noun | The Federal Reserve's computing system providing reserve account information to the Federal Reserve Banks and depository institutions on an intraday basis. ABMS serves both as an informational source and a monitoring tool. This information includes opening balances, funds and securities transfers, accounting activity, and depository institutions cap and collateral limits. | System, Regulated, CUI | May 12, 2026 |
| Account-To-Account Payment (A2A) | noun | Payment system that allows the consumer to direct transfer of funds from one account to another account at a different financial institution. | Process, Regulated, PCI | May 12, 2026 |
| Accounting Legend Code | noun | Numeric code used to indicate the minimum accounting controls required for items of accountable communications security (COMSEC) material within the COMSEC Material Control System. | Requirement, Regulated, CUI | May 9, 2026 |
| Accounting Number | noun | Number assigned to an item of COMSEC material to facilitate its control. | Artifact, Regulated, CDI | May 9, 2026 |
| Accreditation Package | noun | Product comprised of a System Security Plan (SSP) and a report documenting the basis for the accreditation decision. | Artifact, Regulated, CUI | May 9, 2026 |
| Acquirer Fee | noun | Fee paid to the acquirer of the merchant sales draft. The acquirer of the sales draft collects a merchant discount fee (or processing fee) from the merchant for the costs associated with processing the transaction. | Requirement, Regulated, PCI | May 9, 2026 |
| Acquiring Bank and Acquirer | noun | See Merchant acquirer. | Organization, Regulated, PCI | May 9, 2026 |
| action plan | noun | Steps that must be taken, or activities that must be performed well, for a strategy to succeed. An action plan has three major elements: (1) Specific tasks: what will be done and by whom. (2) Time horizon: when will it be done. (3) Resource allocation: what specific funds are available for specific activities. | Artifact, CUI | May 12, 2026 |
| actionable intelligence | noun | Information that can be acted upon to address, prevent or mitigate a cyber threat. The sum of an information system’s characteristics in the broad categories (software, hardware, network, processes and human) which allows an attacker to probe, enter, attack or maintain a presence in the system and potentially cause damage to an FMI. A smaller attack surface means that the FMI is less exploitable and an attack less likely. | Capability, Restricted, CUI | May 12, 2026 |
| Activation Data | noun | Private data, other than keys, that are required to access cryptographic modules. | Data, Regulated, CUI | May 9, 2026 |
| activity reporting | noun | The action of providing a description of an account holder's activity. | Artifact, Regulated, PII | May 9, 2026 |
| Address Verification Service (AVS) | noun | Bankcard company service that verifies the customer-provided billing address matches the billing address on their credit card account. The bankcard companies will not support merchants that opt for not using AVS if those transactions are disputed and will charge the merchant an additional 1.25% on those sales. | Capability, Regulated, PCI | May 9, 2026 |
| Administrative Safeguards | noun | Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity's workforce in relation to protecting that information. | Control, Regulated, PHI | May 9, 2026 |
| Advanced Key Processor | noun | A cryptographic device that performs all cryptographic functions for a management client node and contains the interfaces to 1) exchange information with a client platform, 2) interact with fill devices, and 3) connect a client platform securely to the primary services node (PRSN). | Physical, Regulated, CUI | May 9, 2026 |
| Agency | noun | Any executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: 1) the Government Accountability Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or 4) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities. | Organization, Regulated, CUI | May 9, 2026 |
| Agency Certification Authority | noun | A CA that acts on behalf of an agency and is under the operational control of an agency. | Capability, Regulated, CUI | May 9, 2026 |
| All Source Intelligence | noun | In the NICE Workforce Framework, cybersecurity work where a person: Analyzes threat information from multiple sources, disciplines, and agencies across the Intelligence Community. Synthesizes and places intelligence information in context; draws insights about the possible implications. | Capability, Restricted, CUI | May 9, 2026 |
| anomalous transaction | noun | A transaction that deviates from the standards, procedures, and processes used to create a transaction. | Event, Regulated, PCI | May 9, 2026 |
| Anti-jam | noun | Countermeasures ensuring that transmitted information can be received despite deliberate jamming attempts. | Control, Regulated, CUI | May 9, 2026 |
| Approval to Operate | noun | The official management decision issued by a DAA or PAA to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. | Artifact, Regulated, CUI | May 9, 2026 |
| Approved Mode of Operation | noun | A mode of the cryptographic module that employs only Approved security functions (not to be confused with a specific mode of an Approved security function, e.g., Data Encryption Standard Cipher-Block Chaining (DES CBC) mode). | Control, Regulated, CUI | May 12, 2026 |
| Assessment Findings | noun | Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition. | Finding, Restricted, CUI | May 9, 2026 |
| Asset Reporting Format | noun | SCAP data model for expressing the transport format of information about assets (components) and the relationships between assets and reports. | Artifact, Regulated, CUI | May 9, 2026 |
| Assured Information Sharing | noun | The ability to confidently share information with those who need it, when and where they need it, as determined by operational need and an acceptable level of security risk. | Capability, Regulated, CUI | May 9, 2026 |
| Attribute Authority | noun | An entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable agency body as having the authority to verify the association of attributes to an identity. | Organization, Regulated, CUI | May 9, 2026 |
| Audit Log event | noun | Any of the various triggering actions that cause an application to write a new entry into the log. | Artifact, Regulated, CUI | May 9, 2026 |
| audit record | noun | An individual entry in an audit log related to an audited event. | Artifact, Regulated, CUI | May 9, 2026 |
| Audit Review | noun | The assessment of an information system to evaluate the adequacy of implemented security controls, assure that they are functioning properly, identify vulnerabilities, and assist in implementation of new security controls where required. This assessment is conducted annually or whenever significant change has occurred and may lead to recertification of the information system. | Process, Regulated, CUI | May 12, 2026 |
| Authentication Period | noun | The maximum acceptable period between any initial authentication process and subsequent reauthentication processes during a single terminal session or during the period data is being accessed. | Requirement, Regulated, CUI | May 12, 2026 |
| Authorization (ACH) | noun | A written or oral agreement between the originator and a receiver that allows payments processed through the ACH network to be deposited in, or withdrawn from, the receiver's account at a financial institution. | Requirement, Regulated, PCI | May 9, 2026 |
| authorization record | noun | A document or identifier which provides evidence of authorization. | Artifact, Regulated, CUI | May 9, 2026 |
| Authorization to operate | noun | The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. | Artifact, Regulated, CUI | May 9, 2026 |
| Automated Clearing House (ACH) | noun | An electronic clearing system in which a data processing center handles payment orders that are exchanged among financial institutions, primarily via telecommunications networks. ACH systems process large volumes of individual payments electronically. Typical ACH payments include salaries, consumer and corporate bill payments, interest and dividend payments, and Social Security payments. | System, Regulated, PCI | May 9, 2026 |
| automated clearing house activity | noun | Any transaction made through the Automated Clearing House network. | Event, Regulated, PCI | May 9, 2026 |
| automated clearing house capture | noun | A service that allows a user to transmit automated clearing house data to a bank for posting and clearing. | Capability, Regulated, PCI | May 9, 2026 |
| Automated Teller Machine (ATM) | noun | An electronic funds transfer (EFT) terminal that allows customers using a PIN-based debit (ATM) card to initiate transactions (e.g., deposits, withdrawals, account balance inquiries). | Physical, Regulated, PCI | May 9, 2026 |
| Automatic Remote Rekeying | noun | Procedure to rekey a distant crypto-equipment electronically without specific actions by the receiving terminal operator. See Manual Remote Rekeying. | Process, Regulated, CUI | May 9, 2026 |
| Back Office Conversion (BOC) | noun | Under NACHA rules, BOC allows retailers and billers that accept checks at the point-of-sale or at manned bill payment locations to convert eligible checks to ACH debits in the back-office. | Process, Regulated, PCI | May 9, 2026 |
| background | noun | A person's previous experience, education, or social circumstances. | Artifact, Regulated, PII | May 9, 2026 |
| Bank Identification Number/Interbank Card Company (BIN/ICA) | noun | A series of assigned numbers used to identify the settling financial institution for both acquiring and issuing bankcard transactions. | Data, Regulated, PCI | May 9, 2026 |
| Bankcard | noun | A general-purpose credit card, issued by a financial institution under agreement with the bankcard associations (Visa and MasterCard), which customers can use to purchase goods and services and to obtain cash against a line of credit established by the bankcard issuer. | Data, Regulated, PCI | May 9, 2026 |
| Bankcard Companies | noun | Visa and MasterCard International, Inc. are bankcard companies established as bank service companies. Financial institutions must be members of a bankcard company in order to offer their credit card services. The companies have established membership rights and obligations, and membership is limited to financial institutions. | Organization, Internal, PCI | May 12, 2026 |
| Basic Authentication | noun | Basic Authentication is the simplest web-based authentication scheme that works by sending the username and password with each request. | Credential, Restricted, PII | May 9, 2026 |
| Batch Processing | noun | The transmission or processing of a group of related payment instructions. | Process, Regulated, PCI | May 9, 2026 |
| Biometric Data | noun |  | Credential, Regulated, PII | May 13, 2026 |
| BLACK | noun | Designation applied to encrypted information and the information systems, the associated areas, circuits, components, and equipment processing that information. See also RED. | Capability, Restricted, CUI | May 12, 2026 |
| Black Core | noun | A communication network architecture in which user data traversing a global Internet Protocol (IP) network is end-to-end encrypted at the IP layer. Related to striped core. | Network, Regulated, CUI | May 12, 2026 |
| Body of Evidence | noun | The set of data that documents the information system’s adherence to the security controls applied. The BoE will include a Requirements Verification Traceability Matrix (RVTM) delineating where the selected security controls are met and evidence to that fact can be found. The BoE content required by an Authorizing Official will be adjusted according to the impact levels selected. | Artifact, Regulated, CUI | May 9, 2026 |
| Breach | noun |  | Event, Regulated, PII | May 13, 2026 |
| Bulk Electric System Cyber System | noun | One or more Bulk Electric System (BES) Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity. | System, Regulated, CUI | May 9, 2026 |
| Bulk Electric System Cyber System Information | noun | Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. BES Cyber System Information does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems, such as, but not limited to, device names, individual IP addresses without context, ESP names, or policy statements. Examples of BES Cyber System Information may include, but are not limited to, security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems that is not publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of the BES Cyber System. | Data, Regulated, CUI | May 9, 2026 |
| business strategy | noun | A term used in business planning that implies a careful selection and application of resources to obtain a competitive advantage in anticipation of future events or trends. | Process, IP | May 9, 2026 |
| Business Value | noun | How much a business is worth. Business value is a highly subjective measure because it involves estimating the value of intangible assets like trade secrets and brand recognition. It adds to this the value of tangible assets like machinery and stockholder equity. Business value is especially important for potential investors or buyers. | Metric, Confidential, IP | May 12, 2026 |
| Call Tree | noun | A documented list of employees and external entities that should be contacted in the event of an emergency declaration. | Artifact, Internal, PII | May 9, 2026 |
| Canister | noun | Type of protective package used to contain and dispense keying material in punched or printed tape form. | Physical, Regulated, CUI | May 9, 2026 |
| Capstone Policies | noun | Those policies that are developed by governing or coordinating institutions of Health Information Exchanges (HIEs). They provide overall requirements and guidance for protecting health information within those HIEs. Capstone Policies must address the requirements imposed by: (1) all laws, regulations, and guidelines at the federal, state, and local levels; (2) business needs; and (3) policies at the institutional and HIE levels. | Requirement, Regulated, PHI | May 9, 2026 |
| Capture | noun | The method of taking a biometric sample from an end user. | Process, Regulated, PII | May 9, 2026 |
| Card Issuer | noun | A financial institution that issues general-purpose credit cards carrying one of the two bankcard company logos. The issuing financial institution establishes the credit relationship with the consumer. | Organization, Regulated, PCI | May 9, 2026 |
| Card Verification Code (CVC2) | noun | Numeric security code printed on the back of MasterCard credit cards. CVC2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS. (See Address verification service). | Credential, Regulated, PCI | May 9, 2026 |
| Card Verification Value (CVV2) | noun | Three-digit security number that is printed on the back of most Visa credit cards. CVV2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS. | Credential, Regulated, PCI | May 9, 2026 |
| Cardholder | noun | An individual possessing an issued Personal Identity Verification (PIV) card. | Identity, Regulated, CUI | May 9, 2026 |
| Cascading | noun | Downward flow of information through a range of security levels greater than the accreditation range of a system, network, or component. | Event, Regulated, CUI | May 9, 2026 |
| Cash Letter | noun | A group of checks accompanied by a paper listing sent to a clearinghouse, a Federal Reserve Bank, or another institution. A cash letter contains a number of negotiable items, mostly checks, accompanied by a letter that lists the amounts and instructions for transmittal to another bank. May also be called a transmittal letter. An incoming cash letter is one that is received by an institution from a clearinghouse, a Federal Reserve Bank, or another institution and contains checks written on accounts at the institution that were cashed elsewhere. An outgoing cash letter is one that is being sent to a clearinghouse, a Federal Reserve Bank, or another institution and contains checks deposited at the institution, which are written on accounts at other institutions. | Artifact, Regulated, PII | May 9, 2026 |
| Category | noun | Restrictive label applied to classified or unclassified information to limit access. | Requirement, Regulated, CUI | May 9, 2026 |
| Central Office of Record | noun | Office of a federal department or agency that keeps records of accountable COMSEC material held by elements subject to its oversight. | Organization, Regulated, CUI | May 9, 2026 |
| Central Services Node | noun | The Key Management Infrastructure core node that provides central security management and data management services. | System, Restricted, CUI | May 9, 2026 |
| Certification authority | noun | 1. For Certification and Accreditation (C&A) (C&A Assessment): Official responsible for performing the comprehensive evaluation of the security features of an information system and determining the degree to which it meets its security requirements. 2. For Public Key Infrastructure (PKI): A trusted third party that issues digital certificates and verifies the identity of the holder of the digital certificate. | Organization, Regulated, CUI | May 12, 2026 |
| Certification Package | noun | Product of the certification effort documenting the detailed results of the certification activities. | Artifact, Regulated, CUI | May 9, 2026 |
| Certified TEMPEST Technical Authority | noun | An experienced, technically qualified U.S. government employee who has met established certification requirements in accordance with CNSS-approved criteria and has been appointed by a U.S. government department or agency to fulfill CTTA responsibilities. | Role, Regulated, CUI | May 9, 2026 |
| Chain of Evidence | noun | A process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The “sequencing” of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner. | Process, Regulated, CUI | May 9, 2026 |
| Chargeback | noun | A transaction generated when a cardholder disputes a transaction or when the merchant does not follow bankcard company procedures. The issuer and acquirer research the facts to determine which party is responsible for the transaction. If the merchant is unable to pay, the acquirer will have to cover the chargeback. | Event, Regulated, PCI | May 9, 2026 |
| Check | noun | A written order from one party (payer) to another (payee) requiring the payer's financial institution to pay a specified sum on demand to the payee or to a third party specified by the payee. | Artifact, Regulated, PCI | May 12, 2026 |
