Browse — Information Class · CUI
427 terms
TermTypeDefinitionClassificationsUpdated
access lognounA log that lists who has been permitted to physically or logically gain access.ArtifactRegulatedCUI
Account Balancing Monitoring System (ABMS)nounThe Federal Reserve's computing system providing reserve account information to the Federal Reserve Banks and depository institutions on an intraday basis. ABMS serves both as an informational source and a monitoring tool. This information includes opening balances, funds and securities transfers, accounting activity, and depository institutions cap and collateral limits.SystemRegulatedCUI
Accounting Legend CodenounNumeric code used to indicate the minimum accounting controls required for items of accountable communications security (COMSEC) material within the COMSEC Material Control System.RequirementRegulatedCUI
Accreditation PackagenounProduct comprised of a System Security Plan (SSP) and a report documenting the basis for the accreditation decision.ArtifactRegulatedCUI
action plannounSteps that must be taken, or activities that must be performed well, for a strategy to succeed. An action plan has three major elements: (1) Specific tasks: what will be done and by whom. (2) Time horizon: when will it be done. (3) Resource allocation: what specific funds are available for specific activities.ArtifactCUI
actionable intelligencenounInformation that can be acted upon to address, prevent or mitigate a cyber threat. The sum of an information system’s characteristics in the broad categories (software, hardware, network, processes and human) which allows an attacker to probe, enter, attack or maintain a presence in the system and potentially cause damage to an FMI. A smaller attack surface means that the FMI is less exploitable and an attack less likely.CapabilityRestrictedCUI
Activation DatanounPrivate data, other than keys, that are required to access cryptographic modules.DataRegulatedCUI
Advanced Key ProcessornounA cryptographic device that performs all cryptographic functions for a management client node and contains the interfaces to 1) exchange information with a client platform, 2) interact with fill devices, and 3) connect a client platform securely to the primary services node (PRSN).PhysicalRegulatedCUI
AgencynounAny executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: 1) the Government Accountability Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or 4) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.OrganizationRegulatedCUI
Agency Certification AuthoritynounA CA that acts on behalf of an agency and is under the operational control of an agency.CapabilityRegulatedCUI
All Source IntelligencenounIn the NICE Workforce Framework, cybersecurity work where a person: Analyzes threat information from multiple sources, disciplines, and agencies across the Intelligence Community. Synthesizes and places intelligence information in context; draws insights about the possible implications.CapabilityRestrictedCUI
Anti-jamnounCountermeasures ensuring that transmitted information can be received despite deliberate jamming attempts.ControlRegulatedCUI
Approval to OperatenounThe official management decision issued by a DAA or PAA to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.ArtifactRegulatedCUI
Approved Mode of OperationnounA mode of the cryptographic module that employs only Approved security functions (not to be confused with a specific mode of an Approved security function, e.g., Data Encryption Standard Cipher-Block Chaining (DES CBC) mode).ControlRegulatedCUI
Assessment FindingsnounAssessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.FindingRestrictedCUI
Asset Reporting FormatnounSCAP data model for expressing the transport format of information about assets (components) and the relationships between assets and reports.ArtifactRegulatedCUI
Assured Information SharingnounThe ability to confidently share information with those who need it, when and where they need it, as determined by operational need and an acceptable level of security risk.CapabilityRegulatedCUI
Attribute AuthoritynounAn entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable agency body as having the authority to verify the association of attributes to an identity.OrganizationRegulatedCUI
Audit Log eventnounAny of the various triggering actions that cause an application to write a new entry into the log.ArtifactRegulatedCUI
audit recordnounAn individual entry in an audit log related to an audited event.ArtifactRegulatedCUI
Audit ReviewnounThe assessment of an information system to evaluate the adequacy of implemented security controls, assure that they are functioning properly, identify vulnerabilities, and assist in implementation of new security controls where required. This assessment is conducted annually or whenever significant change has occurred and may lead to recertification of the information system.ProcessRegulatedCUI
Authentication PeriodnounThe maximum acceptable period between any initial authentication process and subsequent reauthentication processes during a single terminal session or during the period data is being accessed.RequirementRegulatedCUI
authorization recordnounA document or identifier which provides evidence of authorization.ArtifactRegulatedCUI
Authorization to operatenounThe official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.ArtifactRegulatedCUI
Automatic Remote RekeyingnounProcedure to rekey a distant crypto-equipment electronically without specific actions by the receiving terminal operator. See Manual Remote Rekeying.ProcessRegulatedCUI
BLACKnounDesignation applied to encrypted information and the information systems, the associated areas, circuits, components, and equipment processing that information. See also RED.CapabilityRestrictedCUI
Black CorenounA communication network architecture in which user data traversing a global Internet Protocol (IP) network is end-to-end encrypted at the IP layer. Related to striped core.NetworkRegulatedCUI
Body of EvidencenounThe set of data that documents the information system’s adherence to the security controls applied. The BoE will include a Requirements Verification Traceability Matrix (RVTM) delineating where the selected security controls are met and evidence to that fact can be found. The BoE content required by an Authorizing Official will be adjusted according to the impact levels selected.ArtifactRegulatedCUI
Bulk Electric System Cyber SystemnounOne or more Bulk Electric System (BES) Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.SystemRegulatedCUI
Bulk Electric System Cyber System InformationnounInformation about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. BES Cyber System Information does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems, such as, but not limited to, device names, individual IP addresses without context, ESP names, or policy statements. Examples of BES Cyber System Information may include, but are not limited to, security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems that is not publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of the BES Cyber System.DataRegulatedCUI
CanisternounType of protective package used to contain and dispense keying material in punched or printed tape form.PhysicalRegulatedCUI
CardholdernounAn individual possessing an issued Personal Identity Verification (PIV) card.IdentityRegulatedCUI
CascadingnounDownward flow of information through a range of security levels greater than the accreditation range of a system, network, or component.EventRegulatedCUI
CategorynounRestrictive label applied to classified or unclassified information to limit access.RequirementRegulatedCUI
Central Office of RecordnounOffice of a federal department or agency that keeps records of accountable COMSEC material held by elements subject to its oversightOrganizationRegulatedCUI
Central Services NodenounThe Key Management Infrastructure core node that provides central security management and data management services.SystemRestrictedCUI
Certification authoritynoun1. For Certification and Accreditation (C&A) (C&A Assessment): Official responsible for performing the comprehensive evaluation of the security features of an information system and determining the degree to which it meets its security requirements 2. For Public Key Infrastructure (PKI): A trusted third party that issues digital certificates and verifies the identity of the holder of the digital certificate.OrganizationRegulatedCUI
Certification PackagenounProduct of the certification effort documenting the detailed results of the certification activities.ArtifactRegulatedCUI
Certified TEMPEST Technical AuthoritynounAn experienced, technically qualified U.S. government employee who has met established certification requirements in accordance with CNSS-approved criteria and has been appointed by a U.S. government department or agency to fulfill CTTA responsibilities.RoleRegulatedCUI
Chain of EvidencenounA process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The “sequencing” of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner.ProcessRegulatedCUI
Check WordnounCipher text generated by cryptographic logic to detect failures in cryptography.ControlRegulatedCUI
CIP exceptional circumstancenounA situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or Bulk Electric System (BES) reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.RequirementRegulatedCUI
CIP Senior ManagernounA single senior management official with overall authority and responsibility for leading and managing implementation of and continuing adherence to the requirements within the NERC CIP Standards, CIP-002 through CIP-011.RoleRegulatedCUI
Classified InformationnounInformation that has been determined: (i) pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor Order, to be classified national security information; or (ii) pursuant to the Atomic Energy Act of 1954, as amended, to be Restricted Data (RD).DataRestrictedCUI
Classified Information SpillagenounSecurity incident that occurs whenever classified data is spilled either onto an unclassified information system or to an information system with a lower level of classification.EventRegulatedCUI
Classified National Security InformationnounInformation that has been determined pursuant to Executive Order 13526 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.DataRegulatedCUI
ClearancenounFormal certification of authorization to have access to classified information other than that protected in a special access program (including SCI). Clearances are of three types: confidential, secret, and top secret. A top secret clearance permits access to top secret, secret, and confidential material; a secret clearance, to secret and confidential material; and a confidential clearance, to confidential material.CredentialRegulatedCUI
ClearingnounRemoval of data from an information system, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., through the keyboard); however, the data may be reconstructed using laboratory methods.ProcessRegulatedCUI
