Glossary

L1 — flat list of every term with classification chips collapsed.

6923 terms
| Term | Type | Definition | Classifications | Updated |
|---|---|---|---|---|
| ability | noun | The possession of the means or skill to do something. | Capability | May 9, 2026 |
| absent | verb | To keep away or remove. | Unclassified | May 11, 2026 |
| abstract | verb | extract core ideas or principles from complex information | Create, Unclassified | May 11, 2026 |
| accept | verb | To consent to receive (something given or offered). | Unclassified | May 11, 2026 |
| Acceptable interruption window | noun | The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives | Requirement, Internal | May 12, 2026 |
| Acceptable interruption window | MWE | | candidate | May 12, 2026 |
| Acceptable use policy | noun | A document that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before users can gain access to a network or the Internet. | Requirement, Internal | May 12, 2026 |
| Acceptable use policy | MWE | | candidate | May 12, 2026 |
| Acceptance Criteria | noun | Pre-established standards or requirements a product or project must meet. | Requirement | May 12, 2026 |
| Acceptance Criteria | MWE | | candidate | May 12, 2026 |
| access | verb | gain entry to or read from a system or resource | Apply, Incidental | May 11, 2026 |
| access | noun | The ability to physically or logically enter or make use of an IT system or area (secured or unsecured). The process of interacting with a system. | Capability | May 12, 2026 |
| access attempt | noun | A process of interaction with a communications system by one or more users to enable initiation of user information transfer. The process begins with the granting of an access request by an access originator, and ends in either successful access or access failure. | Event, Regulated | May 12, 2026 |
| access attempt | MWE | | candidate | May 12, 2026 |
| access code | noun | Numeric or alphanumeric data which, when entered correctly, authorizes entry into a secure area. | Credential, Regulated | May 9, 2026 |
| access code | MWE | | candidate | May 9, 2026 |
| access control | noun | A system or measures that limit the retrieving, obtaining, or examining of information, or information processing resources, to persons or applications authorized by the system or data classification. | Control | May 9, 2026 |
| access control | MWE | | candidate | May 9, 2026 |
| Access control list | noun | An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. Scope Note: Also referred to as access control tables | Control | May 9, 2026 |
| Access control list | MWE | | candidate | May 9, 2026 |
| access control mechanism | noun | Security measures designed to detect and deny unauthorized access and permit authorized access to an information system or a physical facility. | Control | May 9, 2026 |
| access control mechanism | MWE | | candidate | May 9, 2026 |
| Access Control program | noun | A documented listing of procedures, schedules, roles and responsibilities, and plans or instructions to be performed to implement access control. | Control, Regulated, PCI | May 9, 2026 |
| Access Control program | MWE | | candidate | May 9, 2026 |
| Access Control Service | noun | A security service that provides protection of system resources against unauthorized access. The two basic mechanisms for implementing this service are ACLs and tickets. | Control | May 9, 2026 |
| Access Control Service | MWE | | candidate | May 9, 2026 |
| Access List | noun | Roster of individuals authorized admittance to a controlled area. | Artifact, Restricted, PII | May 9, 2026 |
| Access List | MWE | | candidate | May 9, 2026 |
| access log | noun | A log that lists who has been permitted to physically or logically gain access. | Artifact, Regulated, CUI | May 12, 2026 |
| access log | MWE | | candidate | May 12, 2026 |
| Access Management Access | noun | Management is the maintenance of access information which consists of four tasks: account administration, maintenance, monitoring, and revocation. | Process, Regulated | May 12, 2026 |
| Access Management Access | MWE | | candidate | May 12, 2026 |
| Access Matrix | noun | An Access Matrix uses rows to represent subjects and columns to represent objects with privileges listed in each cell. | Artifact, Confidential | May 12, 2026 |
| Access Matrix | MWE | | candidate | May 12, 2026 |
| Access path | noun | The logical route that an end user takes to access computerized information. Scope Note: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system | Network | May 9, 2026 |
| Access path | MWE | | candidate | May 9, 2026 |
| Access Point | noun | A device that logically connects wireless client devices operating in infrastructure to one another and provides access to a distribution system, if connected, which is typically an organization’s enterprise wired network. | Network | May 12, 2026 |
| Access Point | MWE | | candidate | May 12, 2026 |
| Access Profile | noun | Association of a user with a list of protected objects the user may access. | Control | May 9, 2026 |
| Access Profile | MWE | | candidate | May 9, 2026 |
| access revocation program | noun | A documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to revoke access privileges. | Process, Regulated, CDI | May 12, 2026 |
| access revocation program | MWE | | candidate | May 12, 2026 |
| access right | noun | Authorization to gain access to something physically or logically. | Control | May 12, 2026 |
| access right | MWE | | candidate | May 12, 2026 |
| Access Type | noun | Privilege to perform action on an object. Read, write, execute, append, modify, delete, and create are examples of access types. See Write. | Requirement | May 12, 2026 |
| Access Type | MWE | | candidate | May 12, 2026 |
| accord | noun | Harmony of people's opinions or actions or characters. | candidate | May 9, 2026 |
| accordance | noun | In a manner agreeing, conforming, or consistent with. | Requirement | May 9, 2026 |
| account | verb | An identification means for a group or individual in order to gain access to a resource, such as a computer or the Internet. | Remember, Unclassified | May 11, 2026 |
| Account Balancing Monitoring System (ABMS) | noun | The Federal Reserve's computing system providing reserve account information to the Federal Reserve Banks and depository institutions on an intraday basis. ABMS serves both as an informational source and a monitoring tool. This information includes opening balances, funds and securities transfers, accounting activity, and depository institutions' cap and collateral limits. | System, Regulated, CUI | May 12, 2026 |
| account for | verb | provide a clear explanation or justification for something | Create, Unclassified | May 11, 2026 |
| account for | noun | Give reasons for. | candidate | May 9, 2026 |
| account for | MWE | | candidate | May 9, 2026 |
| account for | MWE | | verified | May 11, 2026 |
| Account Harvesting | noun | Account Harvesting is the process of collecting all the legitimate account names on a system. | Threat | May 12, 2026 |
| Account Harvesting | MWE | | candidate | May 12, 2026 |
| account type | noun | A category for various accounts that are on a computer system. | Identity, Regulated | May 12, 2026 |
| account type | MWE | | candidate | May 12, 2026 |
| Account-To-Account Payment (A2A) | noun | Payment system that allows the consumer to direct transfer of funds from one account to another account at a different financial institution. | Process, Regulated, PCI | May 12, 2026 |
| Account-To-Account Payment (A2A) | MWE | | candidate | May 12, 2026 |
| accountability | noun | The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. | Requirement | May 9, 2026 |
| Accounting Legend Code | noun | Numeric code used to indicate the minimum accounting controls required for items of accountable communications security (COMSEC) material within the COMSEC Material Control System. | Requirement, Regulated, CUI | May 9, 2026 |
| Accounting Legend Code | MWE | | candidate | May 9, 2026 |
| Accounting Number | noun | Number assigned to an item of COMSEC material to facilitate its control. | Artifact, Regulated, CDI | May 9, 2026 |
| Accounting Number | MWE | | candidate | May 9, 2026 |
| accredit | verb | | Secondary | May 11, 2026 |
| Accreditation Package | noun | Product comprised of a System Security Plan (SSP) and a report documenting the basis for the accreditation decision. | Artifact, Regulated, CUI | May 9, 2026 |
| Accreditation Package | MWE | | candidate | May 9, 2026 |
| Accrediting Authority | noun | Synonymous with Designated Accrediting Authority (DAA). See also Authorizing Official. | Organization, Regulated | May 12, 2026 |
| Accrediting Authority | MWE | | candidate | May 12, 2026 |
| accuracy | noun | The quality or state of being correct, precise, or near to the true value. | Metric, Regulated | May 13, 2026 |
| ACK Piggybacking | noun | ACK piggybacking is the practice of sending an ACK inside another packet going to the same destination. | Threat | May 9, 2026 |
| ACK Piggybacking | MWE | | candidate | May 9, 2026 |
| acquire | verb | gain knowledge, skills, or competencies through study or experience | Apply, Unclassified | May 11, 2026 |
| Acquirer Fee | noun | Fee paid to the acquirer of the merchant sales draft. The acquirer of the sales draft collects a merchant discount fee (or processing fee) from the merchant for the costs associated with processing the transaction. | Requirement, Regulated, PCI | May 9, 2026 |
| Acquirer Fee | MWE | | candidate | May 9, 2026 |
| Acquiring Bank and Acquirer | noun | See Merchant acquirer. | Organization, Regulated, PCI | May 9, 2026 |
| Acquiring Bank and Acquirer | MWE | | candidate | May 9, 2026 |
| acquisition | noun | The purpose of this function is to manage the act of contracting, assuming, or acquiring possession of something. | Process | May 9, 2026 |
| act | verb | perform an action or behavior based on learned knowledge | Create, Unclassified | May 11, 2026 |
| act out | verb | physically perform or dramatize a concept, scenario, or process | Apply, Unclassified | May 11, 2026 |
| act out | MWE | | verified | May 11, 2026 |
| action | noun | The process or fact of doing something; a thing done. | Process | May 9, 2026 |
| action item | noun | A documented event, task or action that needs to take place. Action items are discrete units that can be handled by a single person. | Artifact, Regulated | May 12, 2026 |
| action item | MWE | | candidate | May 12, 2026 |
| action plan | noun | Steps that must be taken, or activities that must be performed well, for a strategy to succeed. An action plan has three major elements: (1) Specific tasks: what will be done and by whom. (2) Time horizon: when will it be done. (3) Resource allocation: what specific funds are available for specific activities. | Artifact, CUI | May 12, 2026 |
| action plan | MWE | | candidate | May 12, 2026 |
| actionable intelligence | noun | Information that can be acted upon to address, prevent or mitigate a cyber threat. The sum of an information system’s characteristics in the broad categories (software, hardware, network, processes and human) which allows an attacker to probe, enter, attack or maintain a presence in the system and potentially cause damage to an FMI. A smaller attack surface means that the FMI is less exploitable and an attack less likely. | Capability, Restricted, CUI | May 12, 2026 |
| actionable intelligence | MWE | | candidate | May 12, 2026 |
| Activation Data | noun | Private data, other than keys, that are required to access cryptographic modules. | Data, Regulated, CUI | May 9, 2026 |
| Activation Data | MWE | | candidate | May 9, 2026 |
| active attack | noun | An attack on the authentication protocol where the Attacker transmits data to the Claimant, Credential Service Provider, Verifier, or Relying Party. Examples of active attacks include man-in-the-middle, impersonation, and session hijacking. | Threat | May 9, 2026 |
| active attack | MWE | | candidate | May 9, 2026 |
| active content | noun | Software in various forms that is able to automatically carry out or trigger actions on a computer platform without the intervention of a user. | Data | May 12, 2026 |
| active content | MWE | | candidate | May 12, 2026 |
| Active Learning | noun | | candidate | May 13, 2026 |
| Active Learning | MWE | | candidate | May 13, 2026 |
| Active Learning Agent | noun | | candidate | May 13, 2026 |
| Active Learning Agent | MWE | | candidate | May 13, 2026 |
| Active Security Testing | noun | Security testing that involves direct interaction with a target, such as sending packets to a target. | Process | May 12, 2026 |
| Active Security Testing | MWE | | candidate | May 12, 2026 |
| Activities | noun | An assessment object that includes specific protection-related pursuits or actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic). | Process | May 9, 2026 |
| activity | noun | Activities are the major tasks performed by the organization to accomplish each of its functions. Activities are usually defined as part of processes or plans, and are documented in procedures. Several activities may be associated with each function. An activity is identified by the name it is given and its scope (or definition). The scope of the activity encompasses all of the transactions that take place in relation to it. Depending on the nature of the transactions involved, an activity may be performed in relation to one function, or it may be performed in relation to many functions. In cost accounting, an activity is the actual work task or step performed in producing and delivering products and services. An aggregation of activities performed within an organization that is useful for purposes of activity-based costing. | Process | May 12, 2026 |
| Activity Monitors | noun | Activity monitors aim to prevent virus infection by monitoring for malicious activity on a system, and blocking that activity when possible. | Capability | May 9, 2026 |
| Activity Monitors | MWE | | candidate | May 9, 2026 |
| activity reporting | noun | The action of providing a description of an account holder's activity. | Artifact, Regulated, PII | May 9, 2026 |
| activity reporting | MWE | | candidate | May 9, 2026 |
| Ad Hoc Network | noun | A wireless network that dynamically connects wireless client devices to each other without the use of an infrastructure device, such as an access point or a base station. | Network | May 9, 2026 |
| Ad Hoc Network | MWE | | candidate | May 9, 2026 |
| adapt | verb | modify or adjust knowledge or methods to fit new conditions | Create, Unclassified | May 11, 2026 |
| Adaptive Dynamic Programming | noun | | candidate | May 13, 2026 |
| Adaptive Dynamic Programming | MWE | | candidate | May 13, 2026 |
| Adaptive Learning | noun | | candidate | May 13, 2026 |
| Adaptive Learning | MWE | | candidate | May 13, 2026 |
| add | verb | supplement existing information with new details or data | Understand, Unclassified | May 11, 2026 |
| Add-on Security | noun | Incorporation of new hardware, software, or firmware safeguards in an operational information system. | Control | May 9, 2026 |
| Add-on Security | MWE | | candidate | May 9, 2026 |
| addition | noun | Materials added to an existing collection; an accretion; an accrual. | Artifact, Regulated | May 9, 2026 |
| address | verb | To deal with an issue. | Unclassified | May 11, 2026 |
| Address Resolution Protocol | noun | Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address to a physical machine address that is recognized in the local network. A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions. | Network | May 12, 2026 |
| Address Resolution Protocol | MWE | | candidate | May 12, 2026 |
| Address Verification Service (AVS) | noun | Bankcard company service that verifies the customer-provided billing address matches the billing address on their credit card account. The bankcard companies will not support merchants that opt for not using AVS if those transactions are disputed and will charge the merchant an additional 1.25% on those sales. | Capability, Regulated, PCI | May 9, 2026 |
| Address Verification Service (AVS) | MWE | | candidate | May 9, 2026 |
| adequacy | noun | Sufficient to satisfy a requirement or meet a need. | Metric | May 9, 2026 |
| Adequate Security | noun | Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. Note: This includes assuring that information systems operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls. | Requirement, Regulated | May 12, 2026 |
| Adequate Security | MWE | | candidate | May 12, 2026 |
| adjust | noun | Alter or regulate so as to achieve accuracy or conform to a standard. | Process | May 12, 2026 |
| administer | verb | manage, direct, or execute a process or procedure | Apply, Primary | May 11, 2026 |
| Administrative Account | noun | A user account with full privileges on a computer. | Identity, Restricted | May 12, 2026 |
| Administrative Account | MWE | | candidate | May 12, 2026 |
| administrative responsibility | noun | The day to day management of a system or process, including tasks like creating accounts, updating role assignments, tracking requests, and so forth. | Process | May 9, 2026 |
| administrative responsibility | MWE | | candidate | May 9, 2026 |
| Administrative Safeguards | noun | Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity's workforce in relation to protecting that information. | Control, Regulated, PHI | May 9, 2026 |
| Administrative Safeguards | MWE | | candidate | May 9, 2026 |
| Administrator privileges | noun | Computer system access to resources that are unavailable to most users. Administrator privileges permit execution of actions that would otherwise be restricted. | Role | May 9, 2026 |
| Administrator privileges | MWE | | candidate | May 9, 2026 |
| adopt | verb | To take up and follow a course or method. | Unclassified | May 11, 2026 |
| Advanced Encryption Standard | noun | The Advanced Encryption Standard specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. | Control, Regulated | May 9, 2026 |
| Advanced Encryption Standard | MWE | | candidate | May 9, 2026 |
| Advanced Key Processor | noun | A cryptographic device that performs all cryptographic functions for a management client node and contains the interfaces to 1) exchange information with a client platform, 2) interact with fill devices, and 3) connect a client platform securely to the primary services node (PRSN). | Physical, Regulated, CUI | May 9, 2026 |