| Check 21 Act | noun | Formally known as the Check Clearing for the 21st Century Act. Creates a new document, the IRD (image replacement document or substitute check) that is the legal equivalent of the original check and should be accepted as such. The act does not require institutions to accept electronic images instead of checks or IRDs, but does require the acceptance of IRDs instead of paper checks. The exchange of electronic images is optional and will be done by agreements between individual institutions, groups of institutions, or clearinghouses. | Framework, Regulated, PCI | May 9, 2026 |
| Check Image | noun | Electronic or digital image of an original check that is created by a depositor, a bank or other participant in the check collection process. Check images can be exchanged electronically by financial institutions, printed for customer statement purposes, displayed on Internet banking websites, and used to create substitute checks. | Data, Regulated, PCI | May 9, 2026 |
| Check Truncation | noun | The practice of holding a check at the institution where it was deposited (or at an intermediary institution) and electronically forwarding the essential information on the check to the institution on which it was written. A truncated check is not returned to the writer. | Process, Regulated, PCI | May 9, 2026 |
| Check Word | noun | Cipher text generated by cryptographic logic to detect failures in cryptography. | Control, Regulated, CUI | May 12, 2026 |
| CIP exceptional circumstance | noun | A situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or Bulk Electric System (BES) reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability. | Requirement, Regulated, CUI | May 12, 2026 |
| CIP Senior Manager | noun | A single senior management official with overall authority and responsibility for leading and managing implementation of and continuing adherence to the requirements within the NERC CIP Standards, CIP-002 through CIP-011. | Role, Regulated, CUI | May 12, 2026 |
| Claimant | noun | An entity which is or represents a principal for the purposes of authentication, together with the functions involved in an authentication exchange on behalf of that entity. A claimant acting on behalf of a principal must include the functions necessary for engaging in an authentication exchange (e.g., a smartcard [claimant] can act on behalf of a human user [principal]). | Identity, Regulated, PII | May 12, 2026 |
| Classified Information | noun | Information that has been determined: (i) pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor Order, to be classified national security information; or (ii) pursuant to the Atomic Energy Act of 1954, as amended, to be Restricted Data (RD). | Data, Restricted, CUI | May 9, 2026 |
| Classified Information Spillage | noun | Security incident that occurs whenever classified data is spilled either onto an unclassified information system or to an information system with a lower level of classification. | Event, Regulated, CUI | May 9, 2026 |
| Classified National Security Information | noun | Information that has been determined pursuant to Executive Order 13526 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form. | Data, Regulated, CUI | May 9, 2026 |
| Clearance | noun | Formal certification of authorization to have access to classified information other than that protected in a special access program (including SCI). Clearances are of three types: confidential, secret, and top secret. A top secret clearance permits access to top secret, secret, and confidential material; a secret clearance, to secret and confidential material; and a confidential clearance, to confidential material. | Credential, Regulated, CUI | May 9, 2026 |
| Clearing | noun | Removal of data from an information system, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., through the keyboard); however, the data may be reconstructed using laboratory methods. | Process, Regulated, CUI | May 12, 2026 |
| Closed Security Environment | noun | Environment providing sufficient assurance that applications and equipment are protected against the introduction of malicious logic during an information system life cycle. Closed security is based upon a system's developers, operators, and maintenance personnel having sufficient clearances, authorization, and configuration control. | System, Regulated, CUI | May 12, 2026 |
| Closed Storage | noun | Storage of classified information within an accredited facility, in General Services Administration-approved secure containers, while the facility is unoccupied by authorized personnel. | Control, Regulated, CUI | May 9, 2026 |
| Code Book | noun | Document containing plain text and code equivalents in a systematic arrangement, or a technique of machine encryption using a word substitution technique. | Artifact, Restricted, CUI | May 12, 2026 |
| Code Group | noun | Group of letters, numbers, or both in a code system used to represent a plain text word, phrase, or sentence. | Data, Regulated, CUI | May 12, 2026 |
| coding standard | noun | A set of standards and guidelines which are/should be used when writing the source code for a program. | Requirement, IP | May 12, 2026 |
| Cold Start | noun | Procedure for initially keying crypto-equipment. | Process, Regulated, CUI | May 9, 2026 |
| Commercial COMSEC Evaluation Program | noun | Relationship between NSA and industry in which NSA provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product. Products developed under the CCEP may include modules, subsystems, equipment, systems, and ancillary devices. | Process, Regulated, CUI | May 9, 2026 |
| Common Access Card | noun | Standard identification/smart card issued by the Department of Defense that has an embedded integrated chip storing public key infrastructure (PKI) certificates. | Credential, Regulated, CUI | May 9, 2026 |
| Common Attack Pattern Enumeration and Classification | noun | A catalogue of attack patterns, published by the MITRE Corporation, as an abstraction mechanism for helping describe how an attack against vulnerable systems or networks is executed. | Framework, Public, PublicInfo | May 12, 2026 |
| Common Fill Device | noun |  | Physical, Regulated, CUI | May 8, 2026 |
| Communications Profile | noun |  | Artifact, Restricted, CUI | May 8, 2026 |
| Comparison | noun |  | Process, PII | May 8, 2026 |
| Compartmented Mode | noun |  | Control, Regulated, CUI | May 8, 2026 |
| Competitive Intelligence | noun | Competitive Intelligence is espionage using legal, or at least not obviously illegal, means. | Threat, IP | May 12, 2026 |
| Compliance Enforcement Authority | noun | The North American Electric Reliability Corporation (NERC) or the Regional Entity in their respective roles of monitoring and enforcing compliance with the NERC Reliability Standards. | Organization, Regulated, CUI | May 12, 2026 |
| Compromising Emanations | noun | Unintentional signals that, if intercepted and analyzed, would disclose the information transmitted, received, handled, or otherwise processed by information systems equipment. See TEMPEST. | Vulnerability, Regulated, CUI | May 9, 2026 |
| Computer Network Attack | noun | Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. | Threat, Regulated, CUI | May 9, 2026 |
| Computer Network Exploitation | noun | Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary information systems or networks. | Threat, Regulated, CUI | May 9, 2026 |
| Computer Network Operations | noun | Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations. | Capability, Restricted, CUI | May 9, 2026 |
| COMSEC | noun | Communications Security. | Capability, Regulated, CUI | May 9, 2026 |
| COMSEC Account | noun | Administrative entity, identified by an account number, used to maintain accountability, custody, and control of COMSEC material. | Identity, Regulated, CUI | May 9, 2026 |
| COMSEC Account Audit | noun | Examination of the holdings, records, and procedures of a COMSEC account ensuring all accountable COMSEC material is properly handled and safeguarded. | Process, Regulated, CUI | May 9, 2026 |
| COMSEC Aid | noun | COMSEC material that assists in securing telecommunications and is required in the production, operation, or maintenance of COMSEC systems and their components. COMSEC keying material, callsign/frequency systems, and supporting documentation, such as operating and maintenance manuals, are examples of COMSEC aids. | Data, Regulated, CUI | May 9, 2026 |
| COMSEC Assembly | noun | Group of parts, elements, subassemblies, or circuits that are removable items of COMSEC equipment. | Physical, Regulated, CUI | May 9, 2026 |
| COMSEC Boundary | noun | Definable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation, handling, and storage. | Control, Regulated, CUI | May 9, 2026 |
| COMSEC Chip Set | noun | Collection of NSA-approved microchips. | Physical, Regulated, CUI | May 9, 2026 |
| COMSEC Control Program | noun | Computer instructions or routines controlling or affecting the externally performed functions of key generation, key distribution, message encryption/decryption, or authentication. | Control, Regulated, CUI | May 9, 2026 |
| COMSEC Demilitarization | noun | Process of preparing COMSEC equipment for disposal by extracting all CCI, classified, or cryptographic (CRYPTO) marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk. | Process, Regulated, CUI | May 9, 2026 |
| COMSEC Element | noun | Removable item of COMSEC equipment, assembly, or subassembly; normally consisting of a single piece or group of replaceable parts. | Physical, Regulated, CUI | May 9, 2026 |
| COMSEC End-item | noun | Equipment or combination of components ready for use in a COMSEC application. | Physical, Regulated, CUI | May 9, 2026 |
| COMSEC Equipment | noun | Equipment designed to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and, subsequently, by reconverting such information to its original form for authorized recipients; also, equipment designed specifically to aid in, or as an essential element of, the conversion process. COMSEC equipment includes crypto-equipment, crypto-ancillary equipment, cryptographic production equipment, and authentication equipment. | Physical, Regulated, CUI | May 9, 2026 |
| COMSEC Facility | noun | Authorized and approved space used for generating, storing, repairing, or using COMSEC material. | Physical, Regulated, CUI | May 9, 2026 |
| COMSEC Incident | noun | Occurrence that potentially jeopardizes the security of COMSEC material or the secure electrical transmission of national security information or information governed by 10 U.S.C. Section 2315. | Event, Regulated, CUI | May 9, 2026 |
| COMSEC Insecurity | noun | COMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information. | Event, Regulated, CUI | May 9, 2026 |
| COMSEC Manager | noun | Individual who manages the COMSEC resources of an organization. | Role, Regulated, CUI | May 9, 2026 |
| COMSEC Material | noun | Item designed to secure or authenticate telecommunications. COMSEC material includes, but is not limited to, key, equipment, devices, documents, firmware, or software that embodies or describes cryptographic logic and other items that perform COMSEC functions. | Data, Regulated, CUI | May 9, 2026 |
| COMSEC Material Control System | noun | Logistics and accounting system through which COMSEC material marked "CRYPTO" is distributed, controlled, and safeguarded. Included are the COMSEC central offices of record, crypto logistic depots, and COMSEC accounts. COMSEC material other than key may be handled through the CMCS. | System, Regulated, CUI | May 9, 2026 |
| COMSEC Module | noun | Removable component that performs COMSEC functions in a telecommunications equipment or system. | Physical, Regulated, CUI | May 9, 2026 |
| COMSEC Monitoring | noun | Act of listening to, copying, or recording transmissions of one's own official telecommunications to analyze the degree of security. | Process, Regulated, CUI | May 9, 2026 |
| COMSEC Profile | noun | Statement of COMSEC measures and materials used to protect a given operation, system, or organization. | Artifact, Regulated, CUI | May 9, 2026 |
| COMSEC Survey | noun | Organized collection of COMSEC and communications information relative to a given operation, system, or organization. | Artifact, Restricted, CUI | May 9, 2026 |
| COMSEC System Data | noun | Information required by a COMSEC equipment or system to enable it to properly handle and control key. | Data, Regulated, CUI | May 9, 2026 |
| COMSEC Training | noun | Teaching of skills relating to COMSEC accounting, use of COMSEC aids, or installation, use, maintenance, and repair of COMSEC equipment. | Process, Regulated, CUI | May 9, 2026 |
| Consumer | noun | Usually refers to an individual engaged in non-commercial transactions. | Identity, Regulated, PII | May 9, 2026 |
| Consumer Account | noun | A deposit account held by a participating depository financial institution and established by a natural person primarily for personal, family, or household use and not for commercial purposes. | Data, Regulated, PII | May 9, 2026 |
| Consumer information | noun | For purposes of the Information Security Standards, “consumer information” means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report that is maintained by or on behalf of a financial institution for a business purpose, such as information that an institution obtains about a loan applicant or a prospective employee from a consumer report. | Data, Regulated, PII | May 9, 2026 |
| contact information | noun | Information usually containing the person's telephone number(s), fax number, address, and electronic mail address(es). | Data, Regulated, PII | May 9, 2026 |
| Contamination | noun | Type of incident involving the introduction of data of one security classification or security category into data of a lower security classification or different security category. | Event, Regulated, CUI | May 9, 2026 |
Contingency KeynounKey held for use under specific operational conditions or in support of specific contingency plans. See Reserve Keying Material.CredentialRegulatedCUIMay 9, 2026
Contingency PlannounManagement policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the Continuity of Operations Plan (COOP) or Disaster Recovery Plan for major disruptions.RequirementRestrictedCUIMay 9, 2026
Continuity of GovernmentnounA coordinated effort within the federal government's executive branch to ensure that national essential functions continue to be performed during a catastrophic emergency.ProcessRestrictedCUIMay 9, 2026
Continuous MonitoringnounThe process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) The development of a strategy to regularly evaluate selected IA controls/metrics, 2) Recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events, 3) Recording changes to IA controls, or changes that affect IA risks, and 4) Publishing the current security status to enable information-sharing decisions involving the enterprise.ProcessRegulatedCUIMay 12, 2026
Control InformationnounInformation that is entered into a cryptographic module for the purposes of directing the operation of the module.DataRestrictedCUIMay 12, 2026
Controlled Cryptographic ItemnounSecure telecommunications or information system, or associated cryptographic component, that is unclassified and handled through the COMSEC Material Control System (CMCS), an equivalent material control system, or a combination of the two that provides accountability and visibility. Such items are marked “Controlled Cryptographic Item,” or, where space is limited, “CCI”.PhysicalRegulatedCUIMay 9, 2026
Controlled Cryptographic Item AssemblynounDevice embodying a cryptographic logic or other COMSEC design that NSA has approved as a Controlled Cryptographic Item (CCI). It performs the entire COMSEC function, but depends upon the host equipment to operate.PhysicalRegulatedCUIMay 9, 2026
Controlled Cryptographic Item ComponentnounPart of a Controlled Cryptographic Item (CCI) that does not perform the entire COMSEC function but depends upon the host equipment, or assembly, to complete and operate the COMSEC function.PhysicalRegulatedCUIMay 9, 2026
Controlled Cryptographic Item EquipmentnounTelecommunications or information handling equipment that embodies a Controlled Cryptographic Item (CCI) component or CCI assembly and performs the entire COMSEC function without dependence on host equipment to operate.PhysicalRegulatedCUIMay 9, 2026
Controlled Unclassified InformationnounA categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. Henceforth, the designation CUI replaces "Sensitive But Unclassified" (SBU).RequirementRegulatedCUIMay 9, 2026
ControllernounRegulatedPIIMay 13, 2026
Controlling AuthoritynounOfficial responsible for directing the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet.RoleRegulatedCUIMay 9, 2026
Cooperative Remote RekeyingnounSynonymous with manual remote rekeying.ProcessRegulatedCUIMay 12, 2026
Correctness ProofnounA mathematical proof of consistency between a specification and its implementation.ArtifactIPMay 9, 2026
Courtesy amount recognition (CAR)nounThe numeric amount of a check.DataRegulatedPCIMay 12, 2026
Covert ChannelnounAn unauthorized communication path that manipulates a communications medium in an unexpected, unconventional, or unforeseen way in order to transmit information without detection by anyone other than the entities operating the covert channel.VulnerabilityRestrictedCUIMay 12, 2026
Covert Channel AnalysisnounDetermination of the extent to which the security policy model and subsequent lower-level program descriptions may allow unauthorized access to information.ProcessRestrictedCUIMay 9, 2026
Covert Storage ChannelnounCovert channel involving the direct or indirect writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels.VulnerabilityRegulatedCUIMay 9, 2026
Credit CardnounA card indicating the holder has been granted a line of credit. It enables the holder to make purchases or withdraw cash up to a prearranged ceiling. The credit granted can be settled in full by the end of a specified period or can be settled in part, with the balance taken as extended credit. Interest is charged based on the terms of the credit card agreement and the holder is sometimes charged an annual fee.DataRegulatedPCIMay 9, 2026
Credit EntrynounAn entry to the record of an account that represents the transfer or placement of funds into the account.ArtifactRegulatedPCIMay 9, 2026
criminal records checknounThe purpose of this task is to determine if a person has been convicted of a crime.ProcessRegulatedPIIMay 9, 2026
Critical infrastructurenounSystems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. [Critical Infrastructures Protection Act of 2001, 42 U.S.C. 5195c(e)]SystemRegulatedCUIMay 9, 2026