Closed Security EnvironmentnounEnvironment providing sufficient assurance that applications and equipment are protected against the introduction of malicious logic during an information system life cycle. Closed security is based upon a system's developers, operators, and maintenance personnel having sufficient clearances, authorization, and configuration control.SystemRegulatedCUI
Closed StoragenounStorage of classified information within an accredited facility, in General Services Administration-approved secure containers, while the facility is unoccupied by authorized personnel.ControlRegulatedCUI
Code BooknounDocument containing plain text and code equivalents in a systematic arrangement, or a technique of machine encryption using a word substitution technique.ArtifactRestrictedCUI
Code GroupnounGroup of letters, numbers, or both in a code system used to represent a plain text word, phrase, or sentence.DataRegulatedCUI
Commercial COMSEC Evaluation ProgramnounRelationship between NSA and industry in which NSA provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product. Products developed under the CCEP may include modules, subsystems, equipment, systems, and ancillary devices.ProcessRegulatedCUI
Common Access CardnounStandard identification/smart card issued by the Department of Defense that has an embedded integrated chip storing public key infrastructure (PKI) certificates.CredentialRegulatedCUI
Compliance Enforcement AuthoritynounThe North American Electric Reliability Corporation (NERC) or the Regional Entity in their respective roles of monitoring and enforcing compliance with the NERC Reliability Standards.OrganizationRegulatedCUI
Compromising EmanationsnounUnintentional signals that, if intercepted and analyzed, would disclose the information transmitted, received, handled, or otherwise processed by information systems equipment. See TEMPEST.VulnerabilityRegulatedCUI
Computer Network AttacknounActions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.ThreatRegulatedCUI
Computer Network ExploitationnounEnabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary information systems or networks.ThreatRegulatedCUI
Computer Network OperationsnounComprised of computer network attack, computer network defense, and related computer network exploitation enabling operations.CapabilityRestrictedCUI
COMSEC AccountnounAdministrative entity, identified by an account number, used to maintain accountability, custody, and control of COMSEC material.IdentityRegulatedCUI
COMSEC Account AuditnounExamination of the holdings, records, and procedures of a COMSEC account ensuring all accountable COMSEC material is properly handled and safeguarded.ProcessRegulatedCUI
COMSEC AidnounCOMSEC material that assists in securing telecommunications and is required in the production, operation, or maintenance of COMSEC systems and their components. COMSEC keying material, callsign/frequency systems, and supporting documentation, such as operating and maintenance manuals, are examples of COMSEC aids.DataRegulatedCUI
COMSEC AssemblynounGroup of parts, elements, subassemblies, or circuits that are removable items of COMSEC equipment.PhysicalRegulatedCUI
COMSEC BoundarynounDefinable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation, handling, and storage.ControlRegulatedCUI
COMSEC Control ProgramnounComputer instructions or routines controlling or affecting the externally performed functions of key generation, key distribution, message encryption/decryption, or authentication.ControlRegulatedCUI
COMSEC DemilitarizationnounProcess of preparing COMSEC equipment for disposal by extracting all CCI, classified, or cryptographic (CRYPTO) marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk.ProcessRegulatedCUI
COMSEC ElementnounRemovable item of COMSEC equipment, assembly, or subassembly; normally consisting of a single piece or group of replaceable parts.PhysicalRegulatedCUI
COMSEC End-itemnounEquipment or combination of components ready for use in a COMSEC application.PhysicalRegulatedCUI
COMSEC EquipmentnounEquipment designed to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and, subsequently, by reconverting such information to its original form for authorized recipients; also, equipment designed specifically to aid in, or as an essential element of, the conversion process. COMSEC equipment includes crypto-equipment, crypto-ancillary equipment, cryptographic production equipment, and authentication equipment.PhysicalRegulatedCUI
COMSEC FacilitynounAuthorized and approved space used for generating, storing, repairing, or using COMSEC material.PhysicalRegulatedCUI
COMSEC IncidentnounOccurrence that potentially jeopardizes the security of COMSEC material or the secure electrical transmission of national security information or information governed by 10 U.S.C. Section 2315.EventRegulatedCUI
COMSEC InsecuritynounCOMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information.EventRegulatedCUI
COMSEC MaterialnounItem designed to secure or authenticate telecommunications. COMSEC material includes, but is not limited to key, equipment, devices, documents, firmware, or software that embodies or describes cryptographic logic and other items that perform COMSEC functions.DataRegulatedCUI
COMSEC Material Control SystemnounLogistics and accounting system through which COMSEC material marked "CRYPTO" is distributed, controlled, and safeguarded. Included are the COMSEC central offices of record, crypto logistic depots, and COMSEC accounts. COMSEC material other than key may be handled through the CMCS.SystemRegulatedCUI
COMSEC ModulenounRemovable component that performs COMSEC functions in a telecommunications equipment or system.PhysicalRegulatedCUI
COMSEC MonitoringnounAct of listening to, copying, or recording transmissions of one's own official telecommunications to analyze the degree of security.ProcessRegulatedCUI
COMSEC ProfilenounStatement of COMSEC measures and materials used to protect a given operation, system, or organization.ArtifactRegulatedCUI
COMSEC SurveynounOrganized collection of COMSEC and communications information relative to a given operation, system, or organization.ArtifactRestrictedCUI
COMSEC System DatanounInformation required by a COMSEC equipment or system to enable it to properly handle and control key.DataRegulatedCUI
COMSEC TrainingnounTeaching of skills relating to COMSEC accounting, use of COMSEC aids, or installation, use, maintenance, and repair of COMSEC equipment.ProcessRegulatedCUI
ContaminationnounType of incident involving the introduction of data of one security classification or security category into data of a lower security classification or different security category.EventRegulatedCUI
Contingency KeynounKey held for use under specific operational conditions or in support of specific contingency plans. See Reserve Keying Material.CredentialRegulatedCUI
Contingency PlannounManagement policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the Continuity of Operations Plan (COOP) or Disaster Recovery Plan for major disruptions.RequirementRestrictedCUI
Continuity of GovernmentnounA coordinated effort within the federal government's executive branch to ensure that national essential functions continue to be performed during a catastrophic emergency.ProcessRestrictedCUI
Continuous MonitoringnounThe process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) The development of a strategy to regularly evaluate selected IA controls/metrics, 2) Recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events, 3) Recording changes to IA controls, or changes that affect IA risks, and 4) Publishing the current security status to enable information-sharing decisions involving the enterprise.ProcessRegulatedCUI
Control InformationnounInformation that is entered into a cryptographic module for the purposes of directing the operation of the module.DataRestrictedCUI
Controlled Cryptographic ItemnounSecure telecommunications or information system, or associated cryptographic component, that is unclassified and handled through the COMSEC Material Control System (CMCS), an equivalent material control system, or a combination of the two that provides accountability and visibility. Such items are marked “Controlled Cryptographic Item,” or, where space is limited, “CCI”.PhysicalRegulatedCUI
Controlled Cryptographic Item AssemblynounDevice embodying a cryptographic logic or other COMSEC design that NSA has approved as a Controlled Cryptographic Item (CCI). It performs the entire COMSEC function, but depends upon the host equipment to operate.PhysicalRegulatedCUI
Controlled Cryptographic Item ComponentnounPart of a Controlled Cryptographic Item (CCI) that does not perform the entire COMSEC function but depends upon the host equipment, or assembly, to complete and operate the COMSEC function.PhysicalRegulatedCUI
Controlled Cryptographic Item EquipmentnounTelecommunications or information handling equipment that embodies a Controlled Cryptographic Item (CCI) component or CCI assembly and performs the entire COMSEC function without dependence on host equipment to operate.PhysicalRegulatedCUI
Controlled Unclassified InformationnounA categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. Henceforth, the designation CUI replaces "Sensitive But Unclassified" (SBU).RequirementRegulatedCUI
Controlling AuthoritynounOfficial responsible for directing the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet.RoleRegulatedCUI
Covert ChannelnounAn unauthorized communication path that manipulates a communications medium in an unexpected, unconventional, or unforeseen way in order to transmit information without detection by anyone other than the entities operating the covert channel.VulnerabilityRestrictedCUI
Covert Channel AnalysisnounDetermination of the extent to which the security policy model and subsequent lower-level program descriptions may allow unauthorized access to information.ProcessRestrictedCUI
Covert Storage ChannelnounCovert channel involving the direct or indirect writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels.VulnerabilityRegulatedCUI
Critical infrastructurenounSystem and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. [Critical Infrastructures Protection Act of 2001, 42 U.S.C. 5195c(e)]SystemRegulatedCUI
Critical Security ParameternounSecurity-related information (e.g., secret and private cryptographic keys, and authentication data such as passwords and Personal Identification Numbers [PINs]) whose disclosure or modification can compromise the security of a cryptographic module.DataRestrictedCUI
Cross-Domain SolutionnounA form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains.ControlRegulatedCUI
Cryptographic AlarmnounCircuit or device that detects failures or aberrations in the logic or operation of crypto-equipment. Crypto-alarm may inhibit transmission or may provide a visible and/or audible alarm.EventRegulatedCUI
Cryptographic Ancillary EquipmentnounEquipment designed specifically to facilitate efficient or reliable operation of cryptographic equipment, without performing cryptographic functions itself.PhysicalRegulatedCUI