| Advanced Key Processor | MWE | | candidate | May 9, 2026 |
| Advanced persistent threat | noun | An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP800-61). Scope Note: The APT: 1. pursues its objectives repeatedly over an extended period of time 2. adapts to defenders’ efforts to resist it 3. is determined to maintain the level of interaction needed to execute its objectives | Threat | May 9, 2026 |
| Advanced persistent threat | MWE | | candidate | May 9, 2026 |
| advanced search | verb | use refined or complex search techniques to locate specific information | Understand, Unclassified | May 11, 2026 |
| advanced search | MWE | | verified | May 11, 2026 |
| Adversarial Example | noun | | candidate | May 13, 2026 |
| Adversarial Example | MWE | | candidate | May 13, 2026 |
| Adversary | noun | Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities. | Threat | May 9, 2026 |
| Adverse Action Notice | noun | | Regulated | May 13, 2026 |
| Adverse Action Notice | MWE | | candidate | May 13, 2026 |
| Adverse Impact Ratio | noun | | Metric, Regulated | May 13, 2026 |
| Adverse Impact Ratio | MWE | | candidate | May 13, 2026 |
| advertise | verb | present or promote information to a specific audience using persuasive techniques | Analyze, Unclassified | May 11, 2026 |
| Advisory | noun | Notification of significant new trends or developments regarding the threat to the information systems of an organization. This notification may include analytical insights into trends, intentions, technologies, or tactics of an adversary targeting information systems. | Artifact, Internal | May 9, 2026 |
| Adware | noun | A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used. Scope Note: In most cases, this is done without any notification to the user or without the user’s consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user’s consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and it provides the user with a specific service. | Threat | May 9, 2026 |
| affect | verb | To have an effect on someone or something; make a difference to someone or something. | Unclassified | May 11, 2026 |
| affected party | noun | This role is focused on contracting parties who are affected by organizational activities. Any individual who is in a contract and is affected by organizational activities should be assigned to this role. | Identity, Regulated | May 9, 2026 |
| affected party | MWE | | candidate | May 9, 2026 |
| affiliate | noun | This role focuses on persons who are affiliated with other persons or organizations or on organizations or individuals that control or are controlled by a third party. Any person associated with another person or organization or any organization or individual being controlled by or controlling a third party should be assigned to this role. | Role, Regulated | May 9, 2026 |
| after | noun | This limits a Control or Mandate's secondary verb to be put into play once the event taking place has concluded. | candidate | May 9, 2026 |
| Agency | noun | Any executive department, military department, government corporation, government-controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency, but does not include: 1) the Government Accountability Office; 2) the Federal Election Commission; 3) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or 4) government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities. | Organization, Regulated, CUI | May 9, 2026 |
| Agency Certification Authority | noun | A CA that acts on behalf of an agency and is under the operational control of an agency. | Capability, Regulated, CUI | May 9, 2026 |
| Agency Certification Authority | MWE | | candidate | May 9, 2026 |
| Agent | noun | A program acting on behalf of a person or organization. | System | May 9, 2026 |
| Agent Bank | noun | A member of a bankcard company that agrees to participate in an acquirer's merchant processing program. The agent may be liable for losses incurred on its merchant accounts. An agent is usually a small financial institution that wants to offer merchant processing services as a customer service. Agent banks that only refer merchants to an acquiring financial institution's program are known as referral banks. | Organization, Regulated | May 9, 2026 |
| Agent Bank | MWE | | candidate | May 9, 2026 |
| Aggregate Short Position | noun | The sum of a Settlement Member's short positions, each such short position expressed in its base currency equivalent and adjusted by the applicable haircut. | Metric, Regulated | May 9, 2026 |
| Aggregate Short Position | MWE | | candidate | May 9, 2026 |
| Aggregate Short Position Limit | noun | In respect of a Settlement Member, the maximum aggregate short position that such Settlement Member is permitted to incur at any time. | Requirement, Regulated | May 12, 2026 |
| Aggregate Short Position Limit | MWE | | candidate | May 12, 2026 |
| Agile | noun | | candidate | May 13, 2026 |
| Agility | noun | In IT systems, the ability to rapidly incorporate new technologies or changes to technologies allowing an organization to adapt to changing business needs. | Capability | May 12, 2026 |
| agree | verb | express concurrence with a position based on evidence or criteria | Evaluate, Unclassified | May 11, 2026 |
| agree | noun | Be in accord; be in agreement. | candidate | May 9, 2026 |
| agreement | noun | This record category contains records of mutual understandings, written or verbal, made by two or more parties regarding a matter of opinion or their rights and obligations toward each other. | Requirement, Regulated | May 12, 2026 |
| Ai Principles | noun | | candidate | May 13, 2026 |
| Ai Principles | MWE | | candidate | May 13, 2026 |
| air gap | verb | To physically separate or isolate a system from other systems or networks (verb). | Unclassified | May 11, 2026 |
| air gap | MWE | | candidate | May 11, 2026 |
| Air-gapped environment | noun | Security measure that isolates a secure network from unsecure networks physically, electrically, and electromagnetically. | Control | May 9, 2026 |
| Air-gapped environment | MWE | | candidate | May 9, 2026 |
| alarm | noun | A warning of danger. | Event | May 9, 2026 |
| alert | verb | Notification that a specific attack has been directed at an organization’s information systems. | Remember, Unclassified | May 11, 2026 |
| alert parameter | noun | A parameter that is used to determine when an alert is triggered. | Event | May 9, 2026 |
| alert parameter | MWE | | candidate | May 9, 2026 |
| Alert situation | noun | The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The enterprise entering into an alert situation initiates a series of escalation steps. | Event | May 9, 2026 |
| Alert situation | MWE | | candidate | May 9, 2026 |
| Algorithm | noun | A finite set of step-by-step instructions for a problem-solving or computation procedure, especially one that can be implemented by a computer. | Process | May 9, 2026 |
| Algorithmic Aversion | noun | | candidate | May 13, 2026 |
| Algorithmic Aversion | MWE | | candidate | May 13, 2026 |
| align | verb | To give support to; come together in agreement or alliance. | Unclassified | May 11, 2026 |
| Alignment | noun | | candidate | May 13, 2026 |
| All Source Intelligence | noun | In the NICE Workforce Framework, cybersecurity work where a person: Analyzes threat information from multiple sources, disciplines, and agencies across the Intelligence Community. Synthesizes and places intelligence information in context; draws insights about the possible implications. | Capability, Restricted, CUI | May 9, 2026 |
| All Source Intelligence | MWE | | candidate | May 9, 2026 |
| allocate | verb | distribute resources, time, or attention according to a plan | Apply, Unclassified | May 11, 2026 |
| Allocation | noun | The process an organization employs to determine whether security controls are defined as system-specific, hybrid, or common. The process an organization employs to assign security controls to specific information system components responsible for providing a particular security capability (e.g., router, server, remote sensor). | Process | May 12, 2026 |
| allow | noun | Let someone have or do something. | candidate | May 9, 2026 |
| alphabetize | verb | arrange items in alphabetical order as an organizational method | Apply, Unclassified | May 11, 2026 |
| alter | verb | To change or cause to change; make different; transform. | Unclassified | May 11, 2026 |
| Alternate COMSEC Custodian | noun | Individual designated by proper authority to perform the duties of the COMSEC custodian during the temporary absence of the COMSEC custodian. | Role | May 9, 2026 |
| Alternate COMSEC Custodian | MWE | | candidate | May 9, 2026 |
| Alternate facilities | noun | Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed. Scope Note: Includes other buildings, offices or data processing centers | Physical, Restricted | May 9, 2026 |
| Alternate facilities | MWE | | candidate | May 9, 2026 |
| alternate network communications procedure | noun | A specifically laid out course of action to ensure that communication is not disrupted if the main network is inaccessible; must include access to a secondary communication network. | Requirement | May 9, 2026 |
| Alternate process | noun | Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal | Process, Regulated | May 12, 2026 |
| Alternate process | MWE | | candidate | May 12, 2026 |
| Alternate Site Test / Exercise | noun | A business continuity testing activity that tests the capability of staff, systems, and facilities, located at sites other than those generally designated for primary processing and business functions, to effectively support production processing and workloads. During the exercise, business line staff located at recovery site(s) participate in testing business functions and the supporting systems by performing typical production activities, including accessing applications and completing pending transactions. Staff members participate in testing alternate site facilities through the use of PCs, phones, and other equipment needed to perform testing of business activities. | Process, Internal | May 9, 2026 |
| Alternate Site Test / Exercise | MWE | | candidate | May 9, 2026 |
| Alternate Work Site | noun | Governmentwide, national program allowing federal employees to work at home or at geographically convenient satellite offices for part of the work week (e.g., telecommuting). | Physical, Regulated | May 12, 2026 |
| Alternate Work Site | MWE | | candidate | May 12, 2026 |
AmplificationnouncandidateMay 13, 2026
AnalognounA transmission signal that varies continuously in amplitude and time and is generated in wave formation Scope Note: Analog signals are used in telecommunicationsNetworkMay 9, 2026
AnalysisnounThe examination of acquired data for its significance and probative value to the case.ProcessMay 12, 2026
AnalyticsnouncandidateMay 13, 2026
analyzeverbexamine information in detail to identify components, patterns, or causesAnalyzeUnclassifiedMay 11, 2026
AnalyzenounTo examine methodically, typically for purposes of explanation and interpretation.ProcessMay 9, 2026
analyze candidate architecturesverbevaluate and compare potential system designs or structuresAnalyzeUnclassifiedMay 11, 2026
analyze candidate architecturesMWEverifiedMay 11, 2026
animateverbbring concepts to life through motion graphics or dynamic visual representationCreateUnclassifiedMay 11, 2026
annotateverbadd explanatory notes or comments to a text, diagram, or documentUnderstandUnclassifiedMay 11, 2026
AnnotationnouncandidateMay 13, 2026
anomalous activitynounAny actions that are outside of what is expected, as measured against what "normally" should be happening, occur.EventMay 9, 2026
anomalous activityMWEcandidateMay 9, 2026
anomalous transactionnounA transaction that deviates from the standards, procedures, and processes used to create a transaction.EventRegulatedPCIMay 9, 2026
anomalous transactionMWEcandidateMay 9, 2026
AnomalynouncandidateMay 13, 2026
Anomaly-Based DetectionnounThe process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.CapabilityMay 9, 2026
Anomaly-Based DetectionMWEcandidateMay 9, 2026
AnonymizationnounProcessRegulatedMay 13, 2026
AnthropomorphismnouncandidateMay 13, 2026
Anti-jamnounCountermeasures ensuring that transmitted information can be received despite deliberate jamming attempts.ControlRegulatedCUIMay 9, 2026
Anti-malwarenounA technology widely used to prevent, detect and remove many categories of malware, including computer viruses, worms, Trojans, keyloggers, malicious browser plug-ins, adware and spywareThreatMay 9, 2026
Anti-spoofnounCountermeasures taken to prevent the unauthorized use of legitimate Identification & Authentication (I&A) data, however it was obtained, to mimic a subject different from the attacker.ControlMay 9, 2026
antimalware softwarenounA program that monitors a computer or network to identify all major types of malware: virus, trojan horse, spyware, Adware, worms, rootkits, etc.CapabilityMay 9, 2026
antimalware softwareMWEcandidateMay 9, 2026
antispyware softwarenounA program that specializes in detecting both malware and non-malware forms of spyware.CapabilityMay 9, 2026
antispyware softwareMWEcandidateMay 9, 2026
Antivirus softwarenounA program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents.ControlMay 9, 2026
Antivirus softwareMWEcandidateMay 9, 2026
antivirus update levelnounThe level or version of antivirus software.MetricInternalMay 12, 2026
antivirus update levelMWEcandidateMay 12, 2026
antivirus update processnounA particular series of actions or steps to bring about an antivirus update.ProcessMay 12, 2026
antivirus update processMWEcandidateMay 12, 2026
Antivirus/anti-malware softwarenounA program that monitors a computer or network to identify all types of malware and prevent or contain malware incidents.ThreatMay 9, 2026
Antivirus/anti-malware softwareMWEcandidateMay 9, 2026
AppletnounJava programs; an application program that uses the client's web browser to provide a user interface.SystemMay 9, 2026
applicabilitynounThe degree to which something is applicable or relevant.MetricMay 12, 2026
applicable requirementnounThe relevant or appropriate necessary condition or conditions.RequirementRegulatedMay 12, 2026
applicable requirementMWEcandidateMay 12, 2026
ApplicantnounThe subscriber is sometimes called an “applicant” after applying to a certification authority for a certificate, but before the certificate issuance procedure is completed.IdentityMay 12, 2026
applicationnounSoftware program that performs a specific function directly for a user and can be executed without access to system control, monitoring, or administrative privileges.SystemMay 9, 2026
application controlnounControls related to transactions and data within application systems. Application controls ensure the completeness and accuracy of the records and the validity of the entries made resulting from both programmed processing and manual data entry. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted.ControlRegulatedMay 12, 2026
application controlMWEcandidateMay 12, 2026
application developmentnounThe process of designing and building code to create a computer program (software) used for a particular type of job.ProcessMay 9, 2026
application developmentMWEcandidateMay 9, 2026
Application layernounIn the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible. Scope Note: The application layer is not the application that is doing the communication; it is a service layer that provides these services.NetworkMay 9, 2026
Application layerMWEcandidateMay 9, 2026
Application systemnounAn integrated set of computer programs designed to serve a well-defined function and having specific input, processing, and output activities (e.g., general ledger, manufacturing resource planning, human resource management).SystemMay 9, 2026
Application systemMWEcandidateMay 9, 2026
application whitelistingnounApplication whitelisting is a computer administration practice used to prevent unauthorized programs from running. The purpose is primarily to protect computers and networks from harmful applications, and, to a lesser extent, to prevent unnecessary demand for resources. The whitelist is a simple list of applications that have been granted permission by the user or an administrator. When an application tries to execute, it is automatically checked against the list and, if found, allowed to run. An integrity check measure, such as hashing, is generally added to ensure that the application is in fact the authorized program and not a malicious or otherwise inappropriate one with the same name.ControlMay 12, 2026
application whitelistingMWEcandidateMay 12, 2026
applyverbuse learned knowledge, rules, or methods to solve problems in new situationsApplyUnclassifiedMay 11, 2026
applynounBring or put into operation or practical use.ProcessMay 9, 2026
appraiseverbassess the value, quality, or significance of something using defined criteriaEvaluateUnclassifiedMay 11, 2026
appriseverbinform or notify others of findings, assessments, or evaluationsEvaluateUnclassifiedMay 11, 2026
appropriate personnelnounThe suitable or proper person or persons employed in an organization.RoleMay 12, 2026
appropriate personnelMWEcandidateMay 12, 2026
approvalnounThe formal act of approving.ProcessMay 12, 2026
Approval to OperatenounThe official management decision issued by a DAA or PAA to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.ArtifactRegulatedCUIMay 9, 2026
Approval to OperateMWEcandidateMay 9, 2026
approveverbGive sanction to.EvaluateUnclassifiedMay 11, 2026
ApprovednounFederal Information Processing Standard (FIPS)-approved or National Institute of Standards and Technology (NIST)-recommended. An algorithm or technique that is either 1) specified in a FIPS or NIST Recommendation, or 2) adopted in a FIPS or NIST Recommendation.RequirementRegulatedMay 9, 2026
Approved Mode of OperationnounA mode of the cryptographic module that employs only Approved security functions (not to be confused with a specific mode of an Approved security function, e.g., Data Encryption Standard Cipher-Block Chaining (DES CBC) mode).ControlRegulatedCUIMay 12, 2026
Approved Mode of OperationMWEcandidateMay 12, 2026