Critical Security ParameternounSecurity-related information (e.g., secret and private cryptographic keys, and authentication data such as passwords and Personal Identification Numbers [PINs]) whose disclosure or modification can compromise the security of a cryptographic module.DataRestrictedCUIMay 9, 2026
Cross-Domain SolutionnounA form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains.ControlRegulatedCUIMay 9, 2026
Cryptographic AlarmnounCircuit or device that detects failures or aberrations in the logic or operation of crypto-equipment. Crypto-alarm may inhibit transmission or may provide a visible and/or audible alarm.EventRegulatedCUIMay 9, 2026
Cryptographic Ancillary EquipmentnounEquipment designed specifically to facilitate efficient or reliable operation of cryptographic equipment, without performing cryptographic functions itself.PhysicalRegulatedCUIMay 9, 2026
Cryptographic ComponentnounHardware or firmware embodiment of the cryptographic logic. A cryptographic component may be a modular assembly, a printed wiring assembly, a microcircuit, or a combination of these items.PhysicalRegulatedCUIMay 12, 2026
Cryptographic EquipmentnounEquipment that embodies a cryptographic logic.PhysicalRegulatedCUIMay 9, 2026
Cryptographic Ignition KeynounDevice or electronic key used to unlock the secure mode of crypto-equipment.CredentialRegulatedCUIMay 9, 2026
Cryptographic MaterialnounCOMSEC material used to secure or authenticate information.CredentialRegulatedCUIMay 9, 2026
Cryptographic Module Validation ProgramnounValidates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography-based standards. The CMVP is a joint effort between National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the government of Canada. Products validated as conforming to FIPS 140-2 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and provide federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.CapabilityRegulatedCUIMay 9, 2026
Cryptographic NetnounStations holding a common key.NetworkRegulatedCUIMay 9, 2026
Cryptographic ProductnounA cryptographic key (public, private, or shared) or public key certificate, used for encryption, decryption, digital signature, or signature verification; and other items, such as compromised key lists (CKL) and certificate revocation lists (CRL), obtained by trusted means from the same source which validate the authenticity of keys or certificates. Protected software which generates or regenerates keys or certificates may also be considered a cryptographic product.CredentialRestrictedCUIMay 9, 2026
Cryptographic SecuritynounComponent of COMSEC resulting from the provision of technically sound cryptographic systems and their proper use.CapabilityRegulatedCUIMay 12, 2026
Cryptographic System AnalysisnounProcess of establishing the exploitability of a cryptographic system, normally by reviewing transmitted traffic protected or secured by the system under study.ProcessRegulatedCUIMay 9, 2026
Cryptographic System ReviewnounExamination of a cryptographic system by the controlling authority ensuring its adequacy of design and content, continued need, and proper distribution.ProcessRegulatedCUIMay 9, 2026
customer accountnounA client's formal contract with an individual or organization whereby the client receives goods or services.IdentityRegulatedPIIMay 9, 2026
customer data privacynounThe ability an organization or individual has to determine what customer data in a computer system can be shared with third parties.RequirementRegulatedPIIMay 9, 2026
customer informationnounA term used in the Information Security Standards to mean any record containing non-public personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of a financial institution.DataRegulatedPIIMay 9, 2026
customer information systemnounFor purposes of the Information Security Standards, “customer information systems” means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.SystemRegulatedPIIMay 9, 2026
cyber assetnounProgrammable electronic devices and communication networks including hardware, software and data.SystemRegulatedCUIMay 9, 2026
Cyber OperationsnounIn the NICE Workforce Framework, cybersecurity work where a person: Performs activities to gather evidence on criminal or foreign intelligence entities in order to mitigate possible or real-time threats, protect against espionage or insider threats, foreign sabotage, international terrorist activities, or to support other intelligence activities.CapabilityRestrictedCUIMay 12, 2026
Cyber Operations PlanningnounIn the NICE Workforce Framework, cybersecurity work where a person: Performs in-depth joint targeting and cyber planning process. Gathers information and develops detailed Operational Plans and Orders supporting requirements. Conducts strategic and operational-level planning across the full range of operations for integrated information and cyberspace operations.ProcessRestrictedCUIMay 9, 2026
cyber system recovery plannounA step-by-step outline of the processes and procedures to be performed to bring a cyber system back to working order after an incident has occurred.ProcessRegulatedCUIMay 12, 2026
CyberespionagenounActivities conducted in the name of security, business, politics or technology to find information that ought to remain secret. It is not inherently military.ThreatRestrictedCUIMay 9, 2026
cybersecurity plannounFormal document that provides an overview of the cybersecurity requirements for an Information Technology and industrial control system and describes the cybersecurity controls in place or planned for meeting those requirements.RequirementRegulatedCUIMay 9, 2026
CyberwarfarenounActivities supported by military organizations with the purpose to threaten the survival and well-being of society/foreign entity.ThreatRegulatedCUIMay 9, 2026
data aggregationnounCompilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary.ProcessRegulatedCUIMay 9, 2026
Data ElementnounA basic unit of information that has a unique meaning and subcategories (data items) of distinct value. Examples of data elements include gender, race, and geographic location.DataPIIMay 9, 2026
data lossnounThe exposure of proprietary, sensitive, or classified information through either data theft or data leakage.EventRegulatedIPMay 12, 2026
Data Transfer DevicenounFill device designed to securely store, transport, and transfer electronically both COMSEC and TRANSEC key, designed to be backward compatible with the previous generation of COMSEC common fill devices, and programmable to support modern mission systems.PhysicalRegulatedCUIMay 9, 2026
Debit cardnounA payment card issued as either a PIN-based debit (ATM) card or as a signature-based debit card from one of the bankcard associations. A payment card issued to a person for purchasing goods and services through an electronic transfer of funds from a demand deposit account rather than using cash, checks, or drafts at the point-of-sale.PhysicalRegulatedPCIMay 9, 2026
Dedicated ModenounInformation systems security mode of operation wherein each user, with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts, has all of the following: 1. valid security clearance for all information within the system, 2. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs), and 3. valid need-to-know for all information contained within the information system. When in the dedicated security mode, a system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time.RequirementRegulatedCUIMay 9, 2026
Default ClassificationnounClassification reflecting the highest classification being processed in an information system. Default classification is included in the caution statement affixed to an object.RequirementRegulatedCUIMay 9, 2026
DegaussnounProcedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Also called demagnetizing.ProcessRegulatedCUIMay 12, 2026
Delegated Development ProgramnounINFOSEC program in which the Director, NSA, delegates, on a case-by-case basis, the development and/or production of an entire telecommunications product, including the INFOSEC portion, to a lead department or agency.ProcessRegulatedCUIMay 9, 2026
DepositorynounAn institution that holds funds or marketable securities for safekeeping. Depositories may be privately or publicly operated and allow securities transfers through book-entry and offer funds accounts permitting funds transfers as a means of payment.PhysicalRegulatedPCIMay 9, 2026
Depository bank (Check 21)nounAlso known as Bank of First Deposit (BOFD). The first bank to which a check is transferred even though it is also the paying bank or the payee. A check deposited in an account is deemed to be transferred to the financial institution holding the account into which the check is deposited, even though the check is physically received and endorsed first by another financial institution.OrganizationRegulatedPCIMay 12, 2026
Descriptive Top-Level SpecificationnounA natural language description of a system’s security requirements, an informal design notation, or a combination of the two.RequirementRegulatedCUIMay 12, 2026
Device Distribution ProfilenounAn approval-based Access Control List (ACL) for a specific product that 1) names the user devices in a specific key management infrastructure (KMI) Operating Account (KOA) to which PRSNs distribute the product, and 2) states conditions of distribution for each device.ControlRegulatedCUIMay 9, 2026
Digest AuthenticationnounDigest Authentication allows a web client to compute MD5 hashes of the password to prove it has the password.ControlPIIMay 9, 2026
Direct debitnounElectronic transfer, usually through ACH, out of an individual's checking (or savings) account to pay bills, such as mortgage payments, insurance premiums, and utility payments. Also referred to as "direct payment."DataRegulatedPIIMay 9, 2026
Direct depositnounElectronic deposits or credit, usually through ACH, to an individual's deposit account. Common uses of direct deposit include payroll payments, Social Security benefits, and income from investments such as CDs, annuities, and mutual funds.DataRegulatedPIIMay 9, 2026
Direct ShipmentnounShipment of COMSEC material directly from NSA to user COMSEC accounts.ProcessRegulatedCUIMay 9, 2026
disposalnounThe purpose of this task is to address the final disposition of regulated data by discarding media with no other sanitization considerations or transferring records to their final state: either destruction or transfer to an archive.ProcessRegulatedCUIMay 9, 2026
Distinguishing IdentifiernounInformation which unambiguously distinguishes an entity in the authentication process.CredentialRestrictedPIIMay 9, 2026
Drop AccountabilitynounProcedure under which a COMSEC account custodian initially receipts for COMSEC material, and provides no further accounting for it to its central office of record. Local accountability of the COMSEC material may continue to be required. See Accounting Legend Code.ProcessRegulatedCUIMay 9, 2026
Dumpster DivingnounDumpster Diving is obtaining passwords and corporate directories by searching through discarded media.ThreatRestrictedIPMay 9, 2026
Duplicate Digital EvidencenounA duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media.ArtifactRegulatedCUIMay 9, 2026
E-BankingnounThe remote delivery of new and traditional banking products and services through electronic delivery channels.SystemRegulatedPCIMay 9, 2026
E-GovernmentnounThe use by the U.S. government of Web-based Internet applications and other information technology.CapabilityRegulatedCUIMay 9, 2026
Electricity Sector Information Sharing and Analysis CenternounThe Electricity Sector Information Sharing and Analysis Center (ES-ISAC) shares critical information with industry participants about infrastructure protection. The ES-ISAC serves the electricity sector by facilitating communications between electricity sector participants, federal governments, and other critical infrastructures. It is the job of the ES-ISAC to promptly disseminate threat indications, vulnerabilities, analyses, and warnings, together with interpretations, to help electricity sector participants take protective actions.OrganizationRegulatedCUIMay 9, 2026
electronic access controlnounA cyber asset that performs electronic access control of the Electronic Security Perimeter(s) or BES Cyber Systems.ControlRegulatedCUIMay 9, 2026
Electronic Access PointnounA Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.NetworkRegulatedCUIMay 12, 2026
Electronic Benefits Transfer (EBT)nounA type of EFT system involving the transfer of public entitlement payments, such as welfare or food stamps, through direct deposit or point-of-sale technology (see POS). The recipient can be given an identification card, similar to a benefit card, and a PIN allowing access to the benefits through an electronic network.SystemRegulatedPIIMay 9, 2026
Electronic bill presentment and payment (EBPP)nounAn electronic alternative to traditional bill payment, allowing a merchant or utility to present its customers with an electronic bill and the payer to pay the bill electronically. EBPP systems usually fall within two models: direct and consolidation-aggregation. In the direct model, the merchant or utility generates an electronic version of the consumer's billing information, and notifies the consumer of a pending bill, generally via e-mail. The consumer can initiate payment of the electronically presented bill using a variety of payment mechanisms, typically a credit card. In the consolidation-aggregation model, the consumer's bills are consolidated by a consolidator acting on behalf of merchants and utilities (or aggregated on behalf of the consumer), combining data from multiple bills and presenting a single source for the consumer to initiate payment. Some consolidators present bills at their own web sites; typically, most support the aggregation of bills by consumer service providers such as Internet portals, financial institutions, and brokerage web sites.SystemRegulatedPCIMay 9, 2026
Electronic check conversionnounThe process by which a check is used as a source of information for the check number, the customer's account number, and the number that identifies the financial institution. The information is used to make a one-time electronic payment from the customer's account -- an electronic fund transfer. The check itself is not the method of payment.ProcessRegulatedPIIMay 9, 2026
Electronic check presentment (ECP)nounCheck truncation methodology in which the paper check's MICR line information is captured and stored electronically for presentment. The physical checks may or may not be presented after the electronic files are delivered, depending on the type of ECP service that is used.ProcessRegulatedPCIMay 9, 2026
Electronic CredentialsnounDigital documents used in authentication that bind an identity or an attribute to a subscriber's token.CredentialRestrictedCUIMay 12, 2026
Electronic data capture (EDC)nounProcess used for capturing and transferring the encoded information on the magnetic strip from a bankcard or debit card at the point-of-sale to the processor's database.ProcessRegulatedPCIMay 9, 2026
electronic funds transfernounThe use of telecommunications networks to transfer funds from one financial institution, as a bank, to another, or to withdraw funds from one's own account to deposit in a creditor's.ProcessRegulatedPCIMay 9, 2026
Electronic funds transfer (EFT)nounA generic term describing any transfer of funds between parties or depository institutions through electronic data systems.ProcessRegulatedPCIMay 9, 2026
electronic funds transfer activitynounAny transfer of funds which is initiated through an electronic terminal, telephonic instrument, computer, or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account. ... These are normally considered retail funds transfer systems.DataRegulatedPCIMay 9, 2026
Electronic funds transfer point of sale equipmentnounAny instruments or machinery required for an electronic transfer of money to take place.PhysicalRegulatedPCIMay 9, 2026
Electronic Key EntrynounThe entry of cryptographic keys into a cryptographic module using electronic methods such as a smart card or a key-loading device. (The operator of the key may have no knowledge of the value of the key being entered.)ProcessRegulatedCUIMay 12, 2026
Electronic Key Management SystemnounInteroperable collection of systems being developed by services and agencies of the U.S. government to automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic key and management of other types of COMSEC material.SystemRegulatedCUIMay 9, 2026
Electronic Messaging ServicesnounServices providing interpersonal messaging capability; meeting specific functional, management, and technical requirements; and yielding a business-quality electronic mail service suitable for the conduct of official government business.CapabilityRegulatedCUIMay 9, 2026
Electronic Security PerimeternounThe logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.NetworkRegulatedCUIMay 12, 2026
Electronically Generated KeynounKey generated in a COMSEC device by introducing (either mechanically or electronically) a seed key into the device and then using the seed, together with a software algorithm stored in the device, to produce the desired key.CredentialRegulatedCUIMay 9, 2026
Electronically-created payment ordersnounThese are payment orders received by merchants from consumers, typically by telephone or the Internet. These payment orders are processed through the check processing system although they were not initiated as paper checks. These payment orders are not subject to check law and are not warranted by the Federal Reserve Banks.DataRegulatedPCIMay 9, 2026
Emanations AnalysisnounGaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but is not intended to communicate the data.CapabilityRestrictedCUIMay 12, 2026
Emanations SecuritynounProtection resulting from measures taken to deny unauthorized individuals information derived from intercept and analysis of compromising emissions from crypto-equipment or an information system. See TEMPEST.ControlRegulatedCUIMay 9, 2026
Embedded Cryptographic SystemnounCryptosystem performing or controlling a function as an integral element of a larger system or subsystem.SystemRegulatedCUIMay 12, 2026
Encrypted KeynounA cryptographic key that has been encrypted using an Approved security function with a key encrypting key, a PIN, or a password in order to disguise the value of the underlying plaintext key.CredentialRegulatedCUIMay 12, 2026
Encryption keynounA piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext.CredentialRestrictedCUIMay 9, 2026