Cryptographic ComponentnounHardware or firmware embodiment of the cryptographic logic. A cryptographic component may be a modular assembly, a printed wiring assembly, a microcircuit, or a combination of these items.PhysicalRegulatedCUI
Cryptographic Ignition KeynounDevice or electronic key used to unlock the secure mode of crypto-equipment.CredentialRegulatedCUI
Cryptographic MaterialnounCOMSEC material used to secure or authenticate information.CredentialRegulatedCUI
Cryptographic Module Validation ProgramnounValidates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography-based standards. The CMVP is a joint effort between National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the government of Canada. Products validated as conforming to FIPS 140-2 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and provide federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.CapabilityRegulatedCUI
Cryptographic ProductnounA cryptographic key (public, private, or shared) or public key certificate, used for encryption, decryption, digital signature, or signature verification; and other items, such as compromised key lists (CKL) and certificate revocation lists (CRL), obtained by trusted means from the same source which validate the authenticity of keys or certificates. Protected software which generates or regenerates keys or certificates may also be considered a cryptographic product.CredentialRestrictedCUI
Cryptographic SecuritynounComponent of COMSEC resulting from the provision of technically sound cryptographic systems and their proper use.CapabilityRegulatedCUI
Cryptographic System AnalysisnounProcess of establishing the exploitability of a cryptographic system, normally by reviewing transmitted traffic protected or secured by the system under study.ProcessRegulatedCUI
Cryptographic System ReviewnounExamination of a cryptographic system by the controlling authority ensuring its adequacy of design and content, continued need, and proper distribution.ProcessRegulatedCUI
cyber assetnounProgrammable electronic devices and communication networks including hardware, software and data.SystemRegulatedCUI
Cyber OperationsnounIn the NICE Workforce Framework, cybersecurity work where a person: Performs activities to gather evidence on criminal or foreign intelligence entities in order to mitigate possible or real-time threats, protect against espionage or insider threats, foreign sabotage, international terrorist activities, or to support other intelligence activities.CapabilityRestrictedCUI
Cyber Operations Planningnounin the NICE Workforce Framework, cybersecurity work where a person: Performs in-depth joint targeting and cyber planning process. Gathers information and develops detailed Operational Plans and Orders supporting requirements. Conducts strategic and operational-level planning across the full range of operations for integrated information and cyberspace operationsProcessRestrictedCUI
cyber system recovery plannounA step-by-step outline of the processes and procedures to be performed to bring a cyber system back to working order after an incident has occurred.ProcessRegulatedCUI
CyberespionagenounActivities conducted in the name of security, business, politics or technology to find information that ought to remain secret. It is not inherently military.ThreatRestrictedCUI
cybersecurity plannounFormal document that provides an overview of the cybersecurity requirements for an Information Technology and industrial control system and describes the cybersecurity controls in place or planned for meeting those requirements.RequirementRegulatedCUI
CyberwarfarenounActivities supported by military organizations with the purpose to threat the survival and well-being of society/foreign entityThreatRegulatedCUI
data aggregationnounCompilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary.ProcessRegulatedCUI
Data Transfer DevicenounFill device designed to securely store, transport, and transfer electronically both COMSEC and TRANSEC key, designed to be backward compatible with the previous generation of COMSEC common fill devices, and programmable to support modern mission systems.PhysicalRegulatedCUI
Dedicated ModenounInformation systems security mode of operation wherein each user, with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts, has all of the following: 1. valid security clearance for all information within the system, 2. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs), and 3. valid need-to-know for all information contained within the information system. When in the dedicated security mode, a system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time.RequirementRegulatedCUI
Default ClassificationnounClassification reflecting the highest classification being processed in an information system. Default classification is included in the caution statement affixed to an object.RequirementRegulatedCUI
DegaussnounProcedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Also called demagnetizing.ProcessRegulatedCUI
Delegated Development ProgramnounINFOSEC program in which the Director, NSA, delegates, on a case-by-case basis, the development and/or production of an entire telecommunications product, including the INFOSEC portion, to a lead department or agency.ProcessRegulatedCUI
Descriptive Top-Level SpecificationnounA natural language descriptive of a system’s security requirements, an informal design notation, or a combination of the two.RequirementRegulatedCUI
Device Distribution ProfilenounAn approval-based Access Control List (ACL) for a specific product that 1) names the user devices in a specific key management infrastructure (KMI) Operating Account (KOA) to which PRSNs distribute the product, and 2) states conditions of distribution for each device.ControlRegulatedCUI
Direct ShipmentnounShipment of COMSEC material directly from NSA to user COMSEC accounts.ProcessRegulatedCUI
disposalnounThe purpose of this task is to address the final disposition of regulated data by discarding media with no other sanitization considerations or transferring records to their final state: either destruction or transfer to an archive.ProcessRegulatedCUI
Drop AccountabilitynounProcedure under which a COMSEC account custodian initially receipts for COMSEC material, and provides no further accounting for it to its central office of record. Local accountability of the COMSEC material may continue to be required. See Accounting Legend Code.ProcessRegulatedCUI
Duplicate Digital EvidencenounA duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media.ArtifactRegulatedCUI
E-GovernmentnounThe use by the U.S. government of Web-based Internet applications and other information technology.CapabilityRegulatedCUI
Electricity Sector Information Sharing and Analysis CenternounThe Electricity Sector Information Sharing and Analysis Center (ES-ISAC) shares critical information with industry participants about infrastructure protection. The ES-ISAC serves the electricity sector by facilitating communications between electricity sector participants, federal governments, and other critical infrastructures. It is the job of the ES-ISAC to promptly disseminate threat indications, vulnerabilities, analyses, and warnings, together with interpretations, to help electricity sector participants take protective actions.OrganizationRegulatedCUI
electronic access controlnounA cyber asset that performs electronic access control of the Electronic Security Perimeter(s) or BES Cyber Systems.ControlRegulatedCUI
Electronic Access PointnounA Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.NetworkRegulatedCUI
Electronic CredentialsnounDigital documents used in authentication that bind an identity or an attribute to a subscriber's token.CredentialRestrictedCUI
Electronic Key EntrynounThe entry of cryptographic keys into a cryptographic module using electronic methods such as a smart card or a key-loading device. (The operator of the key may have no knowledge of the value of the key being entered.)ProcessRegulatedCUI
Electronic Key Management SystemnounInteroperable collection of systems being developed by services and agencies of the U.S. government to automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic key and management of other types of COMSEC material.SystemRegulatedCUI
Electronic Messaging ServicesnounServices providing interpersonal messaging capability; meeting specific functional, management, and technical requirements; and yielding a business-quality electronic mail service suitable for the conduct of official government business.CapabilityRegulatedCUI
Electronic Security PerimeternounThe logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.NetworkRegulatedCUI
Electronically Generated KeynounKey generated in a COMSEC device by introducing (either mechanically or electronically) a seed key into the device and then using the seed, together with a software algorithm stored in the device, to produce the desired key.CredentialRegulatedCUI
Emanations AnalysisnounGaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but is not intended to communicate the data.CapabilityRestrictedCUI
Emanations SecuritynounProtection resulting from measures taken to deny unauthorized individuals information derived from intercept and analysis of compromising emissions from crypto-equipment or an information system. See TEMPEST.ControlRegulatedCUI
Embedded Cryptographic SystemnounCryptosystem performing or controlling a function as an integral element of a larger system or subsystem.SystemRegulatedCUI
Encrypted KeynounA cryptographic key that has been encrypted using an Approved security function with a key encrypting key, a PIN, or a password in order to disguise the value of the underlying plaintext key.CredentialRegulatedCUI
Encryption keynounA piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertextCredentialRestrictedCUI
End Cryptographic UnitnounDevice that (1) performs cryptographic functions, (2) typically is part of a larger system for which the device provides security services, and (3) from the viewpoint of a supporting security infrastructure (e.g., a key management system), is the lowest level of identifiable component with which a management transaction can be conducted.SystemRegulatedCUI
End-Item AccountingnounAccounting for all the accountable components of a COMSEC equipment configuration by a single short title.ProcessRegulatedCUI
Executive AgencynounAn executive department specified in 5 United States Code (U.S.C.), Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.OrganizationRegulatedCUI
Exercise KeynounCryptographic key material used exclusively to safeguard communications transmitted over-the-air during military or organized civil training exercises.CredentialRegulatedCUI
Expected OutputnounAny data collected from monitoring and assessments as part of the Information Security Continuous Monitoring (ISCM) strategy.DataInternalCUI
Federal Bridge Certification AuthoritynounThe Federal Bridge Certification Authority consists of a collection of Public Key Infrastructure components (Certificate Authorities, Directories, Certificate Policies and Certificate Practice Statements) that are used to provide peer-to-peer interoperability among Agency Principal Certification Authorities.SystemRegulatedCUI