Approved Security FunctionnounA security function (e.g., cryptographic algorithm, cryptographic key management technique, or authentication technique) that is either a) specified in an Approved Standard; b) adopted in an Approved Standard and specified either in an appendix of the Approved Standard or in a document referenced by the Approved Standard; or c) specified in the list of Approved security functions.CapabilityRegulatedMay 9, 2026
Approved Security FunctionMWEcandidateMay 9, 2026
approximateverbestimate a value or outcome based on available informationUnderstandUnclassifiedMay 11, 2026
ArchitecturenounDescription of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectivesFrameworkMay 12, 2026
areanounA region or part of a town, a country, or the world.candidateMay 9, 2026
argueverbpresent reasons and evidence for or against a positionCreateUnclassifiedMay 11, 2026
ariseverbTo emerge, become apparent, or come into being.UnclassifiedMay 11, 2026
ARPANETnounAdvanced Research Projects Agency Network, a pioneer packet-switched network that was built in the early 1970s under contract to the US Government, led to the development of today's Internet, and was decommissioned in June 1990.NetworkMay 9, 2026
arrangeverborganize elements into a structured order or patternCreateUnclassifiedMay 11, 2026
articulateverbexpress ideas clearly and effectively in wordsApplyUnclassifiedMay 11, 2026
Artificial Intelligence (ai) SystemMWEcandidateMay 13, 2026
Artificial Intelligence LearningnouncandidateMay 13, 2026
Artificial Intelligence LearningMWEcandidateMay 13, 2026
Artificial Narrow Intelligence (ani)nouncandidateMay 13, 2026
Artificial Narrow Intelligence (ani)MWEcandidateMay 13, 2026
Artificial Neural NetworksnouncandidateMay 13, 2026
Artificial Neural NetworksMWEcandidateMay 13, 2026
ascertainverbfind out or determine something with certainty through investigationApplyUnclassifiedMay 11, 2026
ascertainnounLearn or discover with certainty.ProcessMay 9, 2026
assembleverbbring together components to create a whole structure or productCreateUnclassifiedMay 11, 2026
assertverbTo state as having existence; affirm; postulate.UnclassifiedMay 11, 2026
assessverbevaluate the nature, quality, or importance of something systematicallyEvaluateSecondaryMay 11, 2026
assessed risknounA detected and evaluated risk. An assessed risk of material misstatement at the assertion level is a significant risk.FindingRegulatedMay 12, 2026
assessed riskMWEcandidateMay 12, 2026
assessmentnounThe purpose of this task is to estimate or determine the nature, value, ability, or quality of someone or something.ProcessMay 12, 2026
Assessment FindingsnounAssessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective; the execution of a determination statement within an assessment procedure by an assessor that results in either a satisfied or other than satisfied condition.FindingRestrictedCUIMay 9, 2026
Assessment FindingsMWEcandidateMay 9, 2026
Assessment MethodnounOne of three types of actions (i.e., examine, interview, test) taken by assessors in obtaining evidence during an assessment.ProcessMay 9, 2026
Assessment MethodMWEcandidateMay 9, 2026
Assessment ObjectnounThe item (i.e., specifications, mechanisms, activities, individuals) upon which an assessment method is applied during an assessment.ArtifactMay 12, 2026
Assessment ObjectMWEcandidateMay 12, 2026
Assessment ObjectivenounA set of determination statements that expresses the desired outcome for the assessment of a security control or control enhancement.RequirementRegulatedMay 12, 2026
Assessment ObjectiveMWEcandidateMay 12, 2026
Assessment ProcedurenounA set of assessment objectives and an associated set of assessment methods and assessment objects.RequirementMay 9, 2026
Assessment ProcedureMWEcandidateMay 9, 2026
assetnounA major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.DataMay 12, 2026
Asset IdentificationnounSecurity Content Automation Protocol (SCAP) constructs to uniquely identify assets (components) based on known identifiers and/or known information about the assets.ProcessMay 12, 2026
Asset IdentificationMWEcandidateMay 12, 2026
asset inventorynounA complete list of all the resources owned by an organization that is used in operations or used to support operations.ArtifactInternalMay 12, 2026
asset inventoryMWEcandidateMay 12, 2026
asset physical securitynounThe protection of assets from theft, vandalism, natural disasters, and accidental damage.ControlRegulatedMay 9, 2026
asset physical securityMWEcandidateMay 9, 2026
Asset Reporting FormatnounSCAP data model for expressing the transport format of information about assets (components) and the relationships between assets and reports.ArtifactRegulatedCUIMay 9, 2026
Asset Reporting FormatMWEcandidateMay 9, 2026
asset vulnerabilitynounA weakness in any of the organization's property of material value or usefulness or physical layout that could be accidentally triggered or intentionally exploited by a threat in order to gain unauthorized access to information or disrupt processing.VulnerabilityMay 9, 2026
asset vulnerabilityMWEcandidateMay 9, 2026
assignverbdesignate tasks, roles, or values to specific categories or individualsApplyUnclassifiedMay 11, 2026
assistverbTo give support or aid to someone, typically by doing a share of the work; help.UnclassifiedMay 11, 2026
assistancenounThe activity of contributing to the fulfillment of a need or furtherance of an effort or purpose.ProcessMay 9, 2026
associateverbmake connections between related concepts, ideas, or informationUnderstandUnclassifiedMay 11, 2026
assumeverbaccept something as true for the purpose of analysis or argumentAnalyzeUnclassifiedMay 11, 2026
assumptionnounSomething that is accepted as true without proof.RequirementMay 9, 2026
AssurancenounGrounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.CapabilityMay 9, 2026
Assurance CasenounA structured set of arguments and a body of evidence showing that an information system satisfies specific claims with respect to a given quality attribute.ArtifactConfidentialMay 12, 2026
Assurance CaseMWEcandidateMay 12, 2026
Assured Information SharingnounThe ability to confidently share information with those who need it, when and where they need it, as determined by operational need and an acceptable level of security risk.CapabilityRegulatedCUIMay 9, 2026
Assured Information SharingMWEcandidateMay 9, 2026
Assured SoftwarenounComputer application that has been designed, developed, analyzed, and tested using processes, tools, and techniques that establish a level of confidence in it.SystemMay 9, 2026
Assured SoftwareMWEcandidateMay 9, 2026
Asymmetric CryptographynounPublic-key cryptography; A modern branch of cryptography in which the algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm.CapabilityMay 9, 2026
Asymmetric CryptographyMWEcandidateMay 9, 2026
Asymmetric keynounA cipher technique in which different cryptographic keys are used to encrypt and decrypt a message. Scope Note: See Public key encryption.CredentialRestrictedMay 12, 2026
Asymmetric keyMWEcandidateMay 12, 2026
Asymmetric WarfarenounAsymmetric warfare is the fact that a small investment, properly leveraged, can yield incredible results.ThreatMay 12, 2026
Asymmetric WarfareMWEcandidateMay 12, 2026
Asynchronous data replicationnounA process for copying data from one source to another while the application processing continues; an acknowledgement of the receipt of data at the copy location is not required for processing to continue. Consequently, the content of databases stored in alternate facilities may differ from those at the original storage site, and copies of data may not contain current information at the time of a disruption in processing as a result of the time (in fractions of a second) required to transmit the data over a communications network to the alternate facility. This technology is typically used to transfer data over greater distances than that allowed with synchronous data replication.ProcessMay 12, 2026
Asynchronous data replicationMWEcandidateMay 12, 2026
Asynchronous transfer modenounThe method of transmitting bits of data one after another with a start bit and a stop bit to mark the beginning and end of each data unit. Can also mean automated teller machine.NetworkMay 9, 2026
Asynchronous transfer modeMWEcandidateMay 9, 2026
attacknounAny kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.ThreatMay 9, 2026
Attack mechanismnounA method used to deliver the exploit. Unless the attacker is personally performing the attack, an attack mechanism may involve a payload, or container, that delivers the exploit to the target.ThreatMay 9, 2026
Attack mechanismMWEcandidateMay 9, 2026
attack methodnounThe manner or technique and means an adversary may use in an assault on information or an information system.ThreatMay 9, 2026
attack methodMWEcandidateMay 9, 2026
attack pathnounThe steps that an adversary takes or may take to plan, prepare for, and execute an attack.ThreatMay 12, 2026
attack pathMWEcandidateMay 12, 2026
attack patternnounSimilar cyber events or behaviors that may indicate an attack has occurred or is occurring, resulting in a security violation or a potential security violation.ThreatMay 12, 2026
attack patternMWEcandidateMay 12, 2026
Attack Sensing and WarningnounDetection, correlation, identification, and characterization of intentional unauthorized activity with notification to decision makers so that an appropriate response can be developed.CapabilityMay 9, 2026
Attack Sensing and WarningMWEcandidateMay 9, 2026
attack signaturenounA characteristic byte pattern used in malicious code or an indicator, or set of indicators, that allows the identification of malicious network activities.ArtifactInternalMay 12, 2026
attack signatureMWEcandidateMay 12, 2026
attack surfacenounThe set of ways in which an adversary can enter a system and potentially cause damage.VulnerabilityMay 9, 2026
attack surfaceMWEcandidateMay 9, 2026
Attack vectornounA path or route used by the adversary to gain access to the target (asset). Scope Note: There are two types of attack vectors: ingress and egress (also known as data exfiltration).ThreatMay 12, 2026
Attack vectorMWEcandidateMay 12, 2026
attackernounAn individual, group, organization, or government that executes an attack.ThreatMay 9, 2026
attainverbsuccessfully achieve a goal or level of competenceApplyUnclassifiedMay 11, 2026
attendancenounThe frequency with which a person is present.MetricMay 12, 2026
AttenuationnounReduction of signal strength during transmissionControlMay 9, 2026
attributeverbidentify the cause, origin, or source of information or effectsAnalyzeUnclassifiedMay 11, 2026
AttributenouncandidateMay 13, 2026
Attribute AuthoritynounAn entity, recognized by the Federal Public Key Infrastructure (PKI) Policy Authority or comparable agency body as having the authority to verify the association of attributes to an identity.OrganizationRegulatedCUIMay 9, 2026
Attribute AuthorityMWEcandidateMay 9, 2026
Attribute-Based Access ControlnounAccess control based on attributes associated with and about subjects, objects, targets, initiators, resources, or the environment. An access control rule set defines the combination of attributes under which an access may take place.ControlMay 9, 2026
Attribute-Based Access ControlMWEcandidateMay 9, 2026
Attribute-Based AuthorizationnounA structured process that determines when a user is authorized to access information, systems, or services based on attributes of the user and of the information, system, or service.ControlMay 9, 2026
Attribute-Based AuthorizationMWEcandidateMay 9, 2026
auditverbconduct a systematic examination or review for accuracy and complianceAnalyzeSecondaryMay 11, 2026
auditnounIndependent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.ProcessMay 12, 2026
audit activitynounThose activities and procedures through which information is obtained to verify conformance to regulatory or organizational requirementsProcessRegulatedMay 9, 2026
audit activityMWEcandidateMay 9, 2026
Audit charternounA document approved by the board of directors that defines the IT audit function's responsibility, authority to review records, and accountability.ArtifactInternalMay 12, 2026
Audit charterMWEcandidateMay 12, 2026
audit committeenounAn operating committee of the Board of Directors charged with oversight of audit operations, including appraising the performance of the CPA firm, financial reporting and disclosure. Committee members are drawn from members of the company's board of directors, with a Chairperson selected from among the committee members.OrganizationRegulatedMay 9, 2026
audit committeeMWEcandidateMay 9, 2026
audit criterionnounThe standards or benchmarks used to meet an audit's requirements.RequirementMay 12, 2026
audit criterionMWEcandidateMay 12, 2026
audit cyclenounThe accounting process that auditors employ in the review of a company's financial information. The audit cycle includes the steps that an auditor will take to ensure that the company's financial information is valid and accurate before releasing any financial statements.ProcessRegulatedMay 9, 2026
audit cycleMWEcandidateMay 9, 2026
Audit DatanounChronological record of system activities to enable the reconstruction and examination of the sequence of events and changes in an event.DataRegulatedMay 12, 2026
Audit DataMWEcandidateMay 12, 2026
audit findingnounThe documented conclusion reached as a result of an official inspection of an organization’s accounts or other item or process being audited, typically by an independent body.FindingRegulatedMay 12, 2026
audit findingMWEcandidateMay 12, 2026
Audit functionnounThe purpose of this function is to provide an independent, objective assurance and consulting activity to evaluate and improve the effectiveness of risk management, control, and governance.CapabilityMay 9, 2026
Audit functionMWEcandidateMay 9, 2026
audit lognounA chronological record of system activities. Includes records of system accesses and operations performed in a given period.ArtifactRegulatedMay 13, 2026
audit logMWEcandidateMay 13, 2026
Audit Log eventnounAny of the various triggering actions that cause an application to write a new entry into the log.ArtifactRegulatedCUIMay 9, 2026
Audit Log eventMWEcandidateMay 9, 2026
audit manualnounA compilation of current audit policies, procedures, and guidelines.ArtifactInternalMay 9, 2026
audit manualMWEcandidateMay 9, 2026
Audit plannounA high level description of the audit work to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report, and its intended audience and other general aspects of the work.ArtifactInternalMay 12, 2026
Audit planMWEcandidateMay 12, 2026
audit policynounA description of the standards and guidelines an organization uses for going through external audits or conducting internal audits.RequirementInternalMay 9, 2026
audit policyMWEcandidateMay 9, 2026
audit procedurenounA detailed description of the steps necessary to implement an audit in conformance with applicable standards.RequirementMay 9, 2026
audit procedureMWEcandidateMay 9, 2026
Audit programnounThe audit policies, procedures, and strategies that govern the audit function, including Information Technology (IT) audit.ProcessInternalMay 9, 2026
Audit programMWEcandidateMay 9, 2026
audit recordnounAn individual entry in an audit log related to an audited event.ArtifactRegulatedCUIMay 9, 2026
audit recordMWEcandidateMay 9, 2026
Audit Reduction ToolsnounPreprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups.CapabilityMay 12, 2026
Audit Reduction ToolsMWEcandidateMay 12, 2026
audit reportnounA report issued by an independent Auditor that expresses an opinion about whether the financial statements present fairly a company's financial position, operating results, and cash flows in accordance with generally accepted accounting principles.ArtifactRegulatedMay 12, 2026
audit reportMWEcandidateMay 12, 2026
audit resourcenounThe materials that are used by auditors to conduct an audit.ArtifactConfidentialMay 12, 2026
audit resourceMWEcandidateMay 12, 2026
Audit ReviewnounThe assessment of an information system to evaluate the adequacy of implemented security controls, assure that they are functioning properly, identify vulnerabilities, and assist in implementation of new security controls where required. This assessment is conducted annually or whenever significant change has occurred and may lead to recertification of the information system.ProcessRegulatedCUIMay 12, 2026
Audit ReviewMWEcandidateMay 12, 2026
audit schedulenounThe dates on which a planned, official examination of a system or equipment will be performed.ArtifactInternalMay 12, 2026
audit scheduleMWEcandidateMay 12, 2026
audit scopenounDetermination of the range of the activities and the period (months or years) of records that are to be subjected to an audit examination.RequirementInternalMay 12, 2026
audit scopeMWEcandidateMay 12, 2026
audit staffnounAll people who are employed by an organization to perform audit activities.RoleMay 12, 2026
audit staffMWEcandidateMay 12, 2026
audit standardnounRules prescribed for auditors by various national and international organizations such as the Auditing Practices Board (in the UK) and the Auditing Standards Board (in the US).FrameworkRegulatedMay 12, 2026
audit standardMWEcandidateMay 12, 2026
Audit trailnounA chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security relevant transaction from inception to final result.ArtifactRegulatedMay 12, 2026
Audit trailMWEcandidateMay 12, 2026
audit universenounAn inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process.ArtifactInternalMay 12, 2026
audit universeMWEcandidateMay 12, 2026
audit vendornounA provider of audit services.OrganizationMay 12, 2026
audit vendorMWEcandidateMay 12, 2026
Audit Work PapernounThis record category contains records of working papers that are vital to the successful accomplishment of all audit assignments performed.ArtifactRegulatedMay 12, 2026
Audit Work PaperMWEcandidateMay 12, 2026
AuditingnounAuditing is the information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities.ProcessMay 9, 2026
auditornounA person who conducts audits from either inside or outside of the organization being audited.RoleMay 9, 2026
authenticateverbTo confirm the identity of an entity when that identity is presented.UnclassifiedMay 11, 2026
AuthenticationnounThe process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device), or to verify the source and integrity of data.CapabilityMay 9, 2026