End Cryptographic UnitnounDevice that (1) performs cryptographic functions, (2) typically is part of a larger system for which the device provides security services, and (3) from the viewpoint of a supporting security infrastructure (e.g., a key management system), is the lowest level of identifiable component with which a management transaction can be conducted.SystemRegulatedCUIMay 9, 2026
End-Item AccountingnounAccounting for all the accountable components of a COMSEC equipment configuration by a single short title.ProcessRegulatedCUIMay 9, 2026
Evaluation Products ListnounList of validated products that have been successfully evaluated under the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS).ArtifactPublicPublicInfoMay 12, 2026
Executive AgencynounAn executive department specified in 5 United States Code (U.S.C.), Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.OrganizationRegulatedCUIMay 9, 2026
Exercise KeynounCryptographic key material used exclusively to safeguard communications transmitted over-the-air during military or organized civil training exercises.CredentialRegulatedCUIMay 9, 2026
Expected OutputnounAny data collected from monitoring and assessments as part of the Information Security Continuous Monitoring (ISCM) strategy.DataInternalCUIMay 12, 2026
Facial Recognition (FR)nounPIIMay 13, 2026
Federal Bridge Certification AuthoritynounThe Federal Bridge Certification Authority consists of a collection of Public Key Infrastructure components (Certificate Authorities, Directories, Certificate Policies and Certificate Practice Statements) that are used to provide peer-to-peer interoperability among Agency Principal Certification Authorities.SystemRegulatedCUIMay 9, 2026
Federal Bridge Certification Authority MembranenounThe Federal Bridge Certification Authority Membrane consists of a collection of Public Key Infrastructure components including a variety of Certification Authority PKI products, Databases, CA specific Directories, Border Directory, Firewalls, Routers, Randomizers, etc.SystemRegulatedCUIMay 9, 2026
Federal Bridge Certification Authority Operational AuthoritynounThe Federal Bridge Certification Authority Operational Authority is the organization selected by the Federal Public Key Infrastructure Policy Authority to be responsible for operating the Federal Bridge Certification Authority.OrganizationRegulatedCUIMay 9, 2026
Federal Information Processing StandardnounA standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.FrameworkRegulatedCUIMay 12, 2026
Federal Information SystemnounAn information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.SystemRegulatedCUIMay 9, 2026
Fill DevicenounCOMSEC item used to transfer or store key in electronic form or to insert key into cryptographic equipment.PhysicalRegulatedCUIMay 9, 2026
FIN (Financial Application)nounThe SWIFT application within which all SWIFT user-to-user messages are input and output.SystemRegulatedPCIMay 9, 2026
FinalitynounIrrevocable and unconditional transfer of payment during settlement.RequirementRegulatedPCIMay 12, 2026
Financial EDI (FEDI)nounFinancial electronic data interchange. An instrument for settling invoices by initiating payments, processing remittance data and automating reconciliation, through the exchange of electronic messages.DataRegulatedPIIMay 9, 2026
FingernounA protocol to look up user information on a given host. A Unix program that takes an e-mail address as input and returns information about the user who owns that e-mail address. On some systems, finger only reports whether the user is currently logged on. Other systems return additional information, such as the user's full name, address, and telephone number. Of course, the user must first enter this information into the system. Many e-mail programs now have a finger utility built into them.NetworkPIIMay 12, 2026
FIPS PUBnounAn acronym for Federal Information Processing Standards Publication. FIPS publications (PUB) are issued by NIST after approval by the Secretary of Commerce.FrameworkRegulatedCUIMay 12, 2026
FIPS-Approved Security MethodnounA security method (e.g., cryptographic algorithm, cryptographic key generation algorithm or key distribution technique, random number generator, authentication technique, or evaluation criteria) that is either a) specified in a FIPS, or b) adopted in a FIPS.ControlRegulatedCUIMay 9, 2026
Fixed COMSEC FacilitynounCOMSEC facility located in an immobile structure or aboard a ship.PhysicalRegulatedCUIMay 9, 2026
FlowchartsnounTraditional flowcharts involve the use of geometric symbols, such as diamonds, ovals, and rectangles to represent the sequencing of program logic. Software packages are available that automatically chart programs or enable a programmer to chart a program without the need to draw it manually.ArtifactIPMay 9, 2026
Formal Access ApprovalnounA formalization of the security determination for authorizing access to a specific type of classified or sensitive information, based on specified access requirements, a determination of the individual’s security eligibility and a determination that the individual’s official duties require the individual be provided access to the information.ControlRegulatedCUIMay 9, 2026
formal contractnounAn officially recognized agreement between two or more parties.RequirementConfidentialIPMay 9, 2026
Frequency HoppingnounRepeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications.ControlRegulatedCUIMay 12, 2026
Full MaintenancenounComplete diagnostic repair, modification, and overhaul of COMSEC equipment, including repair of defective assemblies by piece part replacement. See Limited Maintenance.ProcessRestrictedCUIMay 9, 2026
funds transfer terminalnounAn information processing device used for the purpose of executing deposit account transactions between financial institutions and their customers by either the direct transmission of electronic impulses or the recording of electronic impulses for delayed processing.SystemRegulatedPCIMay 9, 2026
Global Information GridnounThe globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and National Security Systems. Non-GIG IT includes stand-alone, self-contained, or embedded IT that is not, and will not be, connected to the enterprise network.SystemRegulatedCUIMay 9, 2026
Government Emergency Telecommunications Service (GETS)nounAcronym for the Government Emergency Telecommunications Service card program. GETS cards provide emergency access and priority processing for voice communications services in emergency situations.CapabilityRegulatedCUIMay 12, 2026
Gramm-Leach-Bliley Act (GLBA)nounThe act, also known as the Financial Services Modernization Act of 1999, (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), required the federal banking agencies to establish information security standards for financial institutions.FrameworkRegulatedPIIMay 9, 2026
Hard Copy KeynounPhysical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories (PROM).PhysicalRegulatedCUIMay 9, 2026
Hardwired KeynounPermanently installed key.CredentialRestrictedCUIMay 9, 2026
Health Information ExchangenounA health information organization that brings together healthcare stakeholders within a defined geographic area and governs health information exchange among them for the purpose of improving health and care in that community.OrganizationRegulatedPHIMay 9, 2026
High Assurance GuardnounA guard that has two basic functional capabilities: a Message Guard and a Directory Guard. The Message Guard provides filter service for message traffic traversing the Guard between adjacent security domains. The Directory Guard provides filter service for directory access and updates traversing the Guard between adjacent security domains.SystemRegulatedCUIMay 12, 2026
High ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries).MetricRegulatedCUIMay 12, 2026
high impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of high.SystemRegulatedCUIMay 9, 2026
High-Impact SystemnounAn information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.SystemRegulatedCUIMay 9, 2026
IA InfrastructurenounThe underlying security framework that lies beyond an enterprise’s defined boundary, but supports its IA and IA-enabled products, its security posture and its risk management plan.SystemRegulatedCUIMay 12, 2026
IdentifiernounA data object - often, a printable, non-blank character string - that definitively represents a specific identity of a system entity, distinguishing that identity from all others.DataPIIMay 9, 2026
identitynounThe set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.IdentityRegulatedPIIMay 12, 2026
Identity BindingnounBinding of the vetted claimed identity to the individual (through biometrics) according to the issuing authority.ProcessRegulatedPIIMay 9, 2026
identity managementnounThe purpose of this task is to implement a set of functions and capabilities used for assurance of identity information (e.g., identifiers, credentials, attributes).CapabilityRegulatedPIIMay 9, 2026
Identity ProofingnounThe process by which a Credentials Service Provider (CSP) and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person.ProcessRegulatedPIIMay 9, 2026
Identity RegistrationnounThe process of making a person’s identity known to the Personal Identity Verification (PIV) system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.ProcessRegulatedPIIMay 9, 2026
Identity VerificationnounThe process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the PIV Card or system and associated with the identity being claimed.ProcessRegulatedCUIMay 12, 2026
Image archive (Check 21)nounDatabase for storage and easy retrieval of check images.DataRegulatedPIIMay 9, 2026
Image capture (Check 21)nounThe process of digitizing both sides of physical items and their assorted MICR information as they are processed at the Federal Reserve Bank. Also includes storage of the images for up to 60 days.ProcessRegulatedPIIMay 12, 2026
Image exchange (Check 21)nounExchange of some or all of the digitized images of a check.ProcessRegulatedPCIMay 9, 2026
Imitative Communications DeceptionnounIntroduction of deceptive messages or signals into an adversary's telecommunications signals. See also Communications Deception and Manipulative Communications Deception.ThreatRegulatedCUIMay 12, 2026
ImplantnounElectronic device or electronic equipment modification designed to gain unauthorized interception of information-bearing emanations.ThreatRegulatedCUIMay 9, 2026
In-ProcessingnounProcessRegulatedPIIMay 13, 2026
In-Processing AlgorithmnounProcessRegulatedPIIMay 13, 2026
Independent sales organizationnounA non-financial institution organization that provides a variety of merchant processing functions on behalf of the acquirer. These functions include soliciting new merchant accounts, arranging for terminal purchases or leases, and providing backroom services. An Independent sales organization is also referred to as a member service provider (MSP). The acquirer must register all Independent sales organization/MSPs with the bankcard associations.OrganizationRegulatedPCIMay 12, 2026
Independent Validation AuthoritynounEntity that reviews the soundness of independent tests and system compliance with all stated security controls and risk mitigation actions. IVAs will be designated by the Authorizing Official as needed.OrganizationRegulatedCUIMay 9, 2026
individualnounA citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc.IdentityRegulatedPIIMay 9, 2026
Industrial Control SystnounAn information system used to control industrial processes such as manufacturing, product handling, production, and distribution or to control infrastructure assets.SystemRegulatedCUIMay 9, 2026
Industrial Control SystemnounAn information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems (SCADA) used to control geographically dispersed assets, as well as distributed control systems (DCS) and smaller control systems using programmable logic controllers to control localized processes.SystemRegulatedCUIMay 9, 2026
Information Assurance ComponentnounAn application (hardware and/or software) that provides one or more Information Assurance capabilities in support of the overall security and operational objectives of a system.CapabilityRegulatedCUIMay 12, 2026
Information Assurance Vulnerability AlertnounNotification that is generated when an Information Assurance vulnerability may result in an immediate and potentially severe threat to DoD systems and information; this alert requires corrective action because of the severity of the vulnerability risk.VulnerabilityRegulatedCDIMay 12, 2026
Information Flow ControlnounProcedure to ensure that information transfers within an information system are not made in violation of the security policy.ControlRegulatedCUIMay 9, 2026
Information OperationsnounThe integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception, and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt, or usurp adversarial human and automated decision-making process, information, and information systems while protecting our own.CapabilityRegulatedCUIMay 9, 2026
Information Security Program PlannounFormal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.ArtifactRestrictedCUIMay 9, 2026
Information Security risknounThe risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. See Risk.MetricRegulatedCUIMay 12, 2026
Information Sharing Environmentnoun1. An approach that facilitates the sharing of terrorism and homeland security information; or 2. ISE in its broader application enables those in a trusted partnership to share, discover, and access controlled information.SystemRegulatedCUIMay 9, 2026
Information System Contingency PlannounManagement policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters.ProcessRegulatedCUIMay 9, 2026
Information Systems Security Equipment ModificationnounModification of any fielded hardware, firmware, software, or portion thereof, under NSA configuration control. There are three classes of modifications: mandatory (to include human safety); optional/special mission modifications; and repair actions. These classes apply to elements, subassemblies, equipment, systems, and software packages performing functions such as key generation, key distribution, message encryption, decryption, authentication, or those mechanisms necessary to satisfy security policy, labeling, identification, or accountability.ProcessRegulatedCUIMay 9, 2026
Inspectable SpacenounThree dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists. Synonymous with zone of control.PhysicalRegulatedCUIMay 9, 2026
Intangible assetnounAn asset that is not physical in nature. Scope Note: Examples include intellectual property (patents, trademarks, copyrights, processes), goodwill, and brand recognition.ArtifactConfidentialIPMay 9, 2026
intellectual propertynounCreations of the mind such as musical, literary, and artistic works; inventions; and symbols, names, images, and designs used in commerce, including copyrights, trademarks, patents, and related rights. Under intellectual property law, the holder of one of these abstract “properties” has certain exclusive rights to the creative work, commercial symbol, or invention by which it is covered.DataRestrictedIPMay 9, 2026
interactive remote accessnounUser-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.ProcessRegulatedCUIMay 12, 2026
InterchangenounExchange of transactions between financial institutions participating in a bank card network, based on a common set of rules. Card interchange allows a financial institution's customers to use a bank credit card at any card honoring merchant and to gain access to multiple ATM systems from a single ATM.ProcessRegulatedPCIMay 9, 2026
Interconnection Security AgreementnounA document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high-level roles and responsibilities in management of a cross-domain connection.RequirementRegulatedCUIMay 9, 2026
Interface Control DocumentnounTechnical document describing interface controls and identifying the authorities and responsibilities for ensuring the operation of such controls. This document is baselined during the preliminary design review and is maintained throughout the information system life cycle.ArtifactRegulatedCUIMay 9, 2026
Interim Approval to OperatenounTemporary authorization granted by a DAA for an information system to process information based on preliminary results of a security evaluation of the system. (To be replaced by ATO and POA&M)ArtifactRegulatedCUIMay 9, 2026
Interim Approval to TestnounTemporary authorization to test an information system in a specified operational information environment within the time frame and under the conditions or constraints enumerated in the written authorization.RequirementRegulatedCUIMay 9, 2026
intermediate systemnounA Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.SystemRegulatedCUIMay 9, 2026
InterrogationnounUsed to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from extracted data.ProcessRegulatedPIIMay 12, 2026
IT Security Awareness and Training ProgramnounExplains proper rules of behavior for the use of agency information systems and information. The program communicates IT security policies and procedures that need to be followed (i.e., NSTISSD 501, NIST SP 800-50).ProcessRegulatedCUIMay 12, 2026
JitternounJitter or Noise is the modification of fields in a database while preserving the aggregate characteristics that make the database useful in the first place.ControlRegulatedPIIMay 12, 2026
keynounA parameter used in conjunction with a cryptographic algorithm that determines its operation. Examples applicable to this Standard include: 1. The computation of a digital signature from data, and 2. The verification of a digital signature.CredentialRestrictedCUIMay 12, 2026
Key Distribution CenternounCOMSEC facility generating and distributing key in electronic form.SystemRegulatedCUIMay 9, 2026
Key Escrownoun1. The processes of managing (e.g., generating, storing, transferring, auditing) the two components of a cryptographic key by two key component holders. 2. A key recovery technique for storing knowledge of a cryptographic key, or parts thereof, in the custody of one or more third parties called "escrow agents," so that the key can be recovered and used in specified circumstances.ProcessRegulatedCUIMay 9, 2026
Key Escrow SystemnounA system that entrusts the two components comprising a cryptographic key (e.g., a device unique key) to two key component holders (also called "escrow agents").SystemRegulatedCUIMay 9, 2026
Key EstablishmentnounThe process by which cryptographic keys are securely established among cryptographic modules using manual transport methods (e.g., key loaders), automated methods (e.g., key transport and/or key agreement protocols), or a combination of automated and manual methods (consists of key transport plus key agreement).ProcessRestrictedCUIMay 9, 2026