Federal Bridge Certification Authority MembranenounThe Federal Bridge Certification Authority Membrane consists of a collection of Public Key Infrastructure components including a variety of Certification Authority PKI products, Databases, CA specific Directories, Border Directory, Firewalls, Routers, Randomizers, etc.SystemRegulatedCUI
Federal Bridge Certification Authority Operational AuthoritynounThe Federal Bridge Certification Authority Operational Authority is the organization selected by the Federal Public Key Infrastructure Policy Authority to be responsible for operating the Federal Bridge Certification Authority.OrganizationRegulatedCUI
Federal Information Processing StandardnounA standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.FrameworkRegulatedCUI
Federal Information SystemnounAn information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.SystemRegulatedCUI
Fill DevicenounCOMSEC item used to transfer or store key in electronic form or to insert key into cryptographic equipment.PhysicalRegulatedCUI
FIPS PUBnounAn acronym for Federal Information Processing Standards Publication. FIPS publications (PUB) are issued by NIST after approval by the Secretary of Commerce.FrameworkRegulatedCUI
FIPS-Approved Security MethodnounA security method (e.g., cryptographic algorithm, cryptographic key generation algorithm or key distribution technique, random number generator, authentication technique, or evaluation criteria) that is either a) specified in a FIPS, or b) adopted in a FIPS.ControlRegulatedCUI
Fixed COMSEC FacilitynounCOMSEC facility located in an immobile structure or aboard a ship.PhysicalRegulatedCUI
Formal Access ApprovalnounA formalization of the security determination for authorizing access to a specific type of classified or sensitive information, based on specified access requirements, a determination of the individual’s security eligibility and a determination that the individual’s official duties require the individual be provided access to the information.ControlRegulatedCUI
Frequency HoppingnounRepeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications.ControlRegulatedCUI
Full MaintenancenounComplete diagnostic repair, modification, and overhaul of COMSEC equipment, including repair of defective assemblies by piece part replacement. See Limited Maintenance.ProcessRestrictedCUI
Global Information GridnounThe globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and National Security Systems. Non-GIG IT includes stand-alone, self-contained, or embedded IT that is not, and will not be, connected to the enterprise network.SystemRegulatedCUI
Government Emergency Telecommunications Service (GETS)nounAcronym for the Government Emergency Telecommunications Service card program. GETS cards provide emergency access and priority processing for voice communications services in emergency situations.CapabilityRegulatedCUI
Hard Copy KeynounPhysical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories (PROM).PhysicalRegulatedCUI
High Assurance GuardnounA guard that has two basic functional capabilities: a Message Guard and a Directory Guard. The Message Guard provides filter service for message traffic traversing the Guard between adjacent security domains. The Directory Guard provides filter service for directory access and updates traversing the Guard between adjacent security domains.SystemRegulatedCUI
High ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries).MetricRegulatedCUI
high impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of high.SystemRegulatedCUI
High-Impact SystemnounAn information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.SystemRegulatedCUI
IA InfrastructurenounThe underlying security framework that lies beyond an enterprise’s defined boundary, but supports its IA and IA-enabled products, its security posture and its risk management plan.SystemRegulatedCUI
Identity VerificationnounThe process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the PIV Card of system and associated with the identity being claimed.ProcessRegulatedCUI
Imitative Communications DeceptionnounIntroduction of deceptive messages or signals into an adversary's telecommunications signals. See also Communications Deception and Manipulative Communications Deception.ThreatRegulatedCUI
ImplantnounElectronic device or electronic equipment modification designed to gain unauthorized interception of information-bearing emanations.ThreatRegulatedCUI
Independent Validation AuthoritynounEntity that reviews the soundness of independent tests and system compliance with all stated security controls and risk mitigation actions. IVAs will be designated by the Authorizing Official as needed.OrganizationRegulatedCUI
Industrial Control SystnounAn information system used to control industrial processes such as manufacturing, product handling, production, and distribution or to control infrastructure assets.SystemRegulatedCUI
Industrial Control SystemnounAn information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems (SCADA) used to control geographically dispersed assets, as well as distributed control systems (DCS) and smaller control systems using programmable logic controllers to control localized processes.SystemRegulatedCUI
Information Assurance ComponentnounAn application (hardware and/or software) that provides one or more Information Assurance capabilities in support of the overall security and operational objectives of a system.CapabilityRegulatedCUI
Information Flow ControlnounProcedure to ensure that information transfers within an information system are not made in violation of the security policy.ControlRegulatedCUI
Information OperationsnounThe integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception, and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt, or usurp adversarial human and automated decision-making process, information, and information systems while protecting our own.CapabilityRegulatedCUI
Information Security Program PlannounFormal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.ArtifactRestrictedCUI
Information Security risknounThe risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. See Risk.MetricRegulatedCUI
Information Sharing Environmentnoun1. An approach that facilitates the sharing of terrorism and homeland security information; or 2. ISE in its broader application enables those in a trusted partnership to share, discover, and access controlled information.SystemRegulatedCUI
Information System Contingency PlannounManagement policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters.ProcessRegulatedCUI
Information Systems Security Equipment ModificationnounModification of any fielded hardware, firmware, software, or portion thereof, under NSA configuration control. There are three classes of modifications: mandatory (to include human safety); optional/special mission modifications; and repair actions. These classes apply to elements, subassemblies, equipment, systems, and software packages performing functions such as key generation, key distribution, message encryption, decryption, authentication, or those mechanisms necessary to satisfy security policy, labeling, identification, or accountability.ProcessRegulatedCUI
Inspectable SpacenounThree dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists. Synonymous with zone of control.PhysicalRegulatedCUI
interactive remote accessnounUser-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.ProcessRegulatedCUI
Interconnection Security AgreementnounA document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high-level roles and responsibilities in management of a cross-domain connection.RequirementRegulatedCUI
Interface Control DocumentnounTechnical document describing interface controls and identifying the authorities and responsibilities for ensuring the operation of such controls. This document is baselined during the preliminary design review and is maintained throughout the information system life cycle.ArtifactRegulatedCUI
Interim Approval to OperatenounTemporary authorization granted by a DAA for an information system to process information based on preliminary results of a security evaluation of the system. (To be replaced by ATO and POA&M)ArtifactRegulatedCUI
Interim Approval to TestnounTemporary authorization to test an information system in a specified operational information environment within the time frame and under the conditions or constraints enumerated in the written authorization.RequirementRegulatedCUI
intermediate systemnounA Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.SystemRegulatedCUI
IT Security Awareness and Training ProgramnounExplains proper rules of behavior for the use of agency information systems and information. The program communicates IT security policies and procedures that need to be followed (i.e., NSTISSD 501, NIST SP 800-50).ProcessRegulatedCUI
keynounA parameter used in conjunction with a cryptographic algorithm that determines its operation. Examples applicable to this Standard include: 1. The computation of a digital signature from data, and 2. The verification of a digital signature.CredentialRestrictedCUI
Key Distribution CenternounCOMSEC facility generating and distributing key in electronic form.SystemRegulatedCUI
Key Escrownoun1. The processes of managing (e.g., generating, storing, transferring, auditing) the two components of a cryptographic key by two key component holders. 2. A key recovery technique for storing knowledge of a cryptographic key, or parts thereof, in the custody of one or more third parties called "escrow agents," so that the key can be recovered and used in specified circumstances.ProcessRegulatedCUI
Key Escrow SystemnounA system that entrusts the two components comprising a cryptographic key (e.g., a device unique key) to two key component holders (also called "escrow agents").SystemRegulatedCUI
Key EstablishmentnounThe process by which cryptographic keys are securely established among cryptographic modules using manual transport methods (e.g., key loaders), automated methods (e.g., key transport and/or key agreement protocols), or a combination of automated and manual methods (consists of key transport plus key agreement).ProcessRestrictedCUI
Key Generation MaterialnounRandom numbers, pseudo-random numbers, and cryptographic parameters used in generating cryptographic keys.DataRegulatedCUI
Key ListnounPrinted series of key settings for a specific cryptonet. Key lists may be produced in list, pad, or printed tape format.ArtifactRegulatedCUI
Key LoadernounA self-contained unit that is capable of storing at least one plaintext or encrypted cryptographic key or a component of a key that can be transferred, upon request, into a cryptographic module.PhysicalRegulatedCUI
Key ManagementnounThe activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and zeroization.ProcessRegulatedCUI
Key Management InfrastructurenounAll parts – computer hardware, firmware, software, and other equipment and its documentation; facilities that house the equipment and related functions; and companion standards, policies, procedures, and doctrine that form the system that manages and supports the ordering and delivery of cryptographic material and related information products and services to users.SystemRegulatedCUI