Authentication CodenounA cryptographic checksum based on an Approved security function (also known as a Message Authentication Code [MAC]).CredentialRegulatedMay 12, 2026
Authentication CodeMWEcandidateMay 12, 2026
authentication controlnounOne of several systems which restrict user access to a network.ControlRegulatedMay 9, 2026
authentication controlMWEcandidateMay 9, 2026
authentication mechanismnounHardware or software-based mechanisms that force users, devices, or processes to prove their identity before accessing data on an information system.ControlMay 9, 2026
authentication mechanismMWEcandidateMay 9, 2026
authentication methodnounA method of verifying the identity of a user, such as a challenge password or a digital certificate.ControlRegulatedMay 12, 2026
authentication methodMWEcandidateMay 12, 2026
Authentication ModenounA block cipher mode of operation that can provide assurance of the authenticity and, therefore, the integrity of data.ControlMay 9, 2026
Authentication ModeMWEcandidateMay 9, 2026
Authentication PeriodnounThe maximum acceptable period between any initial authentication process and subsequent reauthentication processes during a single terminal session or during the period data is being accessed.RequirementRegulatedCUIMay 12, 2026
Authentication PeriodMWEcandidateMay 12, 2026
authentication procedurenounThe documented steps necessary to authenticate the identity of an entity through the use of credentials in order to gain access to the system.RequirementMay 9, 2026
authentication procedureMWEcandidateMay 9, 2026
Authentication ProtocolnounA defined sequence of messages between a Claimant and a Verifier that demonstrates that the Claimant has possession and control of a valid token to establish his/her identity, and optionally, demonstrates to the Claimant that he or she is communicating with the intended Verifier.ProcessRegulatedMay 12, 2026
Authentication ProtocolMWEcandidateMay 12, 2026
Authentication TagnounA pair of bit strings associated to data to provide assurance of its authenticity.ArtifactMay 12, 2026
Authentication TagMWEcandidateMay 12, 2026
Authentication TokennounAuthentication information conveyed during an authentication exchange.CredentialMay 9, 2026
Authentication TokenMWEcandidateMay 9, 2026
AuthenticatornounThe means used to confirm the identity of a user, process, or device (e.g., user password or token).CredentialRestrictedMay 12, 2026
AuthenticitynounThe property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. See Authentication.CapabilityMay 9, 2026
authorverbcreate original written content or documentationCreateUnclassifiedMay 11, 2026
AuthoritynounPerson(s) or established bodies with rights and responsibilities to exert control in an administrative sphere.OrganizationMay 9, 2026
authorizationnounAccess privileges granted to a user, program, or process or the act of granting those privileges.ControlMay 9, 2026
Authorization (ACH)nounA written or oral agreement between the originator and a receiver that allows payments processed through the ACH network to be deposited in, or withdrawn from, the receiver's account at a financial institution.RequirementRegulatedPCIMay 9, 2026
Authorization (ACH)MWEcandidateMay 9, 2026
Authorization BoundarynounAll components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected.RequirementRegulatedMay 9, 2026
Authorization BoundaryMWEcandidateMay 9, 2026
authorization recordnounA document or identifier which provides evidence of authorization.ArtifactRegulatedCUIMay 9, 2026
authorization recordMWEcandidateMay 9, 2026
Authorization to operatenounThe official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.ArtifactRegulatedCUIMay 9, 2026
Authorization to operateMWEcandidateMay 9, 2026
authorizeverbTo give official permission or approval for an undertaking; sanction; empower.UnclassifiedMay 11, 2026
authorize and documentverbTo provide and record official approval.UnclassifiedMay 11, 2026
authorize and documentMWEcandidateMay 11, 2026
authorized accessnounAccess to system components that (a) has been approved by a person designated to do so by management and (b) does not compromise segregation of duties, confidentiality commitments, or otherwise increase risk to the system beyond the levels approved by management (that is, access is appropriate).ControlRegulatedMay 9, 2026
authorized accessMWEcandidateMay 9, 2026
authorized devicenounA computer device that the organization has authorized to be used and connected to the system.PhysicalMay 12, 2026
authorized deviceMWEcandidateMay 12, 2026
authorized personnounThis role is focused on a person who has been given permission to do something by an authority. Any individual who has been granted permission to do something on behalf of their organization should be assigned to this role.RoleMay 12, 2026
authorized personMWEcandidateMay 12, 2026
authorized personnelnounThis role is focused on employees who are granted access to the organization's assets, information, and/or certain areas, or permitted to conduct certain work. Any individual who is sanctioned by management should be assigned to this role.RoleMay 9, 2026
authorized personnelMWEcandidateMay 9, 2026
authorized usernounA person who has the authority or permission to manage access or make changes to an account.IdentityMay 9, 2026
authorized userMWEcandidateMay 9, 2026
Authorized VendornounManufacturer of information assurance equipment authorized to produce quantities in excess of contractual requirements for direct sale to eligible buyers. Eligible buyers are typically U.S. government organizations or U.S. government contractors.OrganizationRegulatedMay 12, 2026
Authorized VendorMWEcandidateMay 12, 2026
Authorized Vendor ProgramnounProgram in which a vendor, producing an information systems security (INFOSEC) product under contract to NSA, is authorized to produce that product in numbers exceeding the contracted requirements for direct marketing and sale to eligible buyers. Eligible buyers are typically U.S. government organizations or U.S. government contractors. Products approved for marketing and sale through the AVP are placed on the Endorsed Cryptographic Products List (ECPL).ProcessRegulatedMay 9, 2026
Authorized Vendor ProgramMWEcandidateMay 9, 2026
Authorizing OfficialnounA senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.RoleMay 9, 2026
Authorizing OfficialMWEcandidateMay 9, 2026
Authorizing Official Designated RepresentativenounAn organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with security authorization.RoleRegulatedMay 12, 2026
Automated Clearing House (ACH)nounAn electronic clearing system in which a data processing center handles payment orders that are exchanged among financial institutions, primarily via telecommunications networks. ACH systems process large volumes of individual payments electronically. Typical ACH payments include salaries, consumer and corporate bill payments, interest and dividend payments, and Social Security payments.SystemRegulatedPCIMay 9, 2026
Automated Clearing House (ACH)MWEcandidateMay 9, 2026
Automated Clearing House (ACH) OperatornounA central clearing facility that depository financial institutions use to transmit and receive ACH entries. ACH operators are typically a Federal Reserve Bank or a private-sector organization that operates on behalf of a depository financial institution.RoleMay 9, 2026
automated clearing house activitynounAny transaction made through the Automated Clearing House network.EventRegulatedPCIMay 9, 2026
automated clearing house activityMWEcandidateMay 9, 2026
automated clearing house capturenounA service that allows a user to transmit automated clearing house data to a bank for posting and clearing.CapabilityRegulatedPCIMay 9, 2026
automated clearing house captureMWEcandidateMay 9, 2026
Automated ControlsnounSoftware routines designed into programs to ensure the validity, accuracy, completeness, and availability of input, processed, and stored data.ControlRegulatedMay 12, 2026
Automated ControlsMWEcandidateMay 12, 2026
Automated Key TransportnounThe transport of cryptographic keys, usually in encrypted form, using electronic means such as a computer network (e.g., key transport/agreement protocols).ProcessRegulatedMay 12, 2026
Automated Key TransportMWEcandidateMay 12, 2026
Automated Password GeneratornounAn algorithm which creates random passwords that have no association with a particular user.CredentialMay 9, 2026
Automated Password GeneratorMWEcandidateMay 9, 2026
Automated Security MonitoringnounUse of automated procedures to ensure security controls are not circumvented or the use of these tools to track actions taken by subjects suspected of misusing the information system.CapabilityMay 9, 2026
Automated Security MonitoringMWEcandidateMay 9, 2026
Automated Teller Machine (ATM)nounAn electronic funds transfer (EFT) terminal that allows customers using a PIN-based debit (ATM) card to initiate transactions (e.g., deposits, withdrawals, account balance inquiries).PhysicalRegulatedPCIMay 9, 2026
Automated Teller Machine (ATM)MWEcandidateMay 9, 2026
Automatic Remote RekeyingnounProcedure to rekey a distant crypto-equipment electronically without specific actions by the receiving terminal operator. See Manual Remote Rekeying.ProcessRegulatedCUIMay 9, 2026
Automatic Remote RekeyingMWEcandidateMay 9, 2026
AutomationnouncandidateMay 13, 2026
Automation BiasnouncandidateMay 13, 2026
Automation BiasMWEcandidateMay 13, 2026
AutonomicnounSystemMay 13, 2026
Autonomous SystemnounOne or more routers under a single administration operating the same routing policy.NetworkMay 9, 2026
Autonomous SystemMWEcandidateMay 9, 2026
Autonomous VehiclenounPhysicalMay 13, 2026
Autonomous VehicleMWEcandidateMay 13, 2026
AutonomynouncandidateMay 13, 2026
AvailabilitynounThe property of being accessible and useable upon demand by an authorized entity.RequirementMay 9, 2026
availability requirementnounAvailability requirement relates to the need for information to be available when required.RequirementRegulatedMay 9, 2026
availability requirementMWEcandidateMay 9, 2026
avoidverbrecognize and intentionally prevent errors, risks, or undesirable outcomesApplyUnclassifiedMay 11, 2026
awardverbgrant recognition or value based on evaluation of meritEvaluateUnclassifiedMay 11, 2026
awarenessnounHaving or showing knowledge or perception about a situation, fact, or development.CapabilityMay 9, 2026
Back Office Conversion (BOC)nounUnder NACHA rules, BOC allows retailers and billers that accept checks at the point-of-sale or at manned bill payment locations to convert eligible checks to ACH debits in the back-office.ProcessRegulatedPCIMay 9, 2026
Back Office Conversion (BOC)MWEcandidateMay 9, 2026
back upverbcreate copies of data or provide supporting evidence for a claimApplyUnclassifiedMay 11, 2026
back upMWEverifiedMay 11, 2026
Back-TestingnouncandidateMay 13, 2026
Back-up GenerationsnounA tape rotation methodology that creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers." This back-up methodology is frequently used to refer to master files for financial applications.ProcessRegulatedMay 12, 2026
Back-up GenerationsMWEcandidateMay 12, 2026
BackdoornounAn undocumented way of gaining access to a computer system. A backdoor is a potential security risk.VulnerabilityMay 9, 2026
backgroundnounA person's previous experience, education, or social circumstances.ArtifactRegulatedPIIMay 9, 2026
Backtracking ResistancenounBacktracking resistance is provided relative to time T if there is assurance that an adversary who has knowledge of the internal state of the Deterministic Random Bit Generator (DRBG) at some time subsequent to time T would be unable to distinguish between observations of ideal random bitstrings and (previously unseen) bitstrings that were output by the DRBG prior to time T. The complementary assurance is called Prediction Resistance.ControlRegulatedMay 9, 2026
Backtracking ResistanceMWEcandidateMay 9, 2026
backupnounA copy of files and programs made to facilitate recovery, if necessary.ProcessMay 12, 2026
BandwidthnounTerminology used to indicate the transmission or processing capacity of a system or of a specific location in a system (usually a network system) for information (text, images, video, sound). Bandwidth is usually defined in bits per second (bps) but also is usually described as either large or small. Where a full page of English text is about 16,000 bits, a fast modem can move approx. 15,000 bps. Full-motion, full-screen video requires about 10,000,000 bps, depending on compression.MetricMay 12, 2026
Bank Identification Number/Interbank Card Company (BIN/ICA)nounA series of assigned numbers used to identify the settling financial institution for both acquiring and issuing bankcard transactions.DataRegulatedPCIMay 9, 2026
Bank Secrecy ActnounThe Currency and Foreign Transactions Reporting Act, also known as the Bank Secrecy Act (BSA), and its implementing regulation, 31 CFR 103, is a tool the U.S. government uses to fight drug trafficking, money laundering, and other crimes. Congress enacted the BSA to prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of money derived from, criminal activity.FrameworkRegulatedMay 12, 2026
Bank Secrecy ActMWEcandidateMay 12, 2026
BankcardnounA general-purpose credit card, issued by a financial institution under agreement with the bankcard associations (Visa and MasterCard), which customers can use to purchase goods and services and to obtain cash against a line of credit established by the bankcard issuer.DataRegulatedPCIMay 9, 2026
Bankcard CompaniesnounVisa and MasterCard International, Inc. are bankcard companies established as bank service companies. Financial institutions must be members of a bankcard company in order to offer their credit card services. The companies have established membership rights and obligations, and membership is limited to financial institutions.OrganizationInternalPCIMay 12, 2026
Bankcard CompaniesMWEcandidateMay 12, 2026
BannernounDisplay on an information system that sets parameters for system or data use.ControlMay 12, 2026
Banner GrabbingnounThe process of capturing banner information—such as application type and version—that is transmitted by a remote port when a connection is initiated.ProcessMay 9, 2026
Banner GrabbingMWEcandidateMay 9, 2026
baseverbTo serve as a foundation, underlying support, or starting point for something.UnclassifiedMay 11, 2026
baselineverbPrimaryMay 11, 2026
BaselinenounHardware, software, databases, and relevant documentation for an information system at a given point in time.ArtifactRegulatedMay 12, 2026
baseline configurationnounA set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.RequirementMay 12, 2026
baseline configurationMWEcandidateMay 12, 2026
Baseline SecuritynounThe minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity, and/or availability protection.RequirementMay 12, 2026
Baseline SecurityMWEcandidateMay 12, 2026
BaseliningnounMonitoring resources to determine typical utilization patterns so that significant deviations can be detected.ProcessMay 12, 2026
Basic AuthenticationnounBasic Authentication is the simplest web-based authentication scheme that works by sending the username and password with each request.CredentialRestrictedPIIMay 9, 2026
Basic AuthenticationMWEcandidateMay 9, 2026
Basic TestingnounA test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. Also known as black box testing.ProcessMay 9, 2026
Basic TestingMWEcandidateMay 9, 2026
BastionnounSystem heavily fortified against attacksSystemMay 9, 2026
Bastion HostnounA special-purpose computer on a network specifically designed and configured to withstand attacks.SystemRegulatedMay 12, 2026
Bastion HostMWEcandidateMay 12, 2026
Batch ProcessingnounThe transmission or processing of a group of related payment instructions.ProcessRegulatedPCIMay 9, 2026
Batch ProcessingMWEcandidateMay 9, 2026
Batched AutomationnouncandidateMay 13, 2026
Batched AutomationMWEcandidateMay 13, 2026
beverbTo take place; occur; happen.UnclassifiedMay 11, 2026
be accurateverbTo be exact.UnclassifiedMay 11, 2026
be accurateMWEcandidateMay 11, 2026
be adequateverbTo be satisfactory or acceptable in quality or quantity.UnclassifiedMay 11, 2026
be adequateMWEcandidateMay 11, 2026
be appropriatenounBe suitable or proper in the circumstances.candidateMay 9, 2026
be appropriateMWEcandidateMay 9, 2026
be at restverbTo be inactive or not in motion.UnclassifiedMay 11, 2026
be at restMWEcandidateMay 11, 2026
be availableverbTo be able to be used or obtained.UnclassifiedMay 11, 2026
be availableMWEcandidateMay 11, 2026
be completeverbTo have all the necessary or appropriate parts.UnclassifiedMay 11, 2026
be completeMWEcandidateMay 11, 2026
be consistentverbTo be unchanging and not contradictory.UnclassifiedMay 11, 2026
be consistentMWEcandidateMay 11, 2026
be currentverbTo belong to the present time.UnclassifiedMay 11, 2026
be currentMWEcandidateMay 11, 2026
be impracticalnounBe something that is not adapted for use or action; not sensible or realistic.candidateMay 9, 2026
be impracticalMWEcandidateMay 9, 2026
be inverbTo be enclosed or surrounded by something.UnclassifiedMay 11, 2026
be inMWEcandidateMay 11, 2026
be in effectverbTo be in operation.UnclassifiedMay 11, 2026
be in effectMWEcandidateMay 11, 2026
be insufficientverbTo be inadequate.UnclassifiedMay 11, 2026
be insufficientMWEcandidateMay 11, 2026
be responsiblenounHave an obligation to do something, or have control over or care for someone, as part of one’s job or role.RoleMay 9, 2026
be responsibleMWEcandidateMay 9, 2026
be sufficientverbTo be enough for a particular purpose.UnclassifiedMay 11, 2026
be sufficientMWEcandidateMay 11, 2026
bearverbTo take responsibility for.UnclassifiedMay 11, 2026
beforenounThis limits a Control or Mandate's secondary verb to be put into play prior to the event taking place.ControlRegulatedMay 12, 2026
behavior monitoringnounObserving activities of users, information systems, and processes and measuring the activities against organizational policies and rules, baselines of normal activity, thresholds, and trends.CapabilityMay 9, 2026
behavior monitoringMWEcandidateMay 9, 2026
Behavioral OutcomenounWhat an individual who has completed the specific training module is expected to be able to accomplish in terms of IT security-related job performance.MetricMay 9, 2026
Behavioral OutcomeMWEcandidateMay 9, 2026