Key fobnounA small portable device equipped with chip technology allowing the holder the ability to access network systems, such as those used for payments, and to store personal data.PhysicalRegulatedPIIMay 9, 2026
Key Generation MaterialnounRandom numbers, pseudo-random numbers, and cryptographic parameters used in generating cryptographic keys.DataRegulatedCUIMay 9, 2026
Key ListnounPrinted series of key settings for a specific cryptonet. Key lists may be produced in list, pad, or printed tape format.ArtifactRegulatedCUIMay 9, 2026
Key LoadernounA self-contained unit that is capable of storing at least one plaintext or encrypted cryptographic key or a component of a key that can be transferred, upon request, into a cryptographic module.PhysicalRegulatedCUIMay 9, 2026
Key ManagementnounThe activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and zeroization.ProcessRegulatedCUIMay 9, 2026
Key Management InfrastructurenounAll parts – computer hardware, firmware, software, and other equipment and its documentation; facilities that house the equipment and related functions; and companion standards, policies, procedures, and doctrine that form the system that manages and supports the ordering and delivery of cryptographic material and related information products and services to users.SystemRegulatedCUIMay 9, 2026
Key Production KeynounKey used to initialize a keystream generator for the production of other electronically generated key.CredentialRestrictedCUIMay 9, 2026
Key RecoverynounMechanisms and processes that allow authorized parties to retrieve the cryptographic key used for data confidentiality.ProcessRestrictedCUIMay 12, 2026
Key StreamnounSequence of symbols (or their electrical or mechanical equivalents) produced in a machine or auto-manual cryptosystem to combine with plain text to produce cipher text, control transmission security processes, or produce key.DataRestrictedCUIMay 9, 2026
Key TagnounIdentification information associated with certain types of electronic key.ArtifactRegulatedCUIMay 12, 2026
Key TapenounPunched or magnetic tape containing key. Printed key in tape form is referred to as a key list.PhysicalRegulatedCUIMay 9, 2026
Key UpdatingnounIrreversible cryptographic process for modifying key.ProcessRegulatedCUIMay 12, 2026
Key-Auto-KeynounCryptographic logic using previous key to produce key.ControlRegulatedCUIMay 12, 2026
Keying MaterialnounKey, code, or authentication information in physical, electronic, or magnetic form.CredentialRestrictedCUIMay 12, 2026
Keystroke MonitoringnounThe process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.ProcessRegulatedCUIMay 12, 2026
KiosknounA publicly accessible computer terminal that permits customers to directly communicate with the financial institution via a network.SystemInternalPCIMay 9, 2026
KMI Operating AccountnounA KMI business relationship that is established 1) to manage the set of user devices that are under the control of a specific KMI customer organization, and 2) to control the distribution of KMI products to those devices.OrganizationRegulatedCUIMay 9, 2026
KMI Protected ChannelnounA KMI Communication Channel that provides 1) Information Integrity Service; 2) either Data Origin Authentication Service or Peer Entity Authentication Service, as is appropriate to the mode of communications; and 3) optionally, Information Confidentiality Service.NetworkRegulatedCUIMay 9, 2026
KMI-Aware DevicenounA user device that has a user identity for which the registration has significance across the entire KMI (i.e., the identity’s registration data is maintained in a database at the PRSN level of the system, rather than only at an MGC) and for which a product can be generated and wrapped by a PSN for distribution to the specific device.SystemRegulatedCUIMay 9, 2026
Knowledge ManagementnounIn the NICE Workforce Framework, cybersecurity work where a person: Manages and administers processes and tools that enable the organization to identify, document, and access intellectual capital and information content.ProcessIPMay 12, 2026
KOA AgentnounA user identity that is designated by a KOA manager to access PRSN product delivery enclaves for the purpose of retrieving wrapped products that have been ordered for user devices that are assigned to that KOA.IdentityRegulatedCUIMay 9, 2026
KOA ManagernounThe Management Role that is responsible for the operation of one or more KOAs (i.e., manages distribution of KMI products to the end cryptographic units, fill devices, and ADPs that are assigned to the manager’s KOA).RoleRegulatedCUIMay 9, 2026
Laboratory AttacknounUse of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media.ThreatRegulatedCUIMay 9, 2026
Legal amount recognition (LAR)nounThe handwritten dollar amount of the check.DataRegulatedCDIMay 9, 2026
Level of ConcernnounRating assigned to an information system indicating the extent to which protection measures, techniques, and procedures must be applied. High, Medium, and Basic are identified levels of concern. A separate Level-of-Concern is assigned to each information system for confidentiality, integrity, and availability.MetricRegulatedCUIMay 12, 2026
Level of ProtectionnounExtent to which protective measures, techniques, and procedures must be applied to information systems and networks based on risk, threat, vulnerability, system interconnectivity considerations, and information assurance needs. Levels of protection are: 1. Basic: information systems and networks requiring implementation of standard minimum security countermeasures. 2. Medium: information systems and networks requiring layering of additional safeguards above the standard minimum security countermeasures. 3. High: information systems and networks requiring the most stringent protection and rigorous security countermeasures.RequirementRegulatedCUIMay 9, 2026
Limited MaintenancenounCOMSEC maintenance restricted to fault isolation, removal, and replacement of plug-in assemblies. Soldering or unsoldering usually is prohibited in limited maintenance. See Full Maintenance.ProcessRestrictedCUIMay 9, 2026
Line ConductionnounUnintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line.VulnerabilityRegulatedCUIMay 12, 2026
Local Management Device/Key ProcessornounEKMS platform providing automated management of COMSEC material and generating key for designated users.SystemRegulatedCUIMay 9, 2026
Local Registration AuthoritynounA Registration Authority with responsibility for a local community in a PKI-enabled environment.OrganizationRegulatedCUIMay 9, 2026
LockboxnounDeposit mechanism used by commercial firms and businesses to facilitate their deposit transaction volume. Typically, commercial firms and businesses direct customers to send payments directly to a financial institution address or post office box controlled by the institution. Financial institution personnel record payments received and prepare deposit slips, and subsequent processing proceeds as with other deposit taking activities.PhysicalRegulatedPCIMay 9, 2026
Log ClippingnounLog clipping is the selective removal of log entries from a system log to hide a compromise.ThreatRegulatedCUIMay 9, 2026
Long TitlenounDescriptive title of a COMSEC item.ArtifactRegulatedCUIMay 9, 2026
low impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of low, and none are assigned a potential impact value of medium or high.SystemRegulatedCUIMay 9, 2026
Low Impact Bulk Electric System Cyber System Electronic Access PointnounA Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact Bulk Electric System (BES) Cyber Systems.SystemRegulatedCUIMay 9, 2026
Low Impact External Routable ConnectivitynounDirect user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).NetworkRegulatedCDIMay 12, 2026
Low Probability of DetectionnounResult of measures used to hide or disguise intentional electromagnetic transmissions.ControlRegulatedCUIMay 12, 2026
Low Probability of InterceptnounResult of measures to prevent the intercept of intentional electromagnetic transmissions. The objective is to minimize an adversary’s capability of receiving, processing, or replaying an electronic signal.ControlRegulatedCUIMay 12, 2026
Magnetic ink character recognition (MICR)nounMagnetic codes found on the bottom of checks, deposit slips, and general ledger debit and credit tickets that allow a machine to scan (capture) the information. MICR encoding on a check includes the account number, the routing number, the serial number of the check, and the amount of the check. The amount of the check is encoded when the proof department processes the check.DataRegulatedPIIMay 9, 2026
Magnetic RemanencenounMagnetic representation of residual information remaining on a magnetic medium after the medium has been cleared. See Clearing.VulnerabilityRegulatedCUIMay 9, 2026
Maintenance HooknounSpecial instructions (trapdoors) in software allowing easy maintenance and additional feature development. Since maintenance hooks frequently allow entry into the code without the usual checks, they are a serious security risk if they are not removed prior to live implementation.VulnerabilityRegulatedCUIMay 12, 2026
Major ApplicationnounAn application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.SystemRegulatedCUIMay 9, 2026
Major Information SystemnounAn information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.SystemRegulatedCUIMay 9, 2026
Management ClientnounA configuration of a client node that enables a KMI external operational manager to manage KMI products and services by either 1) accessing a PRSN, or 2) exercising locally provided capabilities. An MGC consists of a client platform and an advanced key processor (AKP).SystemRegulatedCUIMay 9, 2026
Management Security ControlsnounThe security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information systems security.ControlRestrictedCUIMay 12, 2026
Mandatory ModificationnounChange to a COMSEC end-item that NSA requires to be completed and reported by a specified date. See Optional Modification.ControlRegulatedCUIMay 9, 2026
Manipulative Communications DeceptionnounAlteration or simulation of friendly telecommunications for the purpose of deception. See Communications Deception and Imitative Communications Deception.ThreatRegulatedCUIMay 9, 2026
Manual CryptosystemnounCryptosystem in which the cryptographic processes are performed without the use of crypto-equipment or auto-manual devices.SystemRegulatedCUIMay 9, 2026
Manual Key TransportnounA non-automated means of transporting cryptographic keys by physically moving a device, document, or person containing or possessing the key or key component.ProcessRegulatedCUIMay 9, 2026
Manual Remote RekeyingnounProcedure by which a distant crypto-equipment is rekeyed electronically, with specific actions required by the receiving terminal operator. Synonymous with cooperative remote rekeying. See also Automatic Remote Keying.ProcessRegulatedCUIMay 9, 2026
Master Cryptographic Ignition KeynounKey device with electronic logic and circuits providing the capability for adding more operational CIKs to a keyset.PhysicalRegulatedCUIMay 9, 2026
Match/matchingnounThe process of comparing biometric information against a previously stored template(s) and scoring the level of similarity.ProcessRegulatedPIIMay 9, 2026
medium impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of medium, and none are assigned a potential impact value of high.SystemRegulatedCUIMay 9, 2026
Memorandum of Understanding/AgreementnounA document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection.ArtifactInternalCUIMay 12, 2026
Memory ScavengingnounThe collection of residual information from data storage.ProcessRegulatedCUIMay 9, 2026
Merchant acquirernounBankcard association members that initiate and maintain contractual agreements with merchants for the purpose of accepting and processing bankcard transactions.OrganizationRegulatedPCIMay 9, 2026
Merchant processingnounActivity for the acceptance and settlement of bankcard products and transactions from merchants through the payment system.ProcessRegulatedPCIMay 9, 2026
Message IndicatornounSequence of bits transmitted over a communications system for synchronizing cryptographic equipment.DataRegulatedCUIMay 9, 2026
Mission Assurance CategorynounA Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) term primarily used to determine the requirements for availability and integrity.RequirementRegulatedCDIMay 9, 2026
Mission CriticalnounAny telecommunications or information system that is defined as a national security system (Federal Information Security Management Act of 2002 - FISMA) or processes any information the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency.RequirementRegulatedCUIMay 9, 2026
Mobile financial servicesnounThe products and services that a financial institution provides to its customers through mobile devices.CapabilityRegulatedPIIMay 9, 2026
Mode of OperationnounDescription of the conditions under which an information system operates based on the sensitivity of information processed and the clearance levels, formal access approvals, and need-to-know of its users. Four modes of operation are authorized for processing or transmitting information: dedicated mode, system high mode, compartmented/partitioned mode, and multilevel mode.RequirementRegulatedCUIMay 9, 2026
Moderate ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in significant damage to organizational assets; 3) results in significant financial loss; or 4) results in significant harm to individuals that does not involve loss of life or serious life threatening injuries).MetricRegulatedCUIMay 12, 2026
Multi-ReleasablenounA characteristic of an information domain where access control mechanisms enforce policy-based release of information to authorized users within the information domain.RequirementRegulatedCUIMay 9, 2026
Multilevel DevicenounEquipment trusted to properly maintain and separate data of different security domains.SystemRegulatedCUIMay 9, 2026
Multilevel ModenounMode of operation wherein all the following statements are satisfied concerning the users who have direct or indirect access to the system, its peripherals, remote terminals, or remote hosts: 1) some users do not have a valid security clearance for all the information processed in the information system; 2) all users have the proper security clearance and appropriate formal access approval for that information to which they have access; and 3) all users have a valid need-to-know only for information to which they have access.ProcessRegulatedCUIMay 9, 2026
Multilevel SecuritynounConcept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization.CapabilityRegulatedCUIMay 12, 2026
Multiple Security LevelsnounCapability of an information system that is trusted to contain, and maintain separation between, resources (particularly stored data) of different security domains.CapabilityRegulatedCUIMay 12, 2026
multiple sourcesnounInformation classified based on two or more source documents, classification guides or combination of both.DataRegulatedCUIMay 9, 2026
namenounThe word or phrase by which an individual, family, organization, or thing is known or referred to.ArtifactPIIMay 12, 2026
National Security Emergency Preparedness Telecommunications ServicesnounTelecommunications services that are used to maintain a state of readiness or to respond to and manage any event or crisis (local, national, or international) that causes or could cause injury or harm to the population, damage to or loss of property, or degrade or threaten the national security or emergency preparedness posture of the United States.CapabilityRegulatedCUIMay 9, 2026
National Security InformationnounInformation that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.DataRegulatedCUIMay 9, 2026
National Security SystemnounAny information system (including any telecommunications system) used or operated by an agency or by a contractor of any agency, or other organization on behalf of an agency, the function, operation, or use of which: I. involves intelligence activities; II. involves cryptologic activities related to national security; III. involves command and control of military forces; IV. involves equipment that is an integral part of a weapon or weapon system; or V. subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. Subparagraph (B). Does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). (Title 44 U.S. Code Section 3542, Federal Information Security Management Act of 2002.)SystemRegulatedCUIMay 9, 2026
need to knownounAn administrative action officially declaring a particular individual requires access to specified sensitive or classified information in order to perform their assigned duties.RequirementRegulatedCUIMay 12, 2026
Need To Know DeterminationnounDecision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.ProcessRegulatedCUIMay 9, 2026
network activity baselinenounEstablishing a trusted baseline document involves identifying the following: - network data points of interest - length of the baseline data collection period - methods and tools used to collect and store data Suggested network data points of interest include the following: - a list of predetermined devices a given workstation or server should communicate with - VPN usage, including access times, bandwidth and resources used, source IP addresses, and geolocation information - the known set of ports and protocols in use by the network - firewall and intrusion detection system logs - normal traffic patterns and flows.ArtifactInternalCUIMay 12, 2026
No-Lone ZonenounArea, room, or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other. See Two-Person Integrity.ControlRegulatedCUIMay 9, 2026
non-compliance informationnounInformation regarding a failure to act in accordance with applicable standards and regulations.FindingRegulatedCUIMay 9, 2026
non-public informationnounDataConfidentialPIIMay 8, 2026
Non-public personal informationnounDataRegulatedPIIMay 8, 2026
NullnounDummy letter, letter symbol, or code group inserted into an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes.ControlRegulatedCUIMay 12, 2026
ObfuscationnounThe deliberate act of creating source or machine code that is difficult for humans to understand.ControlIPMay 9, 2026
Object codenounThe machine code generated by a source code language processor such as an assembler or compiler. A file of object code may be executable immediately or it may require linking with other object code files (e.g., libraries) to produce a complete executable program.DataIPMay 12, 2026