Key Production KeynounKey used to initialize a keystream generator for the production of other electronically generated key.CredentialRestrictedCUI
Key RecoverynounMechanisms and processes that allow authorized parties to retrieve the cryptographic key used for data confidentiality.ProcessRestrictedCUI
Key StreamnounSequence of symbols (or their electrical or mechanical equivalents) produced in a machine or auto-manual cryptosystem to combine with plain text to produce cipher text, control transmission security processes, or produce key.DataRestrictedCUI
Key TagnounIdentification information associated with certain types of electronic key.ArtifactRegulatedCUI
Key TapenounPunched or magnetic tape containing key. Printed key in tape form is referred to as a key list.PhysicalRegulatedCUI
Keying MaterialnounKey, code, or authentication information in physical, electronic, or magnetic form.CredentialRestrictedCUI
Keystroke MonitoringnounThe process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.ProcessRegulatedCUI
KMI Operating AccountnounA KMI business relationship that is established 1) to manage the set of user devices that are under the control of a specific KMI customer organization, and 2) to control the distribution of KMI products to those devices.OrganizationRegulatedCUI
KMI Protected ChannelnounA KMI Communication Channel that provides 1) Information Integrity Service; 2) either Data Origin Authentication Service or Peer Entity Authentication Service, as is appropriate to the mode of communications; and 3) optionally, Information Confidentiality Service.NetworkRegulatedCUI
KMI-Aware DevicenounA user device that has a user identity for which the registration has significance across the entire KMI (i.e., the identity’s registration data is maintained in a database at the PRSN level of the system, rather than only at an MGC) and for which a product can be generated and wrapped by a PSN for distribution to the specific device.SystemRegulatedCUI
KOA AgentnounA user identity that is designated by a KOA manager to access PRSN product delivery enclaves for the purpose of retrieving wrapped products that have been ordered for user devices that are assigned to that KOA.IdentityRegulatedCUI
KOA ManagernounThe Management Role that is responsible for the operation of one or KOA’s (i.e., manages distribution of KMI products to the end cryptographic units, fill devices, and ADPs that are assigned to the manager’s KOA).RoleRegulatedCUI
Laboratory AttacknounUse of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media.ThreatRegulatedCUI
Level of ConcernnounRating assigned to an information system indicating the extent to which protection measures, techniques, and procedures must be applied. High, Medium, and Basic are identified levels of concern. A separate Level-of-Concern is assigned to each information system for confidentiality, integrity, and availability.MetricRegulatedCUI
Level of ProtectionnounExtent to which protective measures, techniques, and procedures must be applied to information systems and networks based on risk, threat, vulnerability, system interconnectivity considerations, and information assurance needs. Levels of protection are: 1. Basic: information systems and networks requiring implementation of standard minimum security countermeasures. 2. Medium: information systems and networks requiring layering of additional safeguards above the standard minimum security countermeasures. 3. High: information systems and networks requiring the most stringent protection and rigorous security countermeasures.RequirementRegulatedCUI
Limited MaintenancenounCOMSEC maintenance restricted to fault isolation, removal, and replacement of plug-in assemblies. Soldering or unsoldering usually is prohibited in limited maintenance. See Full Maintenance.ProcessRestrictedCUI
Line ConductionnounUnintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line.VulnerabilityRegulatedCUI
Local Management Device/Key ProcessornounEKMS platform providing automated management of COMSEC material and generating key for designated users.SystemRegulatedCUI
Local Registration AuthoritynounA Registration Authority with responsibility for a local community in a PKI-enabled environment.OrganizationRegulatedCUI
Log ClippingnounLog clipping is the selective removal of log entries from a system log to hide a compromise.ThreatRegulatedCUI
low impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of low, and none are assigned a potential impact value of medium or high.SystemRegulatedCUI
Low Impact Bulk Electric System Cyber System Electronic Access PointnounA Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact Bulk Electric System (BES) Cyber Systems.SystemRegulatedCUI
Low Probability of DetectionnounResult of measures used to hide or disguise intentional electromagnetic transmissions.ControlRegulatedCUI
Low Probability of InterceptnounResult of measures to prevent the intercept of intentional electromagnetic transmissions. The objective is to minimize an adversary’s capability of receiving, processing, or replaying an electronic signal.ControlRegulatedCUI
Magnetic RemanencenounMagnetic representation of residual information remaining on a magnetic medium after the medium has been cleared. See Clearing.VulnerabilityRegulatedCUI
Maintenance HooknounSpecial instructions (trapdoors) in software allowing easy maintenance and additional feature development. Since maintenance hooks frequently allow entry into the code without the usual checks, they are a serious security risk if they are not removed prior to live implementation.VulnerabilityRegulatedCUI
Major ApplicationnounAn application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.SystemRegulatedCUI
Major Information SystemnounAn information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.SystemRegulatedCUI
Management ClientnounA configuration of a client node that enables a KMI external operational manager to manage KMI products and services by either 1) accessing a PRSN, or 2) exercising locally provided capabilities. An MGC consists of a client platform and an advanced key processor (AKP).SystemRegulatedCUI
Management Security ControlsnounThe security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information systems security.ControlRestrictedCUI
Mandatory ModificationnounChange to a COMSEC end-item that NSA requires to be completed and reported by a specified date. See Optional Modification.ControlRegulatedCUI
Manipulative Communications DeceptionnounAlteration or simulation of friendly telecommunications for the purpose of deception. See Communications Deception and Imitative Communications Deception.ThreatRegulatedCUI
Manual CryptosystemnounCryptosystem in which the cryptographic processes are performed without the use of crypto-equipment or auto-manual devices.SystemRegulatedCUI
Manual Key TransportnounA non-automated means of transporting cryptographic keys by physically moving a device, document, or person containing or possessing the key or key component.ProcessRegulatedCUI
Manual Remote RekeyingnounProcedure by which a distant crypto-equipment is rekeyed electronically, with specific actions required by the receiving terminal operator. Synonymous with cooperative remote rekeying. See also Automatic Remote Keying.ProcessRegulatedCUI
Master Cryptographic Ignition KeynounKey device with electronic logic and circuits providing the capability for adding more operational CIKs to a keyset.PhysicalRegulatedCUI
medium impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of medium, and none are assigned a potential impact value of high.SystemRegulatedCUI
Memorandum of Understanding/AgreementnounA document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection.ArtifactInternalCUI
Message IndicatornounSequence of bits transmitted over a communications system for synchronizing cryptographic equipment.DataRegulatedCUI
Mission CriticalnounAny telecommunications or information system that is defined as a national security system (Federal Information Security Management Act of 2002 - FISMA) or processes any information the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency.RequirementRegulatedCUI
Mode of OperationnounDescription of the conditions under which an information system operates based on the sensitivity of information processed and the clearance levels, formal access approvals, and need-to-know of its users. Four modes of operation are authorized for processing or transmitting information: dedicated mode, system high mode, compartmented/partitioned mode, and multilevel mode.RequirementRegulatedCUI
Moderate ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in significant damage to organizational assets; 3) results in significant financial loss; or 4) results in significant harm to individuals that does not involve loss of life or serious life threatening injuries).MetricRegulatedCUI
Multi-ReleasablenounA characteristic of an information domain where access control mechanisms enforce policy-based release of information to authorized users within the information domain.RequirementRegulatedCUI
Multilevel DevicenounEquipment trusted to properly maintain and separate data of different security domains.SystemRegulatedCUI
Multilevel ModenounMode of operation wherein all the following statements are satisfied concerning the users who have direct or indirect access to the system, its peripherals, remote terminals, or remote hosts: 1) some users do not have a valid security clearance for all the information processed in the information system; 2) all users have the proper security clearance and appropriate formal access approval for that information to which they have access; and 3) all users have a valid need-to-know only for information to which they have access.ProcessRegulatedCUI
Multilevel SecuritynounConcept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization.CapabilityRegulatedCUI
Multiple Security LevelsnounCapability of an information system that is trusted to contain, and maintain separation between, resources (particularly stored data) of different security domains.CapabilityRegulatedCUI
multiple sourcesnounInformation classified based on two or more source documents, classification guides or combination of both.DataRegulatedCUI
National Security Emergency Preparedness Telecommunications ServicesnounTelecommunications services that are used to maintain a state of readiness or to respond to and manage any event or crisis (local, national, or international) that causes or could cause injury or harm to the population, damage to or loss of property, or degrade or threaten the national security or emergency preparedness posture of the United States.CapabilityRegulatedCUI
National Security InformationnounInformation that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.DataRegulatedCUI