BenchmarknounA standard, or point of reference, against which things may be compared or assessed.MetricMay 9, 2026
Benign EnvironmentnounA non-hostile location protected from external hostile elements by physical, personnel, and procedural security countermeasures.PhysicalMay 9, 2026
Benign EnvironmentMWEcandidateMay 9, 2026
Berkeley Internet Name DomainnounBIND stands for Berkeley Internet Name Domain and is an implementation of DNS. DNS is used for domain name to IP address resolution.SystemMay 9, 2026
Berkeley Internet Name DomainMWEcandidateMay 9, 2026
best practicenounProcedures and guidelines that are widely accepted because experience and research have demonstrated that they are optimal and efficient means to produce a desired result.RequirementMay 9, 2026
best practiceMWEcandidateMay 9, 2026
BiasnouncandidateMay 13, 2026
Bias Mitigation AlgorithmnouncandidateMay 13, 2026
Bias Mitigation AlgorithmMWEcandidateMay 13, 2026
Bias TestingnouncandidateMay 13, 2026
Bias TestingMWEcandidateMay 13, 2026
Big DatanounDataMay 13, 2026
Big DataMWEcandidateMay 13, 2026
Bilateral Key SecuritynounA multi-level data encryption system, based on the exchange of Bilateral Keys, allowing users of SWIFT to create, send, and receive SWIFT messages. Bilateral Keys are unique authenticator keys possessed by only the two parties (either the provider or recipient of a message) involved and provide confirmation in both directions of the legitimacy of a message sent via SWIFT.ControlRegulatedMay 12, 2026
Bilateral Key SecurityMWEcandidateMay 12, 2026
billingnounRequest for payment of a debt.DataRegulatedMay 12, 2026
bindnounThe process of associating two related elements of information.ProcessMay 9, 2026
BindingnounAn acknowledgement by a trusted third party that associates an entity’s identity with its public key. This may take place through (1) a certification authority’s generation of a public key certificate, (2) a security officer’s verification of an entity’s credentials and placement of the entity’s public key and identifier in a secure database, or (3) an analogous method.ProcessRegulatedMay 12, 2026
BinningnouncandidateMay 13, 2026
BiometricnounA measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant. Facial images, fingerprints, and iris scan samples are all examples of biometrics.CredentialMay 9, 2026
Biometric DatanounCredentialRegulatedPIIMay 13, 2026
Biometric DataMWEcandidateMay 13, 2026
Biometric InformationnounThe stored electronic information pertaining to a biometric. This information can be in terms of raw or compressed pixels or in terms of some characteristic (e.g., patterns).CredentialMay 9, 2026
Biometric InformationMWEcandidateMay 9, 2026
Biometric SystemnounAn automated system capable of: 1) capturing a biometric sample from an end user; 2) extracting biometric data from that sample; 3) comparing the extracted biometric data with data contained in one or more references; 4) deciding how well they match; and 5) indicating whether or not an identification or verification of identity has been achieved.CredentialMay 9, 2026
Biometric SystemMWEcandidateMay 9, 2026
BitnounA contraction of the term Binary Digit. The smallest unit of information in a binary system of notation.DataMay 9, 2026
Bit Error RatenounRatio between the number of bits incorrectly received and the total number of bits transmitted in a telecommunications system.MetricMay 12, 2026
Bit Error RateMWEcandidateMay 12, 2026
Bits per second (BPS)nounA measurement of how fast data moves from one place to another. A 28.8 modem can move 28,800 bits per second.MetricMay 12, 2026
Bits per second (BPS)MWEcandidateMay 12, 2026
BLACKnounDesignation applied to encrypted information and the information systems, the associated areas, circuits, components, and equipment processing that information. See also RED.CapabilityRestrictedCUIMay 12, 2026
Black CorenounA communication network architecture in which user data traversing a global Internet Protocol (IP) network is end-to-end encrypted at the IP layer. Related to striped core.NetworkRegulatedCUIMay 12, 2026
Black CoreMWEcandidateMay 12, 2026
Black holingnounA method typically used by ISPs to stop a DDoS attack on one of their customers. This approach to blocking DDoS attacks makes the site in question completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic.ControlMay 9, 2026
Black holingMWEcandidateMay 9, 2026
blacklistnounA list of discrete entities, such as hosts or applications, that have been previously determined to be associated with malicious activity.ControlMay 12, 2026
BlacklistingnounThe process of the system invalidating a user ID based on the user’s inappropriate actions. A blacklisted user ID cannot be used to log on to the system, even with the correct authenticator. Blacklisting and lifting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources.ProcessRegulatedMay 9, 2026
blendverbmerge different elements or ideas into a unified wholeCreateUnclassifiedMay 11, 2026
Blended AttacknounA hostile action to spread malicious code via multiple methods.ThreatMay 9, 2026
Blended AttackMWEcandidateMay 9, 2026
BlindingnounGenerating network traffic that is likely to trigger many alerts in a short period of time, to conceal alerts triggered by a “real” attack performed simultaneously.ThreatMay 9, 2026
BlocknounSequence of binary bits that comprise the input, output, State, and Round Key. The length of a sequence is the number of bits it contains. Blocks are also interpreted as arrays of bytes.DataRegulatedMay 12, 2026
Block ciphernounA symmetric key cryptographic algorithm that transforms a block of information at a time using a cryptographic key. For a block cipher algorithm, the length of the input block is the same as the length of the output block.CapabilityMay 9, 2026
Block cipherMWEcandidateMay 9, 2026
Block Cipher AlgorithmnounA family of functions and their inverses that is parameterized by a cryptographic key; the function maps bit strings of a fixed length to bit strings of the same length.CapabilityMay 12, 2026
Block Cipher AlgorithmMWEcandidateMay 12, 2026
blogverbcreate and publish written content in an online journal formatCreateUnclassifiedMay 11, 2026
Blue Teamnoun1. The group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically the Blue Team and its supporters must defend against real or simulated attacks 1) over a significant period of time, 2) in a representative operational context (e.g., as part of an operational exercise), and 3) according to rules established and monitored with the help of a neutral group refereeing the simulation or exercise (i.e., the White Team). 2. The term Blue Team is also used for defining a group of individuals that conduct operational network vulnerability evaluations and provide mitigation techniques to customers who have a need for an independent technical review of their network security posture. The Blue Team identifies security threats and risks in the operating environment, and in cooperation with the customer, analyzes the network environment and its current state of security readiness. Based on the Blue Team findings and expertise, they provide recommendations that integrate into an overall community security solution to increase the customer's cyber security readiness posture. Oftentimes a Blue Team is employed by itself or prior to a Red Team employment to ensure that the customer's networks are as secure as possible before having the Red Team test the systems.OrganizationMay 12, 2026
Blue TeamMWEcandidateMay 12, 2026
blueprintverbcreate a detailed plan or technical drawing for a project or systemAnalyzeUnclassifiedMay 11, 2026
boardnounThe corporate board of directors or any other oversight authority for the organization.OrganizationMay 9, 2026
board committeenounA group consisting of the members of a board of directors that is mandated to carry out specified functions, programs, or projects assigned by the board.OrganizationMay 9, 2026
board committeeMWEcandidateMay 9, 2026
Board of DirectorsnounA group of persons chosen to govern the affairs of a corporation or other large institution.OrganizationMay 9, 2026
Board of DirectorsMWEcandidateMay 9, 2026
Body of EvidencenounThe set of data that documents the information system’s adherence to the security controls applied. The BoE will include a Requirements Verification Traceability Matrix (RVTM) delineating where the selected security controls are met and evidence to that fact can be found. The BoE content required by an Authorizing Official will be adjusted according to the impact levels selected.ArtifactRegulatedCUIMay 9, 2026
Body of EvidenceMWEcandidateMay 9, 2026
bookmarkverbmark or save a resource for future reference and retrievalRememberUnclassifiedMay 11, 2026
boolean searchverbuse logical operators (AND, OR, NOT) to refine search queriesUnderstandUnclassifiedMay 11, 2026
boolean searchMWEverifiedMay 11, 2026
BoostingnouncandidateMay 13, 2026
Boot Record InfectornounA boot record infector is a piece of malware that inserts malicious code into the boot sector of a disk.ThreatMay 9, 2026
Boot Record InfectorMWEcandidateMay 9, 2026
Border Gateway ProtocolnounAn inter-autonomous system routing protocol. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP).NetworkMay 9, 2026
Border Gateway ProtocolMWEcandidateMay 9, 2026
Border routernounA device located at the organization's boundary to an external network.NetworkMay 9, 2026
Border routerMWEcandidateMay 9, 2026
botnounA computer connected to the Internet that has been surreptitiously / secretly compromised with malicious logic to perform activities under the command and control of a remote administrator.ThreatRegulatedMay 9, 2026
bot mastnounThe controller of a botnet that, from a remote location, provides direction to the compromised computers in the botnet.ThreatMay 9, 2026
bot mastMWEcandidateMay 9, 2026
BotnetnounA term derived from robot network; a large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as a denial-of-service attack on selected victims.ThreatMay 9, 2026
BoundarynounPhysical or logical perimeter of a system.ControlMay 9, 2026
Boundary ProtectionnounMonitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communication, through the use of boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels).ControlRegulatedMay 12, 2026
Boundary ProtectionMWEcandidateMay 12, 2026
boundary protection devicenounA device with appropriate mechanisms that: (i) facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system); and/or (ii) provides information system boundary protection.NetworkRegulatedMay 12, 2026
boundary protection deviceMWEcandidateMay 12, 2026
BreachnounEventRegulatedPIIMay 13, 2026
breadboardverbcreate a prototype or preliminary model for testing a conceptAnalyzeUnclassifiedMay 11, 2026
breakverbdivide information or a problem into smaller, manageable partsAnalyzeUnclassifiedMay 11, 2026
break downverbseparate complex information into component parts for examinationAnalyzeUnclassifiedMay 11, 2026
break downMWEverifiedMay 11, 2026
BridgenounData link layer device developed in the early 1980s to connect local area networks (LANs) or create two separate LAN or wide area network (WAN) network segments from a single segment to reduce collision domains. Scope Note: A bridge acts as a store-and-forward device in moving frames toward their destination. This is achieved by analyzing the MAC header of a data packet, which represents the hardware address of an NIC.NetworkMay 12, 2026
bring inverbTo introduce.UnclassifiedMay 11, 2026
bring inMWEcandidateMay 11, 2026
Bring your own devicenounAn enterprise policy used to permit partial or full integration of user-owned mobile devices for business purposesRequirementMay 12, 2026
Bring your own deviceMWEcandidateMay 12, 2026
British Standard 7799nounA standard code of practice that provides guidance on how to secure an information system. It includes the management framework, objectives, and control requirements for information security management systems.FrameworkMay 9, 2026
British Standard 7799MWEcandidateMay 9, 2026
BroadcastnounA method to distribute information to multiple recipients simultaneouslyProcessMay 9, 2026
Broadcast AddressnounAn address used to broadcast a datagram to all hosts on a given network using UDP or ICMP protocol.NetworkMay 9, 2026
Broadcast AddressMWEcandidateMay 9, 2026
BrowsernounA client computer program that can retrieve and display information from servers on the World Wide Web.SystemMay 9, 2026
BrowsingnounAct of searching through information system storage or active content to locate or acquire information, without necessarily knowing the existence or format of information being sought.ProcessMay 9, 2026
Brute forcenounA class of algorithms that repeatedly try all possible combinations until a solution is foundThreatMay 9, 2026
Brute forceMWEcandidateMay 9, 2026
Brute force attacknounRepeatedly trying all possible combinations of passwords or encryption keys until the correct one is foundThreatMay 9, 2026
Brute force attackMWEcandidateMay 9, 2026
Brute Force Password AttacknounA method of accessing an obstructed device through attempting multiple combinations of numeric and/or alphanumeric passwords.CredentialMay 9, 2026
Brute Force Password AttackMWEcandidateMay 9, 2026
budgetverbplan and allocate financial or other resources for a projectCreateUnclassifiedMay 11, 2026
budget processnounThe process by which an organization or individual creates and manages a financial plan. Within a larger business, the budget process is typically performed by managers who often obtain projected spending requirements and suggestions from their staff.ProcessMay 12, 2026
budget processMWEcandidateMay 12, 2026
Buffer overflownounA condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.VulnerabilityMay 12, 2026
Buffer overflowMWEcandidateMay 12, 2026
Buffer Overflow AttacknounA method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt data in memory.ThreatMay 9, 2026
Buffer Overflow AttackMWEcandidateMay 9, 2026
bugnounAn unexpected and relatively small defect, fault, flaw, or imperfection in an information system or device.VulnerabilityMay 9, 2026
Bug-BountynouncandidateMay 13, 2026
buildverbconstruct or create something by assembling parts or developing componentsCreateUnclassifiedMay 11, 2026
Build Security InnounA set of principles, practices, and tools to design, develop, and evolve information systems and software that enhance resistance to vulnerabilities, flaws, and attacks.CapabilityMay 9, 2026
Build Security InMWEcandidateMay 9, 2026
buildingnounA structure that has a roof and walls and stands more or less permanently in one place.PhysicalMay 9, 2026
Built-In TestnouncandidateMay 13, 2026
Built-In TestMWEcandidateMay 13, 2026
Bulk Electric System Cyber SystemnounOne or more Bulk Electric System (BES) Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.SystemRegulatedCUIMay 9, 2026
Bulk Electric System Cyber SystemMWEcandidateMay 9, 2026
Bulk Electric System Cyber System InformationnounInformation about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System. BES Cyber System Information does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems, such as, but not limited to, device names, individual IP addresses without context, ESP names, or policy statements. Examples of BES Cyber System Information may include, but are not limited to, security procedures or security information about BES Cyber Systems, Physical Access Control Systems, and Electronic Access Control or Monitoring Systems that is not publicly available and could be used to allow unauthorized access or unauthorized distribution; collections of network addresses; and network topology of the BES Cyber System.DataRegulatedCUIMay 9, 2026
Bulk EncryptionnounSimultaneous encryption of all channels of a multichannel telecommunications link.ControlMay 9, 2026
Bulk EncryptionMWEcandidateMay 9, 2026
bullet pointverborganize information into concise, listed key pointsRememberUnclassifiedMay 11, 2026
bullet pointMWEverifiedMay 11, 2026
businessnounA usually commercial or mercantile activity engaged in as a means of livelihood.OrganizationMay 9, 2026
business activitynounThe functions, processes, actions, and transactions of an organization and its employees.ProcessMay 9, 2026
business activityMWEcandidateMay 9, 2026
business continuitynounThe providing of critical business functions to customers, suppliers, regulators, and other entities at acceptable predefined levels after incidents and business interruptions.ProcessRegulatedMay 12, 2026
business continuityMWEcandidateMay 12, 2026
Business Continuity PlannounThe documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business functions will be sustained during and after a significant disruption.ProcessInternalMay 9, 2026
Business Continuity PlanMWEcandidateMay 9, 2026
Business Continuity Plan (BCP)nounA comprehensive written plan to maintain or resume business in the event of a disruption. BCP includes both the technology recovery capability (often referred to as disaster recovery) and the business unit(s) recovery capability.ArtifactInternalMay 9, 2026
Business Continuity Plan (BCP)MWEcandidateMay 9, 2026
Business Continuity planningnounThe act of creating processes and procedures to put into place to ensure that essential organizational functions can continue during and after a disaster.ProcessRegulatedMay 12, 2026
Business Continuity planningMWEcandidateMay 12, 2026
business continuity programnounA documented approach undertaken by an organization to implement business continuity.ProcessInternalMay 12, 2026
business continuity programMWEcandidateMay 12, 2026
Business Continuity StrategynounComprehensive strategies to recover, resume, and maintain all critical business functions.ProcessInternalMay 12, 2026
Business Continuity StrategyMWEcandidateMay 12, 2026
Business Continuity TestnounA test of an institution's disaster recovery plan or BCP.ProcessMay 12, 2026
Business Continuity TestMWEcandidateMay 12, 2026
business continuity testingnounThe act of performing a test to evaluate the effectiveness of an organization's business continuity plan.ProcessMay 9, 2026
business continuity testingMWEcandidateMay 9, 2026
business functionnounAn activity that is integral to operations or supporting operations within the entity, e.g. sales, marketing, manufacturing, accounting, etc.ProcessMay 9, 2026
business functionMWEcandidateMay 9, 2026
business impactnounThe financial, reputational or operational consequences to the business.MetricMay 9, 2026