Object IdentifiernounA specialized formatted number that is registered with an internationally recognized standards organization. The unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the federal government PKI, they are used to uniquely identify each of the four policies and cryptographic algorithms supported.ArtifactRegulatedCUIMay 12, 2026
Object ProgramnounA program that has been translated into machine language and is ready to be run (i.e., executed) by the computer.ArtifactIPMay 12, 2026
Off-CardnounRefers to data that is not stored within the PIV card or computation that is not done by the Integrated Circuit Chip (ICC) of the PIV card.DataRegulatedCUIMay 9, 2026
Official InformationnounAll information in the custody and control of a U.S. government department or agency that was acquired by U.S. government employees as a part of their official duties or because of their official status and has not been cleared for public release.DataRegulatedCUIMay 9, 2026
On-CardnounRefers to data that is stored within the PIV card or computation that is done by the ICC of the PIV card.DataRegulatedCUIMay 9, 2026
On-us checksnounChecks that are deposited into the same institution on which they are drawn.DataRegulatedPIIMay 9, 2026
One-time PadnounManual one-time cryptosystem produced in pad form.CredentialRestrictedCUIMay 9, 2026
One-time TapenounPunched paper tape used to provide key streams on a one-time basis in certain machine cryptosystems.PhysicalRegulatedCUIMay 9, 2026
online terminalnounA web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.SystemRegulatedPCIMay 9, 2026
Open StoragenounAny storage of classified national security information outside of approved containers. This includes classified information that is resident on information systems media and outside of an approved storage container, regardless of whether or not that media is in use (i.e., unattended operations).FindingRegulatedCUIMay 9, 2026
Operational KeynounKey intended for use over-the-air for protection of operational information or for the production or secure electrical transmission of key streams.CredentialRegulatedCUIMay 9, 2026
Operational Vulnerability InformationnounInformation that describes the presence of an information vulnerability within a specific operational setting or network.VulnerabilityRegulatedCUIMay 12, 2026
Operational WaivernounAuthority for continued use of unmodified COMSEC end-items pending the completion of a mandatory modification.RequirementRegulatedCUIMay 9, 2026
Operations CodenounCode composed largely of words and phrases suitable for general communications use.ArtifactRegulatedCUIMay 9, 2026
Operations SecuritynounSystematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.ProcessRegulatedCUIMay 9, 2026
Optional ModificationnounNSA-approved modification not required for universal implementation by all holders of a COMSEC end-item. This class of modification requires all of the engineering/doctrinal control of mandatory modification but is usually not related to security, safety, TEMPEST, or reliability. See Mandatory Modification.ControlRegulatedCUIMay 9, 2026
Organizational Registration AuthoritynounEntity within the PKI that authenticates the identity and the organizational affiliation of the users.OrganizationRegulatedPIIMay 9, 2026
origination functionnounAny of the processes required to initiate an automated clearing house transaction.ProcessRegulatedPCIMay 12, 2026
OriginatornounA person that has authorized an ODFI to transmit a credit or debit entry to the deposit account of a receiver at an RDFI.IdentityRegulatedPIIMay 9, 2026
Over-The-Air Key DistributionnounProviding electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation.ProcessRestrictedCUIMay 12, 2026
Over-The-Air Key TransfernounElectronically distributing key without changing traffic encryption key used on the secured communications path over which the transfer is accomplished.ProcessRegulatedCUIMay 12, 2026
Over-The-Air RekeyingnounChanging traffic encryption key or transmission security key in remote cryptographic equipment by sending new key directly to the remote cryptographic equipment over the communications path it secures.ProcessRegulatedCUIMay 12, 2026
overdraftnounThe amount by which withdrawals exceed deposits, or the extension of credit by a lending institution to allow for such a situation.DataRegulatedPIIMay 12, 2026
Partitioned Security ModenounInformation systems security mode of operation wherein all personnel have the clearance, but not necessarily formal access approval and need-to-know, for all information handled by an information system.RequirementRegulatedCUIMay 12, 2026
Path HistoriesnounMaintaining an authenticatable record of the prior platforms visited by a mobile software agent, so that a newly visited platform can determine whether to process the agent and what resource constraints to apply.ArtifactInternalCUIMay 12, 2026
PaymentnounA transfer of value.DataRegulatedPCIMay 9, 2026
payment cardnounA range of different cards that can be used to access cash assets through point-of-sale terminals or other facilities in order to make payments, receive cash money, exchange currency and perform other actions determined by the card issuer and its terms.PhysicalRegulatedPCIMay 9, 2026
Payment systemnounThe mechanism, the rules, institutions, people, markets, and agreements that make the exchange of payments possible.SystemRegulatedPCIMay 9, 2026
Payroll card accountnounA bank account that is established directly or indirectly by an employer on behalf of an employee to which electronic funds transfers of the employee's wages or compensation are made on a recurring basis. The payroll card, often branded by one of the credit/debit card associations, provides the employee access to the funds.DataRegulatedPIIMay 9, 2026
PCI Security Standards CouncilnounThe governing body, representing key participants of the payment card industry, which establishes and maintains security standards for payment cards.OrganizationRegulatedPCIMay 12, 2026
Per-Call KeynounUnique traffic encryption key generated automatically by certain secure telecommunications systems to secure single voice or data transmissions. See Cooperative Key Generation.CredentialRegulatedCUIMay 9, 2026
Perimeternoun(C&A) Encompasses all those components of the system that are to be accredited by the DAA, and excludes separately accredited systems to which the system is connected. (Authorization) Encompasses all those components of the system or network for which a Body of Evidence is provided in support of a formal approval to operate.SystemRegulatedCUIMay 12, 2026
Periods ProcessingnounThe processing of various levels of classified and unclassified information at distinctly different times. Under the concept of periods processing, the system must be purged of all information from one processing period before transitioning to the next.ProcessRegulatedCUIMay 9, 2026
PermuternounDevice used in cryptographic equipment to change the order in which the contents of a shift register are used in various nonlinear combining circuits.PhysicalRestrictedCUIMay 9, 2026
personnounThis role focuses on human individuals, partnerships, corporations, limited liability companies, trusts, estates, cooperatives, associations, sole proprietorships, joint stock companies, joint ventures, or other legal entities. Any process or activity that fits into one of these categories should be assigned to this role.IdentityPIIMay 9, 2026
Person-to-person (P2P) paymentnounOnline payments using electronic mail messages to invoke a transfer of value between the parties over existing proprietary networks as on-us transactions.ProcessRegulatedPCIMay 9, 2026
Personal DatanounDataRegulatedPIIMay 13, 2026
Personal identification numbernounA secret that a claimant memorizes and uses to authenticate his or her identity. PINs are generally only decimal digits.CredentialRegulatedPIIMay 12, 2026
personal identification number informationnounInformation containing an account-holder's secret code that is used to verify their identity when trying to access a computer system, network, credit card account, ATM, etc.DataRegulatedPIIMay 9, 2026
Personal Identifying Information / Personally Identifiable InformationnounThe information that permits the identity of an individual to be directly or indirectly inferred.DataRegulatedPIIMay 9, 2026
Personal Identity VerificationnounThe process of creating and using a governmentwide secure and reliable form of identification for federal employees and contractors, in support of HSPD 12, Policy for a Common Identification Standard for Federal Employees and Contractors.ProcessRegulatedCUIMay 9, 2026
Personal Identity Verification AccreditationnounThe official management decision to authorize operation of a PIV Card Issuer after determining that the Issuer’s reliability has satisfactorily been established through appropriate assessment and certification processes.ProcessRegulatedCUIMay 9, 2026
Personal Identity Verification Authorizing OfficialnounAn individual who can act on behalf of an agency to authorize the issuance of a credential to an applicant.RoleRegulatedCUIMay 9, 2026
Personal Identity Verification CardnounPhysical artifact (e.g., identity card, “smart” card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation, etc.) such that a claimed identity of the cardholder may be verified against the stored credentials by another person (human-readable and verifiable) or an automated process (computer-readable and verifiable).PhysicalRegulatedCUIMay 9, 2026
Personal Identity Verification IssuernounAn authorized identity card creator that procures FIPS-approved blank identity cards, initializes them with appropriate software and data elements for the requested identity verification and access control application, personalizes the cards with the identity credentials of the authorized subjects, and delivers the personalized card to the authorized subjects along with appropriate instructions for protection and use.OrganizationRegulatedCUIMay 9, 2026
Personal Identity Verification RegistrarnounAn entity that establishes and vouches for the identity of an applicant to a PIV Issuer. The PIV RA authenticates the applicant’s identity by checking identity source documents and identity proofing, and ensures a proper background check has been completed, before the credential is issued.OrganizationRegulatedPIIMay 9, 2026
Personal Identity Verification SponsornounAn individual who can act on behalf of a department or agency to request a PIV Card for an applicant.RoleRegulatedCUIMay 9, 2026
Personally identifiable financial informationnounFor purposes of the Information Security Standards, personally identifiable financial information means information (i) a consumer provides to a financial institution to obtain a financial product or service; (ii) about a consumer resulting from any transaction involving a financial product or service between the financial institution and a consumer; or (iii) that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service, such as account balance information, payment history, overdraft history, and credit or debit card purchase information; or the fact that an individual is one of the financial institution’s customers.DataRegulatedPIIMay 9, 2026
Personally Identifiable InformationnounAny information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.DataRegulatedPIIMay 9, 2026
personnel risk assessmentnounThe purpose of this task is to determine the risk that personnel pose to the organization.ProcessRegulatedPIIMay 9, 2026
pharmingnounThis is a more sophisticated form of MITM attack. A user’s session is redirected to a masquerading website. This can be achieved by corrupting a DNS server on the Internet and pointing a URL to the masquerading website’s IP. Almost all users use a URL like www.worldbank.com instead of the real IP (192.86.99.140) of the website. By changing the pointers on a DNS server, the URL can be redirected to send traffic to the IP of the pseudo website. At the pseudo website, transactions can be mimicked and information like login credentials can be gathered. With this, the attacker can access the real www.worldbank.com site and conduct transactions using the credentials of a valid user on that website.ThreatPIIMay 12, 2026
Physical Access Control system maintenance and testing programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to ensure continued maintenance and testing of the Physical Access Control System.ControlRegulatedCUIMay 9, 2026
physical security plannounA formal document that provides an overview of the security requirements for a physical security program and describes the security controls in place or planned for meeting those requirements.ArtifactRegulatedCUIMay 12, 2026
PII Confidentiality Impact LevelnounThe PII confidentiality impact level—low, moderate, or high—indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.MetricRegulatedPIIMay 9, 2026
Plan of Action and MilestonesnounA document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.ArtifactRegulatedCUIMay 9, 2026
Point-of-sale (POS) networknounA network of institutions, debit cardholders, and merchants that permits consumers to make direct payment electronically at the place of purchase. The funds are withdrawn from the account of the cardholder.NetworkRegulatedPCIMay 9, 2026
Portable Electronic DevicenounAny nonstationary electronic apparatus with singular or multiple capabilities of recording, storing, and/or transmitting data, voice, video, or photo images. This includes but is not limited to laptops, personal digital assistants, pocket personal computers, palmtops, MP3 players, cellular telephones, thumb drives, video cameras, and pagers.PhysicalRegulatedCUIMay 9, 2026
Positive Control MaterialnounGeneric term referring to a sealed authenticator system, permissive action link, coded switch system, positive enable system, or nuclear command and control documents, material, or devices.PhysicalRegulatedCUIMay 9, 2026
previous residencenounA location where someone was living before where that person is currently living.DataRegulatedPIIMay 9, 2026
Primary Services NodenounA Key Management Infrastructure core node that provides the users’ central point of access to KMI products, services, and information.SystemRegulatedCUIMay 12, 2026
Principal Accrediting AuthoritynounSenior official with authority and responsibility for all intelligence systems within an agency.RoleRestrictedCUIMay 9, 2026
Principal Certification AuthoritynounThe Principal Certification Authority is a CA designated by an agency to interoperate with the FBCA. An agency may designate multiple Principal CAs to interoperate with the FBCA.IdentityRegulatedCUIMay 9, 2026
Privacy Impact AssessmentnounAn analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.ArtifactConfidentialPIIMay 12, 2026
Private label cardnounSee "Store Card".DataRegulatedPCIMay 9, 2026
Privileged CommandnounA human-initiated command executed on an information system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information.ProcessRegulatedCUIMay 12, 2026
ProcessingnounProcessRegulatedPIIMay 13, 2026
Product Source NodenounThe Key Management Infrastructure core node that provides central generation of cryptographic key material.SystemRegulatedCUIMay 12, 2026
production codenounCode that is currently used in a production environment.DataRegulatedIPMay 9, 2026
ProfilingnounMeasuring the characteristics of expected activity so that changes to it can be more easily identified.ProcessRegulatedPIIMay 13, 2026
Proprietary InformationnounMaterial and information relating to or associated with a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications; marketing plans or techniques; schematics; client lists; computer programs; processes; and know-how that has been clearly identified and properly marked by the company as proprietary information, trade secrets, or company confidential information. The information must have been developed by the company and not be available to the government or to the public without restriction from another source.DataRestrictedIPMay 9, 2026
Protected Distribution SystemnounWire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.NetworkRegulatedCUIMay 9, 2026
Protective Distribution SystemnounWire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information.SystemRegulatedCUIMay 9, 2026
Protective Packaging | noun | Packaging techniques for COMSEC material that discourage penetration, reveal a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use. | Control, Regulated, CUI | May 9, 2026
Protective Technologies | noun | Special tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material. | Control, Regulated, CUI | May 9, 2026
Pseudo-Anonymization (pseudonymization) | noun | | Regulated, PII | May 13, 2026
Pseudonym | noun | 1. A subscriber name that has been chosen by the subscriber that is not verified as meaningful by identity proofing. 2. An assigned identity that is used to protect an individual’s true identity. | Credential, Restricted, PII | May 9, 2026
Public Domain Software | noun | Software not protected by copyright laws of any nation that may be freely used without permission of, or payment to, the creator, and that carries no warranties from, or liabilities to the creator. | Data, Public, PublicInfo | May 9, 2026
Quadrant | noun | Short name referring to technology that provides tamper-resistant protection to cryptographic equipment. | Physical, Regulated, CUI | May 9, 2026
Receiver | noun | An individual, corporation, or other entity that has authorized a company or an originator to initiate a credit or debit entry to a transaction account belonging to the receiver held at its RDFI. | Identity, Regulated, PII | May 9, 2026
record | noun | Anything that is put down in permanent form and preserved as evidence. | Artifact, Regulated, PII | May 9, 2026
Records Management | noun | The process for tagging information for records-keeping requirements as mandated in the Federal Records Act and the National Archival and Records Requirements. | Process, Regulated, CUI | May 9, 2026
Recovery Procedures | noun | Actions necessary to restore data files of an information system and computational capability after a system failure. | Process, Regulated, CUI | May 12, 2026
Rectification | noun | | Regulated, PII | May 13, 2026
RED | noun | In cryptographic systems, refers to information or messages that contain sensitive or classified information that is not encrypted. See also BLACK. | Data, Regulated, CUI | May 9, 2026
Red Signal | noun | Any electronic emission (e.g., plain text, key, key stream, subkey stream, initial fill, or control signal) that would divulge national security information if recovered. | Vulnerability, Regulated, CUI | May 9, 2026