National Security SystemnounAny information system (including any telecommunications system) used or operated by an agency or by a contractor of any agency, or other organization on behalf of an agency, the function, operation, or use of which: I. involves intelligence activities; II. involves cryptologic activities related to national security; III. Involves command and control of military forces; IV. involves equipment that is an integral part of a weapon or weapon system; or V. subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. Subparagraph (B). Does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). (Title 44 U.S. Code Section 3542, Federal Information Security Management Act of 2002.)SystemRegulatedCUI
need to knownounAn administrative action officially declaring a particular individual requires access to specified sensitive or classified information in order to perform their assigned duties.RequirementRegulatedCUI
Need To Know DeterminationnounDecision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.ProcessRegulatedCUI
network activity baselinenounEstablishing a trusted baseline document involves identifying the following: - network data points of interest - length of the baseline data collection period - methods and tools used to collect and store data Suggested network data points of interest include the following: - a list of predetermined devices a given workstation or server should communicate with - VPN usage, including access times, bandwidth and resources used, source IP addresses, and geolocation information - the known set of ports and protocols in use by the network - firewall and intrusion detection system logs - normal traffic patterns and flows.ArtifactInternalCUI
No-Lone ZonenounArea, room, or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other. See Two-Person Integrity.ControlRegulatedCUI
non-compliance informationnounInformation regarding a failure to act in accordance with applicable standards and regulations.FindingRegulatedCUI
NullnounDummy letter, letter symbol, or code group inserted into an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes.ControlRegulatedCUI
Object IdentifiernounA specialized formatted number that is registered with an internationally recognized standards organization. The unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the federal government PKI, they are used to uniquely identify each of the four policies and cryptographic algorithms supported.ArtifactRegulatedCUI
Off-CardnounRefers to data that is not stored within the PIV card or computation that is not done by the Integrated Circuit Chip (ICC) of the PIV card.DataRegulatedCUI
Official InformationnounAll information in the custody and control of a U.S. government department or agency that was acquired by U.S. government employees as a part of their official duties or because of their official status and has not been cleared for public release.DataRegulatedCUI
On-CardnounRefers to data that is stored within the PIV card or computation that is done by the ICC of the PIV card.DataRegulatedCUI
One-time TapenounPunched paper tape used to provide key streams on a one-time basis in certain machine cryptosystems.PhysicalRegulatedCUI
Open StoragenounAny storage of classified national security information outside of approved containers. This includes classified information that is resident on information systems media and outside of an approved storage container, regardless of whether or not that media is in use (i.e., unattended operations).FindingRegulatedCUI
Operational KeynounKey intended for use over-the-air for protection of operational information or for the production or secure electrical transmission of key streams.CredentialRegulatedCUI
Operational Vulnerability InformationnounInformation that describes the presence of an information vulnerability within a specific operational setting or network.VulnerabilityRegulatedCUI
Operational WaivernounAuthority for continued use of unmodified COMSEC end-items pending the completion of a mandatory modification.RequirementRegulatedCUI
Operations CodenounCode composed largely of words and phrases suitable for general communications use.ArtifactRegulatedCUI
Operations SecuritynounSystematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.ProcessRegulatedCUI
Optional ModificationnounNSA-approved modification not required for universal implementation by all holders of a COMSEC end-item. This class of modification requires all of the engineering/doctrinal control of mandatory modification but is usually not related to security, safety, TEMPEST, or reliability. See Mandatory Modification.ControlRegulatedCUI
Over-The-Air Key DistributionnounProviding electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation.ProcessRestrictedCUI
Over-The-Air Key TransfernounElectronically distributing key without changing traffic encryption key used on the secured communications path over which the transfer is accomplished.ProcessRegulatedCUI
Over-The-Air RekeyingnounChanging traffic encryption key or transmission security key in remote cryptographic equipment by sending new key directly to the remote cryptographic equipment over the communications path it secures.ProcessRegulatedCUI
Partitioned Security ModenounInformation systems security mode of operation wherein all personnel have the clearance, but not necessarily formal access approval and need-to-know, for all information handled by an information system.RequirementRegulatedCUI
Path HistoriesnounMaintaining an authenticatable record of the prior platforms visited by a mobile software agent, so that a newly visited platform can determine whether to process the agent and what resource constraints to apply.ArtifactInternalCUI
Per-Call KeynounUnique traffic encryption key generated automatically by certain secure telecommunications systems to secure single voice or data transmissions. See Cooperative Key Generation.CredentialRegulatedCUI
Perimeternoun(C&A) Encompasses all those components of the system that are to be accredited by the DAA, and excludes separately accredited systems to which the system is connected. (Authorization) Encompasses all those components of the system or network for which a Body of Evidence is provided in support of a formal approval to operate.SystemRegulatedCUI
Periods ProcessingnounThe processing of various levels of classified and unclassified information at distinctly different times. Under the concept of periods processing, the system must be purged of all information from one processing period before transitioning to the next.ProcessRegulatedCUI
PermuternounDevice used in cryptographic equipment to change the order in which the contents of a shift register are used in various nonlinear combining circuits.PhysicalRestrictedCUI
Personal Identity VerificationnounThe process of creating and using a governmentwide secure and reliable form of identification for federal employees and contractors, in support of HSPD 12, Policy for a Common Identification Standard for Federal Employees and Contractors.ProcessRegulatedCUI
Personal Identity Verification AccreditationnounThe official management decision to authorize operation of a PIV Card Issuer after determining that the Issuer’s reliability has satisfactorily been established through appropriate assessment and certification processes.ProcessRegulatedCUI
Personal Identity Verification Authorizing OfficialnounAn individual who can act on behalf of an agency to authorize the issuance of a credential to an applicant.RoleRegulatedCUI
Personal Identity Verification CardnounPhysical artifact (e.g., identity card, “smart” card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation, etc.) such that a claimed identity of the cardholder may be verified against the stored credentials by another person (human-readable and verifiable) or an automated process (computer-readable and verifiable).PhysicalRegulatedCUI
Personal Identity Verification IssuernounAn authorized identity card creator that procures FIPS-approved blank identity cards, initializes them with appropriate software and data elements for the requested identity verification and access control application, personalizes the cards with the identity credentials of the authorized subjects, and delivers the personalized card to the authorized subjects along with appropriate instructions for protection and use.OrganizationRegulatedCUI
Personal Identity Verification SponsornounAn individual who can act on behalf of a department or agency to request a PIV Card for an applicant.RoleRegulatedCUI
Physical Access Control system maintenance and testing programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to ensure continued maintenance and testing of the Physical Access Control System.ControlRegulatedCUI
physical security plannounA formal document that provides an overview of the security requirements for a physical security program and describes the security controls in place or planned for meeting those requirements.ArtifactRegulatedCUI
Plan of Action and MilestonesnounA document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.ArtifactRegulatedCUI
Portable Electronic DevicenounAny nonstationary electronic apparatus with singular or multiple capabilities of recording, storing, and/or transmitting data, voice, video, or photo images. This includes but is not limited to laptops, personal digital assistants, pocket personal computers, palmtops, MP3 players, cellular telephones, thumb drives, video cameras, and pagers.PhysicalRegulatedCUI
Positive Control MaterialnounGeneric term referring to a sealed authenticator system, permissive action link, coded switch system, positive enable system, or nuclear command and control documents, material, or devices.PhysicalRegulatedCUI
Primary Services NodenounA Key Management Infrastructure core node that provides the users’ central point of access to KMI products, services, and information.SystemRegulatedCUI
Principal Accrediting AuthoritynounSenior official with authority and responsibility for all intelligence systems within an agency.RoleRestrictedCUI
Principal Certification AuthoritynounThe Principal Certification Authority is a CA designated by an agency to interoperate with the FBCA. An agency may designate multiple Principal CAs to interoperate with the FBCA.IdentityRegulatedCUI
Privileged CommandnounA human-initiated command executed on an information system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information.ProcessRegulatedCUI
Product Source NodenounThe Key Management Infrastructure core node that provides central generation of cryptographic key material.SystemRegulatedCUI
Protected Distribution SystemnounWire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.NetworkRegulatedCUI
Protective Distribution SystemnounWire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information.SystemRegulatedCUI
Protective PackagingnounPackaging techniques for COMSEC material that discourage penetration, reveal a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use.ControlRegulatedCUI
Protective TechnologiesnounSpecial tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material.ControlRegulatedCUI
QuadrantnounShort name referring to technology that provides tamper-resistant protection to cryptographic equipment.PhysicalRegulatedCUI
Records ManagementnounThe process for tagging information for records-keeping requirements as mandated in the Federal Records Act and the National Archival and Records Requirements.ProcessRegulatedCUI
