Browse — Sensitivity
1447 terms
| Term | Type | Definition | Classifications | Updated |
| --- | --- | --- | --- | --- |
| Acceptable interruption window | noun | The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives. | Requirement, Internal | |
| Acceptable use policy | noun | A document that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before users can gain access to a network or the Internet. | Requirement, Internal | |
| access attempt | noun | A process of interaction with a communications system by one or more users to enable initiation of user information transfer. The process begins with the granting of an access request by an access originator, and ends in either successful access or access failure. | Event, Regulated | |
| access code | noun | Numeric or alphanumeric data which, when entered correctly, authorizes entry into a secure area. | Credential, Regulated | |
| Access Control program | noun | A documented listing of procedures, schedules, roles and responsibilities, and plans or instructions to be performed to implement access control. | Control, Regulated, PCI | |
| Access List | noun | Roster of individuals authorized admittance to a controlled area. | Artifact, Restricted, PII | |
| access log | noun | A log that lists who has been permitted to physically or logically gain access. | Artifact, Regulated, CUI | |
| Access Management | noun | Access Management is the maintenance of access information, which consists of four tasks: account administration, maintenance, monitoring, and revocation. | Process, Regulated | |
| Access Matrix | noun | An Access Matrix uses rows to represent subjects and columns to represent objects, with privileges listed in each cell. | Artifact, Confidential | |
| access revocation program | noun | A documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to revoke access privileges. | Process, Regulated, CDI | |
| Account Balancing Monitoring System (ABMS) | noun | The Federal Reserve's computing system providing reserve account information to the Federal Reserve Banks and depository institutions on an intraday basis. ABMS serves both as an informational source and a monitoring tool. This information includes opening balances, funds and securities transfers, accounting activity, and depository institutions' cap and collateral limits. | System, Regulated, CUI | |
| Account-To-Account Payment (A2A) | noun | Payment system that allows the consumer to direct transfer of funds from one account to another account at a different financial institution. | Process, Regulated, PCI | |
| Accounting Legend Code | noun | Numeric code used to indicate the minimum accounting controls required for items of accountable communications security (COMSEC) material within the COMSEC Material Control System. | Requirement, Regulated, CUI | |
| Accounting Number | noun | Number assigned to an item of COMSEC material to facilitate its control. | Artifact, Regulated, CDI | |
| Accreditation Package | noun | Product comprised of a System Security Plan (SSP) and a report documenting the basis for the accreditation decision. | Artifact, Regulated, CUI | |
| Accrediting Authority | noun | Synonymous with Designated Accrediting Authority (DAA). See also Authorizing Official. | Organization, Regulated | |
| accuracy | noun | The quality or state of being correct, precise, or near to the true value. | Metric, Regulated | |
| Acquirer Fee | noun | Fee paid to the acquirer of the merchant sales draft. The acquirer of the sales draft collects a merchant discount fee (or processing fee) from the merchant for the costs associated with processing the transaction. | Requirement, Regulated, PCI | |
| action item | noun | A documented event, task or action that needs to take place. Action items are discrete units that can be handled by a single person. | Artifact, Regulated | |
| actionable intelligence | noun | Information that can be acted upon to address, prevent or mitigate a cyber threat. The sum of an information system’s characteristics in the broad categories (software, hardware, network, processes and human) which allows an attacker to probe, enter, attack or maintain a presence in the system and potentially cause damage to an FMI. A smaller attack surface means that the FMI is less exploitable and an attack less likely. | Capability, Restricted, CUI | |
| Activation Data | noun | Private data, other than keys, that are required to access cryptographic modules. | Data, Regulated, CUI | |
| activity reporting | noun | The action of providing a description of an account holder's activity. | Artifact, Regulated, PII | |
| Address Verification Service (AVS) | noun | Bankcard company service that verifies the customer-provided billing address matches the billing address on their credit card account. The bankcard companies will not support merchants that opt for not using AVS if those transactions are disputed and will charge the merchant an additional 1.25% on those sales. | Capability, Regulated, PCI | |
| Adequate Security | noun | Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. Note: This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls. | Requirement, Regulated | |
| Administrative Safeguards | noun | Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity's workforce in relation to protecting that information. | Control, Regulated, PHI | |
| Advanced Encryption Standard | noun | The Advanced Encryption Standard specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. | Control, Regulated | |
| Advanced Key Processor | noun | A cryptographic device that performs all cryptographic functions for a management client node and contains the interfaces to 1) exchange information with a client platform, 2) interact with fill devices, and 3) connect a client platform securely to the primary services node (PRSN). | Physical, Regulated, CUI | |
| Advisory | noun | Notification of significant new trends or developments regarding the threat to the information systems of an organization. This notification may include analytical insights into trends, intentions, technologies, or tactics of an adversary targeting information systems. | Artifact, Internal | |
| affected party | noun | This role is focused on contracting parties who are affected by organizational activities. Any individual who is in a contract and is affected by organizational activities should be assigned to this role. | Identity, Regulated | |
| affiliate | noun | This role focuses on persons who are affiliated with other persons or organizations, or on organizations or individuals that control or are controlled by a third party. Any person associated with another person or organization, or any organization or individual being controlled by or controlling a third party, should be assigned to this role. | Role, Regulated | |
| Agency | noun | Any executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: 1) the Government Accountability Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or 4) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities. | Organization, Regulated, CUI | |
| Agency Certification Authority | noun | A CA that acts on behalf of an agency and is under the operational control of an agency. | Capability, Regulated, CUI | |
| Agent Bank | noun | A member of a bankcard company that agrees to participate in an acquirer's merchant processing program. The agent may be liable for losses incurred on its merchant accounts. An agent is usually a small financial institution that wants to offer merchant processing services as a customer service. Agent banks that only refer merchants to an acquiring financial institution's program are known as referral banks. | Organization, Regulated | |
| Aggregate Short Position | noun | The sum of a Settlement Member's short positions, each such short position expressed in its base currency equivalent and adjusted by the applicable haircut. | Metric, Regulated | |
| Aggregate Short Position Limit | noun | In respect of a Settlement Member, the maximum aggregate short position that such Settlement Member is permitted to incur at any time. | Requirement, Regulated | |
| agreement | noun | This record category contains records of mutual understandings, written or verbal, made by two or more parties regarding a matter of opinion or their rights and obligations toward each other. | Requirement, Regulated | |
| All Source Intelligence | noun | In the NICE Workforce Framework, cybersecurity work where a person: Analyzes threat information from multiple sources, disciplines, and agencies across the Intelligence Community. Synthesizes and places intelligence information in context; draws insights about the possible implications. | Capability, Restricted, CUI | |
| Alternate facilities | noun | Locations and infrastructures from which emergency or backup processes are executed when the main premises are unavailable or destroyed. Scope Note: Includes other buildings, offices or data processing centers. | Physical, Restricted | |
| Alternate process | noun | Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal. | Process, Regulated | |
| Alternate Site Test / Exercise | noun | A business continuity testing activity that tests the capability of staff, systems, and facilities, located at sites other than those generally designated for primary processing and business functions, to effectively support production processing and workloads. During the exercise, business line staff located at recovery site(s) participate in testing business functions and the supporting systems by performing typical production activities, including accessing applications and completing pending transactions. Staff members participate in testing alternate site facilities through the use of PCs, phones, and other equipment needed to perform testing of business activities. | Process, Internal | |
| Alternate Work Site | noun | Governmentwide, national program allowing federal employees to work at home or at geographically convenient satellite offices for part of the work week (e.g., telecommuting). | Physical, Regulated | |
| anomalous transaction | noun | A transaction that deviates from the standards, procedures, and processes used to create a transaction. | Event, Regulated, PCI | |
| Anti-jam | noun | Countermeasures ensuring that transmitted information can be received despite deliberate jamming attempts. | Control, Regulated, CUI | |
| applicable requirement | noun | The relevant or appropriate necessary condition or conditions. | Requirement, Regulated | |
| application control | noun | Controls related to transactions and data within application systems. Application controls ensure the completeness and accuracy of the records and the validity of the entries made resulting from both programmed processing and manual data entry. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted. | Control, Regulated | |
| Approval to Operate | noun | The official management decision issued by a DAA or PAA to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals. | Artifact, Regulated, CUI | |
| Approved | noun | Federal Information Processing Standard (FIPS)-approved or National Institute of Standards and Technology (NIST)-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation. | Requirement, Regulated | |
| Approved Mode of Operation | noun | A mode of the cryptographic module that employs only Approved security functions (not to be confused with a specific mode of an Approved security function, e.g., Data Encryption Standard Cipher-Block Chaining (DES CBC) mode). | Control, Regulated, CUI | |
| Approved Security Function | noun | A security function (e.g., cryptographic algorithm, cryptographic key management technique, or authentication technique) that is either a) specified in an Approved Standard; b) adopted in an Approved Standard and specified either in an appendix of the Approved Standard or in a document referenced by the Approved Standard; or c) specified in the list of Approved security functions. | Capability, Regulated | |
| assessed risk | noun | A detected and evaluated risk. An assessed risk of material misstatement at the assertion level is a significant risk. | Finding, Regulated | |
| Assessment Findings | noun | Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition. | Finding, Restricted, CUI | |
| Assessment Objective | noun | A set of determination statements that expresses the desired outcome for the assessment of a security control or control enhancement. | Requirement, Regulated | |
| asset inventory | noun | A complete list of all the resources owned by an organization that are used in operations or used to support operations. | Artifact, Internal | |
| asset physical security | noun | The protection of assets from theft, vandalism, natural disasters, and accidental damage. | Control, Regulated | |
| Asset Reporting Format | noun | SCAP data model for expressing the transport format of information about assets (components) and the relationships between assets and reports. | Artifact, Regulated, CUI | |
| Assurance Case | noun | A structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute. | Artifact, Confidential | |
| Assured Information Sharing | noun | The ability to confidently share information with those who need it, when and where they need it, as determined by operational need and an acceptable level of security risk. | Capability, Regulated, CUI | |
| Asymmetric key | noun | A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message. Scope Note: See Public key encryption. | Credential, Restricted | |
| attack signature | noun | A characteristic byte pattern used in malicious code, or an indicator, or set of indicators, that allows the identification of malicious network activities. | Artifact, Internal | |
| Attribute Authority | noun | An entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable agency body as having the authority to verify the association of attributes to an identity. | Organization, Regulated, CUI | |
| audit activity | noun | Those activities and procedures through which information is obtained to verify conformance to regulatory or organizational requirements. | Process, Regulated | |
| Audit charter | noun | A document approved by the board of directors that defines the IT audit function's responsibility, authority to review records, and accountability. | Artifact, Internal | |
| audit committee | noun | An operating committee of the Board of Directors charged with oversight of audit operations, including appraising the performance of the CPA firm, financial reporting and disclosure. Committee members are drawn from members of the company's board of directors, with a Chairperson selected from among the committee members. | Organization, Regulated | |
| audit cycle | noun | The accounting process that auditors employ in the review of a company's financial information. The audit cycle includes the steps that an auditor will take to ensure that the company's financial information is valid and accurate before releasing any financial statements. | Process, Regulated | |
| Audit Data | noun | Chronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event. | Data, Regulated | |
| audit finding | noun | The documented conclusion reached as a result of an official inspection of an organization’s accounts or other item or process being audited, typically by an independent body. | Finding, Regulated | |
| audit log | noun | A chronological record of system activities. Includes records of system accesses and operations performed in a given period. | Artifact, Regulated | |
| Audit Log event | noun | Any of the various triggering actions that cause an application to write a new entry into the log. | Artifact, Regulated, CUI | |
| audit manual | noun | A compilation of current audit policies, procedures, and guidelines. | Artifact, Internal | |
| Audit plan | noun | A high-level description of the audit work to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report, its intended audience, and other general aspects of the work. | Artifact, Internal | |
| audit policy | noun | A description of the standards and guidelines an organization uses for going through external audits or conducting internal audits. | Requirement, Internal | |
| Audit program | noun | The audit policies, procedures, and strategies that govern the audit function, including Information Technology (IT) audit. | Process, Internal | |
| audit record | noun | An individual entry in an audit log related to an audited event. | Artifact, Regulated, CUI | |
| audit report | noun | A report issued by an independent Auditor that expresses an opinion about whether the financial statements present fairly a company's financial position, operating results, and cash flows in accordance with generally accepted accounting principles. | Artifact, Regulated | |
| Audit Review | noun | The assessment of an information system to evaluate the adequacy of implemented security controls, assure that they are functioning properly, identify vulnerabilities, and assist in implementation of new security controls where required. This assessment is conducted annually or whenever significant change has occurred and may lead to recertification of the information system. | Process, Regulated, CUI | |
| audit schedule | noun | The dates on which a planned, official examination of a system or equipment will be performed. | Artifact, Internal | |
| audit scope | noun | Determination of the range of the activities and the period (months or years) of records that are to be subjected to an audit examination. | Requirement, Internal | |
| audit standard | noun | Rules prescribed for auditors by various national and international organizations such as the Auditing Practices Board (in the UK) and the Auditing Standards Board (in the US). | Framework, Regulated | |
| Audit trail | noun | A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result. | Artifact, Regulated | |
| audit universe | noun | An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process. | Artifact, Internal | |
| Audit Work Paper | noun | This record category contains records of working papers that are vital to the successful accomplishment of all audit assignments performed. | Artifact, Regulated | |
| Authentication Code | noun | A cryptographic checksum based on an Approved security function (also known as a Message Authentication Code [MAC]). | Credential, Regulated | |
| authentication control | noun | One of several systems which restrict user access to a network. | Control, Regulated | |
| authentication method | noun | A method of verifying the identity of a user, such as a challenge password or a digital certificate. | Control, Regulated | |
| Authentication Period | noun | The maximum acceptable period between any initial authentication process and subsequent reauthentication processes during a single terminal session or during the period data is being accessed. | Requirement, Regulated, CUI | |
| Authentication Protocol | noun | A defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier. | Process, Regulated | |
| Authenticator | noun | The means used to confirm the identity of a user, process, or device (e.g., user password or token). | Credential, Restricted | |
| Authorization (ACH) | noun | A written or oral agreement between the originator and a receiver that allows payments processed through the ACH network to be deposited in, or withdrawn from, the receiver's account at a financial institution. | Requirement, Regulated, PCI | |
| Authorization Boundary | noun | All components of an information system to be authorized for operation by an authorizing official; excludes separately authorized systems to which the information system is connected. | Requirement, Regulated | |
| authorization record | noun | A document or identifier which provides evidence of authorization. | Artifact, Regulated, CUI | |
| Authorization to operate | noun | The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. | Artifact, Regulated, CUI | |
| authorized access | noun | Access to system components that (a) has been approved by a person designated to do so by management and (b) does not compromise segregation of duties, confidentiality commitments, or otherwise increase risk to the system beyond the levels approved by management (that is, access is appropriate). | Control, Regulated | |
| Authorized Vendor | noun | Manufacturer of information assurance equipment authorized to produce quantities in excess of contractual requirements for direct sale to eligible buyers. Eligible buyers are typically U.S. government organizations or U.S. government contractors. | Organization, Regulated | |
| Authorized Vendor Program | noun | Program in which a vendor, producing an information systems security (INFOSEC) product under contract to NSA, is authorized to produce that product in numbers exceeding the contracted requirements for direct marketing and sale to eligible buyers. Eligible buyers are typically U.S. government organizations or U.S. government contractors. Products approved for marketing and sale through the AVP are placed on the Endorsed Cryptographic Products List (ECPL). | Process, Regulated | |
| Authorizing Official Designated Representative | noun | An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with security authorization. | Role, Regulated | |
| Automated Clearing House (ACH) | noun | An electronic clearing system in which a data processing center handles payment orders that are exchanged among financial institutions, primarily via telecommunications networks. ACH systems process large volumes of individual payments electronically. Typical ACH payments include salaries, consumer and corporate bill payments, interest and dividend payments, and Social Security payments. | System, Regulated, PCI | |
| automated clearing house activity | noun | Any transaction made through the Automated Clearing House network. | Event, Regulated, PCI | |
| automated clearing house capture | noun | A service that allows a user to transmit automated clearing house data to a bank for posting and clearing. | Capability, Regulated, PCI | |
| Automated Controls | noun | Software routines designed into programs to ensure the validity, accuracy, completeness, and availability of input, processed, and stored data. | Control, Regulated | |
| Automated Key Transport | noun | The transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols). | Process, Regulated | |
| Automated Teller Machine (ATM) | noun | An electronic funds transfer (EFT) terminal that allows customers using a PIN-based debit (ATM) card to initiate transactions (e.g., deposits, withdrawals, account balance inquiries). | Physical, Regulated, PCI | |
| Automatic Remote Rekeying | noun | Procedure to rekey a distant crypto-equipment electronically without specific actions by the receiving terminal operator. See Manual Remote Rekeying. | Process, Regulated, CUI | |
| availability requirement | noun | Availability requirement relates to the need for information to be available when required. | Requirement, Regulated | |
| Back Office Conversion (BOC) | noun | Under NACHA rules, BOC allows retailers and billers that accept checks at the point-of-sale or at manned bill payment locations to convert eligible checks to ACH debits in the back office. | Process, Regulated, PCI | |
| Back-up Generations | noun | A tape rotation methodology that creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers." This back-up methodology is frequently used to refer to master files for financial applications. | Process, Regulated | |
| background | noun | A person's previous experience, education, or social circumstances. | Artifact, Regulated, PII | |
| Backtracking Resistance | noun | Backtracking resistance is provided relative to time T if there is assurance that an adversary who has knowledge of the internal state of the Deterministic Random Bit Generator (DRBG) at some time subsequent to time T would be unable to distinguish between observations of ideal random bitstrings and (previously unseen) bitstrings that were output by the DRBG prior to time T. The complementary assurance is called Prediction Resistance. | Control, Regulated | |
| Bank Identification Number/Interbank Card Company (BIN/ICA) | noun | A series of assigned numbers used to identify the settling financial institution for both acquiring and issuing bankcard transactions. | Data, Regulated, PCI | |
| Bank Secrecy Act | noun | The Currency and Foreign Transactions Reporting Act, also known as the Bank Secrecy Act (BSA), and its implementing regulation, 31 CFR 103, is a tool the U.S. government uses to fight drug trafficking, money laundering, and other crimes. Congress enacted the BSA to prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of money derived from, criminal activity. | Framework, Regulated | |
| Bankcard | noun | A general-purpose credit card, issued by a financial institution under agreement with the bankcard associations (Visa and MasterCard), which customers can use to purchase goods and services and to obtain cash against a line of credit established by the bankcard issuer. | Data, Regulated, PCI | |
| Bankcard Companies | noun | Visa and MasterCard International, Inc. are bankcard companies established as bank service companies. Financial institutions must be members of a bankcard company in order to offer their credit card services. The companies have established membership rights and obligations, and membership is limited to financial institutions. | Organization, Internal, PCI | |
| Baseline | noun | Hardware, software, databases, and relevant documentation for an information system at a given point in time. | Artifact, Regulated | |
| Basic Authentication | noun | Basic Authentication is the simplest web-based authentication scheme; it works by sending the username and password with each request. | Credential, Restricted, PII | |
| Bastion Host | noun | A special-purpose computer on a network specifically designed and configured to withstand attacks. | System, Regulated | |
| Batch Processing | noun | The transmission or processing of a group of related payment instructions. | Process, Regulated, PCI | |
| before | noun | This limits a Control or Mandate's secondary verb to be put into play prior to the event taking place. | Control, Regulated | |
| Bilateral Key Security | noun | A multi-level data encryption system, based on the exchange of Bilateral Keys, allowing users of SWIFT to create, send, and receive SWIFT messages. Bilateral Keys are unique authenticator keys possessed by only the two parties (either the provider or recipient of a message) involved and provide confirmation in both directions of the legitimacy of a message sent via SWIFT. | Control, Regulated | |
| Binding | noun | An acknowledgement by a trusted third party that associates an entity’s identity with its public key. This may take place through (1) a certification authority’s generation of a public key certificate, (2) a security officer’s verification of an entity’s credentials and placement of the entity’s public key and identifier in a secure database, or (3) an analogous method. | Process, Regulated | |
| BLACK | noun | Designation applied to encrypted information and the information systems, the associated areas, circuits, components, and equipment processing that information. See also RED. | Capability, Restricted, CUI | |
| Black Core | noun | A communication network architecture in which user data traversing a global Internet Protocol (IP) network is end-to-end encrypted at the IP layer. Related to striped core. | Network, Regulated, CUI | |
| Blacklisting | noun | The process of the system invalidating a user ID based on the user’s inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the correct authenticator. Blacklisting and lifting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources. | Process, Regulated | |
| Block | noun | Sequence of binary bits that comprise the input, output, State, and Round Key. The length of a sequence is the number of bits it contains. Blocks are also interpreted as arrays of bytes. | Data, Regulated | |
| Body of Evidence | noun | The set of data that documents the information system’s adherence to the security controls applied. The BoE will include a Requirements Verification Traceability Matrix (RVTM) delineating where the selected security controls are met and where evidence to that fact can be found. The BoE content required by an Authorizing Official will be adjusted according to the impact levels selected. | Artifact, Regulated, CUI | |
| bot | noun | A computer connected to the Internet that has been surreptitiously / secretly compromised with malicious logic to perform activities under the remote command and control of a remote administrator. | Threat, Regulated | |
| Boundary Protection | noun | Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communication, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels). | Control, Regulated | |
| boundary protection device | noun | A device with appropriate mechanisms that: (i) facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system); and/or (ii) provides information system boundary protection. | Network, Regulated | |
| Bulk Electric System Cyber System | noun | One or more Bulk Electric System (BES) Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity. | System, Regulated, CUI | |
| Bulk Electric System Cyber System Information | noun | Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. BES Cyber System Information does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems, such as, but not limited to, device names, individual IP addresses without context, ESP names, or policy statements. Examples of BES Cyber System Information may include, but are not limited to, security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems that is not publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of the BES Cyber System. | Data, Regulated, CUI | |
| business continuity | noun | The providing of critical business functions to customers, suppliers, regulators, and other entities at acceptable predefined levels after incidents and business interruptions. | Process, Regulated | |
| Business Continuity Plan | noun | The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business functions will be sustained during and after a significant disruption. | Process, Internal | |
| Business Continuity Plan (BCP) | noun | A comprehensive written plan to maintain or resume business in the event of a disruption. BCP includes both the technology recovery capability (often referred to as disaster recovery) and the business unit(s) recovery capability. | Artifact, Internal | |
| Business Continuity planning | noun | The act of creating processes and procedures to put into place to ensure that essential organizational functions can continue during and after a disaster. | Process, Regulated | |
| business continuity program | noun | A documented approach undertaken by an organization to implement business continuity. | Process, Internal | |
| Business Continuity Strategy | noun | Comprehensive strategies to recover, resume, and maintain all critical business functions. | Process, Internal | |
| Business Impact Analysis | noun | An analysis of an enterprise’s requirements, processes, and interdependencies used to characterize information system contingency requirements and priorities in the event of a significant disruption. | Process, Internal | |
| Business Impact Analysis (BIA) | noun | The process of identifying the potential impact of uncontrolled, non-specific events on an institution's business processes. | Process, Internal | |
| Business impact analysis/assessment | noun | Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system. Scope Note: This process also includes addressing income loss; unexpected expense; legal issues (regulatory compliance or contractual); interdependent processes; and loss of public reputation or public confidence. | Process, Restricted | |
business resumption testingnounA form of testing designed to determine the effectiveness of an organization's in-place strategy for full recovery of business functions following a disaster or disruption.ProcessInternal
Business ValuenounHow much a business is worth. Business value is a highly subjective measure because it involves estimating the value of intangible assets like trade secrets and brand recognition. It adds to this the value of tangible assets like machinery and stockholder equity. Business value is especially important for potential investors or buyers.MetricConfidentialIP
cablenounA wire or group of wires covered in a protective casing used for transmitting electricity or telecommunication signals.PhysicalRegulated
Call BacknounProcedure for identifying and authenticating a remote information system terminal, whereby the host system disconnects the terminal and reestablishes contact.ProcessRegulated
Call TreenounA documented list of employees and external entities that should be contacted in the event of an emergency declaration.ArtifactInternalPII
CanisternounType of protective package used to contain and dispense keying material in punched or printed tape form.PhysicalRegulatedCUI
Capstone PoliciesnounThose policies that are developed by governing or coordinating institutions of Health Information Exchanges (HIEs). They provide overall requirements and guidance for protecting health information within those HIEs. Capstone Policies must address the requirements imposed by: (1) all laws, regulations, and guidelines at the federal, state, and local levels; (2) business needs; and (3) policies at the institutional and HIE levels.RequirementRegulatedPHI
Card IssuernounA financial institution that issues general-purpose credit cards carrying one of the two bankcard company logos. The issuing financial institution establishes the credit relationship with the consumer.OrganizationRegulatedPCI
Card Verification Code (CVC2)nounNumeric security code printed on the back of MasterCard credit cards. CVC2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS. (See Address verification service).CredentialRegulatedPCI
Card Verification Value (CVV2)nounThree-digit security number that is printed on the back of most Visa credit cards. CVV2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS.CredentialRegulatedPCI
CardholdernounAn individual possessing an issued Personal Identity Verification (PIV) card.IdentityRegulatedCUI
CascadingnounDownward flow of information through a range of security levels greater than the accreditation range of a system, network, or component.EventRegulatedCUI
Cash LetternounA group of checks accompanied by a paper listing sent to a clearinghouse, a Federal Reserve Bank, or another institution. A cash letter contains a number of negotiable items, mostly checks, accompanied by a letter that lists the amounts and instructions for transmittal to another bank. May also be called a transmittal letter. An incoming cash letter is one that is received by an institution from a clearinghouse, a Federal Reserve Bank, or another institution and contains checks written on accounts at the institution that were cashed elsewhere. An outgoing cash letter is one that is being sent to a clearinghouse, a Federal Reserve Bank, or another institution and contains checks deposited at the institution, which are written on accounts at other institutions.ArtifactRegulatedPII
CategorynounRestrictive label applied to classified or unclassified information to limit access.RequirementRegulatedCUI
Central Office of RecordnounOffice of a federal department or agency that keeps records of accountable COMSEC material held by elements subject to its oversightOrganizationRegulatedCUI
Central Services NodenounThe Key Management Infrastructure core node that provides central security management and data management services.SystemRestrictedCUI
CertificationnounA comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.ProcessRegulated
Certification authoritynoun1. For Certification and Accreditation (C&A) (C&A Assessment): Official responsible for performing the comprehensive evaluation of the security features of an information system and determining the degree to which it meets its security requirements 2. For Public Key Infrastructure (PKI): A trusted third party that issues digital certificates and verifies the identity of the holder of the digital certificate.OrganizationRegulatedCUI
Certification Authority FacilitynounThe collection of equipment, personnel, procedures and structures that are used by a Certification Authority to perform certificate issuance and revocation.PhysicalRestricted
Certification Authority WorkstationnounCommercial off-the-shelf (COTS) workstation with a trusted operating system and special-purpose application software that is used to issue certificatesSystemRestricted
Certification PackagenounProduct of the certification effort documenting the detailed results of the certification activities.ArtifactRegulatedCUI
Certification Practice StatementnounA statement of the practices that a Certification Authority employs in issuing, suspending, revoking, and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this Certificate Policy, or requirements specified in a contract for services).ArtifactInternal
Certification Test and EvaluationnounSoftware and hardware security tests conducted during development of an information system.ProcessRegulated
Certified TEMPEST Technical AuthoritynounAn experienced, technically qualified U.S. government employee who has met established certification requirements in accordance with CNSS-approved criteria and has been appointed by a U.S. government department or agency to fulfill CTTA responsibilities.RoleRegulatedCUI
Chain of custodynounA process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.ProcessRegulated
Chain of EvidencenounA process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The “sequencing” of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner.ProcessRegulatedCUI
ChargebacknounA transaction generated when a cardholder disputes a transaction or when the merchant does not follow bankcard company procedures. The issuer and acquirer research the facts to determine which party is responsible for the transaction. If the merchant is unable to pay, the acquirer will have to cover the chargeback.EventRegulatedPCI
ChecknounA written order from one party (payer) to another (payee) requiring the payer's financial institution to pay a specified sum on demand to the payee or to a third party specified by the payeeArtifactRegulatedPCI
Check 21 ActnounFormally known as the Check Clearing for the 21st Century Act. Creates a new document, the IRD (image replacement document or substitute check) that is the legal equivalent of the original check and should be accepted as such. The act does not require institutions to accept electronic images instead of checks or IRDs, but does require the acceptance of IRDs instead of paper checks. The exchange of electronic images is optional and will be done by agreements between individual institutions, groups of institutions, or clearinghouses.FrameworkRegulatedPCI
Check ClearingnounThe movement of a check from the depository institution where it was deposited to the institution on which it was written. The funds move in the opposite direction, with a corresponding credit and debit to the involved accounts.ProcessRegulated
Check ImagenounElectronic or digital image of an original check that is created by a depositor, a bank or other participant in the check collection process. Check images can be exchanged electronically by financial institutions, printed for customer statement purposes, displayed on Internet banking websites, and used to create substitute checks.DataRegulatedPCI
Check TruncationnounThe practice of holding a check at the institution where it was deposited (or at an intermediary institution) and electronically forwarding the essential information on the check to the institution on which it was written. A truncated check is not returned to the writer.ProcessRegulatedPCI
Check WordnounCipher text generated by cryptographic logic to detect failures in cryptography.ControlRegulatedCUI
Chief Information OfficernounAgency official responsible for: 1) providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information systems are acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; 2) developing, maintaining, and facilitating the implementation of a sound and integrated information system architecture for the agency; and 3) promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency. Note: Organizations subordinate to federal agencies may use the term Chief Information Officer to denote individuals filling positions with similar security responsibilities to agency-level Chief Information Officers.RoleRegulated
Chief Information Security OfficernounThe person in charge of information security within the enterpriseRoleRegulated
CIP exceptional circumstancenounA situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or Bulk Electric System (BES) reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.RequirementRegulatedCUI
CIP Senior ManagernounA single senior management official with overall authority and responsibility for leading and managing implementation of and continuing adherence to the requirements within the NERC CIP Standards, CIP-002 through CIP-011.RoleRegulatedCUI
ClaimantnounAn entity which is or represents a principal for the purposes of authentication, together with the functions involved in an authentication exchange on behalf of that entity. A claimant acting on behalf of a principal must include the functions necessary for engaging in an authentication exchange. (e.g., a smartcard [claimant] can act on behalf of a human user [principal])IdentityRegulatedPII
Classified InformationnounInformation that has been determined: (i) pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor Order, to be classified national security information; or (ii) pursuant to the Atomic Energy Act of 1954, as amended, to be Restricted Data (RD).DataRestrictedCUI
Classified Information SpillagenounSecurity incident that occurs whenever classified data is spilled either onto an unclassified information system or to an information system with a lower level of classification.EventRegulatedCUI
Classified National Security InformationnounInformation that has been determined pursuant to Executive Order 13526 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.DataRegulatedCUI
ClearancenounFormal certification of authorization to have access to classified information other than that protected in a special access program (including SCI). Clearances are of three types: confidential, secret, and top secret. A top secret clearance permits access to top secret, secret, and confidential material; a secret clearance, to secret and confidential material; and a confidential clearance, to confidential material.CredentialRegulatedCUI
ClearingnounRemoval of data from an information system, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., through the keyboard); however, the data may be reconstructed using laboratory methods.ProcessRegulatedCUI
Clearing CorporationnounAlso known as a clearing house or clearing house association. A central processing mechanism whereby members agree to net, clear, and settle transactions involving financial instruments. Clearing corporations fulfill one or all of the following functions: Net many trades so that the number and the amount of payments that have to be made are minimized, determine money obligations among traders, and guarantee that trades will go through by legally assuming the risk of payments not made or securities not delivered. The latter function is implied when it is stated that the clearing corporation becomes the "counterpart" to all trades entered into its system.OrganizationRegulated
Clearing House AssociationsnounVoluntary associations, formed by financial institutions that establish an exchange for checks drawn on them. Typically, institutions participating in check clearing houses use the Federal Reserve's National Settlement Service for the checks exchanged each business day.OrganizationRegulated
Clearing House Interbank Payment Systems (CHIPS)nounA "real time," multilateral, final payments system for large dollar value, business-to-business payment transactions between domestic or foreign institutions that have offices located in the United States. CHIPS is run by CHIP Co. LLC, a subsidiary of The Clearing House Payments Company, LLC.SystemRegulated
Clinger-Cohen Act of 1996nounAlso known as Information Technology Management Reform Act. A statute that substantially revised the way that IT resources are managed and procured, including a requirement that each agency design and implement a process for maximizing the value and assessing and managing the risks of IT investments.RequirementRegulated
Closed Security EnvironmentnounEnvironment providing sufficient assurance that applications and equipment are protected against the introduction of malicious logic during an information system life cycle. Closed security is based upon a system's developers, operators, and maintenance personnel having sufficient clearances, authorization, and configuration control.SystemRegulatedCUI
Closed StoragenounStorage of classified information within an accredited facility, in General Services Administration-approved secure containers, while the facility is unoccupied by authorized personnel.ControlRegulatedCUI
Code BooknounDocument containing plain text and code equivalents in a systematic arrangement, or a technique of machine encryption using a word substitution technique.ArtifactRestrictedCUI
Code GroupnounGroup of letters, numbers, or both in a code system used to represent a plain text word, phrase, or sentence.DataRegulatedCUI
Cold SitenounBackup site that can be up and operational in a relatively short time span, such as a day or two. Provision of services, such as telephone lines and power, is taken care of, and the basic office furniture might be in place, but there is unlikely to be any computer equipment, even though the building might well have a network infrastructure and a room ready to act as a server room. In most cases, cold sites provide the physical location and basic services.PhysicalRegulated
Cold/Warm/Hot Disaster Recovery Sitenoun* Hot site. It contains fully redundant hardware and software, with telecommunications, telephone and utility connectivity to continue all primary site operations. Failover occurs within minutes or hours, following a disaster. Daily data synchronization usually occurs between the primary and hot site, resulting in minimum or no data loss. Offsite data backup tapes might be obtained and delivered to the hot site to help restore operations. Backup tapes should be regularly tested to detect data corruption, malicious code and environmental damage. A hot site is the most expensive option. * Warm site. It contains partially redundant hardware and software, with telecommunications, telephone and utility connectivity to continue some, but not all primary site operations. Failover occurs within hours or days, following a disaster. Daily or weekly data synchronization usually occurs between the primary and warm site, resulting in minimum data loss. Offsite data backup tapes must be obtained and delivered to the warm site to restore operations. A warm site is the second most expensive option. * Cold site. Hardware is ordered, shipped and installed, and software is loaded. Basic telecommunications, telephone and utility connectivity might need turning on to continue some, but not all primary site operations. Relocation occurs within weeks or longer, depending on hardware arrival time, following a disaster. No data synchronization occurs between the primary and cold site, and could result in significant data loss. Offsite data backup tapes must be obtained and delivered to the cold site to restore operations. A cold site is the least expensive option.PhysicalRestricted
Command AuthoritynounIndividual responsible for the appointment of user representatives for a department, agency, or organization and their key ordering privileges.RoleRegulated
Commercial COMSEC Evaluation ProgramnounRelationship between NSA and industry in which NSA provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product. Products developed under the CCEP may include modules, subsystems, equipment, systems, and ancillary devices.ProcessRegulatedCUI
Commodity ServicenounAn information system service (e.g., telecommunications service) provided by a commercial service provider typically to a large and diverse set of consumers. The organization acquiring and/or receiving the commodity service possesses limited visibility into the management structure and operations of the provider, and while the organization may be able to negotiate service-level agreements, the organization is typically not in a position to require that the provider implement specific security controls.CapabilityInternal
Common Access CardnounStandard identification/smart card issued by the Department of Defense that has an embedded integrated chip storing public key infrastructure (PKI) certificates.CredentialRegulatedCUI
Common Attack Pattern Enumeration and ClassificationnounA catalogue of attack patterns as an abstraction mechanism for helping describe how an attack against vulnerable systems or networks is executed published by the MITRE CorporationFrameworkPublicPublicInfo
Common CarriernounIn a telecommunications context, a telecommunications company that holds itself out to the public for hire to provide communications transmission services. Note: In the United States, such companies are usually subject to regulation by federal and state regulatory commissions.OrganizationRegulated
Compliance documentsnounPolicies, standard and procedures that document the actions that are required or prohibited. Violations may be subject to disciplinary actions.ArtifactInternal
Compliance Enforcement AuthoritynounThe North American Electric Reliability Corporation (NERC) or the Regional Entity in their respective roles of monitoring and enforcing compliance with the NERC Reliability Standards.OrganizationRegulatedCUI
compliance plannounA compliance plan is a system of checks and balances through which a reasonable effort is made to identify potential non-compliance issues regarding applicable laws and regulations, and to eliminate or mitigate those issues.ProcessInternal
compliance policynounAn official expression of principles that direct an organization's approach to compliance.RequirementInternal
compliance programnounCompliance programs aim to prevent, and where necessary, identify and respond to, breaches of laws, regulations, codes or organizational standards occurring in the organization; and promote a culture of compliance within the organization.ProcessInternal
compliance requirementnounThe various legal, contractual, and service level requirements that an organization must follow.RequirementRegulated
compliance risknounThe risk to current and prospective earnings that arises from violating or not acting in accordance with laws, rules, regulations, prescribed practices, or ethical standards.MetricRegulated
compliance violation is detectednounThis Triggering Event takes place when the condition of someone or something does not conform to the documented policies and standards has been discovered.FindingRegulated
CompromisenounDisclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.EventRegulated
Compromising EmanationsnounUnintentional signals that, if intercepted and analyzed, would disclose the information transmitted, received, handled, or otherwise processed by information systems equipment. See TEMPEST.VulnerabilityRegulatedCUI
Computer AbusenounIntentional or reckless misuse, alteration, disruption, or destruction of information processing resources.ThreatRegulated
Computer forensicsnounThe practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.ProcessRegulated
Computer Network AttacknounActions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.ThreatRegulatedCUI
computer network defensenounActions taken to defend against unauthorized activity within computer networks. CND includes monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities.CapabilityRegulated
Computer Network ExploitationnounEnabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary information systems or networks.ThreatRegulatedCUI
Computer Network OperationsnounComprised of computer network attack, computer network defense, and related computer network exploitation enabling operations.CapabilityRestrictedCUI
computer roomnounA facility used to house computer systems and associated components, such as telecommunications and storage systems, generally including redundant or backup power supplies, redundant data communications connections, environmental controls (e.g., air conditioning, fire suppression) and various security devices.PhysicalRestricted
Computer Security Objects RegisternounA collection of Computer Security Object names and definitions kept by a registration authority.ArtifactInternal
COMSEC AccountnounAdministrative entity, identified by an account number, used to maintain accountability, custody, and control of COMSEC material.IdentityRegulatedCUI
COMSEC Account AuditnounExamination of the holdings, records, and procedures of a COMSEC account ensuring all accountable COMSEC material is properly handled and safeguarded.ProcessRegulatedCUI
COMSEC AidnounCOMSEC material that assists in securing telecommunications and is required in the production, operation, or maintenance of COMSEC systems and their components. COMSEC keying material, callsign/frequency systems, and supporting documentation, such as operating and maintenance manuals, are examples of COMSEC aids.DataRegulatedCUI
COMSEC AssemblynounGroup of parts, elements, subassemblies, or circuits that are removable items of COMSEC equipment.PhysicalRegulatedCUI
COMSEC BoundarynounDefinable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation, handling, and storage.ControlRegulatedCUI
COMSEC Control ProgramnounComputer instructions or routines controlling or affecting the externally performed functions of key generation, key distribution, message encryption/decryption, or authentication.ControlRegulatedCUI
COMSEC DemilitarizationnounProcess of preparing COMSEC equipment for disposal by extracting all CCI, classified, or cryptographic (CRYPTO) marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk.ProcessRegulatedCUI
COMSEC ElementnounRemovable item of COMSEC equipment, assembly, or subassembly; normally consisting of a single piece or group of replaceable parts.PhysicalRegulatedCUI
COMSEC End-itemnounEquipment or combination of components ready for use in a COMSEC application.PhysicalRegulatedCUI
COMSEC EquipmentnounEquipment designed to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and, subsequently, by reconverting such information to its original form for authorized recipients; also, equipment designed specifically to aid in, or as an essential element of, the conversion process. COMSEC equipment includes crypto-equipment, crypto-ancillary equipment, cryptographic production equipment, and authentication equipment.PhysicalRegulatedCUI
COMSEC FacilitynounAuthorized and approved space used for generating, storing, repairing, or using COMSEC material.PhysicalRegulatedCUI
COMSEC IncidentnounOccurrence that potentially jeopardizes the security of COMSEC material or the secure electrical transmission of national security information or information governed by 10 U.S.C. Section 2315.EventRegulatedCUI
COMSEC InsecuritynounCOMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information.EventRegulatedCUI
COMSEC MaterialnounItem designed to secure or authenticate telecommunications. COMSEC material includes, but is not limited to key, equipment, devices, documents, firmware, or software that embodies or describes cryptographic logic and other items that perform COMSEC functions.DataRegulatedCUI
COMSEC Material Control SystemnounLogistics and accounting system through which COMSEC material marked "CRYPTO" is distributed, controlled, and safeguarded. Included are the COMSEC central offices of record, crypto logistic depots, and COMSEC accounts. COMSEC material other than key may be handled through the CMCS.SystemRegulatedCUI
COMSEC ModulenounRemovable component that performs COMSEC functions in a telecommunications equipment or system.PhysicalRegulatedCUI
COMSEC MonitoringnounAct of listening to, copying, or recording transmissions of one's own official telecommunications to analyze the degree of security.ProcessRegulatedCUI
COMSEC ProfilenounStatement of COMSEC measures and materials used to protect a given operation, system, or organization.ArtifactRegulatedCUI
COMSEC SurveynounOrganized collection of COMSEC and communications information relative to a given operation, system, or organization.ArtifactRestrictedCUI
COMSEC System DatanounInformation required by a COMSEC equipment or system to enable it to properly handle and control key.DataRegulatedCUI
COMSEC TrainingnounTeaching of skills relating to COMSEC accounting, use of COMSEC aids, or installation, use, maintenance, and repair of COMSEC equipment.ProcessRegulatedCUI
configuration change control processnounAn action that is taken or performed to systematically manage all changes made to an asset's arrangement, system configuration, or security configuration in order to prevent unnecessary disruptions, vulnerabilities, and mitigate threats. Its purpose is to ensure that all changes to a complex system are performed with the knowledge and consent of management.ProcessRegulated
configuration change managementnounA process for managing configuration changes and variances in configurations.ProcessRegulated
Configuration ControlnounProcess of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation.ProcessRegulated
constitutenounGive legal or constitutional form to (an institution); establish by law.RequirementRegulated
ConsumernounUsually refers to an individual engaged in non-commercial transactions.IdentityRegulatedPII
Consumer AccountnounA deposit account held by a participating depository financial institution and established by a natural person primarily for personal, family, or household use and not for commercial purposes.DataRegulatedPII
Consumer informationnounFor purposes of the Information Security Standards, “consumer information” means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report that is maintained by or on behalf of a financial institution for a business purpose, such as information that an institution obtains about a loan applicant or a prospective employee from a consumer report.DataRegulatedPII
contact informationnounInformation usually containing the person's telephone number(s), fax number, address, and electronic mail address(es).DataRegulatedPII
ContainernounThe file used by a virtual disk encryption technology to encompass and protect other files.SystemRestricted
ContaminationnounType of incident involving the introduction of data of one security classification or security category into data of a lower security classification or different security category.EventRegulatedCUI
Contingency KeynounKey held for use under specific operational conditions or in support of specific contingency plans. See Reserve Keying Material.CredentialRegulatedCUI
Contingency PlannounManagement policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the Continuity of Operations Plan (COOP) or Disaster Recovery Plan for major disruptions.RequirementRestrictedCUI
Contingency PlanningnounThe purpose of this task is to support the required actions for planning, responding, and mitigating damaging events.ProcessRegulated
Continuity of GovernmentnounA coordinated effort within the federal government's executive branch to ensure that national essential functions continue to be performed during a catastrophic emergency.ProcessRestrictedCUI
Continuity of Operations PlannounManagement policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The COOP is the third plan needed by the enterprise risk managers and is used when the enterprise must recover (often at an alternate site) for a specified period of time. Defines the activities of individual departments and agencies and their sub-components to ensure that their essential functions are performed. This includes plans and procedures that delineate essential functions; specifies succession to office and the emergency delegation of authority; provide for the safekeeping of vital records and databases; identify alternate operating facilities; provide for interoperable communications, and validate the capability through tests, training, and exercises. See also Disaster Recovery Plan and Contingency Plan.ProcessRestricted
continuity plannounA step by step outline of management procedures designed to maintain and restore business operations in the event of an emergency or system failure.ProcessInternal
Continuous MonitoringnounThe process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) The development of a strategy to regularly evaluate selected IA controls/metrics, 2) Recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events, 3) Recording changes to IA controls, or changes that affect IA risks, and 4) Publishing the current security status to enable information-sharing decisions involving the enterprise.ProcessRegulatedCUI
contractnounA document that records the terms and conditions of a legally binding agreement.ArtifactConfidential
contractual obligationnounA course of action or conditions that someone is legally bound to because they signed a contract.RequirementRestricted
contractual requirementnounWritten and signed stipulations (within the said contract) employed in controlling, directing, or managing an activity, organization, or system.RequirementConfidential
Control InformationnounInformation that is entered into a cryptographic module for the purposes of directing the operation of the module.DataRestrictedCUI
Control requirementsnounProcess used to document and/or track internal processes to determine that those established procedures and/or physical security policies are being followed.RequirementRegulated
Controlled Access AreanounPhysical area (e.g., building, room, etc.) to which only authorized personnel are granted unrestricted access. All other personnel are either escorted by authorized personnel or are under continuous surveillance.PhysicalRegulated
Controlled AreanounAny area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system.PhysicalRestricted
Controlled Cryptographic ItemnounSecure telecommunications or information system, or associated cryptographic component, that is unclassified and handled through the COMSEC Material Control System (CMCS), an equivalent material control system, or a combination of the two that provides accountability and visibility. Such items are marked “Controlled Cryptographic Item,” or, where space is limited, “CCI”.PhysicalRegulatedCUI
Controlled Cryptographic Item AssemblynounDevice embodying a cryptographic logic or other COMSEC design that NSA has approved as a Controlled Cryptographic Item (CCI). It performs the entire COMSEC function, but depends upon the host equipment to operate.PhysicalRegulatedCUI
Controlled Cryptographic Item ComponentnounPart of a Controlled Cryptographic Item (CCI) that does not perform the entire COMSEC function but depends upon the host equipment, or assembly, to complete and operate the COMSEC function.PhysicalRegulatedCUI
Controlled Cryptographic Item EquipmentnounTelecommunications or information handling equipment that embodies a Controlled Cryptographic Item (CCI) component or CCI assembly and performs the entire COMSEC function without dependence on host equipment to operate.PhysicalRegulatedCUI
Controlled SpacenounThree-dimensional space surrounding information system equipment, within which unauthorized individuals are denied unrestricted access and are either escorted by authorized individuals or are under continuous physical or electronic surveillance.PhysicalRegulated
Controlled Unclassified InformationnounA categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. Henceforth, the designation CUI replaces "Sensitive But Unclassified" (SBU).RequirementRegulatedCUI
Controlling AuthoritynounOfficial responsible for directing the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet.RoleRegulatedCUI
Conversion plannounA plan that details transition planning and implementation issues in the period between the execution of an outsourcing agreement and the full production use of the outsourced services.ProcessRegulated
Cooperative Key GenerationnounElectronically exchanging functions of locally generated, random components, from which both terminals of a secure circuit construct traffic encryption key or key encryption key for use on that circuit. See Per-Call Key.ProcessRestricted
Core firmnounCore clearing and settlement organization that serves critical financial markets.OrganizationRegulated
Correspondent BanknounAn institution, acting on behalf of other institutions, that can settle the checks they collect for other institutions (respondents) by using accounts on their books or by sending a wire funds transfers. Generally, a provider of banking and payment services to other financial institutions.OrganizationRegulated
Covered EntitynounAny Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.OrganizationRegulated
Covert ChannelnounAn unauthorized communication path that manipulates a communications medium in an unexpected, unconventional, or unforeseen way in order to transmit information without detection by anyone other than the entities operating the covert channel.VulnerabilityRestrictedCUI
Covert Channel AnalysisnounDetermination of the extent to which the security policy model and subsequent lower-level program descriptions may allow unauthorized access to information.ProcessRestrictedCUI
Covert Storage ChannelnounCovert channel involving the direct or indirect writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels.VulnerabilityRegulatedCUI
Covert TestingnounTesting performed using covert methods and without the knowledge of the organization’s IT staff, but with the full knowledge and permission of upper management.ProcessInternal
Covert Timing ChannelnounCovert channel in which one process signals information to another process by modulating its own use of system resources (e.g., central processing unit time) in such a way that this manipulation affects the real response time observed by the second process.VulnerabilityRegulated
credentialnounAn object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber.CredentialRestricted
Credential Service ProvidernounA trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.OrganizationRegulated
Credit CardnounA card indicating the holder has been granted a line of credit. It enables the holder to make purchases or withdraw cash up to a prearranged ceiling. The credit granted can be settled in full by the end of a specified period or can be settled in part, with the balance taken as extended credit. Interest is charged based on the terms of the credit card agreement and the holder is sometimes charged an annual fee.DataRegulatedPCI
Credit EntrynounAn entry to the record of an account that represents the transfer or placement of funds into the account.ArtifactRegulatedPCI
credit policynounA company's policy on when its customers should pay for goods or services they have ordered a government's policy at a particular time on how easy or difficult it should be for people and businesses to borrow and how much it should cost. The government influences this through changes in interest rates.RequirementRegulated
criminal records checknounThe purpose of this task is to determine if a person has been convicted of a crime.ProcessRegulatedPII
Crisis Management Test/ExercisenounA testing exercise that validates the capabilities of crisis management teams to respond to specific events. Crisis management exercises typically test the call tree notification process with employees, vendors, and key clients. Escalation procedures and disaster declaration criteria may also be validated.ProcessInternal
critical business processnounA business process that must be restored immediately after a disruption to ensure the affected firm's ability to protect its assets, meet its critical needs, and satisfy mandatory regulations and requirements.ProcessRegulated
Critical Financial MarketsnounFinancial markets whose operations are critical to the economy. Critical financial markets provide the means for financial institutions to adjust their cash and securities positions and those of their customers in order to manage liquidity, market, and other risks to their organizations. Critical financial markets also provide support for the provision of a wide range of financial services to businesses and consumers in the United States and support the implementation of monetary policy. Examples of "critical financial markets" include: • Federal funds, foreign exchange, and commercial paper; • U.S. Government and agency securities; and • Corporate debt and equity securities.SystemRegulated
critical functionnounBusiness activities or information that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the organization.CapabilityRestricted
Critical infrastructurenounSystem and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. [Critical Infrastructures Protection Act of 2001, 42 U.S.C. 5195c(e)]SystemRegulatedCUI
Critical Market ParticipantsnounParticipants in the financial markets that perform critical operations or provide critical services. Their inability to perform these operations or services could result in major disruptions in the financial system.OrganizationRegulated
critical operationsnounAny activity, function, process, or service, the loss of which, for even a short period of time, would materially affect the continued operation of an FMI, its participants, the market it serves, and/or the broader financial system.ProcessRegulated
Critical PathnounThe critical path represents the business processes or systems that must receive the highest priority during the recovery phase.ProcessRegulated
Critical Security ParameternounSecurity-related information (e.g., secret and private cryptographic keys, and authentication data such as passwords and Personal Identification Numbers [PINs]) whose disclosure or modification can compromise the security of a cryptographic module.DataRestrictedCUI
critical servicenounA service that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the organization.SystemRestricted
Critical system (infrastructure)nounThe systems and assets, whether physical or virtual, that are so vital that the incapacity or destruction of such may have a debilitating impact.SystemRegulated
Cross Site ScriptingnounA vulnerability that allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client. Websites are vulnerable if they display user supplied data from requests or forms without sanitizing the data so that it is not executable.VulnerabilityRegulated
Cross-Domain CapabilitiesnounThe set of functions that enable the transfer of information between security domains in accordance with the policies of the security domains involved.CapabilityRegulated
Cross-Domain SolutionnounA form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains.ControlRegulatedCUI
Cross-Market TestsnounCross-market tests are also called market-wide tests or "street tests" that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.ProcessInternal
Crypto OfficernounAn operator or process (subject), acting on behalf of the operator, performing cryptographic initialization or management functions.RoleRegulated
Cryptographic AlarmnounCircuit or device that detects failures or aberrations in the logic or operation of crypto-equipment. Crypto-alarm may inhibit transmission or may provide a visible and/or audible alarm.EventRegulatedCUI
Cryptographic Ancillary EquipmentnounEquipment designed specifically to facilitate efficient or reliable operation of cryptographic equipment, without performing cryptographic functions itself.PhysicalRegulatedCUI
Cryptographic BoundarynounAn explicitly defined continuous perimeter that establishes the physical bounds of a cryptographic module and contains all the hardware, software, and/or firmware components of a cryptographic module.ControlRegulated
Cryptographic ComponentnounHardware or firmware embodiment of the cryptographic logic. A cryptographic component may be a modular assembly, a printed wiring assembly, a microcircuit, or a combination of these items.PhysicalRegulatedCUI
Cryptographic Ignition KeynounDevice or electronic key used to unlock the secure mode of crypto-equipment.CredentialRegulatedCUI
Cryptographic LogicnounThe embodiment of one (or more) cryptographic algorithm(s) along with alarms, checks, and other processes essential to effective and secure performance of the cryptographic process(es).CapabilityRegulated
Cryptographic MaterialnounCOMSEC material used to secure or authenticate information.CredentialRegulatedCUI
Cryptographic ModulenounThe set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the cryptographic boundary of the module.SystemRegulated
Cryptographic Module Validation ProgramnounValidates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography-based standards. The CMVP is a joint effort between National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the government of Canada. Products validated as conforming to FIPS 140-2 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and provide federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.CapabilityRegulatedCUI
Cryptographic ProductnounA cryptographic key (public, private, or shared) or public key certificate, used for encryption, decryption, digital signature, or signature verification; and other items, such as compromised key lists (CKL) and certificate revocation lists (CRL), obtained by trusted means from the same source which validate the authenticity of keys or certificates. Protected software which generates or regenerates keys or certificates may also be considered a cryptographic product.CredentialRestrictedCUI
Cryptographic SecuritynounComponent of COMSEC resulting from the provision of technically sound cryptographic systems and their proper use.CapabilityRegulatedCUI
Cryptographic SynchronizationnounProcess by which a receiving decrypting cryptographic logic attains the same internal state as the transmitting encrypting logic.ProcessRegulated
Cryptographic SystemnounAssociated information assurance items interacting to provide a single means of encryption or decryption.SystemRegulated
Cryptographic System AnalysisnounProcess of establishing the exploitability of a cryptographic system, normally by reviewing transmitted traffic protected or secured by the system under study.ProcessRegulatedCUI
Cryptographic System EvaluationnounProcess of determining vulnerabilities of a cryptographic system and recommending countermeasures.ProcessRegulated
Cryptographic System ReviewnounExamination of a cryptographic system by the controlling authority ensuring its adequacy of design and content, continued need, and proper distribution.ProcessRegulatedCUI
Cryptographic System SurveynounManagement technique in which actual holders of a cryptographic system express opinions on the system's suitability and provide usage information for technical evaluations.ProcessInternal
Currency BalancenounAs at the time calculated, the current amount (positive or negative) of a particular eligible currency included in an account, as indicated on the books and records of CLS Bank. A currency balance is not a separate account.DataRegulated
Custom redirect servicenounThis service enables control over the location of incoming calls or the redirection of calls to various locations or pre-established phone numbers to ensure customer service continuity.CapabilityInternal
customer accessnounA customer’s ability and means to communicate or interact with a system, use system resources or to control system components and functions.CapabilityRegulated
customer accountnounA client's formal contract with an individual or organization whereby the client receives goods or services.IdentityRegulatedPII
customer data privacynounThe ability an organization or individual has to determine what customer data in a computer system can be shared with third parties.RequirementRegulatedPII
customer educational materialnounEducational materials used to inform customers about topics regarding the products and/or services that they use.ArtifactInternal
customer informationnounA term used in the Information Security Standards to mean any record containing non-public personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of a financial institution.DataRegulatedPII
customer information systemnounFor purposes of the Information Security Standards, “customer information systems” means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.SystemRegulatedPII
cyber assetnounProgrammable electronic devices and communication networks including hardware, software and data.SystemRegulatedCUI
Cyber AttacknounAn attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.ThreatRegulated
cyber incidentnounActions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. See Incident.EventRegulated
cyber incident response plannounThe series of actions and processes associated with a security event associated with 'cyberspace' (i.e. the Internet, corporate networks, etc.).ProcessRegulated
cyber incident response roles and responsibilitiesnounThe functions and duties of personnel who are responsible for triaging, and resolving events regarding cybersecurity events that disrupt operations and alerting interested personnel and affected parties in conformance with pertinent standards.ProcessRegulated
cyber infrastructurenounIncludes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. For example: computer systems; control systems (e.g., supervisory control and data acquisition–SCADA); networks, such as the Internet; and cyber services (e.g., managed security services) are part of cyber infrastructure.SystemRegulated
Cyber OperationsnounIn the NICE Workforce Framework, cybersecurity work where a person: Performs activities to gather evidence on criminal or foreign intelligence entities in order to mitigate possible or real-time threats, protect against espionage or insider threats, foreign sabotage, international terrorist activities, or to support other intelligence activities.CapabilityRestrictedCUI
Cyber Operations Planningnounin the NICE Workforce Framework, cybersecurity work where a person: Performs in-depth joint targeting and cyber planning process. Gathers information and develops detailed Operational Plans and Orders supporting requirements. Conducts strategic and operational-level planning across the full range of operations for integrated information and cyberspace operationsProcessRestrictedCUI
cyber resilience frameworknounConsists of the policies, procedures and controls an FMI has established to identify, protect, detect, respond to and recover from the plausible sources of cyber risks it faces.FrameworkRegulated
cyber resilience strategynounAn FMI’s high level principles and medium term plans to achieve its objective of managing cyber risks.ProcessInternal
cyber risk managementnounThe process used by an FMI to establish an enterprise-wide framework to manage the likelihood of a cyber attack and develop strategies to mitigate, respond to, learn from and coordinate its response to the impact of a cyber attack. The management of an FMI’s cyber risk should support the business processes and be integrated in the FMI’s overall risk management framework.ProcessRegulated
cyber risk profilenounThe cyber risk actually assumed, measured at a given point in time.MetricInternal
cyber risk tolerancenounThe propensity to incur cyber risk, being the level of cyber risk that an FMI intends to assume in pursuing its strategic objectives.MetricInternal
cyber supply chain risk assessment processnounThe foundational task in the cyber supply chain risk assessment process, cyber supply chain risk assessments are aimed at identifying and assessing applicable risk of Information and operational technology (IT/OT) outsourcing, diverse distribution routes, assorted technologies, laws, policies, procedures, and practices.ProcessRegulated
Cyber Supply Chain Risk Management PlannounA plan that includes confidentiality, integrity, and availability controls for mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.ProcessInternal
cyber supply chain risk management processnounA detailed description of the steps necessary to mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.ProcessRegulated
cyber system recovery plannounA step-by-step outline of the processes and procedures to be performed to bring a cyber system back to working order after an incident has occurred.ProcessRegulatedCUI
cyber threatnounAn internal or external circumstance, event, action, occurrence, or person with the potential to exploit technology-based vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.ThreatRegulated
cyber threat intelligencenounOrganized, analyzed and refined information about potential or current attacks that threaten an organization. The primary purpose of threat intelligence is helping organizations understand the risks of the most common and severe external threats, such as zero-day threats, advanced persistent threats (APTs) and exploits. Although threat actors also include internal (or insider) and partner threats, the emphasis is on the types that are most likely to affect a particular organization's environment. Threat intelligence includes in-depth information about specific threats to help an organization protect itself from the types of attacks that could do them the most damage. In a military, business or security context, intelligence is information that provides an organization with decision support and possibly a strategic advantage. Threat intelligence is a component of security intelligence and, like SI, includes both the information relevant to protecting an organization from external and inside threats as well as the processes, policies and tools designed to gather and analyze that information. Threat intelligence services provide organizations with current information related to potential attack sources relevant to their businesses; some also offer consultation service.CapabilityRestricted
cyber threat response strategynounA plan of action designed to achieve a long-term or overall aim regarding how to resolve cyber incidents.ProcessInternal
CyberespionagenounActivities conducted in the name of security, business, politics or technology to find information that ought to remain secret. It is not inherently military.ThreatRestrictedCUI
cybersecurity awarenessnounThe extent to which individuals of an organization or those who have access to an organizations information understand their individual responsibilities regarding cybersecurity risks and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats.CapabilityInternal
cybersecurity controlnounPractices and procedures established to protect organizational assets, user assets, and the cyber environment from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.ControlRegulated
cybersecurity eventnounAny act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.EventRegulated
Cybersecurity Framework CorenounA set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.FrameworkPublic
Cybersecurity Framework Implementation TiernounA lens through which to view the characteristics of an organization’s approach to risk—how an organization views cybersecurity risk and the processes in place to manage that risk.FrameworkInternal
cybersecurity incident responsenounThe process of managing and resolving cybersecurity events that disrupt the organization's operations and restoring services.ProcessRegulated
cybersecurity law, rule, or regulationnounAny federal, state, or local statute or ordinance or any rule or regulation adopted according to any federal, state, or local statute or ordinance that deals specifically with the topic of protecting or defending computerized environments, organizational computerized assets, and user’s computerized assets.RequirementRegulated
Cybersecurity outcomenounA Cybersecurity outcome is the business need defined and tiered implementation of the outcomes listed in either the Categories or Subcategories section of Table 2 in the NIST Cybersecurity Framework.RequirementRegulated
cybersecurity plannounFormal document that provides an overview of the cybersecurity requirements for an Information Technology and industrial control system and describes the cybersecurity controls in place or planned for meeting those requirements.RequirementRegulatedCUI
cybersecurity policynounA set of criteria for the provision of security services.RequirementRegulated
Cybersecurity ProfilenounA representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories.ArtifactInternal
cybersecurity programnounAn integrated group of activities designed and managed to meet cybersecurity objectives for the organization and/or the function. A cybersecurity program may be implemented at either the organization or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise.ProcessRegulated
cybersecurity requirementnounRequirements levied on information technology and operational technology that are derived from organizational mission and business needs (in the context of applicable legislation, Executive Orders, directives, policies, standards, instructions, regulations, and procedures) to ensure the confidentiality, integrity, and availability of the services being provided by the organization and the information being processed, stored, or transmitted.RequirementRegulated
cybersecurity risknounA risk to organizational operations (including mission, functions, image, and reputation), resources, and other organizations due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information, information technology, and/or operational technology.ThreatRegulated
cybersecurity trainingnounActivities that are used to teach people about tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.ProcessInternal
CyberwarfarenounActivities supported by military organizations with the purpose of threatening the survival and well-being of a society or foreign entity.ThreatRegulatedCUI
data aggregationnounCompilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary.ProcessRegulatedCUI
data backupnounThe physical copying of data files to a removable storage device that allows the data to be stored in another location.DataRegulated
data breachnounThe unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.EventRegulated
Data centernounA facility that houses an institution's most important information systems components, including computer systems, telecommunications components, and storage systems.PhysicalRegulated
Data classification programnounA program that categorizes data to convey required safeguards for information confidentiality, integrity, and availability; establishes controls required based on value and level of sensitivity.ProcessInternal
Data Encryption AlgorithmnounThe DEA cryptographic engine that is used by the Triple Data Encryption Algorithm (TDEA).ControlRegulated
Data Encryption StandardnounCryptographic algorithm designed for the protection of unclassified data and published by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standard (FIPS) Publication 46. (FIPS 46-3 withdrawn 19 May 2005) See Triple DES.ControlRegulated
data lossnounThe exposure of proprietary, sensitive, or classified information through either data theft or data leakage.EventRegulatedIP
Data loss prevention (DLP) programnounA comprehensive approach (covering people, processes, and systems) of implementing policies and controls designed specifically to discover, monitor, and protect confidential data wherever it is stored, used, or in transit over the network and at the perimeter.ProcessRegulated
Data retentionnounRefers to the policies that govern data and records management for meeting internal, legal and regulatory data archival requirements.RequirementRegulated
data storage medianounThe physical form of how data is stored (e.g. magnetic tape, CD-ROM, paper).PhysicalRegulated
Data Transfer DevicenounFill device designed to securely store, transport, and transfer electronically both COMSEC and TRANSEC key, designed to be backward compatible with the previous generation of COMSEC common fill devices, and programmable to support modern mission systems.PhysicalRegulatedCUI
Data-At-RestnounRefers to all data stored on hard drives, thumb drives, DVDs, CDs, floppy diskettes, and similar storage media. It excludes data that is traversing a network or temporarily residing in computer memory to be read or updated.DataRegulated
Daylight overdraftnounA daylight overdraft occurs at any point in the business day when the balance in an institution's account becomes negative. Daylight overdrafts can occur in accounts at Federal Reserve Banks as well as at private financial institutions. Daylight credit can also arise in the form of net debit positions of participants in private payment systems. A daylight overdraft occurs at a Federal Reserve Bank when there are insufficient funds in an institution's Federal Reserve Bank account to cover outgoing funds transfers or incoming book-entry securities transfers. An overdraft can also be the result of other payment activity processed by the Federal Reserve Bank, such as check or automated clearinghouse transactions.EventRegulated
Debit cardnounA payment card issued as either a PIN-based debit (ATM) card or as a signature-based debit card from one of the bankcard associations. A payment card issued to a person for purchasing goods and services through an electronic transfer of funds from a demand deposit account rather than using cash, checks, or drafts at the point-of-sale.PhysicalRegulatedPCI
Debit entrynounAn entry to the record of an account to represent the transfer or removal of funds from the account.DataRegulated
DecertificationnounRevocation of the certification of an information system item or equipment for cause.EventRegulated
Decryption keynounA digital piece of information used to recover plaintext from the corresponding ciphertext by decryptionCredentialRestricted
Dedicated ModenounInformation systems security mode of operation wherein each user, with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts, has all of the following: 1. valid security clearance for all information within the system, 2. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs), and 3. valid need-to-know for all information contained within the information system. When in the dedicated security mode, a system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time.RequirementRegulatedCUI
Default ClassificationnounClassification reflecting the highest classification being processed in an information system. Default classification is included in the caution statement affixed to an object.RequirementRegulatedCUI
DegaussnounProcedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Also called demagnetizing.ProcessRegulatedCUI
Delegated Development ProgramnounINFOSEC program in which the Director, NSA, delegates, on a case-by-case basis, the development and/or production of an entire telecommunications product, including the INFOSEC portion, to a lead department or agency.ProcessRegulatedCUI
DepositorynounAn institution that holds funds or marketable securities for safekeeping. Depositories may be privately or publicly operated and allow securities transfers through book-entry and offer funds accounts permitting funds transfers as a means of payment.PhysicalRegulatedPCI
Depository banknounThe institution at which a check is first deposited. While this term is often used interchangeably with "depository," "depositary" is a term of art in laws and regulations related to check processing.OrganizationRegulated
Depository bank (Check 21)nounAlso known as Bank of First Deposit (BOFD). The first bank to which a check is transferred even though it is also the paying bank or the payee. A check deposited in an account is deemed to be transferred to the financial institution holding the account into which the check is deposited, even though the check is physically received and endorsed first by another financial institution.OrganizationRegulatedPCI
Descriptive Top-Level SpecificationnounA natural-language description of a system’s security requirements, an informal design notation, or a combination of the two.RequirementRegulatedCUI
destructionnounRemoval of an asset from existence, ensuring that the media cannot be reused as originally intended and that the information is virtually impossible, or prohibitively expensive, to recover.ProcessRegulated
destruction of datanounThe complete physical destruction of data or of the data carrier containing them.ProcessRegulated
Deterministic Random Bit GeneratornounA Random Bit Generator (RBG) that includes a DRBG mechanism and (at least initially) has access to a source of entropy input. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A DRBG is often called a Pseudorandom Number (or Bit) Generator.CapabilityRegulated
Deterministic Random Bit Generator MechanismnounThe portion of an RBG that includes the functions necessary to instantiate and uninstantiate the RBG, generate pseudorandom bits, (optionally) reseed the RBG and test the health of the DRBG mechanism.CapabilityRegulated
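The two DRBG entries above list the functions a DRBG mechanism must provide: instantiate, generate, reseed, uninstantiate, and a health test. The following is an added example (not code from this glossary or from NIST) of an HMAC_DRBG mechanism in the shape SP 800-90A describes, using SHA-256. The entropy source is deliberately outside the mechanism, exactly as the definition says: the caller supplies entropy input. The reseed interval of 2^20 is an assumption chosen for the example; the real limit is a parameter of the mechanism.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const reseedInterval = 1 << 20 // assumed for this example; SP 800-90A permits up to 2^48

// HmacDRBG is an HMAC_DRBG mechanism (SP 800-90A, SHA-256): working state K and V plus the reseed counter.
type HmacDRBG struct {
	k, v          []byte
	reseedCounter uint64
	instantiated  bool
}

func hmacSum(key []byte, parts ...[]byte) []byte {
	mac := hmac.New(sha256.New, key)
	for _, p := range parts {
		mac.Write(p)
	}
	return mac.Sum(nil)
}

// update is HMAC_DRBG_Update: folds providedData (possibly empty) into K and V.
func (d *HmacDRBG) update(providedData []byte) {
	d.k = hmacSum(d.k, d.v, []byte{0x00}, providedData)
	d.v = hmacSum(d.k, d.v)
	if len(providedData) == 0 {
		return
	}
	d.k = hmacSum(d.k, d.v, []byte{0x01}, providedData)
	d.v = hmacSum(d.k, d.v)
}

// Instantiate derives the initial state from entropy input, a nonce and a personalization string.
func Instantiate(entropy, nonce, personalization []byte) (*HmacDRBG, error) {
	if len(entropy) < 32 { // 256-bit strength needs at least 256 bits of entropy input
		return nil, errors.New("drbg: insufficient entropy input")
	}
	d := &HmacDRBG{k: make([]byte, 32), v: bytes.Repeat([]byte{0x01}, 32)}
	d.update(append(append(append([]byte{}, entropy...), nonce...), personalization...))
	d.reseedCounter, d.instantiated = 1, true
	return d, nil
}

// Reseed mixes fresh entropy into the state and restarts the reseed counter.
func (d *HmacDRBG) Reseed(entropy, additional []byte) error {
	if !d.instantiated || len(entropy) < 32 {
		return errors.New("drbg: not instantiated or insufficient entropy input")
	}
	d.update(append(append([]byte{}, entropy...), additional...))
	d.reseedCounter = 1
	return nil
}

// Generate returns n pseudorandom bytes and refuses once the reseed interval is exhausted.
func (d *HmacDRBG) Generate(n int, additional []byte) ([]byte, error) {
	if !d.instantiated || d.reseedCounter > reseedInterval {
		return nil, errors.New("drbg: not instantiated or reseed required")
	}
	if len(additional) > 0 {
		d.update(additional)
	}
	var out []byte
	for len(out) < n {
		d.v = hmacSum(d.k, d.v)
		out = append(out, d.v...)
	}
	d.update(additional) // advance K and V so earlier output cannot be recovered from the state
	d.reseedCounter++
	return out[:n], nil
}

// Uninstantiate zeroises the state so the seed cannot later be read out of memory.
func (d *HmacDRBG) Uninstantiate() {
	for i := range d.k {
		d.k[i], d.v[i] = 0, 0
	}
	d.reseedCounter, d.instantiated = 0, false
}

// HealthTest: identical seeds must give identical output, and short entropy must be rejected.
func HealthTest() bool {
	seed := make([]byte, 32) // constructed fixed seed for the self-test
	a, _ := Instantiate(seed, nil, []byte("health"))
	b, _ := Instantiate(seed, nil, []byte("health"))
	x, _ := a.Generate(64, nil)
	y, _ := b.Generate(64, nil)
	_, errShort := Instantiate(seed[:16], nil, nil)
	return hmac.Equal(x, y) && errShort != nil
}

func main() {
	entropy := make([]byte, 32)
	rand.Read(entropy) // crypto/rand; since Go 1.24 this never returns an error
	d, _ := Instantiate(entropy, []byte("nonce"), []byte("glossary example"))
	out, _ := d.Generate(16, nil)
	d.Uninstantiate()
	fmt.Printf("%x health=%v\n", out, HealthTest())
}
```

The point a practitioner should take from this is the separation the definitions draw: the mechanism is fully deterministic given its seed (which is what makes known-answer health tests possible), so its security rests entirely on the entropy input and on zeroising the state at uninstantiate.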
Device Distribution ProfilenounAn approval-based Access Control List (ACL) for a specific product that 1) names the user devices in a specific key management infrastructure (KMI) Operating Account (KOA) to which PRSNs distribute the product, and 2) states conditions of distribution for each device.ControlRegulatedCUI
device managementnounManaging the implementation, operation, and maintenance of a physical and/or virtual device. This includes the use of various administrative tools and processes for the maintenance and upkeep of a computing, network, mobile and/or virtual device.ProcessRegulated
Differential Power AnalysisnounAn analysis of the variations of the electrical power consumption of a cryptographic module, using advanced statistical methods and/or other techniques, for the purpose of extracting information correlated to cryptographic keys used in a cryptographic algorithm.ThreatRegulated
Digital EnvelopenounA message encrypted under a symmetric session key, packaged together with that session key encrypted under the recipient's public key.DataRegulated
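An added example of the two-part structure the Digital Envelope entry describes (this is not code from the glossary or from any standard it cites): the message is encrypted with a fresh AES-256-GCM session key, and the session key is wrapped with RSA-OAEP under the recipient's public key. The OAEP label string and the sample message are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the two-part object the glossary describes: the message encrypted under a one-time
// symmetric session key, plus that session key encrypted under the recipient's RSA public key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(session key)
	Nonce      []byte // AES-GCM nonce, unique per session key
	Ciphertext []byte // AES-GCM(message) with the authentication tag appended
}

var oaepLabel = []byte("envelope-v1") // assumed context label; binds the wrapped key to this use

// Seal builds an envelope for the holder of recipient.
func Seal(recipient *rsa.PublicKey, message []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // AES-256 session key, fresh for every message
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, message, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	for i := range sessionKey { // the sender keeps no copy of the plaintext session key
		sessionKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the session key with the recipient's private key, then authenticates and
// decrypts the message. Either a wrong key or a modified ciphertext yields an error.
func Open(recipient *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("wire transfer approved, ref 0042") // constructed sample message
	env, err := Seal(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	pt, err := Open(priv, env)
	fmt.Printf("opened: %q err=%v\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // a single modified byte fails the GCM tag check
	_, err = Open(priv, env)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

Using an authenticated mode (GCM) for the message is the check a practitioner wants here: the envelope definition only promises confidentiality, and a plain CBC or CTR envelope would decrypt tampered ciphertext without complaint.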
Digital forensicsnounThe application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.ProcessRegulated
Digital signaturenounAn asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation.CredentialRegulated
Digital Signature StandardnounThe US Government standard (FIPS 186) that specifies the Digital Signature Algorithm (DSA) and the other approved asymmetric signature algorithms, such as RSA and ECDSA.FrameworkRegulated
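An added example (not from the glossary) of the asymmetric operation the Digital signature entry describes, using ECDSA over P-256, one of the algorithms approved under the Digital Signature Standard: the private key signs, the public key verifies, and the two failure cases show the integrity and authenticity properties. The sample record text is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignData signs the SHA-256 digest of data with the private key (ECDSA over P-256, one of the
// algorithms approved in FIPS 186-4). The signature is DER-encoded (r, s).
func SignData(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyData checks the signature with the public key only. A true result means the data is
// unchanged since signing (integrity) and was signed by the matching private key (authenticity).
func VerifyData(pub *ecdsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	record := []byte("approve payment 1000.00 to account 12345") // constructed sample record
	sig, err := SignData(signer, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine record verifies:   ", VerifyData(&signer.PublicKey, record, sig))
	altered := []byte("approve payment 9000.00 to account 12345")
	fmt.Println("altered record verifies:   ", VerifyData(&signer.PublicKey, altered, sig))
	impostor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println("other party's key verifies:", VerifyData(&impostor.PublicKey, record, sig))
}
```

Non-repudiation, the third property in the definition, is not something the code can demonstrate: it follows only if the private key has stayed private, which is why the glossary files a signature under Credential rather than Data.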
Direct debitnounElectronic transfer, usually through ACH, out of an individual's checking (or savings) account to pay bills, such as mortgage payments, insurance premiums, and utility payments. Also referred to as "direct payment."DataRegulatedPII
Direct depositnounElectronic deposits or credit, usually through ACH, to an individual's deposit account. Common uses of direct deposit include payroll payments, Social Security benefits, and income from investments such as CDs, annuities, and mutual funds.DataRegulatedPII
Direct presentmentnounDepositary banks can present checks directly to the paying institution. The paying institution may be the depositary bank (no settlement is needed), or, if not, may settle on the books of the Federal Reserve, using the Federal Reserve's national settlement service.ProcessRegulated
Direct ShipmentnounShipment of COMSEC material directly from NSA to user COMSEC accounts.ProcessRegulatedCUI
Disasternoun1. A sudden, unplanned calamitous event causing great damage or loss. Any event that creates an inability on an enterprise's part to provide critical business functions for some predetermined period of time. Similar terms are business interruption, outage and catastrophe. 2. The period when enterprise management decides to divert from normal production responses and exercises its disaster recovery plan (DRP). It typically signifies the beginning of a move from a primary location to an alternate location.EventRegulated
Disaster recovery plannounManagement policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The DRP is the second plan needed by the enterprise risk managers and is used when the enterprise must recover (at its original facilities) from a loss of capability over a period of hours or days. See Continuity of Operations Plan and Contingency Plan.ProcessInternal
Disk ImagingnounGenerating a bit-for-bit copy of the original media, including free space and slack space.ProcessRegulated
disposalnounThe final disposition of regulated data, either by discarding media that needs no further sanitization or by transferring records to their final state: destruction, or transfer to an archive.ProcessRegulatedCUI
Distinguishing IdentifiernounInformation which unambiguously distinguishes an entity in the authentication process.CredentialRestrictedPII
Drop AccountabilitynounProcedure under which a COMSEC account custodian initially receipts for COMSEC material, and provides no further accounting for it to its central office of record. Local accountability of the COMSEC material may continue to be required. See Accounting Legend Code.ProcessRegulatedCUI
Due carenounThe level of care expected from a reasonable person of similar competency under similar conditionsRequirementRegulated
due diligencenounTaking reasonable action in order to comply with a law or industry standard.ProcessRegulated
Due diligence for service provider selectionnounTechnical, functional, and financial review to verify a third-party service provider's ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients.ProcessInternal
due diligence processnounThe series of actions an organization takes to implement the steps needed to ensure they respect human rights and do not contribute to conflict.ProcessRegulated
Dumpster DivingnounDumpster Diving is obtaining passwords and corporate directories by searching through discarded media.ThreatRestrictedIP
Duplicate Digital EvidencenounA duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media.ArtifactRegulatedCUI
DurationnounA field within a certificate that is composed of two subfields: “date of issue” and “date of next issue.”ArtifactRestricted
E-BankingnounThe remote delivery of new and traditional banking products and services through electronic delivery channels.SystemRegulatedPCI
E-GovernmentnounThe use by the U.S. government of Web-based Internet applications and other information technology.CapabilityRegulatedCUI
Eavesdropping AttacknounAn attack in which an Attacker listens passively to the authentication protocol to capture information which can be used in a subsequent active attack to masquerade as the Claimant.ThreatRegulated
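The Eavesdropping Attack entry hinges on whether what the Claimant sends can be reused. The following added example (not code from the glossary) simulates a passive attacker against two protocols: one where the claimant transmits the shared secret itself, and a nonce-based challenge-response where only HMAC(secret, nonce) crosses the wire. The shared secret, the nonce length and the HMAC construction are assumptions chosen for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verifier holds the secret shared with the claimant (assumed here to be a random key; a real
// password-based protocol would first derive it with a salted KDF) and the challenges it has
// issued but not yet seen answered.
type Verifier struct {
	secret []byte
	open   map[string]bool
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, open: map[string]bool{}}
}

// CheckStatic is the weak protocol: the claimant sends the shared secret itself over the wire.
func (v *Verifier) CheckStatic(token []byte) bool {
	return hmac.Equal(v.secret, token)
}

// Challenge issues a fresh random nonce for one authentication attempt.
func (v *Verifier) Challenge() []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	v.open[hex.EncodeToString(nonce)] = true
	return nonce
}

// Respond is the claimant's side: prove knowledge of the secret without transmitting it.
func Respond(secret, nonce []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(nonce)
	return mac.Sum(nil)
}

// CheckResponse accepts a response only for a challenge it issued and has not yet consumed.
func (v *Verifier) CheckResponse(nonce, response []byte) bool {
	key := hex.EncodeToString(nonce)
	if !v.open[key] {
		return false
	}
	delete(v.open, key)
	return hmac.Equal(Respond(v.secret, nonce), response)
}

// Simulate runs a passive attacker against both protocols. It returns whether replaying the
// captured traffic succeeds against the static protocol and against challenge-response.
func Simulate() (staticReplayOK, challengeReplayOK bool) {
	secret := []byte("constructed shared secret, 32 bytes!")
	v := NewVerifier(secret)

	// Protocol A. Wire: claimant -> verifier: secret. The attacker records it and replays it.
	captured := append([]byte{}, secret...)
	staticReplayOK = v.CheckStatic(captured)

	// Protocol B. Wire: verifier -> claimant: nonce1; claimant -> verifier: HMAC(secret, nonce1).
	nonce1 := v.Challenge()
	response1 := Respond(secret, nonce1)
	v.CheckResponse(nonce1, response1) // the legitimate session completes and consumes nonce1
	capturedNonce, capturedResp := append([]byte{}, nonce1...), append([]byte{}, response1...)

	// Later the attacker opens a session. The verifier issues nonce2; the attacker cannot compute
	// HMAC(secret, nonce2), and replaying the old pair is refused because nonce1 is consumed.
	nonce2 := v.Challenge()
	challengeReplayOK = v.CheckResponse(nonce2, capturedResp) || v.CheckResponse(capturedNonce, capturedResp)
	return staticReplayOK, challengeReplayOK
}

func main() {
	a, b := Simulate()
	fmt.Printf("replay works against static secret: %v\nreplay works against challenge-response: %v\n", a, b)
}
```

The caveat that matters in practice: challenge-response only removes the replay; if the secret is a weak password, the captured HMAC(secret, nonce) still supports an offline guessing attack, which is why the example assumes a random key.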
ecosystemnounA system or group of interconnected elements, formed linkages and dependencies. For an FMI, this may include participants, linked FMIs, service providers, vendors and vendor products.SystemRegulated
Electricity Sector Information Sharing and Analysis CenternounThe Electricity Sector Information Sharing and Analysis Center (ES-ISAC) shares critical information with industry participants about infrastructure protection. The ES-ISAC serves the electricity sector by facilitating communications between electricity sector participants, federal governments, and other critical infrastructures. It is the job of the ES-ISAC to promptly disseminate threat indications, vulnerabilities, analyses, and warnings, together with interpretations, to help electricity sector participants take protective actions.OrganizationRegulatedCUI
electronic accessnounThe right or opportunity to use or retrieve something or enter a place through electronic means.ControlRegulated
electronic access controlnounA cyber asset that performs electronic access control of the Electronic Security Perimeter(s) or BES Cyber Systems.ControlRegulatedCUI
Electronic Access PointnounA Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.NetworkRegulatedCUI
Electronic Benefits Transfer (EBT)nounA type of EFT system involving the transfer of public entitlement payments, such as welfare or food stamps, through direct deposit or point-of-sale technology (see POS). The recipient can be given an identification card, similar to a benefit card, and a PIN allowing access to the benefits through an electronic network.SystemRegulatedPII
Electronic bill presentment and payment (EBPP)nounAn electronic alternative to traditional bill payment, allowing a merchant or utility to present its customers with an electronic bill and the payer to pay the bill electronically. EBPP systems usually fall within two models: direct and consolidation-aggregation. In the direct model, the merchant or utility generates an electronic version of the consumer's billing information, and notifies the consumer of a pending bill, generally via e-mail. The consumer can initiate payment of the electronically presented bill using a variety of payment mechanisms, typically a credit card. In the consolidation-aggregation model, the consumer's bills are consolidated by a consolidator acting on behalf of merchants and utilities (or aggregated on behalf of the consumer), combining data from multiple bills and presenting a single source for the consumer to initiate payment. Some consolidators present bills at their own web sites; most also support the aggregation of bills by consumer service providers such as Internet portals, financial institutions, and brokerage web sites.SystemRegulatedPCI
Electronic check conversionnounThe process by which a check is used as a source of information for the check number, the customer's account number, and the number that identifies the financial institution. The information is used to make a one-time electronic payment from the customer's account -- an electronic fund transfer. The check itself is not the method of payment.ProcessRegulatedPII
Electronic check presentment (ECP)nounCheck truncation methodology in which the paper check's MICR line information is captured and stored electronically for presentment. The physical checks may or may not be presented after the electronic files are delivered, depending on the type of ECP service that is used.ProcessRegulatedPCI
Electronic CredentialsnounDigital documents used in authentication that bind an identity or an attribute to a subscriber's token.CredentialRestrictedCUI
Electronic data capture (EDC)nounProcess used for capturing and transferring the encoded information on the magnetic stripe from a bankcard or debit card at the point-of-sale to the processor's database.ProcessRegulatedPCI
Electronic EvidencenounInformation and data of investigative value that is stored on or transmitted by an electronic device.ArtifactRegulated
electronic funds transfernounThe use of telecommunications networks to transfer funds from one financial institution, such as a bank, to another, or to withdraw funds from one's own account to deposit in a creditor's.ProcessRegulatedPCI
Electronic funds transfer (EFT)nounA generic term describing any transfer of funds between parties or depository institutions through electronic data systems.ProcessRegulatedPCI
Electronic Funds Transfer Act (EFTA)nounThe Electronic Funds Transfer Act and Regulation E are designed to ensure adequate disclosure of basic terms, costs, and rights relating to electronic fund transfer (EFT) services provided to consumers. Institutions offering EFT services must disclose to consumers certain information, including: initial and updated EFT terms, transaction information, periodic statements of activity, the consumer's potential liability for unauthorized transfers, and error resolution rights and procedures. EFT services include automated teller machines, telephone bill payment, point-of-sale transfers in retail stores, fund transfers initiated through the Internet, and pre-authorized transfers to or from a consumer's account.FrameworkRegulated
electronic funds transfer activitynounAny transfer of funds which is initiated through an electronic terminal, telephonic instrument, computer, or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account. ... These are normally considered retail funds transfer systems.DataRegulatedPCI
electronic funds transfer functionnounAny activity that corresponds with or relates to the transfer of funds electronicallyCapabilityRegulated
Electronic funds transfer point of sale equipmentnounAny instruments or machinery required for an electronic transfer of money to take place.PhysicalRegulatedPCI
Electronic Key EntrynounThe entry of cryptographic keys into a cryptographic module using electronic methods such as a smart card or a key-loading device. (The operator of the key may have no knowledge of the value of the key being entered.)ProcessRegulatedCUI
Electronic Key Management SystemnounInteroperable collection of systems being developed by services and agencies of the U.S. government to automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic key and management of other types of COMSEC material.SystemRegulatedCUI
Electronic Messaging ServicesnounServices providing interpersonal messaging capability; meeting specific functional, management, and technical requirements; and yielding a business-quality electronic mail service suitable for the conduct of official government business.CapabilityRegulatedCUI
Electronic Security PerimeternounThe logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.NetworkRegulatedCUI
electronic signaturenounThe process of applying any mark in electronic form with the intent to sign a data object. See also Digital Signature.CredentialRegulated
Electronic vaultingnounA back-up procedure that copies changed files and transmits them to an off-site location using a batch process.ProcessRegulated
Electronically Generated KeynounKey generated in a COMSEC device by introducing (either mechanically or electronically) a seed key into the device and then using the seed, together with a software algorithm stored in the device, to produce the desired key.CredentialRegulatedCUI
Electronically-created payment ordersnounThese are payment orders received by merchants from consumers, typically by telephone or the Internet. These payment orders are processed through the check processing system although they were not initiated as paper checks. These payment orders are not subject to check law and are not warranted by the Federal Reserve Banks.DataRegulatedPCI
elevated accessnounRoles or permissions that, if misused or compromised, could allow a person to exploit the system for his or her own gain or illicit purpose.ControlRegulated
Emanations AnalysisnounGaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but is not intended to communicate the data.CapabilityRestrictedCUI
Emanations SecuritynounProtection resulting from measures taken to deny unauthorized individuals information derived from intercept and analysis of compromising emissions from crypto-equipment or an information system. See TEMPEST.ControlRegulatedCUI
Embedded Cryptographic SystemnounCryptosystem performing or controlling a function as an integral element of a larger system or subsystem.SystemRegulatedCUI
Emergency plannounThe steps to be followed during and immediately after an emergency such as a fire, tornado, bomb threat, etc.ProcessInternal
employee accessnounThe privileges to gain entry to somewhere or to use something given only to employees.ControlRegulated
EnclavenounCollection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.SystemRegulated
Enclave BoundarynounPoint at which an enclave’s internal network service layer connects to an external network’s service layer, i.e., to another enclave or to a Wide Area Network (WAN).NetworkRegulated
Encrypted KeynounA cryptographic key that has been encrypted using an Approved security function with a key encrypting key, a PIN, or a password in order to disguise the value of the underlying plaintext key.CredentialRegulatedCUI
Encrypted NetworknounA network on which messages are encrypted (e.g., using DES, AES, or other appropriate algorithms) to prevent reading by unauthorized parties.NetworkRestricted
Encryption keynounA piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertextCredentialRestrictedCUI
End Cryptographic UnitnounDevice that (1) performs cryptographic functions, (2) typically is part of a larger system for which the device provides security services, and (3) from the viewpoint of a supporting security infrastructure (e.g., a key management system), is the lowest level of identifiable component with which a management transaction can be conducted.SystemRegulatedCUI
End-Item AccountingnounAccounting for all the accountable components of a COMSEC equipment configuration by a single short title.ProcessRegulatedCUI
End-to-end recoverabilitynounThe ability of an institution to recover a business process from initiation, such as customer contact, through process finalization, such as transaction closure.CapabilityRegulated
Engagement LetternounThis record contains formal agreements to perform services in exchange for compensation.ArtifactConfidential
entrance of a visitornounThis Triggering Event takes place when a visitor enters the organization's facility.EventInternal
EntrapmentnounDeliberate planting of apparent flaws in an IS for the purpose of detecting attempted penetrations.ControlRestricted
entry pointnounAn entry point is a memory address, corresponding to a point in the code of a computer program, which is intended as the destination of a long jump, whether internal or external.SystemRegulated
Ephemeral KeynounA cryptographic key that is generated for each execution of a key establishment process and that meets other requirements of the key type (e.g., unique to each message or session). In some cases, ephemeral keys are used more than once within a single session (e.g., broadcast applications) where the sender generates only one ephemeral key pair per message, and the private key is combined separately with each recipient’s public key.CredentialRestricted
Error Detection CodenounA code computed from data and comprised of redundant bits of information designed to detect, but not correct, unintentional changes in the data.ControlRegulated
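An added example (not from the glossary) of the "detect, but not correct" distinction in the Error Detection Code entry, using CRC-32 as the code. It also shows the limit a security engineer has to keep in mind: the code catches unintentional change, but an adversary can simply recompute it. The payload strings are constructed for the example.

```go
package main

import (
	"fmt"
	"hash/crc32"
)

// Frame is a data block with its CRC-32, an error detection code: redundant bits that reveal
// that the data changed, but not which bits, so nothing can be repaired from them.
type Frame struct {
	Data  []byte
	Check uint32
}

func Encode(data []byte) Frame {
	return Frame{Data: append([]byte{}, data...), Check: crc32.ChecksumIEEE(data)}
}

// Verify recomputes the code over the received data and compares it with the received code.
func Verify(f Frame) bool {
	return crc32.ChecksumIEEE(f.Data) == f.Check
}

// FlipBit returns a copy of f with one data bit inverted, simulating a storage or link error.
func FlipBit(f Frame, bytePos int, bit uint) Frame {
	c := Frame{Data: append([]byte{}, f.Data...), Check: f.Check}
	c.Data[bytePos] ^= 1 << bit
	return c
}

// AllSingleBitErrorsDetected exhaustively flips every bit of data and confirms each is caught;
// a CRC whose polynomial has more than one term always detects single-bit errors.
func AllSingleBitErrorsDetected(data []byte) bool {
	f := Encode(data)
	for i := range f.Data {
		for bit := uint(0); bit < 8; bit++ {
			if Verify(FlipBit(f, i, bit)) {
				return false
			}
		}
	}
	return true
}

// Forge shows why an error detection code is not an integrity control against an adversary:
// anyone can recompute the CRC for whatever data they like, so Verify passes.
func Forge(newData []byte) Frame {
	return Encode(newData)
}

func main() {
	f := Encode([]byte("constructed payload 0042")) // constructed sample data
	fmt.Println("clean frame verifies:          ", Verify(f))
	fmt.Println("one flipped bit verifies:      ", Verify(FlipBit(f, 5, 3)))
	fmt.Println("all single-bit errors detected:", AllSingleBitErrorsDetected(f.Data))
	fmt.Println("attacker-forged frame verifies:", Verify(Forge([]byte("attacker payload 9999"))))
}
```

Where the threat is deliberate modification rather than noise, the check has to be keyed (an HMAC) or signed; the CRC belongs next to the "unintentional changes" wording of the definition, not in place of a MAC.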
escrownounSomething (e.g., a document, an encryption key) that is "delivered to a third person to be given to the grantee only upon the fulfillment of a condition."ArtifactRegulated
Escrow PasswordsnounEscrow Passwords are passwords that are written down and stored in a secure location (like a safe) that are used by emergency personnel when privileged personnel are unavailable.CredentialRestricted
Evaluation Assurance LevelnounSet of assurance requirements that represent a point on the Common Criteria predefined assurance scale.RequirementRegulated
Evaluation Products ListnounList of validated products that have been successfully evaluated under the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS).ArtifactPublicPublicInfo
event lognounA basic resource that helps provide information about network traffic, usage and other conditions. An event log stores these data for retrieval by security professionals or automated security systems to help network administrators manage various aspects such as security, performance and transparency.ArtifactRegulated
event loggingnounRecording the actions performed on a system.ArtifactRegulated
Exculpatory EvidencenounEvidence that tends to decrease the likelihood of fault or guilt.ArtifactRestricted
execution statusnounThe status of the implementation or enactment of a plan, order, or course of action.MetricRegulated
Executive AgencynounAn executive department specified in 5 United States Code (U.S.C.), Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.OrganizationRegulatedCUI
Exercise KeynounCryptographic key material used exclusively to safeguard communications transmitted over-the-air during military or organized civil training exercises.CredentialRegulatedCUI
Expected OutputnounAny data collected from monitoring and assessments as part of the Information Security Continuous Monitoring (ISCM) strategy.DataInternalCUI
Exploit CodenounA program that allows attackers to automatically break into a system.VulnerabilityRestricted
Exploitable ChannelnounChannel that allows the violation of the security policy governing an information system and is usable or detectable by subjects external to the trusted computing base. See Covert Channel.VulnerabilityRestricted
exposurenounThe potential loss to an area due to the occurrence of an adverse event.VulnerabilityRegulated
Exposure limitnounIn reference to the settlement of operating services, this is the maximum amount an ACH originator is allowed to originate. This amount can be based on the originator's credit rating, historical or predicted funding requirements, and the type of obligation.RequirementRegulated
Extensible Configuration Checklist Description FormatnounSCAP language for specifying checklists and reporting checklist results.FrameworkInternal
external connectionnounA link between a system within the organizational boundaries and a secondary (or multiple) system(s) outside of the organizational boundaries.NetworkRegulated
external connectivitynounA computer or network connection to an outside, uncontrolled network that is unprotected by perimeter security, e.g., a modem connection to a network computer.NetworkRegulated
external information systemnounAn information system or component of an information system that is outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.SystemRegulated
External Information System or ComponentnounAn information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.SystemRegulated
External Information System ServicenounAn information system service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.SystemRegulated
External Information System Service ProvidernounA provider of external information system services to an organization through a variety of consumer-producer relationships, including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges.OrganizationRegulated
external requirementnounAny law, contractual obligation, code of connection, service level agreement, or even international agreement.RequirementRegulated
external routable connectivitynounThe ability to access a Bulk Electric System Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.NetworkRegulated
external usernounIndividuals that are non-workforce members or personnel who are authorized by customers, entity management, or other authorized persons to interact with the system.IdentityRegulated
Extraction ResistancenounCapability of crypto-equipment or secure telecommunications equipment to resist efforts to extract key.ControlRegulated
Failure AccessnounType of incident in which unauthorized access to data results from hardware or software failure.EventRegulated
False AcceptancenounIn biometrics, the instance of a security system incorrectly verifying or identifying an unauthorized person. It typically is considered the most serious of biometric security errors as it gives unauthorized users access to systems that expressly are trying to keep them out.VulnerabilityRegulated
False RejectionnounIn biometrics, the instance of a security system failing to verify or identify an authorized person. It does not necessarily indicate a flaw in the biometric system; for example, in a fingerprint-based system, an incorrectly aligned finger on the scanner or dirt on the scanner can result in the scanner misreading the fingerprint, causing a false rejection of the authorized user.EventRegulated
Federal Bridge Certification AuthoritynounThe Federal Bridge Certification Authority consists of a collection of Public Key Infrastructure components (Certificate Authorities, Directories, Certificate Policies and Certificate Practice Statements) that are used to provide peer-to-peer interoperability among Agency Principal Certification Authorities.SystemRegulatedCUI
Federal Bridge Certification Authority MembranenounThe Federal Bridge Certification Authority Membrane consists of a collection of Public Key Infrastructure components including a variety of Certification Authority PKI products, Databases, CA specific Directories, Border Directory, Firewalls, Routers, Randomizers, etc.SystemRegulatedCUI
Federal Bridge Certification Authority Operational AuthoritynounThe Federal Bridge Certification Authority Operational Authority is the organization selected by the Federal Public Key Infrastructure Policy Authority to be responsible for operating the Federal Bridge Certification Authority.OrganizationRegulatedCUI
Federal Enterprise ArchitecturenounA business-based framework for governmentwide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.FrameworkInternal
Federal Information Processing StandardnounA standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.FrameworkRegulatedCUI
Federal Information Security Management ActnounA statute (Title III, P.L. 107-347) that requires agencies to assess risk to information systems and provide information security protections commensurate with the risk. FISMA also requires that agencies integrate information security into their capital planning and enterprise architecture processes, conduct annual information systems security reviews of all programs and systems, and report the results of those reviews to OMB.FrameworkRegulated
Federal Information SystemnounAn information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.SystemRegulatedCUI
Federal Information Systems Security Educators’ AssociationnounAn organization whose members come from federal agencies, industry, and academic institutions devoted to improving the IT security awareness and knowledge within the federal government and its related external workforce.OrganizationInternal
Federal Reserve BanksnounThe Federal Reserve Banks provide a variety of financial services including retail and wholesale payments. The Federal Reserve Bank operates a nationwide system for clearing and settling checks drawn on depository institutions located in all regions of the United States.OrganizationRegulated
federal securities lawnounConsists of a handful of laws passed between 1933 and 1940, as well as legislation enacted in 1970. The federal laws stem from Congress's power to regulate interstate commerce. Therefore the laws are generally limited to transactions involving transportation or communication using interstate commerce or the mail.FrameworkRegulated
FedwirenounThe Federal Reserve Bank's nationwide real-time gross settlement electronic funds and securities transfer network. Fedwire® is a credit transfer system. Each funds transfer is settled individually against an institution's reserve or clearing account on the books of the Federal Reserve. The transaction is considered an irrevocable payment as it is processed.NetworkRegulated
Fedwire Funds ServicenounThe Federal Reserve Banks' high-speed electronic funds transfer system. As a real-time gross settlement system, the Fedwire® Funds Service processes and settles individual payments between participants immediately in central bank money. Once processed, these payments are final.SystemRegulated
Fedwire Securities ServicenounThe Federal Reserve Banks' high-speed electronic payments system for maintaining securities accounts and for effecting securities transfers. The Fedwire® Securities Service provides a real-time, delivery-versus-payment (DVP), gross settlement system that allows for the immediate, simultaneous transfer of securities against payment. Once processed, securities transfers are final.SystemRegulated
Fill DevicenounCOMSEC item used to transfer or store key in electronic form or to insert key into cryptographic equipment.PhysicalRegulatedCUI
FIN (Financial Application)nounThe SWIFT application within which all SWIFT user-to-user messages are input and output.SystemRegulatedPCI
FinalitynounIrrevocable and unconditional transfer of payment during settlement.RequirementRegulatedPCI
Financial AuthoritynounA supervisory organization that is responsible for safeguarding and maintaining consumer confidence in the financial system.OrganizationRegulated
financial conditionnounThe status of a firm's assets, liabilities and equity positions at a specific point in time, often described in a financial statement.DataRegulated
Financial EDI (FEDI)nounFinancial electronic data interchange. An instrument for settling invoices by initiating payments, processing remittance data and automating reconciliation, through the exchange of electronic messages.DataRegulatedPII
Financial industry participantsnounFinancial institutions and other companies that are involved in the banking, securities, and/or insurance industry and are regulated by supervisory authorities.OrganizationRegulated
financial institutionnounAny bank licensed under the Banking Act (Cap. 19); any finance company licensed under the Finance Companies Act (Cap. 108); any person that is approved as a financial institution under section 28; any money-changer licensed to conduct money-changing business, or any remitter licensed to conduct remittance business, under the Money-changing and Remittance Businesses Act (Cap. 187); any insurer licensed or regulated under the Insurance Act (Cap. 142); any insurance intermediary registered or regulated under the Insurance Act; any licensed financial adviser under the Financial Advisers Act (Cap. 110); any approved holding company, securities exchange, futures exchange, recognised market operator, licensed trade repository, licensed foreign trade repository, approved clearing house, recognised clearing house or holder of a capital markets services licence under the Securities and Futures Act (Cap. 289); any trustee for a collective investment scheme authorised under section 286 of the Securities and Futures Act, that is approved under that Act; any trustee-manager of a business trust that is registered under the Business Trusts Act (Cap. 31A); any licensed trust company under the Trust Companies Act (Cap. 336); any holder of a stored value facility under the Payment Systems (Oversight) Act (Cap. 222A); any designated financial holding company under the Financial Holding Companies Act 2013 (Act 13 of 2013); any person licensed under the Banking Act (Cap. 19) to carry on the business of issuing credit cards or charge cards in Singapore; and any other person licensed, approved, registered or regulated by the Authority under any written law, but does not include such person or class of persons as the Authority may, by regulations made under this section, prescribe.OrganizationRegulated
financial market infrastructurenounA multilateral system among participating institutions, including the operator of the system, used for the purposes of clearing, settling or recording payments, securities, derivatives or other financial transactions.SystemRegulated
Financial Services Information Sharing and Analysis Center (FS-ISAC)nounA nonprofit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.OrganizationRegulated
financial transactionnounAn event or agreement carried out between a buyer and a seller to exchange an asset for payment.EventRegulated
FIPS PUBnounAn acronym for Federal Information Processing Standards Publication. FIPS publications (PUB) are issued by NIST after approval by the Secretary of Commerce.FrameworkRegulatedCUI
FIPS-Approved Security MethodnounA security method (e.g., cryptographic algorithm, cryptographic key generation algorithm or key distribution technique, random number generator, authentication technique, or evaluation criteria) that is either a) specified in a FIPS, or b) adopted in a FIPS.ControlRegulatedCUI
FIPS-Validated CryptographynounA cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-Approved Cryptography.ControlRegulated
Fixed COMSEC FacilitynounCOMSEC facility located in an immobile structure or aboard a ship.PhysicalRegulatedCUI
FloatnounFunds held by an institution during the check-clearing process before being made available to a depositor. Interest may be earned on these funds.DataRegulated
Forensic CopynounAn accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm.ArtifactRegulated
Forensic examinationnounThe process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise.ProcessRegulated
forensic investigationnounThe application of investigative and analytical techniques to gather and preserve evidence from a digital device impacted by a cyber attack.ProcessRegulated
forensic readinessnounThe ability of an FMI to maximise the use of digital evidence to identify the nature of a cyber attack.CapabilityRegulated
forensicsnounThe practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.ProcessRegulated
Formal Access ApprovalnounA formalization of the security determination for authorizing access to a specific type of classified or sensitive information, based on specified access requirements, a determination of the individual’s security eligibility and a determination that the individual’s official duties require the individual be provided access to the information.ControlRegulatedCUI
formal contractnounAn officially recognized agreement between two or more parties.RequirementConfidentialIP
Frequency HoppingnounRepeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications.ControlRegulatedCUI
Full Disk EncryptionnounThe process of encrypting all the data on the hard disk drive used to boot a computer, including the computer’s operating system, and permitting access to the data only after successful authentication with the full disk encryption product.ControlRegulated
Full MaintenancenounComplete diagnostic repair, modification, and overhaul of COMSEC equipment, including repair of defective assemblies by piece part replacement. See Limited Maintenance.ProcessRestrictedCUI
Full-interruption/full-scale test (IT and Staff)nounA business continuity test that activates all the components of the disaster recovery plan at the same time. Hardware, software, staff, communications, utilities, and alternate site processing should be thoroughly tested in this type of testing activity. The exercise should include the business line end users and the IT group to ensure that each business line tests its key applications and is prepared to recover and resume its business operations in the event of an emergency. The full test verifies that systems and staff can recover and resume business within established recovery time objectives. End users should verify the integrity of the data at the alternate site after the IT group has restored systems and applications needed for the staff to perform production activities.ProcessRegulated
Functional drill/parallel testnounThis test involves the actual mobilization of personnel at other sites in an attempt to establish communications and coordination as set forth in the BCP.ProcessInternal
funds transfer terminalnounAn information processing device used for the purpose of executing deposit account transactions between financial institutions and their customers by either the direct transmission of electronic impulses or the recording of electronic impulses for delayed processing.SystemRegulatedPCI
Global Information GridnounThe globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and National Security Systems. Non-GIG IT includes stand-alone, self-contained, or embedded IT that is not, and will not be, connected to the enterprise network.SystemRegulatedCUI
governance structurenounSpecifies the distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs.OrganizationInternal
Governance, Risk, and Compliance frameworknounThe overall structure of procedures for how an organization is controlled and directed, how it identifies and mitigates risk, and how it adheres to pertinent rules, standards, and regulations, defining the scope, objectives, and activities regarding such procedures.FrameworkInternal
government agencynounA state, county, or federal government organization that enforces laws, rules, or regulations.OrganizationInternal
government bodynounThe government of any country or of any political subdivision of any country, including: any instrumentality of any such government; any other person or organization authorized by law to perform any executive, legislative, judicial, regulatory, administrative, military, or police functions of any such government; and any intergovernmental organization.OrganizationRegulated
Government Emergency Telecommunications Service (GETS)nounAcronym for the Government Emergency Telecommunications Service card program. GETS cards provide emergency access and priority processing for voice communications services in emergency situations.CapabilityRegulatedCUI
Gramm-Leach-Bliley Act (GLBA)nounThe act, also known as the Financial Services Modernization Act of 1999, (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), required the federal banking agencies to establish information security standards for financial institutions.FrameworkRegulatedPII
Grandfather-father-sonnounRetaining multiple versions of the back-up files off-site on a "grandfather-father-son" rotating basis is recommended. This tape methodology creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers."ProcessInternal
grant access to the systemnounThe purpose of this task is to permit a user to logically or physically gain entry to a computer and/or network.ProcessRegulated
Group AuthenticatornounUsed, sometimes in addition to a sign-on authenticator, to allow access to specific data or functions that may be shared by all members of a particular group.CredentialRestricted
HaircutnounWith respect to an eligible currency, the percentage increase of a negative currency balance or reduction of a positive currency balance, based on (a) the volatility of the historic foreign exchange movements in the applicable eligible currency as determined by CLS Bank and (b) an add-on component.MetricRegulated
Hard Copy KeynounPhysical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories (PROM).PhysicalRegulatedCUI
hardware integritynounThe assurance that any given hardware asset is not a counterfeit, or otherwise falsely represented as being whole and intact as measured against original specifications.SystemRegulated
Hash-based Message Authentication CodenounA message authentication code that uses a cryptographic key in conjunction with a hash function.ControlRegulated
Health Information ExchangenounA health information organization that brings together healthcare stakeholders within a defined geographic area and governs health information exchange among them for the purpose of improving health and care in that community.OrganizationRegulatedPHI
High Assurance GuardnounA guard that has two basic functional capabilities: a Message Guard and a Directory Guard. The Message Guard provides filter service for message traffic traversing the Guard between adjacent security domains. The Directory Guard provides filter service for directory access and updates traversing the Guard between adjacent security domains.SystemRegulatedCUI
High ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries).MetricRegulatedCUI
high impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of high.SystemRegulatedCUI
High-Impact SystemnounAn information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.SystemRegulatedCUI
HijackingnounThe use of an authenticated user's communication session to communicate with system components.ThreatRegulated
Homing beaconsnounDevices that send messages to the institution when they connect to a network and that enable recovery of the device.PhysicalRegulated
Hot SitenounBackup site that includes phone systems with the phone lines already connected. Networks will also be in place, with any necessary routers and switches plugged in and turned on. Desks will have desktop PCs installed and waiting, and server areas will be replete with the necessary hardware to support business-critical functions. Within a few hours, a hot site can become a fully functioning element of an organization.PhysicalRegulated
IA InfrastructurenounThe underlying security framework that lies beyond an enterprise’s defined boundary, but supports its IA and IA-enabled products, its security posture and its risk management plan.SystemRegulatedCUI
ICT supply chain threatnounA man-made threat achieved through exploitation of the information and communications technology (ICT) system’s supply chain, including acquisition processes.ThreatRegulated
Identification and AuthenticationnounThe purpose of this function is to verify the identity of an entity through the use of specific credentials as a prerequisite for granting access to resources in an IT system.CapabilityRegulated
identitynounThe set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.IdentityRegulatedPII
Identity BindingnounBinding of the vetted claimed identity to the individual (through biometrics) according to the issuing authority.ProcessRegulatedPII
identity managementnounThe purpose of this task is to implement a set of functions and capabilities used for assurance of identity information (e.g., identifiers, credentials, attributes).CapabilityRegulatedPII
Identity ProofingnounThe process by which a Credentials Service Provider (CSP) and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person.ProcessRegulatedPII
Identity RegistrationnounThe process of making a person’s identity known to the Personal Identity Verification (PIV) system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.ProcessRegulatedPII
Identity VerificationnounThe process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the PIV Card or system and associated with the identity being claimed.ProcessRegulatedCUI
ImagenounAn exact bit-stream copy of all electronic data on a device, performed in a manner that ensures that the information is not altered.ArtifactRegulated
Image archive (Check 21)nounDatabase for storage and easy retrieval of check images.DataRegulatedPII
Image capture (Check 21)nounThe process of digitizing both sides of physical items and their assorted MICR information as they are processed at the Federal Reserve Bank. Also includes storage of the images for up to 60 days.ProcessRegulatedPII
Image exchange (Check 21)nounExchange of some or all of the digitized images of a check.ProcessRegulatedPCI
Imitative Communications DeceptionnounIntroduction of deceptive messages or signals into an adversary's telecommunications signals. See also Communications Deception and Manipulative Communications Deception.ThreatRegulatedCUI
Impact LevelnounThe magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.MetricRegulated
ImplantnounElectronic device or electronic equipment modification designed to gain unauthorized interception of information-bearing emanations.ThreatRegulatedCUI
Implementation plannounA plan that details project management requirements and issues to be addressed during the period between the execution of an outsourcing agreement and the full production use of the outsourced services.ArtifactInternal
in-house developed applicationnounAn application that has been developed within the organization.SystemRegulated
Inadvertent DisclosurenounType of incident involving accidental exposure of information to an individual not authorized access.EventRegulated
incident containment processnounAn established or official method for implementing the policy for incident containment or performing the tasks, processes, or operations that limit and prevent further damage after an incident occurs, while ensuring that forensic evidence that may be needed for future legal action is not destroyed; the method must be executed in the same manner in order to obtain the same results in the same circumstances.ProcessRegulated
incident detectionnounThe process of identifying that an intrusion has been attempted, is occurring, or has occurred.ProcessInternal
Incident Management SystemnounThe tools (software and otherwise), reports, and processes used to input, process, and close incident reports from input through resolution.SystemRegulated
incident monitoring processnounAn established or official method for implementing the policy for incident monitoring or performing the tasks, processes, or operations to monitor for incidents which must be executed in the same manner in order to obtain the same results in the same circumstances.ProcessInternal
incident monitoring programnounThe documented activities, policies, and procedures within an organization for organizing and directing all activities undertaken to review, track, evaluate, and report on the status of incidents.ProcessRegulated
Incident ReportnounA record containing the details of an incident. Each incident record documents the lifecycle of a single incident.ArtifactRegulated
incident reportingnounThe purpose of this task is to use hotlines and emergency contacts to alert the appropriate individuals to the occurrence of a security event.ProcessRegulated
incident response activitynounAny task performed by an organization in reaction to an incident.ProcessRegulated
incident response notification processnounA series of steps undertaken to detect, triage, and resolve events that disrupt operations and alert applicable personnel and clients in conformance with pertinent standards.ProcessRegulated
Incident response plannounThe documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization’s information system(s).ProcessRestricted
incident response policynounThe documented rules and guidelines on how an organization should address and manage the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively.RequirementInternal
incident response programnounA documented approach for organizing and directing all activities undertaken to handle known security breaches or attacks in such a way as to limit damage and reduce the time and cost it takes for the organization to recover.ProcessRegulated
incomenounThe consumption and savings opportunity gained by an entity within a specified time frame, which is generally expressed in monetary terms.DataRegulated
incoming debit and credit totalnounThe total balance of all credit and debit postings that go into an account.MetricRegulated
Incomplete Parameter CheckingnounSystem flaw that exists when the operating system does not check all parameters fully for accuracy and consistency, thus making the system vulnerable to penetration.VulnerabilityRegulated
Inculpatory EvidencenounEvidence that tends to increase the likelihood of fault or guilt.ArtifactRestricted
Indemnifying bank (Check 21)nounA financial institution that transfers, presents, or returns a substitute check or a paper or electronic representation of a substitute check for which it receives consideration. The financial institution shall indemnify the recipient and any subsequent recipient (including a collecting or returning financial institution, the depository financial institution, the drawer, the drawee, the payee, the depositor, and any endorser) for any loss incurred by any recipient of a substitute check if that loss occurred due to the receipt of a substitute check instead of the original.OrganizationRegulated
independence standardsnounThe ability, without the service of others, or with a reduced level of the services of others, to function within the community.RequirementRegulated
independent reviewnounAn analysis of findings performed by a third party for an organization to provide impartiality.ProcessInternal
Independent sales organizationnounA non-financial institution organization that provides a variety of merchant processing functions on behalf of the acquirer. These functions include soliciting new merchant accounts, arranging for terminal purchases or leases, and providing backroom services. An Independent sales organization is also referred to as a member service provider (MSP). The acquirer must register all Independent sales organization/MSPs with the bankcard associations.OrganizationRegulatedPCI
Independent Validation AuthoritynounEntity that reviews the soundness of independent tests and system compliance with all stated security controls and risk mitigation actions. IVAs will be designated by the Authorizing Official as needed.OrganizationRegulatedCUI
individualnounA citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc.IdentityRegulatedPII
Individual AccountabilitynounAbility to associate positively the identity of a user with the time, method, and degree of access to an information system.RequirementRegulated
Industrial Control SystemnounAn information system used to control industrial processes such as manufacturing, product handling, production, and distribution or to control infrastructure assets.SystemRegulatedCUI
Industrial Control SystemnounAn information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems (SCADA) used to control geographically dispersed assets, as well as distributed control systems (DCS) and smaller control systems using programmable logic controllers to control localized processes.SystemRegulatedCUI
Industry testingnounA test designed to validate that business processes integrated across firms and within the financial industry support the business continuity objectives of the firms, both individually and collectively.ProcessInternal
information and communication(s) technologynounAny information technology, equipment, or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information.SystemRegulated
Information Assurance CompliancenounIn the NICE Workforce Framework, cybersecurity work where a person: Oversees, evaluates, and supports the documentation, validation, and accreditation processes necessary to assure that new IT systems meet the organization's information assurance and security requirements; ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives.CapabilityRegulated
Information Assurance ComponentnounAn application (hardware and/or software) that provides one or more Information Assurance capabilities in support of the overall security and operational objectives of a system.CapabilityRegulatedCUI
Information Assurance Vulnerability AlertnounNotification that is generated when an Information Assurance vulnerability may result in an immediate and potentially severe threat to DoD systems and information; this alert requires corrective action because of the severity of the vulnerability risk.VulnerabilityRegulatedCDI
Information Flow ControlnounProcedure to ensure that information transfers within an information system are not made in violation of the security policy.ControlRegulatedCUI
information neednounInsight necessary to manage objectives, goals, risks and problems.RequirementRegulated
Information OperationsnounThe integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception, and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt, or usurp adversarial human and automated decision-making process, information, and information systems while protecting our own.CapabilityRegulatedCUI
Information ResourcesnounInformation and related resources, such as personnel, equipment, funds, and information technology.DataRegulated
Information Security Continuous Monitoring ProcessnounA process to: • Define an ISCM strategy; • Establish an ISCM program; • Implement an ISCM program; • Analyze data and Report findings; • Respond to findings; and • Review and Update the ISCM strategy and program.ProcessRegulated
Information Security Continuous Monitoring ProgramnounA program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls.ProcessRegulated
information security eventnounIdentified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant.EventRegulated
information security incidentnounA single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.EventRegulated
Information Security Program PlannounFormal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.ArtifactRestrictedCUI
Information Security risknounThe risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. See Risk.MetricRegulatedCUI
information security strategynounA plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements.RequirementInternal
information security threatnounAny circumstance or event with the potential to adversely impact the measures taken so that information and information systems are protected from unauthorized access, use, disclosure, disruption, modification, or destruction.ThreatRegulated
Information Sharing Environmentnoun1. An approach that facilitates the sharing of terrorism and homeland security information; or 2. ISE in its broader application enables those in a trusted partnership to share, discover, and access controlled information.SystemRegulatedCUI
Information StewardnounIndividual or group that helps to ensure the careful and responsible management of federal information belonging to the Nation as a whole, regardless of the entity or source that may have originated, created, or compiled the information. Information stewards provide maximum access to federal information to elements of the federal government and its customers, balanced by the obligation to protect the information in accordance with the provisions of FISMA and any associated security-related federal policies, directives, regulations, standards, and guidance.RoleRegulated
Information SystemnounA discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.]SystemRegulated
information system componentnounA discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system. Information system components include commercial information technology products.SystemRegulated
Information System Contingency PlannounManagement policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters.ProcessRegulatedCUI
Information System-Related Security RisksnounInformation system-related security risks are those risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation.ThreatRegulated
Information Systems SecuritynounProtection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.CapabilityRegulated
Information Systems Security Equipment ModificationnounModification of any fielded hardware, firmware, software, or portion thereof, under NSA configuration control. There are three classes of modifications: mandatory (to include human safety); optional/special mission modifications; and repair actions. These classes apply to elements, subassemblies, equipment, systems, and software packages performing functions such as key generation, key distribution, message encryption, decryption, authentication, or those mechanisms necessary to satisfy security policy, labeling, identification, or accountability.ProcessRegulatedCUI
information technologynounAny equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which— 1) requires the use of such equipment; or 2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.SystemRegulated
Information Technology auditnounAn examination of the controls within an Information technology (IT) infrastructure.ProcessRegulated
Information Technology controlnounRefers to the internal controls over security management, system development and change management, information processing, communications networks and management of technology service providers.ControlRegulated
Information Technology Management programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to manage Information Technology resources of an organization in accordance with its needs and priorities. These resources may include tangible investments like computer hardware, software, data, networks and data center facilities, as well as the staff who are hired to maintain them.ProcessInternal
Information Technology systemnounInformation technology systems are collectively the equipment used to create, store and transmit digital data and any related software owned (or otherwise controlled) and used by the State and its agencies to fulfill its service and obligations to the citizens of Arizona.SystemRegulated
Information TypenounA specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation.RequirementRegulated
Initialization VectornounA vector used in defining the starting point of an encryption process within a cryptographic algorithm.DataRestricted
InsidernounAn entity with authorized access (i.e., within the security domain) that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.ThreatRegulated
insider threatnounA person or group of persons within an organization who pose a potential risk through violating security policies.ThreatRestricted
Inspectable SpacenounThree dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists. Synonymous with zone of control.PhysicalRegulatedCUI
InstructionnounMeans (i) any instruction submitted by a Member through the submission process directing CLS Bank to settle certain payment entitlements and obligations arising pursuant to an FX transaction eligible for settlement in CLS Bank and (ii) any instructions resulting from the split of Settlement Eligible Instructions.RequirementRegulated
insurance coveragenounThe amount of risk or liability covered for an individual or entity by way of insurance services. Insurance coverage is issued by an insurer in the event of an unforeseen or unwanted occurrence.RequirementRegulated
insurance ridernounAn add-on provision to a basic insurance policy that provides additional benefits to the policyholder at an additional cost. Standard policies usually leave little room for modification or customization beyond choosing deductibles and coverage amounts.RequirementRegulated
Intangible assetnounAn asset that is not physical in nature. Scope Note: Examples include intellectual property (patents, trademarks, copyrights, processes), goodwill, and brand recognition.ArtifactConfidentialIP
Integrated test/exercisenounThis integrated test/exercise incorporates more than one component or module, as well as external dependencies, to test the effectiveness of the continuity plans for a business line or major function.ProcessInternal
intellectual propertynounCreations of the mind such as musical, literary, and artistic works; inventions; and symbols, names, images, and designs used in commerce, including copyrights, trademarks, patents, and related rights. Under intellectual property law, the holder of one of these abstract “properties” has certain exclusive rights to the creative work, commercial symbol, or invention by which it is covered.DataRestrictedIP
interactive remote accessnounUser-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.ProcessRegulatedCUI
interactive user accessnounUser access to an operating system by means of a log-in through a Graphical User Interface.ProcessRegulated
Interbank checksnounChecks that are not "on-us." They are cleared and settled either by direct presentment, a clearinghouse association, a correspondent bank, or a Federal Reserve Bank.DataRegulated
InterchangenounExchange of transactions between financial institutions participating in a bank card network, based on a common set of rules. Card interchange allows a financial institution's customers to use a bank credit card at any card honoring merchant and to gain access to multiple ATM systems from a single ATM.ProcessRegulatedPCI
Interchange feesnounFees paid by one financial institution to another to cover handling costs and credit risk in a financial institution card transaction. Interchange fees generally flow toward the institution funding the transaction and assuming the risk. In a credit card transaction, the interchange fee is paid by the merchant acquirer accepting the merchant's sales draft to the card-issuing institution, which, in turn, passes the fee to its merchants. In EFT/POS transactions, interchange flows in the opposite direction: the card-issuing institution (or customer) pays the fee to the terminal-owning institution. When a transaction is an off-line debit sale, the card-issuing institution collects an interchange fee from the merchant, rather than from the customer, unlike in an EFT/POS transaction, where the customer pays the interchange fee. Interchange revenue is derived from fees set by the card associations. Depending on the card association, fees can range from 1% to 3% of the value of the transaction. Interchange revenue is recognized as a card issuer's second largest revenue line item.RequirementRegulated
Interconnection Security AgreementnounA document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high-level roles and responsibilities in management of a cross-domain connection.RequirementRegulatedCUI
interconnectivitynounThe state or quality of being connected together. The interaction of a financial institution's internal and external systems and applications and the entities with which they are linked.NetworkRegulated
Interface Control DocumentnounTechnical document describing interface controls and identifying the authorities and responsibilities for ensuring the operation of such controls. This document is baselined during the preliminary design review and is maintained throughout the information system life cycle.ArtifactRegulatedCUI
Interim Approval to OperatenounTemporary authorization granted by a DAA for an information system to process information based on preliminary results of a security evaluation of the system. (To be replaced by ATO and POA&M)ArtifactRegulatedCUI
Interim Approval to TestnounTemporary authorization to test an information system in a specified operational information environment within the time frame and under the conditions or constraints enumerated in the written authorization.RequirementRegulatedCUI
Intermediate Certification AuthoritynounA Certification Authority that is subordinate to another CA, and has a CA subordinate to itself.SystemRegulated
intermediate systemnounA Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.SystemRegulatedCUI
Internal "trusted" zonenounA channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include SSL, IP security, and a secure physical connection.NetworkInternal
internal auditnounAn audit that is performed for the management and other internal purposes by individuals who are employed by the organization.ProcessConfidential
internal audit functionnounAn appraisal activity established or provided as a service to the entity. Its functions include, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of internal control.CapabilityInternal
internal audit managernounMonitors the audit scope and risk assessments to ensure that audit coverage remains adequate.RoleInternal
internal audit programnounAn internal audit program defines the type of internal audit being conducted (IT, HR, financial, etc.), the specific subject(s) attended to, the roles and responsibilities of those involved, the method being used to conduct the audit, and the schedule of the audit.ProcessInternal
internal audit reportnounA report issued by an independent auditor within an organization that expresses an opinion about whether the financial statements present fairly a company's financial position, operating results, and cash flows in accordance with generally accepted accounting principles.ArtifactConfidential
internal controlnounThe purpose of this task is to provide reasonable assurance that operations are effective and efficient, financial reporting is reliable, and applicable laws and regulations are being followed.ControlRegulated
Internal NetworknounA network where 1) the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or 2) cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (at least with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned.NetworkInternal
internal processnounAll the activities and key processes required in order for the company to excel at providing the value expected by the customers.ProcessInternal
internal risk managementnounInternal risk management involves all activities relating to the processes of analyzing exposure to risk and determining appropriate counter-measures.ProcessInternal
internet accessnounInternet access refers to the means by which users connect to the Internet, and includes the following components: (1) The transmission of information as common carriage; (2) The transmission of information as part of a gateway to an information service, when that transmission does not involve the generation or alteration of the content of information, but may include data transmission, address translation, protocol conversion, billing management, introductory information content, and navigational systems that enable users to access information services, and that do not affect the presentation of such information to users; and (3) Electronic mail services (e-mail).NetworkInternal
Internet StandardnounA specification, approved by the IESG and published as an RFC, that is stable and well-understood, is technically competent, has multiple, independent, and interoperable implementations with substantial operational experience, enjoys significant public support, and is recognizably useful in some or all parts of the Internet.FrameworkPublic
InterrogationnounUsed to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from extracted data.ProcessRegulatedPII
IntranetnounA private network that is employed within the confines of a given enterprise (e.g., internal to a business or agency).NetworkInternal
investigationnounThe purpose of this task is to discover and examine the facts of an incident or allegation to establish the truth.ProcessRegulated
IT Security Awareness and Training ProgramnounExplains proper rules of behavior for the use of agency information systems and information. The program communicates IT security policies and procedures that need to be followed (i.e., NSTISSD 501, NIST SP 800-50).ProcessRegulatedCUI
IT strategic plannounA comprehensive blueprint that guides the organization's technology management and contains high-level goals and plans for all areas of information technology that affect the business, not just the infrastructure. The plan should include areas that impact technology management, including cost management, human capital management, hardware and software management, third-party management, risk management, and all other considerations in the enterprise IT environment.ArtifactInternal
IT system inventorynounA list containing information about the information resources owned or operated by an organization.ArtifactInternal
JitternounJitter or Noise is the modification of fields in a database while preserving the aggregate characteristics that make the database useful in the first place.ControlRegulatedPII
keynounA parameter used in conjunction with a cryptographic algorithm that determines its operation. Examples applicable to this Standard include: 1. The computation of a digital signature from data, and 2. The verification of a digital signature.CredentialRestrictedCUI
Key BundlenounThe three cryptographic keys (Key1, Key2, Key3) that are used with a Triple Data Encryption Algorithm (TDEA) mode.CredentialRestricted
key controlnounA type of internal control designed to detect errors or fraud in financial statements.ControlRegulated
Key Distribution CenternounCOMSEC facility generating and distributing key in electronic form.SystemRegulatedCUI
Key Escrownoun1. The processes of managing (e.g., generating, storing, transferring, auditing) the two components of a cryptographic key by two key component holders. 2. A key recovery technique for storing knowledge of a cryptographic key, or parts thereof, in the custody of one or more third parties called "escrow agents," so that the key can be recovered and used in specified circumstances.ProcessRegulatedCUI
Key Escrow SystemnounA system that entrusts the two components comprising a cryptographic key (e.g., a device unique key) to two key component holders (also called "escrow agents").SystemRegulatedCUI
Key EstablishmentnounThe process by which cryptographic keys are securely established among cryptographic modules using manual transport methods (e.g., key loaders), automated methods (e.g., key transport and/or key agreement protocols), or a combination of automated and manual methods (consists of key transport plus key agreement).ProcessRestrictedCUI
Key ExpansionnounRoutine used to generate a series of Round Keys from the Cipher Key.ProcessRegulated
Key fobnounA small portable device equipped with chip technology allowing the holder the ability to access network systems, such as those used for payments, and to store personal data.PhysicalRegulatedPII
Key Generation MaterialnounRandom numbers, pseudo-random numbers, and cryptographic parameters used in generating cryptographic keys.DataRegulatedCUI
Key ListnounPrinted series of key settings for a specific cryptonet. Key lists may be produced in list, pad, or printed tape format.ArtifactRegulatedCUI
Key LoadernounA self-contained unit that is capable of storing at least one plaintext or encrypted cryptographic key or a component of a key that can be transferred, upon request, into a cryptographic module.PhysicalRegulatedCUI
Key ManagementnounThe activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and zeroization.ProcessRegulatedCUI
Key Management DevicenounA unit that provides for secure electronic distribution of encryption keys to authorized users.PhysicalRestricted
Key Management InfrastructurenounAll parts – computer hardware, firmware, software, and other equipment and its documentation; facilities that house the equipment and related functions; and companion standards, policies, procedures, and doctrine that form the system that manages and supports the ordering and delivery of cryptographic material and related information products and services to users.SystemRegulatedCUI
key pairnounTwo mathematically related keys having the properties that (1) one key can be used to encrypt a message that can only be decrypted using the other key, and (2) even knowing one key, it is computationally infeasible to discover the other key.CredentialRestricted
Key Production KeynounKey used to initialize a keystream generator for the production of other electronically generated key.CredentialRestrictedCUI
Key RecoverynounMechanisms and processes that allow authorized parties to retrieve the cryptographic key used for data confidentiality.ProcessRestrictedCUI
key resourcenounA publicly or privately controlled asset necessary to sustain continuity of government and/or economic operations, or an asset that is of great historical significance.PhysicalRegulated
Key StreamnounSequence of symbols (or their electrical or mechanical equivalents) produced in a machine or auto-manual cryptosystem to combine with plain text to produce cipher text, control transmission security processes, or produce key.DataRestrictedCUI
Key TagnounIdentification information associated with certain types of electronic key.ArtifactRegulatedCUI
Key TapenounPunched or magnetic tape containing key. Printed key in tape form is referred to as a key list.PhysicalRegulatedCUI
Key TransportnounThe secure transport of cryptographic keys from one cryptographic module to another module.ProcessRegulated
Key WrapnounA method of encrypting keying material (along with associated integrity information) that provides both confidentiality and integrity protection using a symmetric key algorithm.ControlRestricted
Key-Encryption-KeynounKey that encrypts or decrypts other key for transmission or storage.CredentialRestricted
Keyed-hash based message authentication codenounA message authentication code that uses a cryptographic key in conjunction with a hash function.ControlRegulated
Keying MaterialnounKey, code, or authentication information in physical, electronic, or magnetic form.CredentialRestrictedCUI
Keystroke MonitoringnounThe process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.ProcessRegulatedCUI
KiosknounA publicly accessible computer terminal that permits customers to directly communicate with the financial institution via a network.SystemInternalPCI
KMI Operating AccountnounA KMI business relationship that is established 1) to manage the set of user devices that are under the control of a specific KMI customer organization, and 2) to control the distribution of KMI products to those devices.OrganizationRegulatedCUI
KMI Protected ChannelnounA KMI Communication Channel that provides 1) Information Integrity Service; 2) either Data Origin Authentication Service or Peer Entity Authentication Service, as is appropriate to the mode of communications; and 3) optionally, Information Confidentiality Service.NetworkRegulatedCUI
KMI-Aware DevicenounA user device that has a user identity for which the registration has significance across the entire KMI (i.e., the identity’s registration data is maintained in a database at the PRSN level of the system, rather than only at an MGC) and for which a product can be generated and wrapped by a PSN for distribution to the specific device.SystemRegulatedCUI
KOA AgentnounA user identity that is designated by a KOA manager to access PRSN product delivery enclaves for the purpose of retrieving wrapped products that have been ordered for user devices that are assigned to that KOA.IdentityRegulatedCUI
KOA ManagernounThe Management Role that is responsible for the operation of one or more KOAs (i.e., manages distribution of KMI products to the end cryptographic units, fill devices, and ADPs that are assigned to the manager’s KOA).RoleRegulatedCUI
KOA Registration ManagernounThe individual responsible for performing activities related to registering KOAs.RoleRegulated
Labeled Security ProtectionsnounAccess control protection features of a system that use security labels to make access control decisions.ControlRegulated
Laboratory AttacknounUse of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media.ThreatRegulatedCUI
Large value funds transfer systemnounA wholesale payment system used primarily by financial institutions in which large values of funds are transferred between parties. Fedwire® and CHIPS are the two large-value transfer systems in the United States.SystemRegulated
law enforcement authoritynounThe various government agencies responsible for preventing crime, apprehending criminals, and enforcing laws.OrganizationRestricted
Level of ConcernnounRating assigned to an information system indicating the extent to which protection measures, techniques, and procedures must be applied. High, Medium, and Basic are identified levels of concern. A separate Level-of-Concern is assigned to each information system for confidentiality, integrity, and availability.MetricRegulatedCUI
Level of ProtectionnounExtent to which protective measures, techniques, and procedures must be applied to information systems and networks based on risk, threat, vulnerability, system interconnectivity considerations, and information assurance needs. Levels of protection are: 1. Basic: information systems and networks requiring implementation of standard minimum security countermeasures. 2. Medium: information systems and networks requiring layering of additional safeguards above the standard minimum security countermeasures. 3. High: information systems and networks requiring the most stringent protection and rigorous security countermeasures.RequirementRegulatedCUI
Limited MaintenancenounCOMSEC maintenance restricted to fault isolation, removal, and replacement of plug-in assemblies. Soldering or unsoldering usually is prohibited in limited maintenance. See Full Maintenance.ProcessRestrictedCUI
Line ConductionnounUnintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line.VulnerabilityRegulatedCUI
Local AuthoritynounOrganization responsible for generating and signing user certificates in a PKI-enabled environment.OrganizationRegulated
Local Management Device/Key ProcessornounEKMS platform providing automated management of COMSEC material and generating key for designated users.SystemRegulatedCUI
Local Registration AuthoritynounA Registration Authority with responsibility for a local community in a PKI-enabled environment.OrganizationRegulatedCUI
locally mounted hardwarenounHardware installed inside the perimeter of a defined location. This includes but is not limited to motion sensors, electronic lock control mechanisms, and badge readers.PhysicalRegulated
LockboxnounDeposit mechanism used by commercial firms and businesses to facilitate their deposit transaction volume. Typically, commercial firms and businesses direct customers to send payments directly to a financial institution address or post office box controlled by the institution. Financial institution personnel record payments received and prepare deposit slips, and subsequent processing proceeds as with other deposit taking activities.PhysicalRegulatedPCI
Log ClippingnounLog clipping is the selective removal of log entries from a system log to hide a compromise.ThreatRegulatedCUI
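The entry above describes the attacker's technique; the practitioner's question is how clipping is detected. The following is an added example, not part of this glossary or any standard it cites. It runs three local checks over a constructed audit log (sequence-number gaps, timestamps that move backwards, and silent periods far longer than the typical interval) and then the strongest check: comparing the local log against the record set a write-once remote collector received. The `seq=` line format, the sample records and the collector's record set are all assumptions constructed for the example.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample audit log (not real data). Each record carries a
# monotonically increasing sequence number. Records 1004-1006 were deleted
# by an attacker and record 1008 was re-inserted with a backdated timestamp.
SAMPLE_LOG = """\
seq=1001 2024-03-01T10:00:00Z sshd[812]: Accepted publickey for deploy from 10.0.0.5
seq=1002 2024-03-01T10:00:30Z sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart app
seq=1003 2024-03-01T10:01:00Z sshd[830]: Accepted password for root from 203.0.113.9
seq=1007 2024-03-01T10:06:00Z sshd[830]: session closed for user root
seq=1008 2024-03-01T10:05:50Z cron[900]: (root) CMD (run-parts /etc/cron.hourly)
seq=1009 2024-03-01T10:07:00Z sshd[845]: Accepted publickey for deploy from 10.0.0.5
"""

# Constructed: the sequence numbers the remote syslog collector received for
# the same host and window. A write-once remote copy is the strongest evidence.
REMOTE_COPY_SEQS = set(range(1001, 1010))

LINE_RE = re.compile(r"^seq=(\d+)\s+(\S+)\s+(.*)$")


def parse(log_text):
    """Parse lines into (seq, timestamp, message) tuples; skip malformed lines."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq, ts, msg = m.groups()
        records.append((int(seq), datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), msg))
    return records


def find_clipping(records, silence_factor=4):
    """Flag local indicators of clipping: sequence gaps, timestamps that go
    backwards, and silent periods much longer than the typical interval."""
    forward = [(b[1] - a[1]).total_seconds()
               for a, b in zip(records, records[1:]) if b[1] >= a[1]]
    typical = median(forward) if forward else 0.0
    findings = []
    prev_seq = prev_ts = None
    for seq, ts, _ in records:
        if prev_seq is not None:
            if seq != prev_seq + 1:
                findings.append(("sequence_gap", prev_seq, seq))
            if ts < prev_ts:
                findings.append(("timestamp_regression", prev_seq, seq))
            elif typical and (ts - prev_ts).total_seconds() > silence_factor * typical:
                findings.append(("silence", prev_seq, seq))
        prev_seq, prev_ts = seq, ts
    return findings


def missing_locally(records, remote_seqs):
    """Sequence numbers the collector holds that the local log no longer has."""
    return sorted(remote_seqs - {seq for seq, _, _ in records})


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for finding in find_clipping(recs):
        print(*finding)
    print("missing locally:", missing_locally(recs, REMOTE_COPY_SEQS))
```

A sequence gap or a silent period on its own is evidence, not proof (log rotation and clock adjustments produce both); the comparison against the collector's copy is what turns the suspicion into a finding, which is why forwarding logs to a host the attacker cannot write to matters more than any local heuristic.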
log managementnounThe process for generating, transmitting, storing, analyzing, and disposing of log data.ProcessRegulated
Logic BombnounA piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.ThreatRegulated
logical securitynounLogical Security consists of software safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation.ControlRegulated
Long positionnounIn respect of a currency balance that is greater than zero, the amount by which such currency balance is greater than zero. A position that appreciates in value if market prices increase. When one buys a currency, their position is long.MetricRegulated
Low ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; 2) results in minor damage to organizational assets; 3) results in minor financial loss; or 4) results in minor harm to individuals).RequirementRegulated
low impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of low, and none are assigned a potential impact value of medium or high.SystemRegulatedCUI
Low Impact Bulk Electric System Cyber System Electronic Access PointnounA Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP (Low Impact Bulk Electric System (BES) Cyber System Electronic Access Point) may reside at a location external to the asset or assets containing low impact BES Cyber Systems.SystemRegulatedCUI
Low Impact External Routable ConnectivitynounDirect user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).NetworkRegulatedCDI
Low Probability of DetectionnounResult of measures used to hide or disguise intentional electromagnetic transmissions.ControlRegulatedCUI
Low Probability of InterceptnounResult of measures to prevent the intercept of intentional electromagnetic transmissions. The objective is to minimize an adversary’s capability of receiving, processing, or replaying an electronic signal.ControlRegulatedCUI
Low-Impact SystemnounAn information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low.SystemRegulated
Magnetic ink character recognition (MICR)nounMagnetic codes found on the bottom of checks, deposit slips, and general ledger debit and credit tickets that allow a machine to scan (capture) the information. MICR encoding on a check includes the account number, the routing number, the serial number of the check, and the amount of the check. The amount of the check is encoded when the proof department processes the check.DataRegulatedPII
Magnetic RemanencenounMagnetic representation of residual information remaining on a magnetic medium after the medium has been cleared. See Clearing.VulnerabilityRegulatedCUI
Maintenance HooknounSpecial instructions (trapdoors) in software allowing easy maintenance and additional feature development. Since maintenance hooks frequently allow entry into the code without the usual checks, they are a serious security risk if they are not removed prior to live implementation.VulnerabilityRegulatedCUI
Major ApplicationnounAn application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.SystemRegulatedCUI
Major Information SystemnounAn information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.SystemRegulatedCUI
malicious actnounAn intentional, wrongful act performed against another without legal justification or excuse.ThreatRegulated
malicious activitynounActivity with a harmful intent, such as fraud, theft, blackmail, vandalism, looting, sabotage, etc.ThreatRegulated
malicious codenounSoftware or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.ThreatRegulated
Malicious Code PreventionnounThe purpose of this policy is to prevent malicious code attacks from happening and, if they do happen, to quarantine the infected systems and eradicate the malicious code before it spreads further.ControlRegulated
malicious logicnounHardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose.ThreatRegulated
management authorizationnounOfficial permission or approval given by the senior executives of an organization.RequirementRegulated
Management ClientnounA configuration of a client node that enables a KMI external operational manager to manage KMI products and services by either 1) accessing a PRSN, or 2) exercising locally provided capabilities. A Management Client (MGC) consists of a client platform and an advanced key processor (AKP).SystemRegulatedCUI
Management Security ControlsnounThe security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information systems security.ControlRestrictedCUI
Mandatory ModificationnounChange to a COMSEC end-item that NSA requires to be completed and reported by a specified date. See Optional Modification.ControlRegulatedCUI
Manipulative Communications DeceptionnounAlteration or simulation of friendly telecommunications for the purpose of deception. See Communications Deception and Imitative Communications Deception.ThreatRegulatedCUI
manualnounA book of instructions, especially for operating a machine or learning a subject.ArtifactInternal
Manual CryptosystemnounCryptosystem in which the cryptographic processes are performed without the use of crypto-equipment or auto-manual devices.SystemRegulatedCUI
Manual Key TransportnounA non-automated means of transporting cryptographic keys by physically moving a device, document, or person containing or possessing the key or key component.ProcessRegulatedCUI
Manual Remote RekeyingnounProcedure by which a distant crypto-equipment is rekeyed electronically, with specific actions required by the receiving terminal operator. Synonymous with cooperative remote rekeying. See also Automatic Remote Keying.ProcessRegulatedCUI
Market-wide testsnounMarket-wide tests, also called cross-market tests or "street tests", are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.ProcessInternal
Master Cryptographic Ignition KeynounKey device with electronic logic and circuits providing the capability for adding more operational CIKs to a keyset.PhysicalRegulatedCUI
Match/matchingnounThe process of comparing biometric information against a previously stored template(s) and scoring the level of similarity.ProcessRegulatedPII
Matched instructionsnounTwo Instructions in which the information set forth in a specific CLS Bank Rule is matched in accordance with the parameters and procedures set forth in the CLS Bank Rules.ArtifactRegulated
MatchingnounWith respect to compared and non-compared transactions, the process of comparing the trade or settlement details provided by counterparties to ensure they agree with respect to the terms of the transaction. Also called comparison checking.ProcessRegulated
material changenounA change in the affairs of a company that is expected to have a significant effect on the market value of its securities - such as a change in the nature of the business, a change in the Board of Directors or the principal officers, a change in the share ownership of the company that could affect control, or the acquisition or disposition of any securities in another company. A material change must be reported to the applicable self-regulatory organization.EventRegulated
MedianounPhysical devices or writing surfaces including but not limited to magnetic tapes, optical disks, magnetic disks, Large Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.PhysicalRegulated
Media SanitizationnounA general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.ProcessRegulated
medium impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of medium, and none are assigned a potential impact value of high.SystemRegulatedCUI
Memorandum of Understanding/AgreementnounA document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection.ArtifactInternalCUI
Merchant acquirernounBankcard association members that initiate and maintain contractual agreements with merchants for the purpose of accepting and processing bankcard transactions.OrganizationRegulatedPCI
Merchant processingnounActivity for the acceptance and settlement of bankcard products and transactions from merchants through the payment system.ProcessRegulatedPCI
Message IndicatornounSequence of bits transmitted over a communications system for synchronizing cryptographic equipment.DataRegulatedCUI
methodnounA means or particular procedure for accomplishing or approaching something.ProcessRegulated
migrationnounThe process of moving records from one system or storage medium to another while maintaining their authenticity, integrity, reliability, and usability.ProcessRegulated
Minor ApplicationnounAn application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system.SystemRegulated
Misnamed FilesnounA technique used to disguise a file’s content by changing the file’s name to something innocuous or altering its extension to a different type of file, forcing the examiner to identify the files by file signature versus file extension.ThreatRegulated
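The identification-by-signature step the entry above refers to is easy to automate. The block below is an added example written for this page, not a tool from the glossary's sources: it compares the type implied by a file's leading bytes with the type its extension claims, allows for container formats that legitimately share a signature (OOXML documents are ZIP files, DLLs carry the PE "MZ" header), and reports "unknown" rather than guessing when the bytes match nothing in its table. The signature table is a deliberately small subset (a real examination would use libmagic or a full signature database), and the evidence set is constructed for the example.

```python
import os

# Leading-byte signatures for a handful of common types. A real examiner would
# use a much larger table (e.g. libmagic); this subset is chosen for the example.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),      # also OOXML documents, JAR, APK
    (b"MZ", "exe"),              # PE executables, DLLs, drivers
    (b"\x7fELF", "elf"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Extensions that legitimately share a container signature.
ACCEPTED_EXTENSIONS = {
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
    "exe": {"exe", "dll", "sys", "scr", "cpl"},
    "jpg": {"jpg", "jpeg"},
    "elf": {"", "so", "o", "elf"},
}


def signature_type(header: bytes):
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def check_file(name: str, header: bytes):
    """Compare the signature-derived type with the claimed extension.
    Returns (verdict, signature_type, extension) where verdict is
    'match', 'misnamed' or 'unknown' (no signature in the table)."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    kind = signature_type(header)
    if kind is None:
        return ("unknown", None, ext)
    accepted = ACCEPTED_EXTENSIONS.get(kind, {kind})
    return ("match" if ext in accepted else "misnamed", kind, ext)


def find_misnamed(evidence):
    """Names of items whose content signature contradicts their extension."""
    return sorted(name for name, hdr in evidence.items()
                  if check_file(name, hdr)[0] == "misnamed")


def scan_directory(root, read_bytes=16):
    """Walk a real directory tree and yield (path, verdict, kind, ext)."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(read_bytes)
            except OSError:
                continue
            yield (path,) + check_file(fn, header)


# Constructed evidence set: file names paired with their first bytes. Not real files.
CONSTRUCTED_EVIDENCE = {
    "quarterly_report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
    "vacation.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "invoice.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",       # PE executable renamed to .txt
    "backup.zip": b"\x89PNG\r\n\x1a\n\x00\x00\x00\r",  # PNG renamed to .zip
    "README": b"# Project notes\n",                   # no signature: cannot decide
}

if __name__ == "__main__":
    for name, hdr in CONSTRUCTED_EVIDENCE.items():
        print(name, *check_file(name, hdr))
    print("misnamed:", find_misnamed(CONSTRUCTED_EVIDENCE))
```

The three-way verdict is the important design choice: an "unknown" result means the table has no opinion, and collapsing it into "match" would let an attacker evade the check by picking a format the table does not cover.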
Mission Assurance CategorynounA Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) term primarily used to determine the requirements for availability and integrity.RequirementRegulatedCDI
Mission CriticalnounAny telecommunications or information system that is defined as a national security system (Federal Information Security Management Act of 2002 - FISMA) or processes any information the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency.RequirementRegulatedCUI
MnemonicnounA symbol or expression that can help someone remember something. For example, the phrase "Hello! My name is Bill. I'm 9 years old." might help an individual remember a secure 10-character password of "H!MniBI9yo."ArtifactRestricted
mobile codenounSoftware programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient. Note: Some examples of software technologies that provide the mechanisms for the production and use of mobile code include Java, JavaScript, ActiveX, VBScript, etc.ThreatRegulated
mobile devicenounPortable cartridge/disk-based, removable storage media (e.g., floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory). Portable computing and communications device with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices).PhysicalRegulated
Mobile financial servicesnounThe products and services that a financial institution provides to its customers through mobile devices.CapabilityRegulatedPII
Mobile sitenounThe use of a mobile/temporary facility to serve as a business resumption location. The facility can usually be delivered to any site and can house information technology and staff.PhysicalRegulated
Mode of OperationnounDescription of the conditions under which an information system operates based on the sensitivity of information processed and the clearance levels, formal access approvals, and need-to-know of its users. Four modes of operation are authorized for processing or transmitting information: dedicated mode, system high mode, compartmented/partitioned mode, and multilevel mode.RequirementRegulatedCUI
Moderate ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in significant damage to organizational assets; 3) results in significant financial loss; or 4) results in significant harm to individuals that does not involve loss of life or serious life threatening injuries).MetricRegulatedCUI
Moderate-Impact SystemnounAn information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate and no security objective is assigned a FIPS 199 potential impact value of high.SystemRegulated
Multi-ReleasablenounA characteristic of an information domain where access control mechanisms enforce policy-based release of information to authorized users within the information domain.RequirementRegulatedCUI
Multilateral netting settlement systemnounMultilateral netting is an arrangement among three or more parties to net their obligations. In these settlement systems transfers are irrevocable but are only final after the completion of end-of-day settlement.SystemRegulated
Multilevel DevicenounEquipment trusted to properly maintain and separate data of different security domains.SystemRegulatedCUI
Multilevel ModenounMode of operation wherein all the following statements are satisfied concerning the users who have direct or indirect access to the system, its peripherals, remote terminals, or remote hosts: 1) some users do not have a valid security clearance for all the information processed in the information system; 2) all users have the proper security clearance and appropriate formal access approval for that information to which they have access; and 3) all users have a valid need-to-know only for information to which they have access.ProcessRegulatedCUI
Multilevel SecuritynounConcept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization.CapabilityRegulatedCUI
Multiple Security LevelsnounCapability of an information system that is trusted to contain, and maintain separation between, resources (particularly stored data) of different security domains.CapabilityRegulatedCUI
multiple sourcesnounInformation classified based on two or more source documents, classification guides or combination of both.DataRegulatedCUI
National Information Assurance PartnershipnounA U.S. government initiative established to promote the use of evaluated information systems products and champion the development and use of national and international standards for information technology security. NIAP was originally established as a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under P.L. 100-235 (Computer Security Act of 1987). NIST officially withdrew from the partnership in 2007 but NSA continues to manage and operate the program. The key operational component of NIAP is the Common Criteria Evaluation and Validation Scheme (CCEVS) which is the only U.S. government-sponsored and endorsed program for conducting internationally recognized security evaluations of commercial off-the-shelf (COTS) Information Assurance (IA) and IA-enabled information technology products. NIAP employs the CCEVS to provide government oversight or “validation” to U.S. CC evaluations to ensure correct conformance to the International Common Criteria for IT Security Evaluation (ISO/IEC 15408).OrganizationRegulated
National Information InfrastructurenounNationwide interconnection of communications networks, computers, databases, and consumer electronics that make vast amounts of information available to users. It includes both public and private networks, the Internet, the public switched network, and cable, wireless, and satellite communications.NetworkRegulated
National Security Emergency Preparedness Telecommunications ServicesnounTelecommunications services that are used to maintain a state of readiness or to respond to and manage any event or crisis (local, national, or international) that causes or could cause injury or harm to the population, damage to or loss of property, or degrade or threaten the national security or emergency preparedness posture of the United States.CapabilityRegulatedCUI
National Security InformationnounInformation that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.DataRegulatedCUI
National Security SystemnounAny information system (including any telecommunications system) used or operated by an agency or by a contractor of any agency, or other organization on behalf of an agency, the function, operation, or use of which: I. involves intelligence activities; II. involves cryptologic activities related to national security; III. Involves command and control of military forces; IV. involves equipment that is an integral part of a weapon or weapon system; or V. subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. Subparagraph (B). Does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). (Title 44 U.S. Code Section 3542, Federal Information Security Management Act of 2002.)SystemRegulatedCUI
National Settlement Service (NSS)nounAlso referred to as Deferred Net Settlement. The Federal Reserve Banks' multilateral settlement service. NSS is offered to depository institutions that settle for participants in clearinghouses, financial exchanges, and other clearing and settlement groups. Settlement agents acting on behalf of those depository institutions electronically submit settlement files to the Federal Reserve Banks. Files are processed on receipt, and entries are automatically posted to the depository institutions' Reserve Bank accounts. Entries are final when posted.OrganizationRegulated
National Vulnerability DatabasenounThe U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).VulnerabilityRegulated
need to knownounAn administrative action officially declaring a particular individual requires access to specified sensitive or classified information in order to perform their assigned duties.RequirementRegulatedCUI
Need To Know DeterminationnounDecision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.ProcessRegulatedCUI
negative effectnounA measure, expressed as a function of the likelihood that an event may occur, how fast the event may impact objectives and the estimated negative impact that an event may have on objectives or the impact that an event had on objectives.MetricRegulated
Net debit capnounThe maximum dollar amount of uncollateralized daylight overdrafts that an institution is authorized to incur in its Federal Reserve account. The net debit cap is generally equal to an institution's capital times the cap multiple for its cap category.RequirementRegulated
network activity baselinenounEstablishing a trusted baseline document involves identifying the following: the network data points of interest; the length of the baseline data collection period; and the methods and tools used to collect and store data. Suggested network data points of interest include: a list of predetermined devices a given workstation or server should communicate with; VPN usage, including access times, bandwidth and resources used, source IP addresses, and geolocation information; the known set of ports and protocols in use by the network; firewall and intrusion detection system logs; and normal traffic patterns and flows.ArtifactInternalCUI
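The entry above lists what goes into a baseline; what a practitioner then does with it is compare live activity against it. The block below is an added example (written for this page, not taken from the glossary's sources) that builds a baseline from flow records collected during the learning period, recording each host's known peers, its known protocol/port pairs and its typical transfer volume, and then flags later flows that introduce a new peer, a new port, an outsized transfer, or a host the baseline never saw. The flow-record tuple shape, the hostnames, addresses and byte counts are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records from the baseline collection period (not real
# traffic): (host, peer, protocol, destination port, bytes transferred).
LEARNING_FLOWS = [
    ("ws-12", "10.0.1.10", "tcp", 445, 20_000),
    ("ws-12", "10.0.1.20", "tcp", 443, 150_000),
    ("ws-12", "10.0.1.10", "tcp", 445, 25_000),
    ("ws-12", "10.0.1.53", "udp", 53, 2_000),
    ("srv-db", "10.0.1.30", "tcp", 5432, 900_000),
    ("srv-db", "10.0.1.53", "udp", 53, 1_000),
]

# Constructed flows observed after the baseline was frozen.
OBSERVED_FLOWS = [
    ("ws-12", "10.0.1.10", "tcp", 445, 22_000),           # normal
    ("ws-12", "198.51.100.77", "tcp", 4444, 5_000),       # unknown peer and port
    ("srv-db", "10.0.1.30", "tcp", 5432, 9_500_000),      # known peer, abnormal volume
    ("ws-99", "10.0.1.10", "tcp", 445, 1_000),            # host never baselined
]


def build_baseline(flows):
    """Summarise the learning period: per host, the peers it talked to,
    the protocol/port pairs it used and its mean bytes per flow."""
    peers, ports, volumes = defaultdict(set), defaultdict(set), defaultdict(list)
    for host, peer, proto, port, nbytes in flows:
        peers[host].add(peer)
        ports[host].add((proto, port))
        volumes[host].append(nbytes)
    return {
        "peers": dict(peers),
        "ports": dict(ports),
        "typical_bytes": {h: mean(v) for h, v in volumes.items()},
    }


def compare_to_baseline(baseline, flows, volume_factor=10):
    """Return (host, deviation, detail) for every flow outside the baseline.
    A flow can raise more than one deviation; an unknown host raises one."""
    findings = []
    for host, peer, proto, port, nbytes in flows:
        if host not in baseline["peers"]:
            findings.append((host, "unbaselined_host", peer))
            continue
        if peer not in baseline["peers"][host]:
            findings.append((host, "new_peer", peer))
        if (proto, port) not in baseline["ports"][host]:
            findings.append((host, "new_port", f"{proto}/{port}"))
        if nbytes > volume_factor * baseline["typical_bytes"][host]:
            findings.append((host, "volume_anomaly", nbytes))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_FLOWS)
    for finding in compare_to_baseline(baseline, OBSERVED_FLOWS):
        print(*finding)
```

Two caveats follow from the entry's own wording. The baseline is only "trusted" if the collection period itself was clean, so it should be reviewed, not just recorded; and a baseline that is never refreshed decays into noise as legitimate peers and services change, so deviations should feed a review process that either investigates them or adds them to the baseline.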
network diagramnounA description of any kind of locality in terms of its physical layout. In the context of communication networks, a topology describes pictorially the configuration or arrangement of a network, including its nodes and connecting communication lines.ArtifactConfidential
network portnounA network port is a process-specific or application-specific software construct serving as a communication endpoint, used by the Transport Layer protocols of the Internet Protocol suite, such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).NetworkRegulated
no longer needed for legal, regulatory, or business reasonnounSomething that is not needed anymore for business, regulatory, or legal reasons.RequirementRegulated
No-Lone ZonenounArea, room, or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other. See Two-Person Integrity.ControlRegulatedCUI
non-compliancenounThe failure to achieve performance criteria of a regulation or authority.FindingRegulated
non-compliance informationnounInformation regarding a failure to act in accordance with applicable standards and regulations.FindingRegulatedCUI
Non-Local MaintenancenounMaintenance activities conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal network.ProcessRegulated
noticenounAny documented (in print or electronic format) notice or notification to another person by taking such steps as may be reasonably required to inform the other person in ordinary course, whether or not the other person actually comes to know of it.ArtifactRegulated
notificationnounThe act of giving notice of or reporting something formally or officially.EventRegulated
notification requirementnounThe obligation to officially inform a party of something important.RequirementRegulated
NullnounDummy letter, letter symbol, or code group inserted into an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes.ControlRegulatedCUI
Null SessionnounKnown as Anonymous Logon, it is a way of letting an anonymous user retrieve information such as user names and shares over the network or connect without authentication. It is used by applications such as explorer.exe to enumerate shares on remote servers.VulnerabilityRegulated
Object IdentifiernounA specialized formatted number that is registered with an internationally recognized standards organization. The unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the federal government PKI, they are used to uniquely identify each of the four policies and cryptographic algorithms supported.ArtifactRegulatedCUI
Object ReusenounReassignment and reuse of a storage medium containing one or more objects after ensuring no residual data remains on the storage medium.ControlRegulated
Off-CardnounRefers to data that is not stored within the PIV card or computation that is not done by the Integrated Circuit Chip (ICC) of the PIV card.DataRegulatedCUI
Office of Foreign Asset Control (OFAC)nounThe Office of Foreign Assets Control, United States Department of the Treasury, administers and enforces economic sanctions programs primarily against countries and groups of individuals such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.OrganizationRegulated
Office of Foreign Assets Control (OFAC)nounThe Office of Foreign Assets Control, Department of the Treasury, administers and enforces economic sanctions programs primarily against countries and groups of individuals such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.OrganizationRegulated
Official InformationnounAll information in the custody and control of a U.S. government department or agency that was acquired by U.S. government employees as a part of their official duties or because of their official status and has not been cleared for public release.DataRegulatedCUI
offsite backupnounA backup process or facility that stores backup data or applications external to the organization or core IT environment.ProcessRegulated
Offsite rotationnounUsed for backup and/or disaster recovery; moving a copy of the most current database, information, file, or tape to an offsite storage facility to be used only in an emergency.ProcessRegulated
On-CardnounRefers to data that is stored within the PIV card or computation that is done by the ICC of the PIV card.DataRegulatedCUI
On-us checksnounChecks that are deposited into the same institution on which they are drawn.DataRegulatedPII
One-time TapenounPunched paper tape used to provide key streams on a one-time basis in certain machine cryptosystems.PhysicalRegulatedCUI
Online AttacknounAn attack against an authentication protocol where the Attacker either assumes the role of a Claimant with a genuine Verifier or actively alters the authentication channel. The goal of the attack may be to gain authenticated access or learn authentication secrets.ThreatRegulated
Online CryptosystemnounCryptographic system in which encryption and decryption are performed in association with the transmitting and receiving functions.CapabilityRegulated
online terminalnounA web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.SystemRegulatedPCI
Open StoragenounAny storage of classified national security information outside of approved containers. This includes classified information that is resident on information systems media and outside of an approved storage container, regardless of whether or not that media is in use (i.e., unattended operations).FindingRegulatedCUI
| Term | Type | Definition | Classifications |
|---|---|---|---|
| operational control | noun | The day-to-day security procedures and mechanisms to protect operational systems. The operational controls consist of the physical, environmental and personnel security controls. These controls deal with the everyday operation of a company or organization to ensure all objectives are achieved. | Control, Regulated |
| Operational Key | noun | Key intended for use over-the-air for protection of operational information or for the production or secure electrical transmission of key streams. | Credential, Regulated, CUI |
| operational performance report | noun | A report that details the findings of a performance review of a business's operations. | Artifact, Internal |
| operational resilience | noun | The ability of an FMI to: (i) maintain essential operational capabilities under adverse conditions or stress, even if in a degraded or debilitated state; and (ii) recover to effective operational capability in a time frame consistent with the provision of critical economic services. | Capability, Regulated |
| Operational risk | noun | The risk of failure or loss resulting from inadequate or failed processes, people, or systems. | Threat, Regulated |
| Operational Vulnerability Information | noun | Information that describes the presence of an information vulnerability within a specific operational setting or network. | Vulnerability, Regulated, CUI |
| Operational Waiver | noun | Authority for continued use of unmodified COMSEC end-items pending the completion of a mandatory modification. | Requirement, Regulated, CUI |
| Operations Code | noun | Code composed largely of words and phrases suitable for general communications use. | Artifact, Regulated, CUI |
| Operations Security | noun | Systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures. | Process, Regulated, CUI |
| Operations Technology | noun | The hardware and software systems used to operate industrial control devices. | System, Regulated |
| Optional Modification | noun | NSA-approved modification not required for universal implementation by all holders of a COMSEC end-item. This class of modification requires all of the engineering/doctrinal control of mandatory modification but is usually not related to security, safety, TEMPEST, or reliability. See Mandatory Modification. | Control, Regulated, CUI |
| Organizational Registration Authority | noun | Entity within the PKI that authenticates the identity and the organizational affiliation of the users. | Organization, Regulated, PII |
| Originating depository financial institution (ODFI) | noun | A participating financial institution that originates entries at the request of and by agreement with its originators in accordance with the provisions of the NACHA rules. | Organization, Regulated |
| origination function | noun | Any of the processes required to initiate an automated clearing house transaction. | Process, Regulated, PCI |
| Originator | noun | A person that has authorized an ODFI to transmit a credit or debit entry to the deposit account of a receiver at an RDFI. | Identity, Regulated, PII |
| Out-of-band | noun | Activity outside of the primary means of interfacing with the customer. For example, if a user is performing activity online, he or she may be authenticated through a one-time password sent via text message. | Control, Regulated |
| outside(r) threat | noun | A person or group of persons external to an organization who are not authorized to access its assets and who pose a potential risk to the organization and its assets. | Threat, Restricted |
| outsourced application | noun | An application whose development, deployment, and management are contracted out to an external provider. | System, Regulated |
| outsourcing arrangement | noun | A contract between the institution and an audit services firm to provide internal audit services. | Process, Regulated |
| outsourcing contract | noun | The outsourcing contract is one of the most important documents in an outsourcing relationship. Its terms and quality will largely influence the outsourcing relationship, its governance, and the overall success of the outsourcing venture. | Requirement, Confidential |
| Outsourcing Service Contract | noun | This record contains acquisition or outsourcing contracts for IT services. | Artifact, Confidential |
| Over-The-Air Key Distribution | noun | Providing electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation. | Process, Restricted, CUI |
| Over-The-Air Key Transfer | noun | Electronically distributing key without changing the traffic encryption key used on the secured communications path over which the transfer is accomplished. | Process, Regulated, CUI |
| Over-The-Air Rekeying | noun | Changing the traffic encryption key or transmission security key in remote cryptographic equipment by sending the new key directly to the remote cryptographic equipment over the communications path it secures. | Process, Regulated, CUI |
| overdraft | noun | The amount by which withdrawals exceed deposits, or the extension of credit by a lending institution to allow for such a situation. | Data, Regulated, PII |
| Partitioned Security Mode | noun | Information systems security mode of operation wherein all personnel have the clearance, but not necessarily formal access approval and need-to-know, for all information handled by an information system. | Requirement, Regulated, CUI |
| Passive Wiretapping | noun | The monitoring or recording of data while it is being transmitted over a communications link, without altering or affecting the data. | Threat, Regulated |
| password | noun | A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization. | Credential, Restricted |
| password | noun | A protected/private string of letters, numbers, and/or special characters used to authenticate an identity or to authorize access to data. | Credential, Restricted |
| patch and vulnerability management process | noun | One of the many processes associated with the patching of software applications, including the situations in which an organization is forced to make emergency configuration changes that may reduce functionality in order to protect the organization from exploitation of the vulnerability. | Vulnerability, Regulated |
| patch log | noun | A list that shows the patches that have been installed and those that still need to be installed to update software. | Artifact, Internal |
| Path Histories | noun | Maintaining an authenticatable record of the prior platforms visited by a mobile software agent, so that a newly visited platform can determine whether to process the agent and what resource constraints to apply. | Artifact, Internal, CUI |
| Paying bank | noun | A paying bank is the institution where a check is payable and to which it is sent for payment. | Organization, Regulated |
| Payload | noun | The input data to the CCM generation-encryption process that is both authenticated and encrypted. | Data, Restricted |
| payment card | noun | A range of different cards that can be used to access cash assets through point-of-sale terminals or other facilities in order to make payments, receive cash money, exchange currency and perform other actions determined by the card issuer and its terms. | Physical, Regulated, PCI |
| Payment system | noun | The mechanism, the rules, institutions, people, markets, and agreements that make the exchange of payments possible. | System, Regulated, PCI |
| Payments System Risk Policy (PSR) | noun | The Federal Reserve's Payments System Risk (PSR) policy addressing the risks that payment systems present to the Federal Reserve Banks, the banking system, and to other sectors of the economy. | Requirement, Regulated |
| Payroll card account | noun | A bank account that is established directly or indirectly by an employer on behalf of an employee, to which the employee's wages or compensation are delivered by electronic funds transfer on a recurring basis. The payroll card, often branded by one of the credit/debit card associations, provides the employee access to the funds. | Data, Regulated, PII |
| PCI Security Standards Council | noun | The governing body, representing key participants of the payment card industry, which establishes and maintains security standards for payment cards. | Organization, Regulated, PCI |
| Penetration | noun | Gaining unauthorized logical access to sensitive data by circumventing a system's protections. | Threat, Regulated |
| Penetration test | noun | The process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others. | Process, Restricted |
| Penetration testing | noun | Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability. | Process, Regulated |
| Per-Call Key | noun | Unique traffic encryption key generated automatically by certain secure telecommunications systems to secure single voice or data transmissions. See Cooperative Key Generation. | Credential, Regulated, CUI |
| Performance Reference Model | noun | Framework for performance measurement providing common output measurements throughout the federal government. It allows agencies to better manage the business of government at a strategic level by providing a means for using an agency's EA to measure the success of information systems investments and their impact on strategic outcomes. | Framework, Internal |
| Perimeter | noun | (C&A) Encompasses all those components of the system that are to be accredited by the DAA, and excludes separately accredited systems to which the system is connected. (Authorization) Encompasses all those components of the system or network for which a Body of Evidence is provided in support of a formal approval to operate. | System, Regulated, CUI |
| Periods Processing | noun | The processing of various levels of classified and unclassified information at distinctly different times. Under the concept of periods processing, the system must be purged of all information from one processing period before transitioning to the next. | Process, Regulated, CUI |
| Permuter | noun | Device used in cryptographic equipment to change the order in which the contents of a shift register are used in various nonlinear combining circuits. | Physical, Restricted, CUI |
| Person-to-person (P2P) payment | noun | Online payments using electronic mail messages to invoke a transfer of value between the parties over existing proprietary networks as on-us transactions. | Process, Regulated, PCI |
| Personal digital assistant (PDA) | noun | A pocket-sized, special-purpose personal computer that lacks a conventional keyboard. | Physical, Regulated |
| Personal identification number | noun | A secret that a claimant memorizes and uses to authenticate his or her identity. PINs are generally only decimal digits. | Credential, Regulated, PII |
| personal identification number information | noun | Information containing an account-holder's secret code that is used to verify their identity when trying to access a computer system, network, credit card account, ATM, etc. | Data, Regulated, PII |
| Personal Identifying Information / Personally Identifiable Information | noun | The information that permits the identity of an individual to be directly or indirectly inferred. | Data, Regulated, PII |
| Personal Identity Verification | noun | The process of creating and using a governmentwide secure and reliable form of identification for federal employees and contractors, in support of HSPD 12, Policy for a Common Identification Standard for Federal Employees and Contractors. | Process, Regulated, CUI |
| Personal Identity Verification Accreditation | noun | The official management decision to authorize operation of a PIV Card Issuer after determining that the Issuer's reliability has satisfactorily been established through appropriate assessment and certification processes. | Process, Regulated, CUI |
| Personal Identity Verification Authorizing Official | noun | An individual who can act on behalf of an agency to authorize the issuance of a credential to an applicant. | Role, Regulated, CUI |
| Personal Identity Verification Card | noun | Physical artifact (e.g., identity card, "smart" card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation, etc.) such that a claimed identity of the cardholder may be verified against the stored credentials by another person (human-readable and verifiable) or an automated process (computer-readable and verifiable). | Physical, Regulated, CUI |
| Personal Identity Verification Issuer | noun | An authorized identity card creator that procures FIPS-approved blank identity cards, initializes them with appropriate software and data elements for the requested identity verification and access control application, personalizes the cards with the identity credentials of the authorized subjects, and delivers the personalized card to the authorized subjects along with appropriate instructions for protection and use. | Organization, Regulated, CUI |
| Personal Identity Verification Registrar | noun | An entity that establishes and vouches for the identity of an applicant to a PIV Issuer. The PIV RA authenticates the applicant's identity by checking identity source documents and performing identity proofing, and ensures that a proper background check has been completed before the credential is issued. | Organization, Regulated, PII |
| Personal Identity Verification Sponsor | noun | An individual who can act on behalf of a department or agency to request a PIV Card for an applicant. | Role, Regulated, CUI |
| Personally identifiable financial information | noun | For purposes of the Information Security Standards, personally identifiable financial information means information (i) a consumer provides to a financial institution to obtain a financial product or service; (ii) about a consumer resulting from any transaction involving a financial product or service between the financial institution and a consumer; or (iii) that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service, such as account balance information, payment history, overdraft history, and credit or debit card purchase information; or the fact that an individual is one of the financial institution's customers. | Data, Regulated, PII |
| Personally Identifiable Information | noun | Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. | Data, Regulated, PII |
| personnel policy | noun | A set of rules that define the manner in which an organization deals with a human resources or personnel-related matter. | Requirement, Internal |
| personnel risk assessment | noun | The purpose of this task is to determine the risk that personnel pose to the organization. | Process, Regulated, PII |
| personnel risk assessment program | noun | A documented listing of procedures and instructions to be performed to complete a personnel risk assessment. | Process, Regulated |
| physical access | noun | The ability of people to physically gain access to a computer system or facility. | Control, Regulated |
| physical access control system | noun | Physical access control enables an authority to control admission to areas and resources in a physical facility. A physical access control system may restrict access via swipe cards, Personal Identity Verification (PIV) "smart" cards, and biometric (e.g., fingerprint) readers. Physical access control systems are generally seen as the second layer in the security of a physical facility after fences, doors and barriers. | Control, Regulated |
| Physical Access Control system maintenance and testing program | noun | A documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to ensure continued maintenance and testing of the Physical Access Control System. | Control, Regulated, CUI |
| physical operating environment authority document | noun | Statutes, regulations, safe harbors, audit guidelines, best practices, Service Level Agreements, Contractual Obligations, organizational policies and procedures, and any other documents that define the temperatures, humidity levels, electromagnetic levels, vibration levels, power levels, and space required for any device to operate properly. | Requirement, Internal |
| physical security | noun | The protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism. | Control, Regulated |
| physical security perimeter | noun | A type of gate, door, wall, or fence system that is intended to restrict and control the physical access or egress of personnel. | Physical, Regulated |
| physical security plan | noun | A formal document that provides an overview of the security requirements for a physical security program and describes the security controls in place or planned for meeting those requirements. | Artifact, Regulated, CUI |
| Physically Isolated Network | noun | A network that is not connected to entities or systems outside a physically controlled space. | Network, Restricted |
| PII Confidentiality Impact Level | noun | The PII confidentiality impact level (low, moderate, or high) indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed. | Metric, Regulated, PII |
| plaintext | noun | Intelligible data that has meaning and can be understood without the application of decryption. | Data, Regulated |
| Plan of Action and Milestones | noun | A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. | Artifact, Regulated, CUI |
| Point-of-sale (POS) network | noun | A network of institutions, debit cardholders, and merchants that permits consumers to make direct payment electronically at the place of purchase. The funds are withdrawn from the account of the cardholder. | Network, Regulated, PCI |
| Policy Approving Authority | noun | First level of the PKI Certification Management Authority that approves the security policy of each PCA. | Role, Regulated |
| Policy Certification Authority | noun | Second level of the PKI Certification Management Authority that formulates the security policy under which it and its subordinate CAs will issue public key certificates. | Organization, Regulated |
| Policy Management Authority | noun | Body established to oversee the creation and update of Certificate Policies, review Certification Practice Statements, review the results of CA audits for policy compliance, evaluate non-domain policies for acceptance within the domain, and generally oversee and manage the PKI certificate policies. For the FBCA, the PMA is the Federal PKI Policy Authority. | Organization, Regulated |
| Policy Mapping | noun | Recognizing that, when a CA in one domain certifies a CA in another domain, a particular certificate policy in the second domain may be considered by the authority of the first domain to be equivalent (but not necessarily identical in all respects) to a particular certificate policy in the first domain. | Process, Regulated |
| port | noun | A physical entry or exit point of a cryptographic module that provides access to the module for physical signals, represented by logical information flows (physically separated ports do not share the same physical pin or wire). | Network, Regulated |
| Portable Electronic Device | noun | Any nonstationary electronic apparatus with singular or multiple capabilities of recording, storing, and/or transmitting data, voice, video, or photo images. This includes but is not limited to laptops, personal digital assistants, pocket personal computers, palmtops, MP3 players, cellular telephones, thumb drives, video cameras, and pagers. | Physical, Regulated, CUI |
| Positive Control Material | noun | Generic term referring to a sealed authenticator system, permissive action link, coded switch system, positive enable system, or nuclear command and control documents, material, or devices. | Physical, Regulated, CUI |
| Positive pay | noun | A technique that can reduce check fraud by requesting businesses to send electronic files of information to the financial institution on all checks the business has issued. | Control, Regulated |
| Practice Statement | noun | A formal statement of the practices followed by an authentication entity (e.g., RA, CSP, or Verifier). It usually describes the policies and practices of the parties and can become legally binding. | Artifact, Internal |
| Prediction Resistance | noun | Prediction resistance is provided relative to time T if there is assurance that an adversary who has knowledge of the internal state of the DRBG at some time prior to T would be unable to distinguish between observations of ideal random bitstrings and bitstrings output by the DRBG at or subsequent to time T. The complementary assurance is called Backtracking Resistance. | Control, Regulated |
| Presentment fee | noun | A fee that an institution receiving a check may impose on the institution that presents the check for payment. No presentment fee may be charged for checks presented by 8 a.m. local time. | Requirement, Regulated |
| previous residence | noun | A location where someone was living before the place where that person is currently living. | Data, Regulated, PII |
| Primary Services Node | noun | A Key Management Infrastructure core node that provides the users' central point of access to KMI products, services, and information. | System, Regulated, CUI |
| Principal Accrediting Authority | noun | Senior official with authority and responsibility for all intelligence systems within an agency. | Role, Restricted, CUI |
| Principal Certification Authority | noun | The Principal Certification Authority is a CA designated by an agency to interoperate with the FBCA. An agency may designate multiple Principal CAs to interoperate with the FBCA. | Identity, Regulated, CUI |
| Print Suppression | noun | Eliminating the display of characters in order to preserve their secrecy. | Control, Regulated |
| prior to | noun | Limits a Control's or Mandate's secondary verb to being put into play before the event takes place. | Requirement, Regulated |
| Privacy | noun | Restricting access to subscriber or Relying Party information in accordance with federal law and agency policy. | Requirement, Regulated |
| Privacy Impact Assessment | noun | An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. | Artifact, Confidential, PII |
| Privacy System | noun | Commercial encryption system that affords telecommunications limited protection to deter a casual listener, but cannot withstand a technically competent cryptanalytic attack. | System, Regulated |
| Privileged access | noun | Individuals with the ability to override system or application controls. | Capability, Restricted |
| Privileged Account | noun | An information system account with approved authorizations of a privileged user. | Identity, Restricted |
| Privileged Command | noun | A human-initiated command executed on an information system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information. | Process, Regulated, CUI |
| privileged utility program | noun | Specialized system software used to perform a particular function or system maintenance that requires the ability to bypass, modify, or disable the technical or operational system security controls. | System, Restricted |
| processing requirement | noun | A condition that must be fulfilled in order for something to be processed. | Requirement, Regulated |
| Product Source Node | noun | The Key Management Infrastructure core node that provides central generation of cryptographic key material. | System, Regulated, CUI |
| production | noun | The purpose of this task is to transform tangible inputs and intangible inputs into goods or services, to create output or deliverables (goods or services) for another party, and to retrieve documents and make them available for use in a legal proceeding, especially as part of discovery. | Process, Regulated |
| Profiling | noun | Measuring the characteristics of expected activity so that changes to it can be more easily identified. | Process, Regulated, PII |
| Program Policy | noun | A program policy is a high-level policy that sets the overall tone of an organization's security approach. | Requirement, Internal |
| Proof of deposit (POD) | noun | The verification of the dollar amount written on a negotiable instrument being deposited. | Artifact, Regulated |
| Proprietary Information | noun | Material and information relating to or associated with a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications; marketing plans or techniques; schematics; client lists; computer programs; processes; and know-how that has been clearly identified and properly marked by the company as proprietary information, trade secrets, or company confidential information. The information must have been developed by the company and not be available to the government or to the public without restriction from another source. | Data, Restricted, IP |
| Protected Distribution System | noun | Wire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information through an area of lesser classification or control. | Network, Regulated, CUI |
| Protection Profile | noun | Common Criteria specification that represents an implementation-independent set of security requirements for a category of Targets of Evaluation (TOEs) that meets specific consumer needs. | Framework, Internal |
| Protective Distribution System | noun | Wire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information. | System, Regulated, CUI |
| Protective Packaging | noun | Packaging techniques for COMSEC material that discourage penetration, reveal that a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use. | Control, Regulated, CUI |
| Protective Technologies | noun | Special tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material. | Control, Regulated, CUI |
| protective technology | noun | Special tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material. | Control, Regulated |
| protocols, ports, applications, and services list | noun | A compilation of all protocols, ports, applications, and services that are available. | Artifact, Internal |
| Pseudonym | noun | 1. A subscriber name that has been chosen by the subscriber that is not verified as meaningful by identity proofing. 2. An assigned identity that is used to protect an individual's true identity. | Credential, Restricted, PII |
| Public Domain Software | noun | Software not protected by the copyright laws of any nation that may be freely used without permission of, or payment to, the creator, and that carries no warranties from, or liabilities to, the creator. | Data, Public, PublicInfo |
| public network | noun | A network established and operated by a third-party telecommunications provider for the specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks include, but are not limited to, the Internet, wireless, and mobile technologies. | Network, Public |
| Public Seed | noun | A starting value for a pseudorandom number generator. The value produced by the random number generator may be made public. The public seed is often called a "salt." | Data, Public |
| Quadrant | noun | Short name referring to technology that provides tamper-resistant protection to cryptographic equipment. | Physical, Regulated, CUI |
| Radiation Monitoring | noun | Radiation monitoring is the process of receiving images, data, or audio from an unprotected source by listening to radiation signals. | Process, Regulated |
| Random Number Generator | noun | Random Number Generators (RNGs) used for cryptographic applications typically produce a sequence of zero and one bits that may be combined into sub-sequences or blocks of random numbers. There are two basic classes: deterministic and nondeterministic. A deterministic RNG consists of an algorithm that produces a sequence of bits from an initial value called a seed. A nondeterministic RNG produces output that is dependent on some unpredictable physical source that is outside human control. | Capability, Restricted |
| Randomizer | noun | Analog or digital source of unpredictable, unbiased, and usually independent bits. Randomizers can be used for several different functions, including key generation or to provide a starting state for a key generator. | Capability, Regulated |
| Real time gross settlement (RTGS) System | noun | A type of payments system operating in real time rather than batch processing mode. It provides immediate finality of transactions. Gross settlement refers to the settlement of each transfer individually rather than netting. Fedwire® is an example of a real time gross settlement system. | System, Regulated |
| receipt | noun | A written or printed acknowledgment that something has been paid for or that goods have been received. | Artifact, Internal |
| Receiver | noun | An individual, corporation, or other entity that has authorized a company or an originator to initiate a credit or debit entry to a transaction account belonging to the receiver held at its RDFI. | Identity, Regulated, PII |
| Receiving depository financial institution (RDFI) | noun | Any financial institution qualified to receive debits or credits through its ACH operator in accordance with the ACH rules. | Organization, Regulated |
| Recipient Usage Period | noun | The period of time during the cryptoperiod of a symmetric key when protected information is processed. | Metric, Regulated |
| Reciprocal agreement | noun | An agreement whereby two organizations with similar computer systems agree to provide computer processing time for the other in the event one of the systems is rendered inoperable. Processing time may be provided on a "best effort" or "as time available" basis; therefore, reciprocal agreements are not usually acceptable as a primary recovery option. | Requirement, Internal |
| reconcilement | noun | The purpose of this task is to reestablish a close relationship or to settle or resolve something. | Process, Internal |
| Reconverting bank (Check 21) | noun | The financial institution that creates a substitute check. With respect to a substitute check that was created by a person that is not a financial institution, the reconverting bank is the first financial institution that transfers, presents, or returns that substitute check or, in lieu thereof, the first paper or electronic representation of that substitute check. The reconverting bank warrants that (1) the substitute check is the legal equivalent of the original check; and (2) the original check cannot be presented again in any form so the customer pays the check only once. | Organization, Regulated |
| record | noun | Anything that is put down in permanent form and preserved as evidence. | Artifact, Regulated, PII |
| Records Management | noun | The process for tagging information for records-keeping requirements as mandated in the Federal Records Act and the National Archival and Records Requirements. | Process, Regulated, CUI |
| Recover Function | noun | Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. | Process, Regulated |
| recovery plan | noun | The written expression of a recovery process, which consists of defining rules, processes, and disciplines to ensure that the critical business processes will continue to function if there is a failure of one or more of the information processing or telecommunications resources upon which their operations depend. The following are key elements of a disaster recovery plan: 1) Establish a planning group, 2) Perform risk assessment and audits, 3) Establish priorities for applications and networks, 4) Develop recovery strategies, 5) Prepare inventory and documentation of the plan, 6) Develop verification criteria and procedures, 7) Implement the plan. | Process, Regulated |
| recovery planning | noun | The activities undertaken to define a recovery process, which consists of defining rules, processes, and disciplines to ensure that the critical business processes will continue to function if there is a failure of one or more of the information processing or telecommunications resources upon which their operations depend. | Process, Internal |
| Recovery point objective (RPO) | noun | The amount of data that can be lost without severely impacting the recovery of operations, or the point in time to which systems and data must be recovered (e.g., the date and time of a business disruption). | Metric, Internal |
| Recovery Procedures | noun | Actions necessary to restore data files of an information system and computational capability after a system failure. | Process, Regulated, CUI |
| Recovery service levels | noun | Collectively, terms that define the speed, quality, and quantity of recovery capability in response to a disaster, including recovery time objective, recovery point objective, timely notification, percentage of normal production service level agreements (SLAs) that will be delivered during recovery mode, etc. | Requirement, Regulated |
| Recovery site | noun | An alternate location for processing information (and possibly conducting business) in an emergency. Usually distinguished as "hot" sites, which are fully configured centers with compatible computer equipment, and "cold" sites, which are operational computer centers without the computer equipment. | Physical, Internal |
| recovery strategy | noun | A strategy to resume the minimum set of critical services identified in the business impact analysis (e.g., use of another delivery channel to provide the same service). | Process, Internal |
| Recovery time objective (RTO) | noun | The maximum allowable downtime that can occur without severely impacting the recovery of operations, or the time in which systems, applications, or business functions must be recovered after an outage (e.g., the point in time that a process can no longer be inoperable). | Metric, Internal |
| RED | noun | In cryptographic systems, refers to information or messages that contain sensitive or classified information that is not encrypted. See also BLACK. | Data, Regulated, CUI |
| Red Signal | noun | Any electronic emission (e.g., plain text, key, key stream, subkey stream, initial fill, or control signal) that would divulge national security information if recovered. | Vulnerability, Regulated, CUI |
| Red Team exercise | noun | An exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organization. | Process, Restricted |
| Red/Black Concept | noun | Separation of electrical and electronic circuits, components, equipment, and systems that handle unencrypted information (Red), in electrical form, from those that handle encrypted information (Black) in the same form. | Control, Regulated, CUI |
| Registration | noun | The process through which a party applies to become a subscriber of a Credentials Service Provider (CSP) and a Registration Authority validates the identity of that party on behalf of the CSP. | Process, Regulated, PII |
Registration authoritynounA trusted entity that establishes and vouches for the identity of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).OrganizationRegulatedPII
Regulation CCnounA regulation (12 CFR 229) promulgated by the Board of Governors of the Federal Reserve System regarding the availability of funds and the collection of checks. The regulation governs the availability of funds deposited in checking accounts and the collection and return of checks.RequirementRegulated
Regulation EnounA regulation (12 CFR 205) promulgated by the Board of Governors of the Federal Reserve System to ensure consumers a minimum level of protection in disputes arising from electronic fund transfers.RequirementRegulated
Regulation ZnounRegulation Z, the Truth in Lending Act (TILA) (12 CFR 226) promulgated by the Board of Governors of the Federal Reserve System. The regulation prescribes uniform methods for computing the cost of credit, disclosing credit terms, and resolving errors on certain types of credit accounts.RequirementRegulated
regulatory agencynounGovernment body formed or mandated under the terms of a legislative act to ensure compliance with the provisions of the act, and in carrying out its purpose.OrganizationInternal
regulatory noticenounAny documented (in print or electronic format) notice used to inform affected parties regarding regulatory issues.ArtifactRegulated
Regulatory requirementsnounRules or laws that regulate conduct and that the enterprise must obey to become compliantRequirementRegulated
Release PrefixnounPrefix appended to the short title of U.S.-produced keying material to indicate its foreign releasability. "A" designates material that is releasable to specific allied nations, and "U.S." designates material intended exclusively for U. S. use.ArtifactRegulatedCUI
RemanencenounResidual information remaining on storage media after clearing. See Magnetic Remanence and Clearing.VulnerabilityRegulatedCUI
remedial actionnounAction taken to implement long-term restoration of environmental quality.ControlRegulated
Remediation PlannounA plan to perform the remediation of one or more threats or vulnerabilities facing an organization’s systems. The plan typically includes options to remove threats and vulnerabilities and priorities for performing the remediation.ArtifactInternal
Remittance cardsnounPayment cards that are typically used to facilitate cross-border movement of funds by individuals and for person-to-person transactions.DataRegulatedPCI
remote accessnounAccess to an organization's nonpublic information system by an authorized user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).CapabilityRegulated
Remote access servicenounRefers to any combination of hardware and software to enable the remote access to tools or information that typically reside on a network of IT devices Scope Note: Originally coined by Microsoft when referring to their built-in NT remote access tools, RAS was a service provided by Windows NT which allowed most of the services that would be available on a network to be accessed over a modem link. Over the years, many vendors have provided both hardware and software solutions to gain remote access to various types of networked information. In fact, most modern routers include a basic RAS capability that can be enabled for any dial-up interface.SystemRegulated
Remote control softwarenounSoftware that is used to obtain access to a computer or network from a remote distance.SystemRestricted
Remote deletionsnounUse of a technology to remove data from a portable device without touching the device.CapabilityRegulated
Remote deposit capture (RDC)nounA service that enables users at remote locations to scan digital images of checks and transmit the captured data to a financial institution or a merchant that is a customer of a financial institution.CapabilityRegulatedPCI
Remote Diagnostics/MaintenancenounMaintenance activities conducted by authorized individuals communicating through an external network (e.g., the Internet).ProcessRegulated
Remote journalingnounProcess used to transmit journal or transaction logs in real time to a back-up location.ProcessRegulated
remote maintenancenounMaintenance activities conducted by individuals communicating external to an information system security perimeter.ProcessRegulated
Remote RekeyingnounProcedure by which a distant crypto-equipment is rekeyed electrically. See Automatic Remote Rekeying and Manual Remote Rekeying.ProcessRegulatedCUI
Remotely created check (RCC)nounA check that is drawn on a customer account at a financial institution, is created by the payee, and does not bear a signature in the format agreed to by the paying financial institution and customer. RCCs are also known as "demand drafts," "telechecks," "preauthorized drafts," "paper drafts," or "digital checks."DataRegulatedPCI
Removable medianounPortable electronic storage media such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device, and that is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CDs), thumb drives, pen drives, and similar USB storage devices.PhysicalRegulated
removable storage medianounPortable electronic storage media such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device, and that is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CDs), thumb drives, pen drives, and similar USB storage devices.PhysicalRegulated
Repair ActionnounNSA-approved change to a COMSEC end-item that does not affect the original characteristics of the end-item and is provided for optional application by holders. Repair actions are limited to minor electrical and/or mechanical improvements to enhance operation, maintenance, or reliability. They do not require an identification label, marking, or control but must be fully documented by changes to the maintenance manual.ControlRegulatedCUI
reportnounTo give a spoken or written account of something that has been seen, done etc.ArtifactRegulated
Report of Examination (noun): The report prepared by the Board, or other federal or state financial institution supervisory agency, concerning the examination of a financial institution; includes reports of inspection and reports of examination of U.S. branches or agencies of foreign banks and representative offices of foreign organizations, and other institutions examined by the Federal Reserve System. [Artifact, Regulated]
reportable cyber incident (noun): A Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity. [Event, Regulated, CUI]
reporting requirement (noun): Set by the organization, this requires third parties to provide certain update and other status reports, such as work status, Service Level Agreement status, etc. [Requirement, Regulated]
Repository (noun): A database containing information and data relating to certificates as specified in a CP; may also be referred to as a directory. [Data, Regulated]
Repudiation (noun): The denial by one of the parties to a transaction of participation in all or part of that transaction or of the content of the communication. [Requirement, Regulated]
Request for Comment (noun): A series of notes about the Internet, started in 1969 (when the Internet was the ARPANET). An Internet Document can be submitted to the IETF by anyone, but the IETF decides if the document becomes an RFC. Eventually, if it gains enough interest, it may evolve into an Internet standard. [Artifact, Public, PublicInfo]
Reserve account (noun): A non-interest-earning balance account institutions maintain with the Federal Reserve Bank or with a correspondent bank to satisfy the Federal Reserve's reserve requirements. Reserve account balances play a central role in the exchange of funds between depository institutions. [Data, Regulated]
Reserve Keying Material (noun): Key held to satisfy unplanned needs. See Contingency Key. [Credential, Regulated, CUI]
Reserve requirements (noun): The percentage of deposits that a depository institution may not lend out or invest and must hold either as vault cash or on deposit at a Federal Reserve Bank. Reserve requirements affect the potential of the banking system to create transaction deposits. [Requirement, Regulated]
Residue (noun): Data left in storage after information-processing operations are complete, but before degaussing or overwriting has taken place. [Data, Regulated, CUI]
resilience by design (noun): The embedding of security in technology and system development from the earliest stages of conceptualisation and design. [Requirement, Regulated]
Resilience testing (noun): Testing of an institution's business continuity and disaster recovery resumption plans. [Process, Internal]
response (noun): An action taken that addresses an incident and assesses the level of containment and control activity required. [Process, Regulated]
response and recovery strategy (noun): A systematic plan of action consisting of documented procedures for mitigating and recovering from a disruptive event. [Process, Internal]
response plan (noun): A document detailing the steps that must be taken, or the activities that must be performed well, in response to risk assessment or audit findings. [Process, Internal]
responsible entity (noun): Any group, or even an individual, within an organization that has been given responsibility for a particular process. [Role, Regulated]
Restricted Data (noun): All data concerning (i) design, manufacture, or utilization of atomic weapons; (ii) the production of special nuclear material; or (iii) the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to Section 142 [of the Atomic Energy Act of 1954]. [Data, Restricted, CUI]
Retail payments (noun): Payments, typically small, made in the goods and services market. [Data, Regulated, PCI]
Retention requirement (noun): Requirement established by a company or by regulation for the length of time and/or the amount of information that should be retained. [Requirement, Regulated]
Return (ACH) (noun): Any ACH entry that has been returned to the ODFI by the RDFI or by the ACH operator because it cannot be processed. The reason for each return is included with the return in the form of a "return reason code." (See the NACHA "Operating Rules and Guidelines" for a complete reason code listing.) [Artifact, Regulated, PCI]
Reverse Engineering (noun): Acquiring sensitive data by disassembling and analyzing the design of a system component. [Threat, Restricted, IP]
risk assessment (noun): The process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. It uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF). [Process, Regulated]
Risk Assessment Report (noun): The report which contains the results of performing a risk assessment, or the formal output from the process of assessing risk. [Artifact, Confidential]
risk management control (noun): Controls associated with instruments that introduce risks that require effective adherence to the relevant clearing house, association, interchange, and regulatory requirements. [Control, Regulated]
risk management program (noun): A documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to identify, control, and reduce or eliminate risks to operations, assets, or individuals that are inherent to system development and operations. [Process, Regulated]
Risk measurement (noun): A process to determine the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution. The result of risk measurement leads to the prioritization of potential risks based on severity and likelihood of occurrence. [Process, Internal]
Risk Mitigation Plan (noun): This record contains detailed proposals intended to reduce the risks to a critical asset, typically including actions or countermeasures designed to counter the threats to assets. [Control, Regulated, CUI]
Risk Profile (noun): This record contains an outline of the number, type, and potential effects of risks to which an asset or organization is exposed. [Artifact, Regulated]
risk-based approach (noun): An approach whereby FMIs identify, assess, and understand the risks to which they are exposed and take measures commensurate with these risks. [Process, Regulated]
risk-based authentication (noun): Any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person's identity when such deviations or changes are detected, such as through the use of challenge questions. [Control, Regulated, PII]
Rlogin (noun): Remote login. A UNIX utility that allows a user to log in to a remote host on a network, as if it were directly connected, and make use of various services. Remote login is an information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization's security controls. [Capability, Regulated]
Root Certification Authority (noun): In a hierarchical Public Key Infrastructure, the Certification Authority whose public key serves as the most trusted datum (i.e., the beginning of trust paths) for a security domain. [Credential, Restricted]
Round Key (noun): Round keys are values derived from the Cipher Key using the Key Expansion routine; they are applied to the State in the Cipher and Inverse Cipher. [Credential, Restricted]
Routing number (noun): Also referred to as the ABA number. A nine-digit number (eight digits and a check digit) that identifies a specific financial institution. [Data, Regulated]
rule (noun): A principle, condition, or regulation that customarily governs behavior or procedure within a particular area of activity. [Requirement, Regulated]
Rules of Engagement (noun): Detailed guidelines and constraints regarding the execution of information security testing. The ROE is established before the start of a security test and gives the test team authority to conduct defined activities without the need for additional permissions. [Requirement, Internal]
Ruleset (noun): A set of directives that govern the access control functionality of a firewall. The firewall uses these directives to determine how packets should be routed between its interfaces. [Control, Regulated]
S/Key (noun): A security mechanism that uses a cryptographic hash function to generate a sequence of 64-bit, one-time passwords for remote user login. The client generates a one-time password by applying the MD4 cryptographic hash function multiple times to the user's secret key. For each successive authentication of the user, the number of hash applications is reduced by one. [Credential, Regulated]
Safeguarding Statement (noun): Statement affixed to a computer output or printout that states the highest classification being processed at the time the product was produced and requires control of the product, at that level, until determination of the true classification by an authorized individual. Synonymous with banner. [Artifact, Regulated, CUI]
Sandbox (noun): A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized. [System, Internal]
Sanitization (noun): A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means. [Process, Regulated]
SAS 70 report (noun): An audit report of a servicing institution prepared in accordance with guidance provided in the American Institute of Certified Public Accountants' Statement of Auditing Standards Number 70. Replaced by SSAE 16. [Artifact, Regulated]
Satellite technology (noun): Satellite links efficiently extend the reach of typical communication systems to distant areas and provide alternative traffic routing in an emergency. [System, Regulated]
Schedules (noun): This record category contains ordered lists of times at which things are planned to occur. [Artifact, Internal]
Scoping Guidance (noun): A part of tailoring guidance providing organizations with specific policy/regulatory-related, technology-related, system component allocation-related, operational/environmental-related, physical infrastructure-related, public access-related, scalability-related, common control-related, and security objective-related considerations on the applicability and implementation of individual security controls in the security control baseline. [Requirement, Regulated, CUI]
secret key (noun): A cryptographic key that is used with a secret-key (symmetric) cryptographic algorithm, that is uniquely associated with one or more entities, and that is not made public. The use of the term "secret" in this context does not imply a classification level, but rather implies the need to protect the key from disclosure. [Credential, Restricted, CUI]
Secret Key symmetric Cryptographic Algorithm (noun): A cryptographic algorithm that uses a single key (i.e., a secret key) for both encryption and decryption. [Credential, Restricted]
Secret Seed (noun): A secret value used to initialize a pseudorandom number generator. [Credential, Restricted, CUI]
Secure Communications (noun): Telecommunications deriving security through use of NSA-approved products and/or Protected Distribution Systems. [Capability, Regulated, CUI]
secure development practice (noun): A software development practice in which the confidentiality, integrity, and availability of the software code are protected against threats and vulnerabilities. [Process, Regulated, IP]
secure disposal (noun): The process of erasing or overwriting data stored on media before relinquishing control of said media when no longer required, in a manner that ensures that no data can be recovered from the media. [Process, Regulated]
Secure Electronic Transaction (noun): A standard that will ensure that credit card and associated payment order information travels safely and securely between the various involved parties on the Internet. [Framework, Regulated, PCI]
Secure Erase (noun): An overwrite technology using a firmware-based process to overwrite a hard drive. It is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications, which runs inside the drive hardware. It completes in about 1/8 the time of 5220 block erasure. [Control, Regulated]
Secure Hash Standard (noun): This Standard specifies secure hash algorithms (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256) for computing a condensed representation of electronic data (a message). When a message of any length less than 2^64 bits (for SHA-1, SHA-224, and SHA-256) or less than 2^128 bits (for SHA-384, SHA-512, SHA-512/224, and SHA-512/256) is input to a hash algorithm, the result is an output called a message digest. The message digests range in length from 160 to 512 bits, depending on the algorithm. Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random numbers (bits). The hash algorithms specified in this Standard are called secure because, for a given algorithm, it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest. Any change to a message will, with a very high probability, result in a different message digest. This will result in a verification failure when the secure hash algorithm is used with a digital signature algorithm or a keyed-hash message authentication algorithm. [Framework, Public]
Secure Socket Layer (noun): A protocol used for protecting private information during transmission via the Internet. Note: SSL works by using a public key to encrypt data that is transferred over the SSL connection. Most Web browsers support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with "https:" instead of "http:". [Network, Regulated, PCI]
Secure Sockets Layer (noun): A protocol that is used to transmit private documents through the Internet. Scope Note: The SSL protocol uses a private key to encrypt the data that are to be transferred through the SSL connection. [Network, Regulated]
Secure Subsystem (noun): Subsystem containing its own implementation of the reference monitor concept for those resources it controls. A secure subsystem must depend on other controls and the base operating system for the control of subjects and the more primitive system objects. [System, Regulated]
Secure/Multipurpose Internet Mail Extensions (noun): A set of specifications for securing electronic mail. S/MIME is based upon the widely used MIME standard [MIME] and describes a protocol for adding cryptographic security services through MIME encapsulation of digitally signed and encrypted objects. The basic security services offered by S/MIME are authentication, non-repudiation of origin, message integrity, and message privacy. Optional security services include signed receipts, security labels, secure mailing lists, and an extended method of identifying the signer's certificate(s). [Control, Regulated]
security assessment report (noun): Any published finding of security component audits, such as a vulnerability assessment. [Artifact, Confidential]
Security Attribute (noun): An abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information; typically associated with internal data structures (e.g., records, buffers, files) within the information system which are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. [Data, Regulated, CUI]
Security audit (noun): An independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in control, policy, and procedures. [Process, Regulated]
Security Awareness program (noun): The documented plan and documented activities to create well-informed interest in being free from danger or threat. [Process, Regulated, CUI]
security awareness training (noun): The process of educating personnel on critical business processes. [Process, Internal]
Security Banner (noun): A banner at the top or bottom of a computer screen that states the overall classification of the system in large, bold type. Can also refer to the opening screen that informs users of the security implications of accessing a computer resource. [Control, Regulated, CUI]
Security breach (noun): A security event that results in unauthorized access to data, applications, services, networks, or devices by bypassing underlying security mechanisms. [Event, Regulated]
Security Categorization (noun): The process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems. [Process, Regulated, CUI]
Security Category (noun): The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation. [Requirement, Regulated]
Security Concept of Operations (noun): A security-focused description of an information system, its operational policies, classes of users, interactions between the system and its users, and the system's contribution to the operational mission. [Artifact, Restricted, CUI]
security control (noun): A safeguard or countermeasure to avoid, counteract, or minimize security risks relating to personal property or any company property. For business-to-business facing organizations whose service may affect the financial statements of the other company, the prospect may require successful audit reports of policy controls. [Control, Regulated]
Security Control Assessment (noun): The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. [Control, Regulated, CUI]
Security Control Baseline (noun): One of the sets of minimum security controls defined for federal information systems in NIST Special Publication 800-53 and CNSS Instruction 1253. [Control, Regulated]
Security Controls Baseline (noun): The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system. [Requirement, Regulated, CUI]
security event (noun): An event that potentially compromises the confidentiality, integrity, availability, or accountability of an information system. [Event, Regulated]
Security Event Log (noun): This record contains records of any security-related and auditing-related events. [Event, Regulated, CUI]
Security Features Users Guide (noun): Guide or manual explaining how the security mechanisms in a specific system work. [Artifact, Internal]
Security Impact Analysis (noun): The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system. [Process, Internal]
security incident (noun): An adverse event where a threat or exploit may compromise a computer system and cause loss of data confidentiality, disruption of system or data integrity, or disruption or denial of availability of the system and/or data. [Event, Regulated]
security incident response plan (noun): The steps taken during an incident. An incident response plan brings together and organizes the resources for dealing with any event that harms or threatens the security of information assets. Such an event may be a malicious code attack, unauthorized access to information or systems, the unauthorized use of services, a denial of service attack, or a hoax. [Process, Regulated]
Security Kernel (noun): Hardware, firmware, and software elements of a trusted computing base implementing the reference monitor concept. The security kernel must mediate all accesses, be protected from modification, and be verifiable as correct. [System, Regulated]
Security Label (noun): Information that represents or designates the value of one or more security-relevant attributes (e.g., classification) of a system resource. [Control, Regulated]
Security log (noun): A record that contains login and logout activity and other security-related events and that is used to track security-related information on a computer system. [Artifact, Regulated]
Security Marking (noun): Human-readable information affixed to information system components, removable media, or output indicating the distribution limitations, handling caveats, and applicable security markings. [Artifact, Regulated, CUI]
Security Net Control Station (noun): Management system overseeing and controlling implementation of network security policy. [System, Regulated, CUI]
security patch (noun): Computer code intended to repair or lessen the impact of vulnerabilities within application software. [Control, Regulated]
security patching (noun): The task of distributing and applying security patches to organizational operating systems and applications. [Process, Regulated]
security patching process (noun): The series of steps taken to acquire, test, and distribute security patches to the appropriate administrators and users throughout the organization. [Process, Regulated]
Security Plan (noun): Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. See 'System Security Plan' or 'Information Security Program Plan.' [Artifact, Restricted]
Security Posture (noun): The security status of an enterprise's networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. [Metric, Internal]
security practice (noun): The actions an organization takes to initiate, implement, and maintain organizational security. [Process, Regulated]
Security Program Plan (noun): Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management security controls and common security controls in place or planned for meeting those requirements. [Artifact, Restricted, CUI]
Security Range (noun): Highest and lowest security levels that are permitted in or on an information system, system component, subsystem, or network. [Requirement, Regulated, CUI]
security requirement (noun): A necessary condition that must be met to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted. [Requirement, Regulated]
Security Requirements Baseline (noun): Description of the minimum requirements necessary for an information system to maintain an acceptable level of risk. [Requirement, Regulated]
Security Requirements (noun): Requirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted. [Requirement, Regulated]
Security Requirements Traceability Matrix (noun): Matrix that captures all security requirements linked to potential risks and addresses all applicable C&A requirements. It is, therefore, a correlation statement of a system's security features and compliance methods for each security requirement. [Artifact, Regulated, CUI]
Security Tag (noun): Information unit containing a representation of certain security-related information (e.g., a restrictive attribute bit map). [Data, Regulated, CUI]
Security Target (noun): Common Criteria specification that represents a set of security requirements to be used as the basis of an evaluation of an identified Target of Evaluation (TOE). [Requirement, Regulated]
Security Test & Evaluation (noun): Examination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system. [Process, Regulated, CUI]
Security violation (noun): An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information or system resources. [Event, Regulated]
Security-Relevant Information (noun): Any information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. [Data, Restricted, CUI]
Senior Agency Information Security Officer (noun): Official responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Management Act (FISMA) and serving as the Chief Information Officer's primary liaison to the agency's authorizing officials, information system owners, and information system security officers. SP 800-53 Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers. [Role, Regulated]
Sensitive Compartmented InformationnounClassified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence.DataRegulatedCUI
Sensitive Compartmented Information FacilitynounAccredited area, room, or group of rooms, buildings, or installation where SCI may be stored, used, discussed, and/or processed.PhysicalRegulatedCUI
Sensitive customer informationnounA customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log into or access the customer’s account, such as user name and password or password and account number.DataRegulatedPII
sensitive datanounInformation whose loss, misuse, unauthorized access to, modification, or destruction, could adversely affect the national interest or the conduct of federal programs, or privacy to which individuals are entitled, but which has not been specifically authorized to be kept secret in the interest of national defense or foreign policy, etc.DataRegulatedCUI
Sensitive InformationnounInformation, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (Systems that are not national security systems, but contain sensitive information, are to be protected in accordance with the requirements of the Computer Security Act of 1987 [P.L.100-235].)DataRegulatedCUI
Sensitivity LabelnounInformation representing elements of the security label(s) of a subject and an object. Sensitivity labels are used by the trusted computing base (TCB) as the basis for mandatory access control decisions. See Security Label.DataRegulatedCUI
service contractnounA formal agreement between a service provider and consumer that specifies the details of the service performed by the provider.RequirementInternal
Service Level Agreement (SLA)nounFormal documents between an institution and its third-party service provider that outline an institution’s predetermined requirements for a service and establish incentives to meet, or penalties for failure to meet, the requirements. SLAs should specify and clarify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met.RequirementInternal
service providernounFor purposes of the Information Security Standards, service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to a financial institution.OrganizationRegulatedPII
Session KeynounIn the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be re-keyed frequently.CredentialRestricted
SettlementnounThe final step in the transfer of ownership involving the physical exchange of securities or payment. In a banking transaction, settlement is the process of recording the debit and credit positions of the parties involved in a transfer of funds. In a financial instrument transaction, settlement includes both the transfer of securities by the seller and the payment by the buyer. Settlements can be "gross" or "net." Gross settlement means each transaction is settled individually. Net settlement means parties exchanging payments will offset mutual obligations to deliver identical items (e.g., dollars or EUROS), at a specified time, after which only one net amount of each item is exchanged.ProcessRegulated
Settlement date (ACH)nounThe date on which an exchange of funds with respect to an entry is reflected on the books of the Federal Reserve Bank.DataRegulated
Shadow ITnounA term used to describe IT systems or applications used inside institutions without explicit approval.SystemInternal
shared accountnounA single local account created for a group, with one user name and one password.IdentityRegulatedCUI
Shared SecretnounA secret used in authentication that is known to the Claimant and the Verifier.CredentialRestricted
Shielded EnclosurenounRoom or container designed to attenuate electromagnetic radiation, acoustic signals, or emanations.PhysicalRegulatedCUI
Short positionnounIn respect of a currency balance that is less than zero, the amount by which such currency balance is less than zero. An investment position that benefits from a decline in market price. When one sells a currency their position is short.MetricRegulated
Short position limitnounIn respect of an eligible currency, the maximum short position a Settlement Member may have at any time in that eligible currency and, unless otherwise reduced pursuant to the CLS Bank Rules, shall equal (i) the total amount of all available committed liquidity facilities in such eligible currency (or such lesser amount that CLS Bank may determine from time to time) minus (ii) the amount of the largest available committed liquidity facility among such liquidity facilities (after taking into account any amounts already drawn).RequirementRegulated
Short TitlenounIdentifying combination of letters and numbers assigned to certain COMSEC materials to facilitate handling, accounting, and controlling.ArtifactRegulatedCUI
Signals AnalysisnounGaining indirect knowledge of communicated data by monitoring and analyzing a signal that is emitted by a system and that contains the data but is not intended to communicate the data.CapabilityRegulated
Signature GenerationnounThe process of using a digital signature algorithm and a private key to generate a digital signature on data.ProcessRegulated
Signature ValidationnounThe (mathematical) verification of the digital signature and obtaining the appropriate assurances (e.g., public key validity, private key possession, etc.).ControlRegulated
Significant firmsnounFirms that process a significant share of transactions in critical financial markets.OrganizationRegulated
Simulated loss of data center site(s) test/exercisenounA type of disaster recovery test that involves the simulation of the loss of the primary, alternate, and/or tertiary data processing sites to verify that the institution can continue its data processing activities.PhysicalInternal
Single Point KeyingnounMeans of distributing key to multiple, local crypto equipment or devices from a single fill point.ProcessRegulatedCUI
Single-Entry (ACH)nounA one-time transfer of funds initiated by an originator in accordance with the receiver's authorization for a single ACH credit or debit to the receiver's consumer account.DataRegulatedPCI
SkimmingnounThe unauthorized use of a reader to read tags without the authorization or knowledge of the tag’s owner or the individual in possession of the tag.ThreatRegulatedPII
Smart cardnounA credit card-sized card with embedded integrated circuits that can store, process, and communicate information.PhysicalRegulated
software assurancenounLevel of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner.CapabilityRegulated
Software System Test and Evaluation ProcessnounProcess that plans, develops, and documents the qualitative/quantitative demonstration of the fulfillment of all baseline functional performance, operational, and interface requirements.ProcessRegulated
Sound practicesnounDefined in the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," which was issued by the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Securities and Exchange Commission.RequirementRegulated
Source codenounSoftware program instructions written in a format (language) readable by humans.DataConfidentialIP
Special Access ProgramnounA program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.ProcessRegulatedCUI
Special Access Program FacilitynounFacility formally accredited by an appropriate agency in accordance with DCID 6/9 in which SAP information may be processed.PhysicalRegulatedCDI
SpillagenounSecurity incident that results in the transfer of classified or CUI information onto an information system not accredited (i.e., authorized) for the appropriate security level.EventRegulatedCUI
Split KeynounA cryptographic key that is divided into two or more separate data items that individually convey no knowledge of the whole key that results from combining the items.CredentialRestricted
Split Knowledgenoun1. Separation of data or information into two or more parts, each part constantly kept under control of separate authorized individuals or teams so that no one individual or team will know the whole data. 2. A process by which a cryptographic key is split into multiple key components, individually sharing no knowledge of the original key, which can be subsequently input into, or output from, a cryptographic module by separate entities and combined to recreate the original cryptographic key.ControlRegulatedCUI
SpotnounThe most common foreign exchange transaction. Spot or spot date refers to the spot transaction value date that requires settlement within two business days, subject to value date calculation.ProcessRegulated
Screen scrapingnounA process used by information aggregators to gather information from a customer's website, whereby the aggregator accesses the target site by logging in as the customer, electronically reads and copies selected information from the displayed webpage(s), then redisplays the information on the aggregator's site. The process is analogous to "scraping" the information off the computer screen.ProcessRegulatedPII
StandardnounA published statement on a topic specifying characteristics, usually measurable, that must be satisfied or achieved in order to comply with the standard.RequirementInternal
Standard Entry Class (SEC) codenounThree-character code in an ACH company/batch header record used to identify the payment type within an ACH batch.DataRegulated
Start-Up KEKnounKey-encryption-key held in common by a group of potential communicating entities and used to establish ad hoc tactical networks.CredentialRegulatedCUI
StatenounIntermediate Cipher result that can be pictured as a rectangular array of bytes.DataRegulated
Static KeynounA key that is intended for use for a relatively long period of time and is typically intended for use in many instances of a cryptographic key establishment scheme.CredentialRegulated
SteganographynounThe art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.ThreatRegulatedPHI
stipulationnoun(law) an agreement or concession made by parties in a judicial proceeding (or by their attorneys) relating to the business before the court; must be in writing unless they are part of the court record.ArtifactRegulated
Store cardnounA credit card issued by a financial institution for a specific merchant or vendor that does not carry a bankcard association logo. Store cards can only be used at the merchant or vendor whose name appears on the front of the card.PhysicalRegulatedPCI
Stored-value cardnounA card-based payment system that assigns a value to the card. The card's value can be stored on the card itself (i.e., on the magnetic stripe or in a computer chip) or in a network database. As the card is used for transactions, the transaction amounts are subtracted from the card's balance. As the balance approaches zero, some cards can be "reloaded" through various methods and others are designed to be discarded. These cards are often used in closed systems for specific types of purchases.PhysicalRegulatedPCI
Street testsnounStreet tests are also called cross-market tests or market-wide tests that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.ProcessInternal
Striped CorenounA network architecture in which user data traversing a core IP network is decrypted, filtered and re-encrypted one or more times. Note: The decryption, filtering, and re-encryption are performed within a “Red gateway”; consequently, the core is “striped” because the data path is alternately Black, Red, and Black.NetworkRegulatedCUI
Strong AuthenticationnounThe requirement to use multiple factors for authentication and advanced technology, such as dynamic passwords or digital certificates, to verify an entity’s identity.ControlRegulated
strong cryptographynounCryptographic techniques that make it almost impossible to decrypt without having the key. The strength relies on the cryptographic key used. Effective size of the key should meet the minimum key size of comparable strengths recommendations based on industry-tested and accepted algorithms and strong key lengths. Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher). See NIST Special Publication 800-57 (http://csrc.nist.gov/publications/) for more information.ControlRegulated
Strong Star PropertynounIn Strong Star Property, a user cannot write data to higher or lower classification levels than their own.RequirementRegulated
Subject Security LevelnounSensitivity label(s) of the objects to which the subject has both read and write access. Security level of a subject must always be dominated by the clearance level of the user associated with the subject.IdentityRegulatedCUI
Subordinate Certification AuthoritynounIn a hierarchical PKI, a Certification Authority whose certificate signature key is certified by another CA, and whose activities are constrained by that other CA.SystemRegulatedCUI
SubscribernounA party who receives a credential or token from a CSP (Credentials Service Provider) and becomes a claimant in an authentication protocol.IdentityRegulated
Substitute check (Check 21)nounAlso known as the Image Replacement Document (IRD). A paper reproduction of an original check that (1) contains an image of the front and back of the original check; (2) bears a MICR line that, except as provided under ANS X9.100-140, contains all the information appearing on the MICR line of the original check when it was issued and any additional information that was encoded on the original check's MICR line before an image of the original check was captured; (3) conforms in paper stock, dimension, and otherwise with ANS X9.100-140; and (4) is suitable for automated processing in the same manner as the original check. The Federal Reserve Board of Governors can by rule or order determine different standards.ArtifactRegulatedPCI
Suite AnounA specific set of classified cryptographic algorithms used for the protection of some categories of restricted mission-critical information.RequirementRegulatedCUI
Suite BnounA specific set of cryptographic algorithms suitable for protecting national security systems and information throughout the U.S. government and to support interoperability with allies and coalition partners.RequirementRegulatedCUI
SuperencryptionnounProcess of encrypting encrypted information. Occurs when a message, encrypted off-line, is transmitted over a secured, online circuit, or when information encrypted by the originator is multiplexed onto a communications trunk, which is then bulk encrypted.ProcessRegulatedCUI
Superior Certification AuthoritynounIn a hierarchical PKI, a Certification Authority who has certified the certificate signature key of another CA, and who constrains the activities of that CA.SystemRestrictedCUI
SupersessionnounScheduled or unscheduled replacement of COMSEC material with a different edition.ProcessRegulatedCUI
supervisory agencynounThis role focuses on the examination or auditing of financial records of financial institutions. Any state authority that is required by law to examine or audit financial records should be assigned to this role.OrganizationRegulated
Supervisory control and data acquisitionnounA generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (delays, data integrity, etc.) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated.SystemRegulatedCUI
Supplementation Security ControlsnounThe process of adding security controls or control enhancements to a security control baseline from NIST Special Publication 800-53 or CNSS Instruction 1253 in order to adequately meet the organization’s risk management needs.ProcessInternal
suppliernounProduct and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to that organization’s Buyers.OrganizationInternal
Supply Chain AttacknounAttacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.ThreatRegulatedCUI
supply chain risknounA risk measured by the likelihood and severity of damage if an Information Technology or Operations Technology system is compromised by a supply chain attack, and takes into account the importance of the system and the impact of compromise on organizational operations and assets, individuals, other organizations, and the Nation. Supply chain attacks may involve manipulating computing system hardware, software, or services at any point during the life cycle. Supply chain attacks are typically conducted or facilitated by individuals or organizations that have access through commercial ties, leading to stolen critical data and technology, corruption of the system/ infrastructure, and/or disabling of mission-critical operations.ThreatRegulated
Supply Chain Risk ManagementnounThe process of identifying, analyzing, and assessing supply chain risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.ProcessRegulated
supply chain risk management processnounThe implementation through controls and structures of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity.ProcessRegulated
Suppression MeasurenounAction, procedure, modification, or device that reduces the level of, or inhibits the generation of, compromising emanations in an information system.ControlRegulatedCUI
Suspicious activity report (SAR)nounReports required to be filed by the Bank Secrecy Act when a financial institution identifies or suspects fraudulent activity.ArtifactRegulated
symmetric keynounA cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt and decrypt, or create a message authentication code and to verify the code.CredentialRestrictedCUI
Synchronous Crypto-OperationnounEncryption algorithms using the same secret key for encryption and decryption.CapabilityRegulated
Synchronous data replicationnounA process for copying data from one source to another in which an acknowledgement of the receipt of data at the copy location is required for application processing to continue. Consequently, the content of databases stored in alternate facilities is identical to those at the original storage site, and copies of data contain current information at the time of a disruption in processing.ProcessRegulated
system documentationnounDetailed information about a computer system: its architecture, design, data flow, and programming logic.ArtifactInternalIP
System hardeningnounConfiguring all configurable items within an entire system to reduce the host’s security weaknesses.ProcessRegulated
System High ModenounInformation systems security mode of operation wherein each user, with direct or indirect access to the information system, its peripherals, remote terminals, or remote hosts, has all of the following: a. valid security clearance for all information within an information system; b. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments and/or special access programs); and c. valid need-to-know for some of the information contained within the information system.ProcessRegulatedCUI
System IndicatornounSymbol or group of symbols in an off-line encrypted message identifying the specific cryptosystem or key used in the encryption.DataRegulatedCUI
System InterconnectionnounThe direct connection of two or more IT systems for the purpose of sharing data and other information resources.NetworkRegulated
System Of RecordsnounA group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.DataRegulatedPII
System ProfilenounDetailed security description of the physical structure, equipment component, location, relationships, and general operating environment of an information system.ArtifactRegulatedCUI
TEMPEST ZonenounDesignated area within a facility where equipment with appropriate TEMPEST characteristics (TEMPEST zone assignment) may be operated.PhysicalRegulatedCUI
Terminal servicesnounA component of Microsoft Windows operating systems (both client and server versions) that allows a user to access applications or data stored on a remote computer over a network connection.SystemRestricted
Test plannounA document that is based on the institution's test scope and objectives and includes various testing methods.ArtifactInternal
test resultnounA formal document defining the subject of the test, the test plan, approach, analysis tools, and conclusions found during the testing process.ArtifactRegulated
Test scenarionounA potential event, identified as the operating environment for a business continuity or disaster recovery test, which the institution's recovery and resumption plan must address.ArtifactInternal
Test strategynounTesting strategies establish expectations for individual business lines across the testing life cycle of planning, execution, measurement, reporting, and test process improvement. Testing strategies include the testing scope and objectives, which clearly define what functions, systems, or processes are going to be tested and what will constitute a successful test.ProcessInternal
The process of both entities involved in a transaction verifying each other.nounSource: CNSSI-4009ProcessRegulated
third partynounA person or group besides the two primarily involved in a situation, agreement, business, etc.IdentityRegulated
third party and supply chain managementnounSupply chain management is the oversight of materials, information, and finances as they move in a process from supplier to manufacturer to wholesaler to retailer to consumer. Supply chain management involves coordinating and integrating these flows both within and among companies, i.e., Third Parties. Third party management is the process whereby companies monitor and manage interactions with all external parties with which they have a relationship.ProcessRegulated
third party contractnounMeans a contract or purchase order awarded by the Recipient or subrecipient to a vendor or contractor.RequirementConfidential
third party dependencynounA third party that may have no interest in an organization's project or operations, but can have an impact on them.RequirementRegulated
third party managementnounAn arrangement where a company will assume the day-to-day management of a property or package of properties it does not own for another company or institution in return for a fee.ProcessRegulated
third party management policynounThe guidelines and rules on how an organization should direct and supervise business activities and relations with a third party.RequirementRegulated
third party risk assessmentnounThe process of identifying and determining the risk associated to a specific third party.ProcessInternal
Third Party Service ProvidernounAs defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, a service provider is a business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. There are many types of businesses that could fall into the category of “service provider,” dependent on the services provided. Most commonly, a TPSP could be a legally separate entity; but it can also be a separate business unit or component of the entity under assessment—for example, an internal service provider—where the provider is outside the direct management control of the entity assessed.OrganizationRegulatedPCI
Third Party Service Provider ListnounThis record contains lists of all third party service providers and their contacts within each organization.ArtifactInternal
Third-party relationshipnounAny business arrangement between a financial institution and another entity, by contract or otherwise.ProcessRegulated
Third-party sendernounA special subset of a technology service provider that is authorized to transmit ACH files on behalf of an originator. Typically, the ODFI must rely upon warranties by the third-party sender regarding the originators' identity and credit worthiness, which places additional risks on the ODFI.IdentityRegulated
Third-party service provider (ACH)nounA third party, other than the ODFI or RDFI, that performs any function on behalf of the ODFI or the RDFI related to ACH processing. These functions would include the creation and sending of ACH files or acting as a sending or receiving point on behalf of a participating depository financial institution.OrganizationRegulatedPCI
Threat and Vulnerability Management processnounA process that includes vulnerability assessments, vulnerability scanning, penetration testing. Also included in the process is the cataloging of the assets that are in scope, assigning value and importance to those resources, and mitigating or eliminating any vulnerabilities discovered during the process.VulnerabilityRestricted
threat informationnounInformation about a potential source of danger or undesirable event.ThreatInternal
threat information sharingnounThe act of providing threat information between two or more parties for the mutual benefit to use such information to mitigate risks.ProcessInternal
threat monitoring processnounA particular series of actions or steps to analyze, assess and review audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security.ProcessInternal
ticketnounIn access control, data that authenticates the identity of a client or a service and, together with a temporary encryption key (a session key), forms a credential.ArtifactRestricted
time framenounA specified period of time for something to be done or take place.RequirementRegulated
Time-Compliance DatenounDate by which a mandatory modification to a COMSEC end-item must be incorporated if the item is to remain approved for operational use.RequirementRegulatedCUI
timelinessnounPublic and private parties, nationally and internationally, should act in a timely, coordinated manner to prevent and respond to breaches of security of information systems.RequirementRegulated
TOE Security FunctionsnounSet consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TOE Security Policy (TSP).CapabilityRegulatedCUI
Tracking CookienounA cookie placed on a user’s computer to track the user’s activity on different Web sites, creating a detailed profile of the user’s behavior.DataRegulatedPII
Tradecraft IdentitynounAn identity used for the purpose of work-related interactions that may or may not be synonymous with an individual’s true identity.IdentityRestrictedCUI
Traditional INFOSEC ProgramnounProgram in which NSA acts as the central procurement agency for the development and, in some cases, the production of INFOSEC items. This includes the Authorized Vendor Program. Modifications to the INFOSEC end-items used in products developed and/or produced under these programs must be approved by NSA.ProcessRegulatedCUI
Traffic Encryption KeynounKey used to encrypt plain text or to superencrypt previously encrypted text and/or to decrypt cipher text.CredentialRestrictedCUI
trainingnounOrganized activity aimed at imparting information and/or instructions to improve the recipient's performance or to help him or her attain a required level of knowledge or skill.ProcessRegulated
Training Effectiveness EvaluationnounInformation collected to assist employees and their supervisors in assessing individual students’ subsequent on-the-job performance, to provide trend data to assist trainers in improving both learning and teaching, and to be used in return-on-investment statistics to enable responsible officials to allocate limited resources in a thoughtful, strategic manner among the spectrum of IT security awareness, security literacy, training, and education options for optimal results among the workforce as a whole.MetricInternalPII
transaction filenounA group of one or more computerized records containing current business activity and processed with an associated master file. Transaction files are sometimes accumulated during the day and processed in batch production overnight or during off-peak processing periods.DataRegulated
transient cyber assetnounA Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.SystemRegulatedCUI
transmission equipmentnounAny instruments required to electronically transfer data over a network.PhysicalRegulated
Transmission SecuritynounMeasures (security controls) applied to transmissions in order to prevent interception, disruption of reception, communications deception, and/or derivation of intelligence by analysis of transmission characteristics such as signal parameters or message externals. Note: TRANSEC is that field of COMSEC which deals with the security of communication transmissions, rather than that of the information being communicated.ControlRegulatedCUI
Trap Doornoun1. A means of reading cryptographically protected information by the use of private knowledge of weaknesses in the cryptographic algorithm used to protect the data. 2. In cryptography, one-to-one function that is easy to compute in one direction, yet believed to be difficult to invert without special information.VulnerabilityRegulatedCUI
Triple-WrappednounS/MIME usage: data that has been signed with a digital signature, and then encrypted, and then signed again.DataRegulated
Truncating bank (Check 21)nounThe financial institution that truncates the original check. If a person other than a financial institution truncates the original check, the truncating bank is the first financial institution that transfers, presents, or returns, in lieu of such original check, a substitute check or, by agreement with the recipient, information relating to the original check (including data taken from the MICR line of the original check or an electronic image of the original check), whether with or without the subsequent delivery of the original check.OrganizationRegulatedPCI
Trust AnchornounAn established point of trust (usually based on the authority of some person, office, or organization) from which an entity begins the validation of an authorized process or authorized (signed) package. A "trust anchor" is sometimes defined as just a public key used for different purposes (e.g., validating a Certification Authority, validating a signed software package or key, validating the process [or person] loading the signed software or key).CredentialRestricted
Trust ListnounThe collection of trusted certificates used by Relying Parties to authenticate other certificates.ArtifactRegulated
Trusted AgentnounEntity authorized to act as a representative of an agency in confirming Subscriber identification during the registration process. Trusted Agents do not have automated interfaces with Certification Authorities.RoleRestrictedCUI
Trusted Computer SystemnounA system that employs sufficient hardware and software assurance measures to allow its use for processing simultaneously a range of sensitive or classified information.SystemRegulatedCUI
Trusted DistributionnounMethod for distributing trusted computing base (TCB) hardware, software, and firmware components that protects the TCB from modification during distribution.ProcessRegulatedCUI
Trusted FoundrynounFacility that produces integrated circuits with a higher level of integrity assurance.PhysicalRegulatedCDI
Trusted Identification ForwardingnounIdentification method used in information system networks whereby the sending host can verify an authorized user on its system is attempting a connection to another host. The sending host transmits the required user authentication information to the receiving host.ControlRegulatedCUI
Trusted PathnounA mechanism by which a user (through an input device) can communicate directly with the security functions of the information system with the necessary confidence to support the system security policy. This mechanism can only be activated by the user or the security functions of the information system and cannot be imitated by untrusted software.ControlRegulated
Trusted Platform Module ChipnounA tamper-resistant integrated circuit built into some computer motherboards that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information, such as passwords and cryptographic keys.PhysicalRestricted
Trusted TimestampnounA digitally signed assertion by a trusted authority that a specific digital object existed at a particular time.ArtifactRegulated
TSEC NomenclaturenounSystem for identifying the type and purpose of certain items of COMSEC material.FrameworkRestrictedCUI
Two-Person ControlnounContinuous surveillance and control of positive control material at all times by a minimum of two authorized individuals, each capable of detecting incorrect and unauthorized procedures with respect to the task being performed and each familiar with established security and safety requirements.ControlRegulatedCUI
Two-Person IntegritynounSystem of storage and handling designed to prohibit individual access by requiring the presence of at least two authorized individuals, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. See No-Lone Zone.ControlRegulatedCUI
Two-way pollingnounAn emergency notification system that allows management to ensure that all employees are contacted and have confirmed delivery of pertinent messages.ProcessInternal
Type 1 KeynounGenerated and distributed under the auspices of NSA for use in a cryptographic device for the protection of national security information.CredentialRegulatedCUI
Type 1 ProductnounCryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring the most stringent protection mechanisms.PhysicalRegulatedCUI
Type 2 KeynounGenerated and distributed under the auspices of NSA for use in a cryptographic device for the protection of unclassified information.CredentialRegulatedCUI
Type 2 ProductnounCryptographic equipment, assembly, or component certified by NSA for encrypting or decrypting sensitive information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring protection mechanisms exceeding best commercial practices including systems used for the protection of unclassified information.PhysicalRegulatedCUI
Type 3 KeynounUsed in a cryptographic device for the protection of unclassified sensitive information, even if used in a Type 1 or Type 2 product.CredentialRegulatedCUI
Type 3 ProductnounUnclassified cryptographic equipment, assembly, or component used, when appropriately keyed, for encrypting or decrypting unclassified sensitive U.S. government or commercial information, and to protect systems requiring protection mechanisms consistent with standard commercial practices. Developed using established commercial standards and containing NIST-approved cryptographic algorithms/modules or successfully evaluated by the National Information Assurance Partnership (NIAP).PhysicalRegulatedCUI
Type 4 KeynounUsed by a cryptographic device in support of its Type 4 functionality, i.e., any provision of key that lacks U.S. government endorsement or oversight.CredentialRegulatedCUI
Type 4 ProductnounUnevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any government usage. These products are typically delivered as part of commercial offerings and are commensurate with the vendor’s commercial practices. These products may contain either vendor proprietary algorithms, algorithms registered by NIST, or algorithms registered by NIST and published in a FIPS.ArtifactRegulatedCUI
Type AccreditationnounA form of accreditation that is used to authorize multiple instances of a major application or general support system for operation at approved locations with the same type of computing environment. In situations where a major application or general support system is installed at multiple locations, a type accreditation will satisfy C&A requirements only if the application or system consists of a common set of tested and approved hardware, software, and firmware.ProcessRegulated
Type CertificationnounThe certification acceptance of replica information systems based on the comprehensive evaluation of the technical and nontechnical security features of an information system and other safeguards, made as part of and in support of the formal approval process, to establish the extent to which a particular design and implementation meet a specified set of security requirements.ProcessRegulatedCUI
U.S. PersonnounFederal law and Executive Order define a U.S. Person as: a citizen of the United States; an alien lawfully admitted for permanent residence; an unincorporated association with a substantial number of members who are citizens of the U.S. or are aliens lawfully admitted for permanent residence; and/or a corporation that is incorporated in the U.S.IdentityRegulatedPII
U.S.-Controlled FacilitynounBase or building to which access is physically controlled by U.S. individuals who are authorized U.S. government or U.S. government contractor employees.PhysicalRegulatedCUI
U.S.-Controlled SpacenounRoom or floor within a facility that is not a U.S.-controlled facility, access to which is physically controlled by U.S. individuals who are authorized U.S. government or U.S. government contractor employees. Keys or combinations to locks controlling entrance to U.S.-controlled spaces must be under the exclusive control of U.S. individuals who are U.S. government or U.S. government contractor employees.PhysicalRegulatedCUI
Ultra forward servicenounThis service allows control over the re-routing of incoming phone calls to pre-determined alternate locations in the event of a telecommunications outage.CapabilityInternal
unapproved Information Technology resourcenounAn unsanctioned Information Technology resource.SystemRegulated
unauthorized accessnounOccurs when a user, legitimate or unauthorized, accesses a resource that the user is not permitted to use.EventRegulated
unauthorized access is detectednounThis Triggering Event takes place when a person, legitimate or unauthorized, accesses a resource that the person is not permitted to use or enters a facility or area the person is not permitted to enterEventRegulated
unauthorized attemptnounA try at gaining access to a system without authorization or approval.EventRegulated
unauthorized changenounA purposeful and perhaps unlawful modification of financial data to hide wrong-doing, loss or other disclosure.EventRegulated
Unauthorized DisclosurenounAn event involving the exposure of information to entities not authorized access to the information.EventRegulated
unauthorized mobile codenounA program (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics -- that has not been permitted by the controlling authority.ThreatRegulated
unauthorized physical accessnounAccess to a building, room, site, etc that is not permitted.EventRegulated
unauthorized softwarenounAn application or device driver who use is not been permitted by the controlling authority.ThreatRegulated
unauthorized usenounUse of an asset for a person's own purpose without the consent of the owner.ThreatRegulated
UnclassifiednounInformation that has not been determined pursuant to E.O. 12958, as amended, or any predecessor order, to require protection against unauthorized disclosure and that is not designated as classified.RequirementRegulatedCUI
unescorted accessnounNot having to be escorted to gain access to a facility, area, or system.ControlRegulated
Uniform Rating System For Information TechnologynounAn internal rating system used by federal and state regulators to uniformly assess financial institution and service provider risks introduced by IT.FrameworkRegulated
United States Government Configuration BaselinenounThe United States Government Configuration Baseline (USGCB) provides security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security.FrameworkRegulatedCUI
unnecessary default accountnounDefault accounts that are not necessary to be installed on the system.VulnerabilityRegulated
unpatched softwarenounSoftware which has not undergone a vulnerability correction, a defect correction, or an improvement of code function.VulnerabilityRegulated
unposted suspense itemnounA transaction that has not yet been processed, but may affect the amount of credit available.ArtifactRegulatedPCI
Unprotected SharenounIn Windows terminology, a "share" is a mechanism that allows a user to connect to file systems and printers on other systems. An "unprotected share" is one that allows anyone to connect to it.VulnerabilityRestricted
Unsigned datanounData included in an authentication token, in addition to a digital signature.DataRestricted
unsuccessful authentication attemptnounA failed attempt to receive authentication to access a system.EventRegulated
Untrusted ProcessnounProcess that has not been evaluated or examined for correctness and adherence to the security policy. It may include incorrect or malicious code that attempts to circumvent the security mechanisms.ProcessRegulated
USA Patriot ActnounThe USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Public Law Pub.L. 107-56), commonly known as the "Patriot Act", was enacted by Congress to deter and punish terrorist acts in the United States and around the world by enhancing the law enforcement investigatory tools of both domestic law enforcement and foreign intelligence agencies.RequirementRegulatedCUI
user access reviewnounA process that an organization implements to actively monitor and verify the appropriateness of a users' access to systems and applications based on an understanding of the minimum necessary for users to perform or support business activities or functions. The responsibility for granting access and performing periodic verification of the appropriateness of that access rests with the system and/or business owner of the system or application.ProcessRegulated
user accountnounInformation that tells a computer which files and folders to access for a specific user, which personal preferences to have in place, and what can be accessed by the user.IdentityRegulated
User account activitynounAll events and processes executed including logons and logouts associated with a system user account.IdentityRegulated
User Contingency PlannounUser contingency plan is the alternative methods of continuing business operations if IT systems are unavailable.ProcessInternal
User IDnounUnique symbol or character string used by an information system to identify a specific user.IdentityRegulatedPII
User IdentificationnounThe process, control, or information by which a user identifies himself or herself to the system as a valid user (as opposed to authentication).ProcessRegulatedPII
User InitializationnounA function in the life cycle of keying material; the process whereby a user initializes its cryptographic application (e.g., installing and initializing software and hardware).ProcessRegulatedCUI
User Partnership ProgramnounPartnership between the NSA and a U.S. government agency to facilitate development of secure information system equipment incorporating NSA-approved cryptography. The result of this program is the authorization of the product or system to safeguard national security information in the user’s specific application.ProcessRegulatedCUI
User RepresentativenounIndividual authorized by an organization to order COMSEC keying material and interface with the keying system, provide information to key users, and ensure the correct type of key is ordered.RoleRegulatedCUI
Verifier Impersonation AttacknounA scenario where the Attacker impersonates the Verifier in an authentication protocol, usually to capture information that can be used to masquerade as a Claimant to the real Verifier.ThreatRegulated
Very early smoke detection alert (VESDA)nounA system that samples the air on a continuing basis and can detect fire at the pre-combustion stage.EventRestricted
Virtual private networknounProtected information system link utilizing tunneling, security controls (see Information Assurance), and endpoint address translation giving the impression of a dedicated lineNetworkRegulated
virtual private network accessnounPermission or ability for an external user to connect to a Virtual Private Network.ControlRegulated
visitor accessnounThe processes and mechanisms of ensuring visitors are allowed in specific areas and with specific permissions. Mechanisms such as guarded entries, logged entry, badges, and escorting of visitors are common.ProcessRegulated
visitor control programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to identify, control, and reduce or eliminate the risks inherent to visitors.ProcessRegulated
visitor lognounA paper or electronic record of any non-employee entering a facility, construction site, structure or website.ArtifactRegulatedCUI
Vulnerability AssessmentnounSystematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.VulnerabilityRegulated
Vulnerability Management plannounThis purpose of this plan is to establish the organization's assessment and testing process to ensure systems are less susceptible to cyber attack.VulnerabilityInternal
vulnerability scannounThe check of a system for known vulnerabilities from beginning to end with resultant errors, and status information.VulnerabilityRegulated
Wallet cardnounPortable information cards that provide emergency communications information for customers and employees.PhysicalInternal
Warm sitenounBackup site which typically contains the data links and preconfigured equipment necessary to rapidly start operations, but does not contain live data. Thus commencing operations at a warm site will (at a minimum) require the restoration of current data.PhysicalInternal
weaknessnounAn exception noted in tests of properly designed internal controls that may indicate ineffectiveness. Management must consider the extent of a weakness in such cases. Weaknesses can be classified as a simple deficiency, significant deficiency, or a material weakness.VulnerabilityRegulated
Web BugnounMalicious code, invisible to a user, placed on Web sites in such a way that it allows third parties to track use of Web servers and collect information about the user, including IP address, host name, browser type and version, operating system name and version, and Web browser cookie.ThreatRegulatedPII
WEB SEC codenounAn ACH debit entry initiated by an originator resulting from the receiver's authorization through the Internet to make a transfer of funds from a consumer account of the receiver.ArtifactRegulatedPII
Website hostingnounThe service of providing ongoing support and monitoring of an Internet-addressable computer that stores webpages and processes transactions initiated over the Internet.SystemRegulated
Wi-Fi Protected Access-2nounThe approved Wi-Fi Alliance interoperable implementation of the IEEE 802.11i security standard. For federal government use, the implementation must use FIPS-approved encryption, such as AES.ControlRegulated
wire servicernounA financial institution that offers electronic funds transfer serviceOrganizationRegulatedPCI
WiretappingnounMonitoring and recording data that is flowing between two points in a communication system.ThreatRegulated
work papernounThe written record of the basis for the auditor's conclusions that provides the support for the auditor's representations, whether those representations are contained in the auditor's report or otherwise.ArtifactRegulated
Work transfernounWork-transfer is a process whereby the staff located at a recovery site accepts the workload of staff located at a primary production site, and a data center located at a recovery site accepts the workload of the primary data processing site.ProcessRegulated
Write blockernounA devices that allows the acquisition of information on a drive without creating the possibility of accidentally damaging the drivePhysicalRegulated
Zero-day-exploitnounA vulnerability that is exploited before the software creator/vendor is even aware of it's existenceVulnerabilityRestricted
ZeroizationnounA method of erasing electronically stored data, cryptographic keys, and Credentials Service Providers (CSPs) by altering or deleting the contents of the data storage to prevent recovery of the data.ControlRegulatedCUI
Zone Of ControlnounThree-dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists.PhysicalRestrictedCUI