Red/Black Concept | noun | Separation of electrical and electronic circuits, components, equipment, and systems that handle unencrypted information (Red), in electrical form, from those that handle encrypted information (Black) in the same form. | Control, Regulated, CUI | May 9, 2026
Registration | noun | The process through which a party applies to become a subscriber of a Credentials Service Provider (CSP) and a Registration Authority validates the identity of that party on behalf of the CSP. | Process, Regulated, PII | May 12, 2026
Registration authority | noun | A trusted entity that establishes and vouches for the identity of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s). | Organization, Regulated, PII | May 9, 2026
Release Prefix | noun | Prefix appended to the short title of U.S.-produced keying material to indicate its foreign releasability. "A" designates material that is releasable to specific allied nations, and "U.S." designates material intended exclusively for U.S. use. | Artifact, Regulated, CUI | May 9, 2026
Remanence | noun | Residual information remaining on storage media after clearing. See Magnetic Remanence and Clearing. | Vulnerability, Regulated, CUI | May 9, 2026
Remittance cards | noun | Payment cards that are typically used to facilitate cross-border movement of funds by individuals and for person-to-person transactions. | Data, Regulated, PCI | May 9, 2026
Remote deposit capture (RDC) | noun | A service that enables users at remote locations to scan digital images of checks and transmit the captured data to a financial institution or a merchant that is a customer of a financial institution. | Capability, Regulated, PCI | May 9, 2026
Remote Rekeying | noun | Procedure by which a distant crypto-equipment is rekeyed electrically. See Automatic Remote Rekeying and Manual Remote Rekeying. | Process, Regulated, CUI | May 9, 2026
Remotely created check (RCC) | noun | A check that is drawn on a customer account at a financial institution, is created by the payee, and does not bear a signature in the format agreed to by the paying financial institution and customer. RCCs are also known as "demand drafts," "telechecks," "preauthorized drafts," "paper drafts," or "digital checks." | Data, Regulated, PCI | May 9, 2026
Repair Action | noun | NSA-approved change to a COMSEC end-item that does not affect the original characteristics of the end-item and is provided for optional application by holders. Repair actions are limited to minor electrical and/or mechanical improvements to enhance operation, maintenance, or reliability. They do not require an identification label, marking, or control but must be fully documented by changes to the maintenance manual. | Control, Regulated, CUI | May 9, 2026
reportable cyber incident | noun | A Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity. | Event, Regulated, CUI | May 9, 2026
Request for Comment | noun | A series of notes about the Internet, started in 1969 (when the Internet was the ARPANET). An Internet Document can be submitted to the IETF by anyone, but the IETF decides if the document becomes an RFC. Eventually, if it gains enough interest, it may evolve into an Internet standard. | Artifact, Public, PublicInfo | May 12, 2026
Reserve Keying Material | noun | Key held to satisfy unplanned needs. See Contingency Key. | Credential, Regulated, CUI | May 9, 2026
Residue | noun | Data left in storage after information-processing operations are complete, but before degaussing or overwriting has taken place. | Data, Regulated, CUI | May 12, 2026
Restricted Data | noun | All data concerning (i) design, manufacture, or utilization of atomic weapons; (ii) the production of special nuclear material; or (iii) the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to Section 142 [of the Atomic Energy Act of 1954]. | Data, Restricted, CUI | May 9, 2026
Retail payments | noun | Payments, typically small, made in the goods and services market. | Data, Regulated, PCI | May 9, 2026
Return (ACH) | noun | Any ACH entry that has been returned to the ODFI by the RDFI or by the ACH operator because it cannot be processed. The reason for each return is included with the return in the form of a "return reason code." (See the NACHA "Operating Rules and Guidelines" for a complete reason code listing.) | Artifact, Regulated, PCI | May 9, 2026
Reverse Engineering | noun | Acquiring sensitive data by disassembling and analyzing the design of a system component. | Threat, Restricted, IP | May 12, 2026
Risk Mitigation Plan | noun | This record contains detailed proposals intended to reduce the risks to a critical asset, typically including actions or countermeasures designed to counter the threats to assets. | Control, Regulated, CUI | May 9, 2026
risk-based authentication | noun | Any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected, such as through the use of challenge questions. | Control, Regulated, PII | May 12, 2026
Safeguarding Statement | noun | Statement affixed to a computer output or printout that states the highest classification being processed at the time the product was produced and requires control of the product, at that level, until determination of the true classification by an authorized individual. Synonymous with banner. | Artifact, Regulated, CUI | May 9, 2026
Scavenging | noun | Searching through object residue to acquire data. | Threat, Regulated, CUI | May 12, 2026
Scoping Guidance | noun | A part of tailoring guidance providing organizations with specific policy/regulatory-related, technology-related, system component allocation-related, operational/environmental-related, physical infrastructure-related, public access-related, scalability-related, common control-related, and security objective-related considerations on the applicability and implementation of individual security controls in the security control baseline. | Requirement, Regulated, CUI | May 12, 2026
secret key | noun | A cryptographic key that is used with a secret-key (symmetric) cryptographic algorithm that is uniquely associated with one or more entities and is not made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure. | Credential, Restricted, CUI | May 9, 2026
Secret Seed | noun | A secret value used to initialize a pseudorandom number generator. | Credential, Restricted, CUI | May 9, 2026
Secure Communications | noun | Telecommunications deriving security through use of NSA-approved products and/or Protected Distribution Systems. | Capability, Regulated, CUI | May 12, 2026
secure development practice | noun | A software development practice where the confidentiality, integrity, and availability of the software code is protected against threats and vulnerabilities. | Process, Regulated, IP | May 9, 2026
Secure Electronic Transaction | noun | A standard that will ensure that credit card and associated payment order information travels safely and securely between the various involved parties on the Internet. | Framework, Regulated, PCI | May 9, 2026
Secure Socket Layer | noun | A protocol used for protecting private information during transmission via the Internet. Note: SSL works by using a public key to encrypt data that's transferred over the SSL connection. Most Web browsers support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https:” instead of “http:.” | Network, Regulated, PCI | May 12, 2026
Security Attribute | noun | An abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information; typically associated with internal data structures (e.g., records, buffers, files) within the information system which are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. | Data, Regulated, CUI | May 9, 2026
Security Awareness program | noun | The documented plan and documented activities to create well-informed interest in being free from danger or threat. | Process, Regulated, CUI | May 9, 2026
Security Banner | noun | A banner at the top or bottom of a computer screen that states the overall classification of the system in large, bold type. Also can refer to the opening screen that informs users of the security implications of accessing a computer resource. | Control, Regulated, CUI | May 12, 2026
Security Categorization | noun | The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems. | Process, Regulated, CUI | May 12, 2026
Security Concept of Operations | noun | A security-focused description of an information system, its operational policies, classes of users, interactions between the system and its users, and the system’s contribution to the operational mission. | Artifact, Restricted, CUI | May 12, 2026
Security Control Assessment | noun | The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. | Control, Regulated, CUI | May 9, 2026
Security Controls Baseline | noun | The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system. | Requirement, Regulated, CUI | May 9, 2026
Security Event Log | noun | This record contains records of any security-related and auditing-related events. | Event, Regulated, CUI | May 12, 2026
Security Marking | noun | Human-readable information affixed to information system components, removable media, or output indicating the distribution limitations, handling caveats, and applicable security markings. | Artifact, Regulated, CUI | May 9, 2026
Security Net Control Station | noun | Management system overseeing and controlling implementation of network security policy. | System, Regulated, CUI | May 9, 2026
Security Program Plan | noun | Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management security controls and common security controls in place or planned for meeting those requirements. | Artifact, Restricted, CUI | May 12, 2026
Security Range | noun | Highest and lowest security levels that are permitted in or on an information system, system component, subsystem, or network. | Requirement, Regulated, CUI | May 12, 2026
Security Requirements Traceability Matrix | noun | Matrix that captures all security requirements linked to potential risks and addresses all applicable C&A requirements. It is, therefore, a correlation statement of a system’s security features and compliance methods for each security requirement. | Artifact, Regulated, CUI | May 9, 2026
Security Tag | noun | Information unit containing a representation of certain security-related information (e.g., a restrictive attribute bit map). | Data, Regulated, CUI | May 12, 2026
Security Test & Evaluation | noun | Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system. | Process, Regulated, CUI | May 12, 2026
Security-Relevant Information | noun | Any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. | Data, Restricted, CUI | May 12, 2026
Seed Key | noun | Initial key used to start an updating or key generation process. | Credential, Restricted, CUI | May 12, 2026
Sensitive Compartmented Information | noun | Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence. | Data, Regulated, CUI | May 9, 2026
Sensitive Compartmented Information Facility | noun | Accredited area, room, or group of rooms, buildings, or installation where SCI may be stored, used, discussed, and/or processed. | Physical, Regulated, CUI | May 9, 2026
Sensitive customer information | noun | A customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log into or access the customer’s account, such as user name and password or password and account number. | Data, Regulated, PII | May 9, 2026
sensitive data | noun | Information whose loss, misuse, unauthorized access to, modification, or destruction, could adversely affect the national interest or the conduct of federal programs, or privacy to which individuals are entitled, but which has not been specifically authorized to be kept secret in the interest of national defense or foreign policy, etc. | Data, Regulated, CUI | May 9, 2026
Sensitive Information | noun | Information, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (Systems that are not national security systems, but contain sensitive information, are to be protected in accordance with the requirements of the Computer Security Act of 1987 [P.L.100-235].) | Data, Regulated, CUI | May 9, 2026
Sensitivity Label | noun | Information representing elements of the security label(s) of a subject and an object. Sensitivity labels are used by the trusted computing base (TCB) as the basis for mandatory access control decisions. See Security Label. | Data, Regulated, CUI | May 12, 2026
service provider | noun | For purposes of the Information Security Standards, service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to a financial institution. | Organization, Regulated, PII | May 12, 2026
shared account | noun | A single local account created for a group, with one user name and one password. | Identity, Regulated, CUI | May 9, 2026
Shielded Enclosure | noun | Room or container designed to attenuate electromagnetic radiation, acoustic signals, or emanations. | Physical, Regulated, CUI | May 12, 2026
Short Title | noun | Identifying combination of letters and numbers assigned to certain COMSEC materials to facilitate handling, accounting, and controlling. | Artifact, Regulated, CUI | May 9, 2026
Single Point Keying | noun | Means of distributing key to multiple, local crypto equipment or devices from a single fill point. | Process, Regulated, CUI | May 9, 2026
Single-Entry (ACH) | noun | A one-time transfer of funds initiated by an originator in accordance with the receiver's authorization for a single ACH credit or debit to the receiver's consumer account. | Data, Regulated, PCI | May 9, 2026
Skimming | noun | The unauthorized use of a reader to read tags without the authorization or knowledge of the tag’s owner or the individual in possession of the tag. | Threat, Regulated, PII | May 9, 2026
Source code | noun | Software program instructions written in a format (language) readable by humans. | Data, Confidential, IP | May 9, 2026
Source program | noun | A program written in a programming language (such as C, Pascal, or COBOL). A compiler translates the source code into a machine-language object program. | Artifact, IP | May 9, 2026
Special Access Program | noun | A program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level. | Process, Regulated, CUI | May 9, 2026
Special Access Program Facility | noun | Facility formally accredited by an appropriate agency in accordance with DCID 6/9 in which SAP information may be processed. | Physical, Regulated, CDI | May 9, 2026
Spillage | noun | Security incident that results in the transfer of classified or CUI information onto an information system not accredited (i.e., authorized) for the appropriate security level. | Event, Regulated, CUI | May 9, 2026
Split Knowledge | noun | 1. Separation of data or information into two or more parts, each part constantly kept under control of separate authorized individuals or teams so that no one individual or team will know the whole data. 2. A process by which a cryptographic key is split into multiple key components, individually sharing no knowledge of the original key, which can be subsequently input into, or output from, a cryptographic module by separate entities and combined to recreate the original cryptographic key. | Control, Regulated, CUI | May 9, 2026
Screen scraping | noun | A process used by information aggregators to gather information from a customer's website, whereby the aggregator accesses the target site by logging in as the customer, electronically reads and copies selected information from the displayed webpage(s), then redisplays the information on the aggregator's site. The process is analogous to "scraping" the information off the computer screen. | Process, Regulated, PII | May 9, 2026
Start-Up KEK | noun | Key-encryption-key held in common by a group of potential communicating entities and used to establish ad hoc tactical networks. | Credential, Regulated, CUI | May 9, 2026
Steganography | noun | The art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format. | Threat, Regulated, PHI | May 12, 2026
storage | noun | The action or method of keeping something for future use. | System, Regulated, CUI | May 9, 2026
Store card | noun | A credit card issued by a financial institution for a specific merchant or vendor that does not carry a bankcard association logo. Store cards can only be used at the merchant or vendor whose name appears on the front of the card. | Physical, Regulated, PCI | May 9, 2026
Stored-value card | noun | A card-based payment system that assigns a value to the card. The card's value can be stored on the card itself (i.e., on the magnetic stripe or in a computer chip) or in a network database. As the card is used for transactions, the transaction amounts are subtracted from the card's balance. As the balance approaches zero, some cards can be "reloaded" through various methods and others are designed to be discarded. These cards are often used in closed systems for specific types of purchases. | Physical, Regulated, PCI | May 9, 2026
Striped Core | noun | A network architecture in which user data traversing a core IP network is decrypted, filtered and re-encrypted one or more times. Note: The decryption, filtering, and re-encryption are performed within a “Red gateway”; consequently, the core is “striped” because the data path is alternately Black, Red, and Black. | Network, Regulated, CUI | May 9, 2026
Subject Security Level | noun | Sensitivity label(s) of the objects to which the subject has both read and write access. Security level of a subject must always be dominated by the clearance level of the user associated with the subject. | Identity, Regulated, CUI | May 9, 2026
Subordinate Certification Authority | noun | In a hierarchical PKI, a Certification Authority whose certificate signature key is certified by another CA, and whose activities are constrained by that other CA. | System, Regulated, CUI | May 9, 2026
Substitute check (Check 21) | noun | Also known as the Image Replacement Document (IRD). A paper reproduction of an original check that (1) contains an image of the front and back of the original check; (2) bears a MICR line that, except as provided under ANS X9.100-140, contains all the information appearing on the MICR line of the original check when it was issued and any additional information that was encoded on the original check's MICR line before an image of the original check was captured; (3) conforms in paper stock, dimension, and otherwise with ANS X9.100-140; and (4) is suitable for automated processing in the same manner as the original check. The Federal Reserve Board of Governors can by rule or order determine different standards. | Artifact, Regulated, PCI | May 9, 2026
Suite A | noun | A specific set of classified cryptographic algorithms used for the protection of some categories of restricted mission-critical information. | Requirement, Regulated, CUI | May 9, 2026