Recovery ProceduresnounActions necessary to restore data files of an information system and computational capability after a system failure.ProcessRegulatedCUI
REDnounIn cryptographic systems, refers to information or messages that contain sensitive or classified information that is not encrypted. See also BLACK.DataRegulatedCUI
Red SignalnounAny electronic emission (e.g., plain text, key, key stream, subkey stream, initial fill, or control signal) that would divulge national security information if recovered.VulnerabilityRegulatedCUI
Red/Black ConceptnounSeparation of electrical and electronic circuits, components, equipment, and systems that handle unencrypted information (Red), in electrical form, from those that handle encrypted information (Black) in the same form.ControlRegulatedCUI
Release PrefixnounPrefix appended to the short title of U.S.-produced keying material to indicate its foreign releasability. "A" designates material that is releasable to specific allied nations, and "U.S." designates material intended exclusively for U. S. use.ArtifactRegulatedCUI
RemanencenounResidual information remaining on storage media after clearing. See Magnetic Remanence and Clearing.VulnerabilityRegulatedCUI
Remote RekeyingnounProcedure by which a distant crypto-equipment is rekeyed electrically. See Automatic Remote Rekeying and Manual Remote Rekeying.ProcessRegulatedCUI
Repair ActionnounNSA-approved change to a COMSEC end-item that does not affect the original characteristics of the end-item and is provided for optional application by holders. Repair actions are limited to minor electrical and/or mechanical improvements to enhance operation, maintenance, or reliability. They do not require an identification label, marking, or control but must be fully documented by changes to the maintenance manual.ControlRegulatedCUI
reportable cyber incidentnounA Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity.EventRegulatedCUI
Reserve Keying MaterialnounKey held to satisfy unplanned needs. See Contingency Key.CredentialRegulatedCUI
ResiduenounData left in storage after information-processing operations are complete, but before degaussing or overwriting has taken place.DataRegulatedCUI
Restricted DatanounAll data concerning (i) design, manufacture, or utilization of atomic weapons; (ii) the production of special nuclear material; or (iii) the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to Section 142 [of the Atomic Energy Act of 1954].DataRestrictedCUI
Risk Mitigation PlannounThis record contains detailed proposals intended to reduce the risks to a critical asset, typically including actions or countermeasures designed to counter the threats to assets.ControlRegulatedCUI
Safeguarding StatementnounStatement affixed to a computer output or printout that states the highest classification being processed at the time the product was produced and requires control of the product, at that level, until determination of the true classification by an authorized individual. Synonymous with banner.ArtifactRegulatedCUI
Scoping GuidancenounA part of tailoring guidance providing organizations with specific policy/regulatory-related, technology-related, system component allocation-related, operational/environmental-related, physical infrastructure-related, public access-related, scalability-related, common control-related, and security objective-related considerations on the applicability and implementation of individual security controls in the security control baseline.RequirementRegulatedCUI
secret keynounA cryptographic key that is used with a secret-key (symmetric) cryptographic algorithm that is uniquely associated with one or more entities and is not made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.CredentialRestrictedCUI
Secret SeednounA secret value used to initialize a pseudorandom number generator.CredentialRestrictedCUI
Secure CommunicationsnounTelecommunications deriving security through use of NSA-approved products and/or Protected Distribution Systems.CapabilityRegulatedCUI
Security AttributenounAn abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information; typically associated with internal data structures (e.g., records, buffers, files) within the information system which are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.DataRegulatedCUI
Security Awareness programnounThe documented plan and documented activities to create well-informed interest in being free from danger or threat.ProcessRegulatedCUI
Security BannernounA banner at the top or bottom of a computer screen that states the overall classification of the system in large, bold type. Also can refer to the opening screen that informs users of the security implications of accessing a computer resource.ControlRegulatedCUI
Security CategorizationnounThe process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems.ProcessRegulatedCUI
Security Concept of OperationsnounA security-focused description of an information system, its operational policies, classes of users, interactions between the system and its users, and the system’s contribution to the operational mission.ArtifactRestrictedCUI
Security Control AssessmentnounThe testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.ControlRegulatedCUI
Security Controls BaselinenounThe set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.RequirementRegulatedCUI
Security Event LognounThis record contains records of any security-related and auditing-related events.EventRegulatedCUI
Security MarkingnounHuman-readable information affixed to information system components, removable media, or output indicating the distribution limitations, handling caveats, and applicable security markings.ArtifactRegulatedCUI
Security Net Control StationnounManagement system overseeing and controlling implementation of network security policy.SystemRegulatedCUI
Security Program PlannounFormal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management security controls and common security controls in place or planned for meeting those requirements.ArtifactRestrictedCUI
Security RangenounHighest and lowest security levels that are permitted in or on an information system, system component, subsystem, or network.RequirementRegulatedCUI
Security Requirements Traceability MatrixnounMatrix that captures all security requirements linked to potential risks and addresses all applicable C&A requirements. It is, therefore, a correlation statement of a system’s security features and compliance methods for each security requirement.ArtifactRegulatedCUI
Security TagnounInformation unit containing a representation of certain security-related information (e.g., a restrictive attribute bit map).DataRegulatedCUI
Security Test & EvaluationnounExamination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.ProcessRegulatedCUI
Security-Relevant InformationnounAny information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data.DataRestrictedCUI
Sensitive Compartmented InformationnounClassified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence.DataRegulatedCUI
Sensitive Compartmented Information FacilitynounAccredited area, room, or group of rooms, buildings, or installation where SCI may be stored, used, discussed, and/or processed.PhysicalRegulatedCUI
sensitive datanounInformation whose loss, misuse, unauthorized access to, modification, or destruction, could adversely affect the national interest or the conduct of federal programs, or privacy to which individuals are entitled, but which has not been specifically authorized to be kept secret in the interest of national defense or foreign policy, etc.DataRegulatedCUI
Sensitive InformationnounInformation, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (Systems that are not national security systems, but contain sensitive information, are to be protected in accordance with the requirements of the Computer Security Act of 1987 [P.L.100-235].)DataRegulatedCUI
Sensitivity LabelnounInformation representing elements of the security label(s) of a subject and an object. Sensitivity labels are used by the trusted computing base (TCB) as the basis for mandatory access control decisions. See Security Label.DataRegulatedCUI
shared accountnounA single local account created for a group, with one user name and one password.IdentityRegulatedCUI
Shielded EnclosurenounRoom or container designed to attenuate electromagnetic radiation, acoustic signals, or emanations.PhysicalRegulatedCUI
Short TitlenounIdentifying combination of letters and numbers assigned to certain COMSEC materials to facilitate handling, accounting, and controlling.ArtifactRegulatedCUI
Single Point KeyingnounMeans of distributing key to multiple, local crypto equipment or devices from a single fill point.ProcessRegulatedCUI
Special Access ProgramnounA program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.ProcessRegulatedCUI
SpillagenounSecurity incident that results in the transfer of classified or CUI information onto an information system not accredited (i.e., authorized) for the appropriate security level.EventRegulatedCUI
Split Knowledgenoun1. Separation of data or information into two or more parts, each part constantly kept under control of separate authorized individuals or teams so that no one individual or team will know the whole data. 2. A process by which a cryptographic key is split into multiple key components, individually sharing no knowledge of the original key, which can be subsequently input into, or output from, a cryptographic module by separate entities and combined to recreate the original cryptographic key.ControlRegulatedCUI
Start-Up KEKnounKey-encryption-key held in common by a group of potential communicating entities and used to establish ad hoc tactical networks.CredentialRegulatedCUI
Striped CorenounA network architecture in which user data traversing a core IP network is decrypted, filtered and re-encrypted one or more times. Note: The decryption, filtering, and re-encryption are performed within a “Red gateway”; consequently, the core is “striped” because the data path is alternately Black, Red, and Black.NetworkRegulatedCUI
Subject Security LevelnounSensitivity label(s) of the objects to which the subject has both read and write access. Security level of a subject must always be dominated by the clearance level of the user associated with the subject.IdentityRegulatedCUI
Subordinate Certification AuthoritynounIn a hierarchical PKI, a Certification Authority whose certificate signature key is certified by another CA, and whose activities are constrained by that other CA.SystemRegulatedCUI
Suite AnounA specific set of classified cryptographic algorithms used for the protection of some categories of restricted mission-critical information.RequirementRegulatedCUI
Suite BnounA specific set of cryptographic algorithms suitable for protecting national security systems and information throughout the U.S. government and to support interoperability with allies and coalition partners.RequirementRegulatedCUI