business impactMWEcandidateMay 9, 2026
Business Impact AnalysisnounAn analysis of an enterprise’s requirements, processes, and interdependencies used to characterize information system contingency requirements and priorities in the event of a significant disruption.ProcessInternalMay 12, 2026
Business Impact AnalysisMWEcandidateMay 12, 2026
Business Impact Analysis (BIA)nounThe process of identifying the potential impact of uncontrolled, non-specific events on an institution's business processes.ProcessInternalMay 9, 2026
Business Impact Analysis (BIA)MWEcandidateMay 9, 2026
Business impact analysis/assessmentnounEvaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system. Scope Note: This process also includes addressing income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes, and loss of public reputation or public confidence.ProcessRestrictedMay 12, 2026
Business impact analysis/assessmentMWEcandidateMay 12, 2026
business operationnounThe day-to-day execution, monitoring and management of business processes.ProcessMay 9, 2026
business operationMWEcandidateMay 9, 2026
business processnounA collection of linked activities that takes one or more kinds of input and creates an output that is of value to an FMI’s stakeholders. A business process may comprise several assets, including information, ICT resources, personnel, logistics and organisational structure, which contribute either directly or indirectly to the added value of the service.ProcessMay 9, 2026
business processMWEcandidateMay 9, 2026
Business Process ManagementnouncandidateMay 13, 2026
Business Process ManagementMWEcandidateMay 13, 2026
Business Recovery Test/ExercisenounAn activity that tests an institution's BCP.ProcessInternalMay 12, 2026
Business Recovery Test/ExerciseMWEcandidateMay 12, 2026
business resumption testingnounA form of testing designed to determine the effectiveness of an organization's in-place strategy for full recovery of business functions following a disaster or disruption.ProcessInternalMay 9, 2026
business resumption testingMWEcandidateMay 9, 2026
Business RulenouncandidateMay 13, 2026
Business RuleMWEcandidateMay 13, 2026
business strategynounA term used in business planning that implies a careful selection and application of resources to obtain a competitive advantage in anticipation of future events or trends.ProcessIPMay 9, 2026
business strategyMWEcandidateMay 9, 2026
business unitnounA division or segment of an organization that operates as an independent enterprise representing a specific business function.OrganizationMay 9, 2026
business unitMWEcandidateMay 9, 2026
Business ValuenounHow much a business is worth. Business value is a highly subjective measure because it involves estimating the value of intangible assets like trade secrets and brand recognition. It adds to this the value of tangible assets like machinery and stockholder equity. Business value is especially important for potential investors or buyers.MetricConfidentialIPMay 12, 2026
Business ValueMWEcandidateMay 12, 2026
buyernounA buyer is any person or organization who contracts to acquire an asset or service in return for some form of consideration.OrganizationMay 9, 2026
BytenounA fundamental unit of computer storage; the smallest addressable unit in a computer's architecture. Usually holds one character of information and usually means eight bits.DataMay 12, 2026
cablenounA wire or group of wires covered in a protective casing used for transmitting electricity or telecommunication signals.PhysicalRegulatedMay 9, 2026
CachenounPronounced cash, a special high-speed storage mechanism. It can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in personal computers: memory caching and disk caching.SystemMay 9, 2026
Cache CrammingnounCache Cramming is the technique of tricking a browser to run cached Java code from the local disk, instead of the internet zone, so it runs with less restrictive permissions.ThreatMay 9, 2026
Cache CrammingMWEcandidateMay 9, 2026
Cache PoisoningnounMalicious or misleading data from a remote name server is saved [cached] by another name server. Typically used with DNS cache poisoning attacks.ThreatMay 9, 2026
Cache PoisoningMWEcandidateMay 9, 2026
calculateverbdetermine a numerical result using mathematical methodsEvaluateUnclassifiedMay 11, 2026
calculationnounA determination of something by mathematical or logical methods.ProcessMay 9, 2026
CalendarnounThis record category contains a document organized chronologically, especially in tabular form, indicating the day of week, date, and month or contains a chronological listing of documents in a collection, which may be comprehensive or selective, and which may include details about the writer, recipient, date, place, summary of content, type of document, and page or leaf count.ArtifactMay 12, 2026
CalibrationnouncandidateMay 13, 2026
Call Admission ControlnounThe inspection and control of all inbound and outbound voice network activity by a voice firewall based on user-defined policies.ControlMay 9, 2026
Call Admission ControlMWEcandidateMay 9, 2026
Call BacknounProcedure for identifying and authenticating a remote information system terminal, whereby the host system disconnects the terminal and reestablishes contact.ProcessRegulatedMay 9, 2026
Call BackMWEcandidateMay 9, 2026
Call TreenounA documented list of employees and external entities that should be contacted in the event of an emergency declaration.ArtifactInternalPIIMay 9, 2026
Call TreeMWEcandidateMay 9, 2026
CanisternounType of protective package used to contain and dispense keying material in punched or printed tape form.PhysicalRegulatedCUIMay 9, 2026
capabilitynounThe means to accomplish a mission, function, or objective.CapabilityMay 9, 2026
capacitynounThe maximum amount that something can contain.MetricMay 9, 2026
Capacity TestingnounActivities structured to determine whether resources (human and IT) can support required processing volumes in recovery environments.ProcessMay 9, 2026
Capacity TestingMWEcandidateMay 9, 2026
Capstone PoliciesnounThose policies that are developed by governing or coordinating institutions of Health Information Exchanges (HIEs). They provide overall requirements and guidance for protecting health information within those HIEs. Capstone Policies must address the requirements imposed by: (1) all laws, regulations, and guidelines at the federal, state, and local levels; (2) business needs; and (3) policies at the institutional and HIE levels.RequirementRegulatedPHIMay 9, 2026
Capstone PoliciesMWEcandidateMay 9, 2026
captureverbcollect, record, or preserve information or dataApplyUnclassifiedMay 11, 2026
CapturenounThe method of taking a biometric sample from an end user.ProcessRegulatedPIIMay 9, 2026
Card IssuernounA financial institution that issues general-purpose credit cards carrying one of the two bankcard company logos. The issuing financial institution establishes the credit relationship with the consumer.OrganizationRegulatedPCIMay 9, 2026
Card IssuerMWEcandidateMay 9, 2026
Card Verification Code (CVC2)nounNumeric security code printed on the back of MasterCard credit cards. CVC2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS. (See Address verification service).CredentialRegulatedPCIMay 9, 2026
Card Verification Code (CVC2)MWEcandidateMay 9, 2026
Card Verification Value (CVV2)nounThree-digit security number that is printed on the back of most Visa credit cards. CVV2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS.CredentialRegulatedPCIMay 9, 2026
Card Verification Value (CVV2)MWEcandidateMay 9, 2026
CardholdernounAn individual possessing an issued Personal Identity Verification (PIV) card.IdentityRegulatedCUIMay 9, 2026
carry outverbexecute or implement a procedure, plan, or taskApplyUnclassifiedMay 11, 2026
carry outMWEverifiedMay 11, 2026
CascadingnounDownward flow of information through a range of security levels greater than the accreditation range of a system, network, or component.EventRegulatedCUIMay 9, 2026
CasenouncandidateMay 13, 2026
Cash LetternounA group of checks accompanied by a paper listing sent to a clearinghouse, a Federal Reserve Bank, or another institution. A cash letter contains a number of negotiable items, mostly checks, accompanied by a letter that lists the amounts and instructions for transmittal to another bank. May also be called a transmittal letter. An incoming cash letter is one that is received by an institution from a clearinghouse, a Federal Reserve Bank, or another institution and contains checks written on accounts at the institution that were cashed elsewhere. An outgoing cash letter is one that is being sent to a clearinghouse, a Federal Reserve Bank, or another institution and contains checks deposited at the institution, which are written on accounts at other institutions.ArtifactRegulatedPIIMay 9, 2026
Cash LetterMWEcandidateMay 9, 2026
catalognounThe process of providing such access, plus additional work to prepare the materials for use, such as labeling, marking, and maintenance of authority files.ProcessMay 9, 2026
catalogueverbcreate a systematic list or record of items with descriptive detailsAnalyzeUnclassifiedMay 11, 2026
categorizationnounAn established category.ProcessRegulatedMay 12, 2026
categorizeverbarrange or classify items into defined groups based on shared characteristicsCreateUnclassifiedMay 11, 2026
CategorynounRestrictive label applied to classified or unclassified information to limit access.RequirementRegulatedCUIMay 9, 2026
CellnounA cell is a unit of data transmitted over an ATM network.DataMay 9, 2026
Central Office of RecordnounOffice of a federal department or agency that keeps records of accountable COMSEC material held by elements subject to its oversight.OrganizationRegulatedCUIMay 9, 2026
Central Office of RecordMWEcandidateMay 9, 2026
Central Services NodenounThe Key Management Infrastructure core node that provides central security management and data management services.SystemRestrictedCUIMay 9, 2026
Central Services NodeMWEcandidateMay 9, 2026
CertificatenounA digitally signed representation of information that 1) identifies the authority issuing it, 2) identifies the subscriber, 3) identifies its valid operational period (date issued / expiration date). In the information assurance (IA) community, certificate usually implies public key certificate and can have the following types: cross certificate – a certificate issued from a CA that signs the public key of another CA not within its trust hierarchy that establishes a trust relationship between the two CAs. encryption certificate – a certificate containing a public key that can encrypt or decrypt electronic messages, files, documents, or data transmissions, or establish or exchange a session key for these same purposes. Key management sometimes refers to the process of storing, protecting, and escrowing the private component of the key pair associated with the encryption certificate. identity certificate – a certificate that provides authentication of the identity claimed. Within the National Security Systems (NSS) PKI, identity certificates may be used only for authentication or may be used for both authentication and digital signatures.CredentialMay 9, 2026
Certificate ManagementnounProcess whereby certificates (as defined above) are generated, stored, protected, transferred, loaded, used, and destroyed.CredentialMay 9, 2026
Certificate ManagementMWEcandidateMay 9, 2026
Certificate Management AuthoritynounA Certification Authority (CA) or a Registration Authority (RA).CredentialMay 9, 2026
Certificate Management AuthorityMWEcandidateMay 9, 2026
Certificate PolicynounA specialized form of administrative policy tuned to electronic transactions performed during certificate management. A Certificate Policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of digital certificates. Indirectly, a certificate policy can also govern the transactions conducted using a communications system protected by a certificate-based security system. By controlling critical certificate extensions, such policies and associated enforcement technology can support provision of the security services required by particular applications.CredentialMay 9, 2026
Certificate PolicyMWEcandidateMay 9, 2026
Certificate revocation listnounA list of revoked public key certificates created and digitally signed by a Certification Authority.CredentialMay 9, 2026
Certificate revocation listMWEcandidateMay 9, 2026
Certificate Status AuthoritynounA trusted entity that provides online verification to a Relying Party of a subject certificate's trustworthiness, and may also provide additional attribute information for the subject certificate.CredentialMay 9, 2026
Certificate Status AuthorityMWEcandidateMay 9, 2026
Certificate-Based AuthenticationnounCertificate-Based Authentication is the use of SSL and certificates to authenticate and encrypt HTTP traffic.CredentialMay 9, 2026
Certificate-Based AuthenticationMWEcandidateMay 9, 2026
Certificate-Related InformationnounInformation, such as a subscriber's postal address, that is not included in a certificate. May be used by a Certification Authority (CA) managing certificates.CredentialMay 9, 2026
Certificate-Related InformationMWEcandidateMay 9, 2026
CertificationnounA comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.ProcessRegulatedMay 9, 2026
Certification AnalystnounThe independent technical liaison for all stakeholders involved in the C&A process responsible for objectively and independently evaluating a system as part of the risk management process. Based on the security requirements documented in the security plan, performs a technical and non-technical review of potential vulnerabilities in the system and determines if the security controls (management, operational, and technical) are correctly implemented and effective.RoleMay 9, 2026
Certification AnalystMWEcandidateMay 9, 2026
Certification authoritynoun1. For Certification and Accreditation (C&A) (C&A Assessment): Official responsible for performing the comprehensive evaluation of the security features of an information system and determining the degree to which it meets its security requirements. 2. For Public Key Infrastructure (PKI): A trusted third party that issues digital certificates and verifies the identity of the holder of the digital certificate.OrganizationRegulatedCUIMay 12, 2026
Certification authorityMWEcandidateMay 12, 2026
Certification Authority FacilitynounThe collection of equipment, personnel, procedures and structures that are used by a Certification Authority to perform certificate issuance and revocation.PhysicalRestrictedMay 12, 2026
Certification Authority FacilityMWEcandidateMay 12, 2026
Certification Authority WorkstationnounCommercial off-the-shelf (COTS) workstation with a trusted operating system and special-purpose application software that is used to issue certificates.SystemRestrictedMay 12, 2026
Certification Authority WorkstationMWEcandidateMay 12, 2026
Certification PackagenounProduct of the certification effort documenting the detailed results of the certification activities.ArtifactRegulatedCUIMay 9, 2026
Certification PackageMWEcandidateMay 9, 2026
Certification Practice StatementnounA statement of the practices that a Certification Authority employs in issuing, suspending, revoking, and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this Certificate Policy, or requirements specified in a contract for services).ArtifactInternalMay 9, 2026
Certification Practice StatementMWEcandidateMay 9, 2026
Certification Test and EvaluationnounSoftware and hardware security tests conducted during development of an information system.ProcessRegulatedMay 12, 2026
Certification Test and EvaluationMWEcandidateMay 12, 2026
Certified TEMPEST Technical AuthoritynounAn experienced, technically qualified U.S. government employee who has met established certification requirements in accordance with CNSS-approved criteria and has been appointed by a U.S. government department or agency to fulfill CTTA responsibilities.RoleRegulatedCUIMay 9, 2026
CertifiernounIndividual responsible for making a technical judgment of the system’s compliance with stated requirements, identifying and assessing the risks associated with operating the system, coordinating the certification activities, and consolidating the final certification and accreditation packages.RoleMay 9, 2026
certifyverbTo recognize as having met certain standards or possessing certain qualifications.SecondaryMay 11, 2026
Chain of custodynounA process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.ProcessRegulatedMay 9, 2026
Chain of custodyMWEcandidateMay 9, 2026
Chain of EvidencenounA process and record that shows who obtained the evidence; where and when the evidence was obtained; who secured the evidence; and who had control or possession of the evidence. The “sequencing” of the chain of evidence follows this order: collection and identification; analysis; storage; preservation; presentation in court; return to owner.ProcessRegulatedCUIMay 9, 2026
Chain of EvidenceMWEcandidateMay 9, 2026
Challenge and Reply AuthenticationnounPrearranged procedure in which a subject requests authentication of another and the latter establishes validity with a correct reply.ControlMay 9, 2026
Challenge and Reply AuthenticationMWEcandidateMay 9, 2026
Challenge-Handshake Authentication ProtocolnounThe Challenge-Handshake Authentication Protocol uses a challenge/response authentication mechanism where the response varies every challenge to prevent replay attacks.CredentialMay 9, 2026
Challenge-Response ProtocolnounAn authentication protocol where the verifier sends the claimant a challenge (usually a random value or a nonce) that the claimant combines with a secret (often by hashing the challenge and a shared secret together, or by applying a private key operation to the challenge) to generate a response that is sent to the verifier. The verifier can independently verify the response generated by the Claimant (such as by re-computing the hash of the challenge and the shared secret and comparing to the response, or performing a public key operation on the response) and establish that the Claimant possesses and controls the secret.ControlMay 9, 2026
Challenge-Response ProtocolMWEcandidateMay 9, 2026
changeverbalter or modify something to achieve a different outcomeCreateUnclassifiedMay 11, 2026