Suite B | noun | A specific set of cryptographic algorithms suitable for protecting national security systems and information throughout the U.S. government and to support interoperability with allies and coalition partners. | Requirement, Regulated, CUI | May 9, 2026
Superencryption | noun | Process of encrypting encrypted information. Occurs when a message, encrypted off-line, is transmitted over a secured, online circuit, or when information encrypted by the originator is multiplexed onto a communications trunk, which is then bulk encrypted. | Process, Regulated, CUI | May 9, 2026
Superior Certification Authority | noun | In a hierarchical PKI, a Certification Authority who has certified the certificate signature key of another CA, and who constrains the activities of that CA. | System, Restricted, CUI | May 12, 2026
Supersession | noun | Scheduled or unscheduled replacement of COMSEC material with a different edition. | Process, Regulated, CUI | May 9, 2026
Supervisory control and data acquisition | noun | A generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (delays, data integrity, etc.) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated. | System, Regulated, CUI | May 12, 2026
Supply Chain Attack | noun | Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle. | Threat, Regulated, CUI | May 9, 2026
Suppression Measure | noun | Action, procedure, modification, or device that reduces the level of, or inhibits the generation of, compromising emanations in an information system. | Control, Regulated, CUI | May 12, 2026
symmetric key | noun | A cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt and decrypt, or create a message authentication code and to verify the code. | Credential, Restricted, CUI | May 12, 2026
system documentation | noun | Detailed information about a computer system: its architecture, design, data flow, and programming logic. | Artifact, Internal, IP | May 9, 2026
System High Mode | noun | Information systems security mode of operation wherein each user, with direct or indirect access to the information system, its peripherals, remote terminals, or remote hosts, has all of the following: a. valid security clearance for all information within an information system; b. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments and/or special access programs); and c. valid need-to-know for some of the information contained within the information system. | Process, Regulated, CUI | May 9, 2026
System Indicator | noun | Symbol or group of symbols in an off-line encrypted message identifying the specific cryptosystem or key used in the encryption. | Data, Regulated, CUI | May 9, 2026
System Of Records | noun | A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. | Data, Regulated, PII | May 9, 2026
System Profile | noun | Detailed security description of the physical structure, equipment component, location, relationships, and general operating environment of an information system. | Artifact, Regulated, CUI | May 9, 2026
system security | noun | | Capability, Regulated, CUI | May 8, 2026
System Security Plan | noun | | Artifact, Regulated, CUI | May 8, 2026
Tactical Data | noun | | Data, Restricted, CUI | May 8, 2026
Tactical Edge | noun | | Organization, Regulated, CDI | May 8, 2026
Technical Vulnerability Information | noun | | Vulnerability, Restricted, CUI | May 12, 2026
Technology Research and Development | noun | | Process, IP | May 12, 2026
Tempest | noun | | Capability, Regulated, CUI | May 8, 2026
TEMPEST Test | noun | | Process, Regulated, CUI | May 8, 2026
TEMPEST Zone | noun | Designated area within a facility where equipment with appropriate TEMPEST characteristics (TEMPEST zone assignment) may be operated. | Physical, Regulated, CUI | May 9, 2026
termination action | noun | Any action which terminates or brings something to an end. | Process, Regulated, CUI | May 12, 2026
Test Key | noun | Key intended for testing of COMSEC equipment or systems. | Credential, Regulated, CUI | May 9, 2026
Third Party Service Provider | noun | As defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, a service provider is a business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. There are many types of businesses that could fall into the category of “service provider,” dependent on the services provided. Most commonly, a TPSP could be a legally separate entity; but it can also be a separate business unit or component of the entity under assessment—for example, an internal service provider—where the provider is outside the direct management control of the entity assessed. | Organization, Regulated, PCI | May 9, 2026
Third-party service provider (ACH) | noun | A third party, other than the ODFI or RDFI, that performs any function on behalf of the ODFI or the RDFI related to ACH processing. These functions would include the creation and sending of ACH files or acting as a sending or receiving point on behalf of a participating depository financial institution. | Organization, Regulated, PCI | May 12, 2026
Time-Compliance Date | noun | Date by which a mandatory modification to a COMSEC end-item must be incorporated if the item is to remain approved for operational use. | Requirement, Regulated, CUI | May 9, 2026
TOE Security Functions | noun | Set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TOE Security Policy (TSP). | Capability, Regulated, CUI | May 9, 2026
Tracking Cookie | noun | A cookie placed on a user’s computer to track the user’s activity on different Web sites, creating a detailed profile of the user’s behavior. | Data, Regulated, PII | May 9, 2026
Tradecraft Identity | noun | An identity used for the purpose of work-related interactions that may or may not be synonymous with an individual’s true identity. | Identity, Restricted, CUI | May 9, 2026
Traditional INFOSEC Program | noun | Program in which NSA acts as the central procurement agency for the development and, in some cases, the production of INFOSEC items. This includes the Authorized Vendor Program. Modifications to the INFOSEC end-items used in products developed and/or produced under these programs must be approved by NSA. | Process, Regulated, CUI | May 9, 2026
Traffic Encryption Key | noun | Key used to encrypt plain text or to superencrypt previously encrypted text and/or to decrypt cipher text. | Credential, Restricted, CUI | May 12, 2026
Training Effectiveness Evaluation | noun | Information collected to assist employees and their supervisors in assessing individual students’ subsequent on-the-job performance, to provide trend data to assist trainers in improving both learning and teaching, and to be used in return-on-investment statistics to enable responsible officials to allocate limited resources in a thoughtful, strategic manner among the spectrum of IT security awareness, security literacy, training, and education options for optimal results among the workforce as a whole. | Metric, Internal, PII | May 12, 2026
transient cyber asset | noun | A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes. | System, Regulated, CUI | May 9, 2026
Transmission Security | noun | Measures (security controls) applied to transmissions in order to prevent interception, disruption of reception, communications deception, and/or derivation of intelligence by analysis of transmission characteristics such as signal parameters or message externals. Note: TRANSEC is that field of COMSEC which deals with the security of communication transmissions, rather than that of the information being communicated. | Control, Regulated, CUI | May 9, 2026
Trap Door | noun | 1. A means of reading cryptographically protected information by the use of private knowledge of weaknesses in the cryptographic algorithm used to protect the data. 2. In cryptography, one-to-one function that is easy to compute in one direction, yet believed to be difficult to invert without special information. | Vulnerability, Regulated, CUI | May 12, 2026
Truncating bank (Check 21) | noun | The financial institution that truncates the original check. If a person other than a financial institution truncates the original check, the truncating bank is the first financial institution that transfers, presents, or returns, in lieu of such original check, a substitute check or, by agreement with the recipient, information relating to the original check (including data taken from the MICR line of the original check or an electronic image of the original check), whether with or without the subsequent delivery of the original check. | Organization, Regulated, PCI | May 9, 2026
Trusted Agent | noun | Entity authorized to act as a representative of an agency in confirming Subscriber identification during the registration process. Trusted Agents do not have automated interfaces with Certification Authorities. | Role, Restricted, CUI | May 9, 2026
Trusted Computer System | noun | A system that employs sufficient hardware and software assurance measures to allow its use for processing simultaneously a range of sensitive or classified information. | System, Regulated, CUI | May 9, 2026
Trusted Distribution | noun | Method for distributing trusted computing base (TCB) hardware, software, and firmware components that protects the TCB from modification during distribution. | Process, Regulated, CUI | May 9, 2026
Trusted Foundry | noun | Facility that produces integrated circuits with a higher level of integrity assurance. | Physical, Regulated, CDI | May 9, 2026
Trusted Identification Forwarding | noun | Identification method used in information system networks whereby the sending host can verify an authorized user on its system is attempting a connection to another host. The sending host transmits the required user authentication information to the receiving host. | Control, Regulated, CUI | May 12, 2026
TSEC | noun | Telecommunications Security. | Framework, Regulated, CUI | May 9, 2026
TSEC Nomenclature | noun | System for identifying the type and purpose of certain items of COMSEC material. | Framework, Restricted, CUI | May 9, 2026
Two-Person Control | noun | Continuous surveillance and control of positive control material at all times by a minimum of two authorized individuals, each capable of detecting incorrect and unauthorized procedures with respect to the task being performed and each familiar with established security and safety requirements. | Control, Regulated, CUI | May 12, 2026
Two-Person Integrity | noun | System of storage and handling designed to prohibit individual access by requiring the presence of at least two authorized individuals, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. See No-Lone Zone. | Control, Regulated, CUI | May 9, 2026
Type 1 Key | noun | Generated and distributed under the auspices of NSA for use in a cryptographic device for the protection of national security information. | Credential, Regulated, CUI | May 9, 2026
Type 1 Product | noun | Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring the most stringent protection mechanisms. | Physical, Regulated, CUI | May 9, 2026
Type 2 Key | noun | Generated and distributed under the auspices of NSA for use in a cryptographic device for the protection of unclassified information. | Credential, Regulated, CUI | May 9, 2026
Type 2 Product | noun | Cryptographic equipment, assembly, or component certified by NSA for encrypting or decrypting sensitive information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring protection mechanisms exceeding best commercial practices including systems used for the protection of unclassified information. | Physical, Regulated, CUI | May 9, 2026
Type 3 KeynounUsed in a cryptographic device for the protection of unclassified sensitive information, even if used in a Type 1 or Type 2 product.CredentialRegulatedCUIMay 9, 2026
Type 3 ProductnounUnclassified cryptographic equipment, assembly, or component used, when appropriately keyed, for encrypting or decrypting unclassified sensitive U.S. government or commercial information, and to protect systems requiring protection mechanisms consistent with standard commercial practices. Developed using established commercial standards and containing NIST-approved cryptographic algorithms/modules or successfully evaluated by the National Information Assurance Partnership (NIAP).PhysicalRegulatedCUIMay 9, 2026
Type 4 KeynounUsed by a cryptographic device in support of its Type 4 functionality, i.e., any provision of key that lacks U.S. government endorsement or oversight.CredentialRegulatedCUIMay 9, 2026
Type 4 ProductnounUnevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any government usage. These products are typically delivered as part of commercial offerings and are commensurate with the vendor’s commercial practices. These products may contain either vendor proprietary algorithms, algorithms registered by NIST, or algorithms registered by NIST and published in a FIPS.ArtifactRegulatedCUIMay 9, 2026
Type CertificationnounThe certification acceptance of replica information systems based on the comprehensive evaluation of the technical and nontechnical security features of an information system and other safeguards, made as part of and in support of the formal approval process, to establish the extent to which a particular design and implementation meet a specified set of security requirements.ProcessRegulatedCUIMay 9, 2026
U.S. PersonnounFederal law and Executive Order define a U.S. Person as: a citizen of the United States; an alien lawfully admitted for permanent residence; an unincorporated association with a substantial number of members who are citizens of the U.S. or are aliens lawfully admitted for permanent residence; and/or a corporation that is incorporated in the U.S.IdentityRegulatedPIIMay 9, 2026
U.S.-Controlled FacilitynounBase or building to which access is physically controlled by U.S. individuals who are authorized U.S. government or U.S. government contractor employees.PhysicalRegulatedCUIMay 9, 2026
U.S.-Controlled SpacenounRoom or floor within a facility that is not a U.S.-controlled facility, access to which is physically controlled by U.S. individuals who are authorized U.S. government or U.S. government contractor employees. Keys or combinations to locks controlling entrance to U.S.-controlled spaces must be under the exclusive control of U.S. individuals who are U.S. government or U.S. government contractor employees.PhysicalRegulatedCUIMay 9, 2026
UnclassifiednounInformation that has not been determined pursuant to E.O. 12958, as amended, or any predecessor order, to require protection against unauthorized disclosure and that is not designated as classified.RequirementRegulatedCUIMay 9, 2026
United States Government Configuration BaselinenounThe United States Government Configuration Baseline (USGCB) provides security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security.FrameworkRegulatedCUIMay 9, 2026
unposted suspense itemnounA transaction that has not yet been processed, but may affect the amount of credit available.ArtifactRegulatedPCIMay 12, 2026
USA Patriot ActnounThe USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Public Law Pub.L. 107-56), commonly known as the "Patriot Act", was enacted by Congress to deter and punish terrorist acts in the United States and around the world by enhancing the law enforcement investigatory tools of both domestic law enforcement and foreign intelligence agencies.RequirementRegulatedCUIMay 12, 2026
User IDnounUnique symbol or character string used by an information system to identify a specific user.IdentityRegulatedPIIMay 12, 2026
User IdentificationnounThe process, control, or information by which a user identifies himself or herself to the system as a valid user (as opposed to authentication).ProcessRegulatedPIIMay 12, 2026
User InitializationnounA function in the life cycle of keying material; the process whereby a user initializes its cryptographic application (e.g., installing and initializing software and hardware).ProcessRegulatedCUIMay 9, 2026
User Partnership ProgramnounPartnership between the NSA and a U.S. government agency to facilitate development of secure information system equipment incorporating NSA-approved cryptography. The result of this program is the authorization of the product or system to safeguard national security information in the user’s specific application.ProcessRegulatedCUIMay 9, 2026
User RepresentativenounIndividual authorized by an organization to order COMSEC keying material and interface with the keying system, provide information to key users, and ensure the correct type of key is ordered.RoleRegulatedCUIMay 9, 2026
Verified NamenounA Subscriber name that has been verified by identity proofing.DataRestrictedPIIMay 9, 2026
visitor lognounA paper or electronic record of any non-employee entering a facility, construction site, structure or website.ArtifactRegulatedCUIMay 9, 2026
visitor's namenounThe given name of an individual who is visiting.DataRegulatedPIIMay 9, 2026
Warehouse attacknounThe compromise of systems that store authenticators.ThreatRegulatedCUIMay 9, 2026
Web BugnounMalicious code, invisible to a user, placed on Web sites in such a way that it allows third parties to track use of Web servers and collect information about the user, including IP address, host name, browser type and version, operating system name and version, and Web browser cookie.ThreatRegulatedPIIMay 9, 2026
WEB SEC codenounAn ACH debit entry initiated by an originator resulting from the receiver's authorization through the Internet to make a transfer of funds from a consumer account of the receiver.ArtifactRegulatedPIIMay 9, 2026
Well-know portsnounWell-known ports--0 through 1023: Controlled and assigned by the Internet Assigned Numbers Authority (IANA), and on most systems can be used only by system (or root) processes or by programs executed by privileged users. The assigned ports use the first portion of the possible port numbers. Initially, these assigned ports were in the range 0-255. Currently, the range for assigned ports managed by the IANA has been expanded to the range 0-1023.NetworkPublicInfoMay 12, 2026
wire servicernounA financial institution that offers electronic funds transfer serviceOrganizationRegulatedPCIMay 12, 2026
Workcraft IdentitynounSynonymous with Tradecraft Identity.IdentityRestrictedCUIMay 9, 2026
ZeroizationnounA method of erasing electronically stored data, cryptographic keys, and Credentials Service Providers (CSPs) by altering or deleting the contents of the data storage to prevent recovery of the data.ControlRegulatedCUIMay 9, 2026
Zone Of ControlnounThree-dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists.PhysicalRestrictedCUIMay 9, 2026