SuperencryptionnounProcess of encrypting encrypted information. Occurs when a message, encrypted off-line, is transmitted over a secured, online circuit, or when information encrypted by the originator is multiplexed onto a communications trunk, which is then bulk encrypted.ProcessRegulatedCUI
Superior Certification AuthoritynounIn a hierarchical PKI, a Certification Authority who has certified the certificate signature key of another CA, and who constrains the activities of that CA.SystemRestrictedCUI
SupersessionnounScheduled or unscheduled replacement of COMSEC material with a different edition.ProcessRegulatedCUI
Supervisory control and data acquisitionnounA generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (delays, data integrity, etc.) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated.SystemRegulatedCUI
Supply Chain AttacknounAttacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.ThreatRegulatedCUI
Suppression MeasurenounAction, procedure, modification, or device that reduces the level of, or inhibits the generation of, compromising emanations in an information system.ControlRegulatedCUI
symmetric keynounA cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt and decrypt, or create a message authentication code and to verify the code.CredentialRestrictedCUI
System High ModenounInformation systems security mode of operation wherein each user, with direct or indirect access to the information system, its peripherals, remote terminals, or remote hosts, has all of the following: a. valid security clearance for all information within an information system; b. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments and/or special access programs); and c. valid need-to-know for some of the information contained within the information system.ProcessRegulatedCUI
System IndicatornounSymbol or group of symbols in an off-line encrypted message identifying the specific cryptosystem or key used in the encryption.DataRegulatedCUI
System ProfilenounDetailed security description of the physical structure, equipment component, location, relationships, and general operating environment of an information system.ArtifactRegulatedCUI
TEMPEST ZonenounDesignated area within a facility where equipment with appropriate TEMPEST characteristics (TEMPEST zone assignment) may be operated.PhysicalRegulatedCUI
Time-Compliance DatenounDate by which a mandatory modification to a COMSEC end-item must be incorporated if the item is to remain approved for operational use.RequirementRegulatedCUI
TOE Security FunctionsnounSet consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TOE Security Policy (TSP).CapabilityRegulatedCUI
Tradecraft IdentitynounAn identity used for the purpose of work-related interactions that may or may not be synonymous with an individual’s true identity.IdentityRestrictedCUI
Traditional INFOSEC ProgramnounProgram in which NSA acts as the central procurement agency for the development and, in some cases, the production of INFOSEC items. This includes the Authorized Vendor Program. Modifications to the INFOSEC end-items used in products developed and/or produced under these programs must be approved by NSA.ProcessRegulatedCUI
Traffic Encryption KeynounKey used to encrypt plain text or to superencrypt previously encrypted text and/or to decrypt cipher text.CredentialRestrictedCUI
transient cyber assetnounA Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.SystemRegulatedCUI
Transmission SecuritynounMeasures (security controls) applied to transmissions in order to prevent interception, disruption of reception, communications deception, and/or derivation of intelligence by analysis of transmission characteristics such as signal parameters or message externals. Note: TRANSEC is that field of COMSEC which deals with the security of communication transmissions, rather than that of the information being communicated.ControlRegulatedCUI
Trap Doornoun1. A means of reading cryptographically protected information by the use of private knowledge of weaknesses in the cryptographic algorithm used to protect the data. 2. In cryptography, one-to-one function that is easy to compute in one direction, yet believed to be difficult to invert without special information.VulnerabilityRegulatedCUI
Trusted AgentnounEntity authorized to act as a representative of an agency in confirming Subscriber identification during the registration process. Trusted Agents do not have automated interfaces with Certification Authorities.RoleRestrictedCUI
Trusted Computer SystemnounA system that employs sufficient hardware and software assurance measures to allow its use for processing simultaneously a range of sensitive or classified information.SystemRegulatedCUI
Trusted DistributionnounMethod for distributing trusted computing base (TCB) hardware, software, and firmware components that protects the TCB from modification during distribution.ProcessRegulatedCUI
Trusted Identification ForwardingnounIdentification method used in information system networks whereby the sending host can verify an authorized user on its system is attempting a connection to another host. The sending host transmits the required user authentication information to the receiving host.ControlRegulatedCUI
TSEC NomenclaturenounSystem for identifying the type and purpose of certain items of COMSEC material.FrameworkRestrictedCUI
Two-Person ControlnounContinuous surveillance and control of positive control material at all times by a minimum of two authorized individuals, each capable of detecting incorrect and unauthorized procedures with respect to the task being performed and each familiar with established security and safety requirements.ControlRegulatedCUI
Two-Person IntegritynounSystem of storage and handling designed to prohibit individual access by requiring the presence of at least two authorized individuals, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. See No-Lone Zone.ControlRegulatedCUI
Type 1 KeynounGenerated and distributed under the auspices of NSA for use in a cryptographic device for the protection of national security information.CredentialRegulatedCUI
Type 1 ProductnounCryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring the most stringent protection mechanisms.PhysicalRegulatedCUI
Type 2 KeynounGenerated and distributed under the auspices of NSA for use in a cryptographic device for the protection of unclassified information.CredentialRegulatedCUI
Type 2 ProductnounCryptographic equipment, assembly, or component certified by NSA for encrypting or decrypting sensitive information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring protection mechanisms exceeding best commercial practices including systems used for the protection of unclassified information.PhysicalRegulatedCUI
Type 3 KeynounUsed in a cryptographic device for the protection of unclassified sensitive information, even if used in a Type 1 or Type 2 product.CredentialRegulatedCUI
Type 3 ProductnounUnclassified cryptographic equipment, assembly, or component used, when appropriately keyed, for encrypting or decrypting unclassified sensitive U.S. government or commercial information, and to protect systems requiring protection mechanisms consistent with standard commercial practices. Developed using established commercial standards and containing NIST-approved cryptographic algorithms/modules or successfully evaluated by the National Information Assurance Partnership (NIAP).PhysicalRegulatedCUI
Type 4 KeynounUsed by a cryptographic device in support of its Type 4 functionality, i.e., any provision of key that lacks U.S. government endorsement or oversight.CredentialRegulatedCUI
Type 4 ProductnounUnevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any government usage. These products are typically delivered as part of commercial offerings and are commensurate with the vendor’s commercial practices. These products may contain either vendor proprietary algorithms, algorithms registered by NIST, or algorithms registered by NIST and published in a FIPS.ArtifactRegulatedCUI
Type CertificationnounThe certification acceptance of replica information systems based on the comprehensive evaluation of the technical and nontechnical security features of an information system and other safeguards, made as part of and in support of the formal approval process, to establish the extent to which a particular design and implementation meet a specified set of security requirements.ProcessRegulatedCUI
U.S.-Controlled FacilitynounBase or building to which access is physically controlled by U.S. individuals who are authorized U.S. government or U.S. government contractor employees.PhysicalRegulatedCUI
U.S.-Controlled SpacenounRoom or floor within a facility that is not a U.S.-controlled facility, access to which is physically controlled by U.S. individuals who are authorized U.S. government or U.S. government contractor employees. Keys or combinations to locks controlling entrance to U.S.-controlled spaces must be under the exclusive control of U.S. individuals who are U.S. government or U.S. government contractor employees.PhysicalRegulatedCUI
UnclassifiednounInformation that has not been determined pursuant to E.O. 12958, as amended, or any predecessor order, to require protection against unauthorized disclosure and that is not designated as classified.RequirementRegulatedCUI
United States Government Configuration BaselinenounThe United States Government Configuration Baseline (USGCB) provides security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security.FrameworkRegulatedCUI
USA Patriot ActnounThe USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Public Law Pub.L. 107-56), commonly known as the "Patriot Act", was enacted by Congress to deter and punish terrorist acts in the United States and around the world by enhancing the law enforcement investigatory tools of both domestic law enforcement and foreign intelligence agencies.RequirementRegulatedCUI
User InitializationnounA function in the life cycle of keying material; the process whereby a user initializes its cryptographic application (e.g., installing and initializing software and hardware).ProcessRegulatedCUI
User Partnership ProgramnounPartnership between the NSA and a U.S. government agency to facilitate development of secure information system equipment incorporating NSA-approved cryptography. The result of this program is the authorization of the product or system to safeguard national security information in the user’s specific application.ProcessRegulatedCUI
User RepresentativenounIndividual authorized by an organization to order COMSEC keying material and interface with the keying system, provide information to key users, and ensure the correct type of key is ordered.RoleRegulatedCUI
visitor lognounA paper or electronic record of any non-employee entering a facility, construction site, structure or website.ArtifactRegulatedCUI
ZeroizationnounA method of erasing electronically stored data, cryptographic keys, and Credentials Service Providers (CSPs) by altering or deleting the contents of the data storage to prevent recovery of the data.ControlRegulatedCUI
Zone Of ControlnounThree-dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists.PhysicalRestrictedCUI