change in technologynounThis Triggering Event takes place when one technology is swapped out for another.EventMay 12, 2026
change in technologyMWEcandidateMay 12, 2026
Change managementnounThe broad processes for managing organizational change. Change management encompasses planning, oversight or governance, project management, testing, and implementation.ProcessMay 9, 2026
Change managementMWEcandidateMay 9, 2026
change management processnounActivities performed while following the change management procedures.ProcessMay 12, 2026
change management processMWEcandidateMay 12, 2026
change to applicationnounAny addition or modification to or within an application.EventRegulatedMay 9, 2026
change to applicationMWEcandidateMay 9, 2026
characterizeverbdescribe the distinctive qualities or features of somethingAnalyzeUnclassifiedMay 11, 2026
chargeverbassign responsibility or a specific task to someone or somethingApplyUnclassifiedMay 11, 2026
ChargebacknounA transaction generated when a cardholder disputes a transaction or when the merchant does not follow bankcard company procedures. The issuer and acquirer research the facts to determine which party is responsible for the transaction. If the merchant is unable to pay, the acquirer will have to cover the chargeback.EventRegulatedPCIMay 9, 2026
chartverbrepresent data or processes visually using graphs, diagrams, or tablesApplyUnclassifiedMay 11, 2026
ChatbotnouncandidateMay 13, 2026
checkverbverify accuracy, quality, or correctness against a standardEvaluateUnclassifiedMay 11, 2026
ChecknounA written order from one party (payer) to another (payee) requiring the payer's financial institution to pay a specified sum on demand to the payee or to a third party specified by the payee.ArtifactRegulatedPCIMay 12, 2026
Check 21 ActnounFormally known as the Check Clearing for the 21st Century Act. Creates a new document, the IRD (image replacement document or substitute check) that is the legal equivalent of the original check and should be accepted as such. The act does not require institutions to accept electronic images instead of checks or IRDs, but does require the acceptance of IRDs instead of paper checks. The exchange of electronic images is optional and will be done by agreements between individual institutions, groups of institutions, or clearinghouses.FrameworkRegulatedPCIMay 9, 2026
Check 21 ActMWEcandidateMay 9, 2026
Check ClearingnounThe movement of a check from the depository institution where it was deposited to the institution on which it was written. The funds move in the opposite direction, with a corresponding credit and debit to the involved accounts.ProcessRegulatedMay 12, 2026
Check ClearingMWEcandidateMay 12, 2026
Check ImagenounElectronic or digital image of an original check that is created by a depositor, a bank or other participant in the check collection process. Check images can be exchanged electronically by financial institutions, printed for customer statement purposes, displayed on Internet banking websites, and used to create substitute checks.DataRegulatedPCIMay 9, 2026
Check ImageMWEcandidateMay 9, 2026
Check TruncationnounThe practice of holding a check at the institution where it was deposited (or at an intermediary institution) and electronically forwarding the essential information on the check to the institution on which it was written. A truncated check is not returned to the writer.ProcessRegulatedPCIMay 9, 2026
Check TruncationMWEcandidateMay 9, 2026
Check WordnounCipher text generated by cryptographic logic to detect failures in cryptography.ControlRegulatedCUIMay 12, 2026
Check WordMWEcandidateMay 12, 2026
Checklist ReviewnounA preliminary procedure to testing that employs information checklists to guide staff activities. For example, checklists can be used to verify staff procedures, hardware and software configurations, or alternate communication mechanisms.ProcessMay 9, 2026
Checklist ReviewMWEcandidateMay 9, 2026
ChecksumnounValue computed on data to detect error or manipulation.ControlMay 9, 2026
Chief Information OfficernounAgency official responsible for: 1) providing advice and other assistance to the head of the executive agency and other senior management personnel of the agency to ensure that information systems are acquired and information resources are managed in a manner that is consistent with laws, Executive Orders, directives, policies, regulations, and priorities established by the head of the agency; 2) developing, maintaining, and facilitating the implementation of a sound and integrated information system architecture for the agency; and 3) promoting the effective and efficient design and operation of all major information resources management processes for the agency, including improvements to work processes of the agency. Note: Organizations subordinate to federal agencies may use the term Chief Information Officer to denote individuals filling positions with similar security responsibilities to agency-level Chief Information Officers.RoleRegulatedMay 12, 2026
Chief Information OfficerMWEcandidateMay 12, 2026
Chief Information Security OfficernounThe person in charge of information security within the enterprise.RoleRegulatedMay 9, 2026
Chief Information Security OfficerMWEcandidateMay 9, 2026
Chief Security OfficernounThe person usually responsible for all security matters, both physical and digital, in an enterprise.RoleMay 9, 2026
Chief Security OfficerMWEcandidateMay 9, 2026
chooseverbselect from alternatives based on evaluation of criteriaCreateUnclassifiedMay 11, 2026
ChoreographynouncandidateMay 13, 2026
CIP exceptional circumstancenounA situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or Bulk Electric System (BES) reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability.RequirementRegulatedCUIMay 12, 2026
CIP exceptional circumstanceMWEcandidateMay 12, 2026
CIP Senior ManagernounA single senior management official with overall authority and responsibility for leading and managing implementation of and continuing adherence to the requirements within the NERC CIP Standards, CIP-002 through CIP-011.RoleRegulatedCUIMay 12, 2026
CIP Senior ManagerMWEcandidateMay 12, 2026
CiphernounAny cryptographic system in which arbitrary symbols or groups of symbols, represent units of plain text, or in which units of plain text are rearranged, or both.ControlMay 9, 2026
Cipher Block Chaining-Message Authentication CodenounA secret-key block-cipher algorithm used to encrypt data and to generate a Message Authentication Code (MAC) to provide assurance that the payload and the associated data are authentic.ControlMay 9, 2026
Cipher SuitenounNegotiated algorithm identifiers. Cipher suites are identified in human-readable form using a mnemonic code.CapabilityMay 9, 2026
Cipher SuiteMWEcandidateMay 9, 2026
Cipher Text Auto-KeynounCryptographic logic that uses previous cipher text to generate a key stream.ControlMay 9, 2026
Cipher Text Auto-KeyMWEcandidateMay 9, 2026
CiphertextnounData output from the Cipher or input to the Inverse Cipher.DataRestrictedMay 12, 2026
Ciphertext/Cipher TextnounData in its encrypted form.DataRegulatedMay 12, 2026
Ciphertext/Cipher TextMWEcandidateMay 12, 2026
CiphonynounProcess of enciphering audio information, resulting in encrypted speech.ProcessMay 9, 2026
Circuit Switched NetworknounA circuit switched network is one in which a single continuous physical circuit connects two endpoints and the route is immutable once set up.NetworkMay 12, 2026
Circuit Switched NetworkMWEcandidateMay 12, 2026
citeverbreference a source of information to support a claim or argumentRememberUnclassifiedMay 11, 2026
ClaimantnounAn entity which is or represents a principal for the purposes of authentication, together with the functions involved in an authentication exchange on behalf of that entity. A claimant acting on behalf of a principal must include the functions necessary for engaging in an authentication exchange. (e.g., a smartcard [claimant] can act on behalf of a human user [principal])IdentityRegulatedPIIMay 12, 2026
clarifyverbmake a concept or statement easier to understand by providing explanationUnderstandUnclassifiedMay 11, 2026
claritynounFree from obscurity and easy to understand; the comprehensibility of clear expression.RequirementMay 9, 2026
classificationnounThe act of distributing things into classes or categories of the same type.ProcessMay 9, 2026
Classified InformationnounInformation that has been determined: (i) pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor Order, to be classified national security information; or (ii) pursuant to the Atomic Energy Act of 1954, as amended, to be Restricted Data (RD).DataRestrictedCUIMay 9, 2026
Classified InformationMWEcandidateMay 9, 2026
Classified Information SpillagenounSecurity incident that occurs whenever classified data is spilled either onto an unclassified information system or to an information system with a lower level of classification.EventRegulatedCUIMay 9, 2026
Classified Information SpillageMWEcandidateMay 9, 2026
Classified National Security InformationnounInformation that has been determined pursuant to Executive Order 13526 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.DataRegulatedCUIMay 9, 2026
ClassifiernouncandidateMay 13, 2026
classifyverborganize items into categories based on shared attributes or criteriaEvaluateUnclassifiedMay 11, 2026
clearverbTo use software or hardware products to overwrite storage space on the media with nonsensitive data. This process may include overwriting not only the logical storage location of a file(s) (e.g., file allocation table) but also may include all addressable locations. See comments on Clear/Purge Convergence.UnclassifiedMay 11, 2026
Clear TextnounInformation that is not encrypted.DataRestrictedMay 12, 2026
Clear TextMWEcandidateMay 12, 2026
ClearancenounFormal certification of authorization to have access to classified information other than that protected in a special access program (including SCI). Clearances are of three types: confidential, secret, and top secret. A top secret clearance permits access to top secret, secret, and confidential material; a secret clearance, to secret and confidential material; and a confidential clearance, to confidential material.CredentialRegulatedCUIMay 9, 2026
ClearingnounRemoval of data from an information system, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., through the keyboard); however, the data may be reconstructed using laboratory methods.ProcessRegulatedCUIMay 12, 2026
Clearing CorporationnounAlso known as a clearing house or clearing house association. A central processing mechanism whereby members agree to net, clear, and settle transactions involving financial instruments. Clearing corporations fulfill one or all of the following functions: Net many trades so that the number and the amount of payments that have to be made are minimized, determine money obligations among traders, and guarantee that trades will go through by legally assuming the risk of payments not made or securities not delivered. The latter function is implied when it is stated that the clearing corporation becomes the "counterpart" to all trades entered into its system.OrganizationRegulatedMay 12, 2026
Clearing CorporationMWEcandidateMay 12, 2026
Clearing House AssociationsnounVoluntary associations, formed by financial institutions that establish an exchange for checks drawn on them. Typically, institutions participating in check clearing houses use the Federal Reserve's National Settlement Service for the checks exchanged each business day.OrganizationRegulatedMay 9, 2026
Clearing House AssociationsMWEcandidateMay 9, 2026
Clearing House Interbank Payment Systems (CHIPS)nounA "real time," multilateral, final payments system for large dollar value, business-to-business payment transactions between domestic or foreign institutions that have offices located in the United States. CHIPS is run by CHIP Co. LLC, a subsidiary of The Clearing House Payments Company, LLC.SystemRegulatedMay 12, 2026
ClientnounIndividual or process acting on behalf of an individual who makes requests of a guard or dedicated server. The client’s requests to the guard or dedicated server can involve data transfer to, from, or through the guard or dedicated server.SystemMay 9, 2026
Client ApplicationnounA system entity, usually a computer process acting on behalf of a human user, that makes use of a service provided by a server.SystemMay 9, 2026
Client ApplicationMWEcandidateMay 9, 2026
Clinger-Cohen Act of 1996nounAlso known as Information Technology Management Reform Act. A statute that substantially revised the way that IT resources are managed and procured, including a requirement that each agency design and implement a process for maximizing the value and assessing and managing the risks of IT investments.RequirementRegulatedMay 12, 2026
Clinger-Cohen Act of 1996MWEcandidateMay 12, 2026
Closed Security EnvironmentnounEnvironment providing sufficient assurance that applications and equipment are protected against the introduction of malicious logic during an information system life cycle. Closed security is based upon a system's developers, operators, and maintenance personnel having sufficient clearances, authorization, and configuration control.SystemRegulatedCUIMay 12, 2026
Closed Security EnvironmentMWEcandidateMay 12, 2026
Closed StoragenounStorage of classified information within an accredited facility, in General Services Administration-approved secure containers, while the facility is unoccupied by authorized personnel.ControlRegulatedCUIMay 9, 2026
Closed StorageMWEcandidateMay 9, 2026
Cloud computingnounA model for enabling on-demand network access to a shared pool of configurable IT capabilities/resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It allows users to access technology-based services from the network cloud without knowledge of, expertise with, or control over the technology infrastructure that supports them. This cloud model is composed of five essential characteristics (on-demand self-service, ubiquitous network access, location independent resource pooling, rapid elasticity, and measured service); three service delivery models (Cloud Software as a Service [SaaS], Cloud Platform as a Service [PaaS], and Cloud Infrastructure as a Service [IaaS]); and four models for enterprise access (Private cloud, Community cloud, Public cloud, and Hybrid cloud). Note: Both the user's data and essential security services may reside in and be managed within the network cloud.SystemMay 9, 2026
Cloud computingMWEcandidateMay 9, 2026
Cloud storagenounA model of data storage in which the digital data is stored in logical pools, the physical storage spans multiple servers (and often locations), and the physical environment is typically owned and managed by a hosting company.SystemMay 12, 2026
Cloud storageMWEcandidateMay 12, 2026
ClusteringnounConnecting two or more computers together in such a way that enables them to act as a single computer. Clustering is used for parallel processing, load balancing, and fault tolerance.SystemMay 9, 2026
codeverbwrite instructions in a programming language to create software or automate tasksCreateUnclassifiedMay 11, 2026
codenounSystem of communication in which arbitrary groups of letters, numbers, or symbols represent units of plain text of varying length.DataMay 9, 2026
Code BooknounDocument containing plain text and code equivalents in a systematic arrangement, or a technique of machine encryption using a word substitution technique.ArtifactRestrictedCUIMay 12, 2026
Code BookMWEcandidateMay 12, 2026
Code GroupnounGroup of letters, numbers, or both in a code system used to represent a plain text word, phrase, or sentence.DataRegulatedCUIMay 12, 2026
Code GroupMWEcandidateMay 12, 2026
Code VocabularynounSet of plain text words, numerals, phrases, or sentences for which code equivalents are assigned in a code system.ArtifactMay 12, 2026
Code VocabularyMWEcandidateMay 12, 2026
coding standardnounA set of standards and guidelines which are/should be used when writing the source code for a program.RequirementIPMay 12, 2026
coding standardMWEcandidateMay 12, 2026
Cognitive AutomationnouncandidateMay 13, 2026
Cognitive AutomationMWEcandidateMay 13, 2026
Cognitive ComputingnouncandidateMay 13, 2026
Cognitive ComputingMWEcandidateMay 13, 2026
Cold SitenounBackup site that can be up and operational in a relatively short time span, such as a day or two. Provision of services, such as telephone lines and power, is taken care of, and the basic office furniture might be in place, but there is unlikely to be any computer equipment, even though the building might well have a network infrastructure and a room ready to act as a server room. In most cases, cold sites provide the physical location and basic services.PhysicalRegulatedMay 12, 2026
Cold SiteMWEcandidateMay 12, 2026
Cold StartnounProcedure for initially keying crypto-equipment.ProcessRegulatedCUIMay 9, 2026
Cold StartMWEcandidateMay 9, 2026
Cold/Warm/Hot Disaster Recovery Sitenoun* Hot site. It contains fully redundant hardware and software, with telecommunications, telephone and utility connectivity to continue all primary site operations. Failover occurs within minutes or hours, following a disaster. Daily data synchronization usually occurs between the primary and hot site, resulting in minimum or no data loss. Offsite data backup tapes might be obtained and delivered to the hot site to help restore operations. Backup tapes should be regularly tested to detect data corruption, malicious code and environmental damage. A hot site is the most expensive option. * Warm site. It contains partially redundant hardware and software, with telecommunications, telephone and utility connectivity to continue some, but not all primary site operations. Failover occurs within hours or days, following a disaster. Daily or weekly data synchronization usually occurs between the primary and warm site, resulting in minimum data loss. Offsite data backup tapes must be obtained and delivered to the warm site to restore operations. A warm site is the second most expensive option. * Cold site. Hardware is ordered, shipped and installed, and software is loaded. Basic telecommunications, telephone and utility connectivity might need turning on to continue some, but not all primary site operations. Relocation occurs within weeks or longer, depending on hardware arrival time, following a disaster. No data synchronization occurs between the primary and cold site, and could result in significant data loss. Offsite data backup tapes must be obtained and delivered to the cold site to restore operations. A cold site is the least expensive option.PhysicalRestrictedMay 9, 2026
collaborateverbwork jointly with others to create, analyze, or solve problemsCreateUnclassifiedMay 11, 2026
collaborationverbTo work together, especially in a joint intellectual effort.UnclassifiedMay 11, 2026
collectverbgather information, data, or materials from various sourcesCreateUnclassifiedMay 11, 2026
Collect & OperatenounA NICE Workforce Framework category consisting of specialty areas responsible for specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.CapabilityMay 12, 2026
Collect & OperateMWEcandidateMay 12, 2026
collectionnounThe action or process of gathering or bringing things together.ProcessMay 12, 2026
Collection OperationounIn the NICE Workforce Framework, cybersecurity work where a person: Executes collection using appropriate strategies and within the priorities established through the collection management process.ProcessMay 9, 2026
Collection OperatioMWEcandidateMay 9, 2026
CollisionnounTwo or more distinct inputs produce the same output. Also see Hash Function.EventMay 9, 2026
ColumnnounDataMay 13, 2026
combineverbmerge two or more elements, ideas, or methods into a new wholeCreateUnclassifiedMay 11, 2026
Command AuthoritynounIndividual responsible for the appointment of user representatives for a department, agency, or organization and their key ordering privileges.RoleRegulatedMay 12, 2026
Command AuthorityMWEcandidateMay 12, 2026
commentverbprovide observations, opinions, or explanatory remarks on contentEvaluateUnclassifiedMay 11, 2026
Commercial COMSEC Evaluation ProgramnounRelationship between NSA and industry in which NSA provides the COMSEC expertise (i.e., standards, algorithms, evaluations, and guidance) and industry provides design, development, and production capabilities to produce a type 1 or type 2 product. Products developed under the CCEP may include modules, subsystems, equipment, systems, and ancillary devices.ProcessRegulatedCUIMay 9, 2026
Commercial off-the-shelf (COTS)nounCOTS products include software and hardware products that are ready-made and available for sale to the general public. COTS products are typically installed in existing systems and do not require customization. Also known as "shrink-wrap" applications.SystemMay 9, 2026
Commercial off-the-shelf (COTS)MWEcandidateMay 9, 2026
Commercially ReasonablenounPractices and procedures in widespread use in the business community generally considered to represent prudent and reasonable business methods.RequirementMay 9, 2026
Commercially ReasonableMWEcandidateMay 9, 2026
Commodity ServicenounAn information system service (e.g., telecommunications service) provided by a commercial service provider typically to a large and diverse set of consumers. The organization acquiring and/or receiving the commodity service possesses limited visibility into the management structure and operations of the provider, and while the organization may be able to negotiate service-level agreements, the organization is typically not in a position to require that the provider implement specific security controls.CapabilityInternalMay 12, 2026
Commodity ServiceMWEcandidateMay 12, 2026
Common Access CardnounStandard identification/smart card issued by the Department of Defense that has an embedded integrated chip storing public key infrastructure (PKI) certificates.CredentialRegulatedCUIMay 9, 2026
Common Access CardMWEcandidateMay 9, 2026
Common Attack Pattern Enumeration and ClassificationnounA catalogue of attack patterns, published by the MITRE Corporation, that serves as an abstraction mechanism for helping describe how an attack against vulnerable systems or networks is executed.FrameworkPublicPublicInfoMay 12, 2026
Common CarriernounIn a telecommunications context, a telecommunications company that holds itself out to the public for hire to provide communications transmission services. Note: In the United States, such companies are usually subject to regulation by federal and state regulatory commissions.OrganizationRegulatedMay 12, 2026
Common CarrierMWEcandidateMay 12, 2026
Common Configuration EnumerationnounFrameworkMay 12, 2026
Common Configuration EnumerationMWEcandidateMay 12, 2026
Common Configuration Scoring SystemMWEcandidateMay 12, 2026
Common ControlnounControlMay 8, 2026
Common ControlMWEcandidateMay 8, 2026
Common Control ProvidernounRoleMay 8, 2026
Common Control ProviderMWEcandidateMay 8, 2026
Common CriterianounFrameworkMay 8, 2026
Common CriteriaMWEcandidateMay 8, 2026
Common Fill DevicenounPhysicalRegulatedCUIMay 8, 2026
Common Fill DeviceMWEcandidateMay 8, 2026
Common Gateway InterfacenounNetworkMay 8, 2026
Common Gateway InterfaceMWEcandidateMay 8, 2026
Common Misuse Scoring SystemnounMetricMay 8, 2026
Common Misuse Scoring SystemMWEcandidateMay 8, 2026
Common Platform EnumerationnounFrameworkMay 12, 2026
Common Platform EnumerationMWEcandidateMay 12, 2026
Common Vulnerabilities and ExposuresnounVulnerabilityPublicMay 12, 2026
Common Vulnerabilities and ExposuresMWEcandidateMay 12, 2026
Common Vulnerability Scoring SystemnounVulnerabilityMay 12, 2026
Common Vulnerability Scoring SystemMWEcandidateMay 12, 2026
communicateverbconvey information, ideas, or findings effectively to an audienceCreateIncidentalMay 11, 2026
communicationnounProcessMay 12, 2026
communication channelnounNetworkMay 12, 2026
communication channelMWEcandidateMay 12, 2026
communication systemnounSystemRegulatedMay 8, 2026
communication systemMWEcandidateMay 8, 2026
Communications CovernounControlMay 12, 2026
Communications CoverMWEcandidateMay 12, 2026
Communications DeceptionnounControlMay 12, 2026
Communications DeceptionMWEcandidateMay 12, 2026
Communications ProfilenounArtifactRestrictedCUIMay 8, 2026
Communications ProfileMWEcandidateMay 8, 2026
Communications SecuritynounCapabilityMay 8, 2026
Communications SecurityMWEcandidateMay 8, 2026
Community of InterestnounOrganizationMay 12, 2026
Community of InterestMWEcandidateMay 12, 2026
Community RisknounMetricMay 8, 2026
Community RiskMWEcandidateMay 8, 2026
compareverbidentify similarities and differences between two or more itemsCreateUnclassifiedMay 11, 2026
ComparisonnounProcessPIIMay 8, 2026
CompartmentalizationnounControlMay 8, 2026
Compartmented ModenounControlRegulatedCUIMay 8, 2026
Compartmented ModeMWEcandidateMay 8, 2026
compensating controlnounControlRegulatedMay 8, 2026
compensating controlMWEcandidateMay 8, 2026
Compensating Security ControlnounControlMay 8, 2026
Compensating Security ControlMWEcandidateMay 8, 2026
compensationnounSomething, typically money, given or received in recognition of loss, suffering, or injury.candidateMay 9, 2026
competencenounThe state or quality of possessing the necessary ability, knowledge, or skill to do something successfully.CapabilityMay 9, 2026
Competitive IntelligencenounCompetitive Intelligence is espionage using legal, or at least not obviously illegal, means.ThreatIPMay 12, 2026
Competitive IntelligenceMWEcandidateMay 12, 2026
compileverbgather and assemble information from multiple sources into one collectionCreateUnclassifiedMay 11, 2026
completeverbfinish or bring to a conclusion all required parts of a taskApplyUnclassifiedMay 11, 2026
completenounCome or bring to a finish or an end.candidateMay 9, 2026
completenessnounThe state of having all the necessary or appropriate parts; having everything that is needed.MetricMay 9, 2026
completionnounThe action or process of completing or finishing something.ProcessMay 9, 2026
completion datenounA date when something will be finished, especially the date when a new building, road, etc. will be finished according to a contract; the date when the ownership of a property legally passes from one person to another.MetricMay 9, 2026
completion dateMWEcandidateMay 9, 2026
complexitynounThe degree of intricacy of a system or system component, determined by such factors as the number of conditional branches, the degree of nesting and the length and types of data structures. (CMS).MetricMay 12, 2026
CompliancenounThe state of being in accordance with laws, regulations, industry codes, organizational standards, or contractual arrangements.ProcessMay 9, 2026
Compliance documentsnounPolicies, standards and procedures that document the actions that are required or prohibited. Violations may be subject to disciplinary actions.ArtifactInternalMay 9, 2026
Compliance documentsMWEcandidateMay 9, 2026
Compliance Enforcement AuthoritynounThe North American Electric Reliability Corporation (NERC) or the Regional Entity in their respective roles of monitoring and enforcing compliance with the NERC Reliability Standards.OrganizationRegulatedCUIMay 12, 2026
Compliance Enforcement AuthorityMWEcandidateMay 12, 2026
compliance plannounA compliance plan is a system of checks and balances through which a reasonable effort is made to identify potential non-compliance issues regarding applicable laws and regulations, and to eliminate or mitigate those issues.ProcessInternalMay 9, 2026
compliance planMWEcandidateMay 9, 2026
compliance policynounAn official expression of principles that direct an organization's approach to compliance.RequirementInternalMay 9, 2026
compliance policyMWEcandidateMay 9, 2026
compliance procedurenounA detailed description of the steps necessary to implement or perform something in conformance with applicable standards.RequirementMay 9, 2026
compliance procedureMWEcandidateMay 9, 2026
compliance programnounCompliance programs aim to prevent, and where necessary, identify and respond to, breaches of laws, regulations, codes or organizational standards occurring in the organization; and promote a culture of compliance within the organization.ProcessInternalMay 9, 2026
compliance programMWEcandidateMay 9, 2026
compliance requirementnounThe various legal, contractual, and service level requirements that an organization must follow.RequirementRegulatedMay 12, 2026
compliance requirementMWEcandidateMay 12, 2026
compliance risknounThe risk to current and prospective earnings that arises from violating or not acting in accordance with laws, rules, regulations, prescribed practices, or ethical standards.MetricRegulatedMay 9, 2026
compliance riskMWEcandidateMay 9, 2026
compliance violation is detectednounThis Triggering Event takes place when it has been discovered that the condition of someone or something does not conform to the documented policies and standards.FindingRegulatedMay 9, 2026
compliance violation is detectedMWEcandidateMay 9, 2026
complyverbTo act in accordance with a wish, command, law, standard, or contractual obligation.UnclassifiedMay 11, 2026
ComponentnounAn element or part of a business process.ProcessMay 12, 2026
Component Test/ExercisenounA testing activity designed to validate the continuity of individual systems, processes, or functions, in isolation. For example, component tests may focus on recovering specific network devices, application restoration procedures, off-site tape storage, or proving the validity of data for a particular business line.ProcessMay 12, 2026
Component Test/ExerciseMWEcandidateMay 12, 2026
composeverbcreate original written, musical, or artistic workCreateUnclassifiedMay 11, 2026
compositionnounSomething that is composed of several elements.candidateMay 12, 2026
Comprehensive TestingnounA test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Also known as white box testing.ProcessMay 12, 2026
Comprehensive TestingMWEcandidateMay 12, 2026
CompromisenounDisclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.EventRegulatedMay 12, 2026
Compromising EmanationsnounUnintentional signals that, if intercepted and analyzed, would disclose the information transmitted, received, handled, or otherwise processed by information systems equipment. See TEMPEST.VulnerabilityRegulatedCUIMay 9, 2026
Compromising EmanationsMWEcandidateMay 9, 2026
computeverbperform mathematical calculations to determine a resultApplyUnclassifiedMay 11, 2026
Computer AbusenounIntentional or reckless misuse, alteration, disruption, or destruction of information processing resources.ThreatRegulatedMay 9, 2026
Computer AbuseMWEcandidateMay 9, 2026
Computer CryptographynounUse of a crypto-algorithm program by a computer to authenticate or encrypt/decrypt information.CapabilityMay 9, 2026
Computer CryptographyMWEcandidateMay 9, 2026
Computer emergency response teamnounA group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.OrganizationMay 9, 2026
Computer emergency response teamMWEcandidateMay 9, 2026
Computer forensicsnounThe practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.ProcessRegulatedMay 12, 2026
Computer forensicsMWEcandidateMay 12, 2026
Computer Incident Response TeamnounGroup of individuals usually consisting of Security Analysts organized to develop, recommend, and coordinate immediate mitigation actions for containment, eradication, and recovery resulting from computer security incidents. Also called a Computer Security Incident Response Team (CSIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability, or Cyber Incident Response Team).OrganizationMay 9, 2026
Computer Incident Response TeamMWEcandidateMay 9, 2026
Computer NetworknounA collection of host computers together with the sub-network or inter-network through which they can exchange data.NetworkMay 9, 2026
Computer NetworkMWEcandidateMay 9, 2026
Computer Network AttacknounActions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.ThreatRegulatedCUIMay 9, 2026
Computer Network AttackMWEcandidateMay 9, 2026
computer network defensenounActions taken to defend against unauthorized activity within computer networks. CND includes monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities.CapabilityRegulatedMay 12, 2026
computer network defenseMWEcandidateMay 12, 2026
Computer Network Defense AnalysisnounIn the NICE Workforce Framework, cybersecurity work where a person: Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats.CapabilityMay 9, 2026
Computer Network Defense AnalysisMWEcandidateMay 9, 2026
Computer Network Defense Infrastructure SupportnounIn the NICE Workforce Framework, cybersecurity work where a person: Tests, implements, deploys, maintains, reviews, and administers the infrastructure hardware and software that are required to effectively manage the computer network defense service provider network and resources; monitors network to actively remediate unauthorized activities.CapabilityMay 9, 2026
Computer Network ExploitationnounEnabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary information systems or networks.ThreatRegulatedCUIMay 9, 2026
Computer Network ExploitationMWEcandidateMay 9, 2026
Computer Network OperationsnounComprised of computer network attack, computer network defense, and related computer network exploitation enabling operations.CapabilityRestrictedCUIMay 9, 2026
Computer Network OperationsMWEcandidateMay 9, 2026
computer operationnounThe function responsible for operating the computer and peripheral equipment, including providing the tape, disk, or paper resources as requested by the application systems.ProcessMay 9, 2026
computer operationMWEcandidateMay 9, 2026
computer portnounA computer port is a connection point or interface between a computer and an external or internal device. Internal ports may connect such devices as hard drives and CD ROM or DVD drives; external ports may connect modems, printers, mice and other devices.PhysicalMay 12, 2026
computer portMWEcandidateMay 12, 2026
computer roomnounA facility used to house computer systems and associated components, such as telecommunications and storage systems, generally including redundant or backup power supplies, redundant data communications connections, environmental controls (e.g., air conditioning, fire suppression) and various security devices.PhysicalRestrictedMay 9, 2026
computer roomMWEcandidateMay 9, 2026
Computer SecuritynounMeasures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated.CapabilityMay 9, 2026
Computer SecurityMWEcandidateMay 9, 2026
Computer Security Incident Response TeamnounA capability set up for the purpose of assisting in responding to computer security-related incidents; also called a Computer Incident Response Team (CIRT) or a CIRC (Computer Incident Response Center, Computer Incident Response Capability).CapabilityMay 9, 2026
Computer Security ObjectnounA resource, tool, or mechanism used to maintain a condition of security in a computerized environment. These objects are defined in terms of attributes they possess, operations they perform or are performed on them, and their relationship with other objects.ControlMay 9, 2026
Computer Security ObjectMWEcandidateMay 9, 2026
Computer Security Objects RegisternounA collection of Computer Security Object names and definitions kept by a registration authority.ArtifactInternalMay 9, 2026
Computer Security Objects RegisterMWEcandidateMay 9, 2026
Computer Security SubsystemnounHardware/software designed to provide computer security features in a larger system environment.SystemMay 9, 2026
Computer Security SubsystemMWEcandidateMay 9, 2026
Computer VisionnouncandidateMay 13, 2026
Computer VisionMWEcandidateMay 13, 2026
Computing EnvironmentnounWorkstation or server (host) and its operating system, peripherals, and applications.SystemMay 9, 2026
Computing EnvironmentMWEcandidateMay 9, 2026
COMSECnounCommunications Security.CapabilityRegulatedCUIMay 9, 2026
COMSEC AccountnounAdministrative entity, identified by an account number, used to maintain accountability, custody, and control of COMSEC material.IdentityRegulatedCUIMay 9, 2026
COMSEC AccountMWEcandidateMay 9, 2026
COMSEC Account AuditnounExamination of the holdings, records, and procedures of a COMSEC account ensuring all accountable COMSEC material is properly handled and safeguarded.ProcessRegulatedCUIMay 9, 2026
COMSEC Account AuditMWEcandidateMay 9, 2026
COMSEC AidnounCOMSEC material that assists in securing telecommunications and is required in the production, operation, or maintenance of COMSEC systems and their components. COMSEC keying material, callsign/frequency systems, and supporting documentation, such as operating and maintenance manuals, are examples of COMSEC aids.DataRegulatedCUIMay 9, 2026
COMSEC AidMWEcandidateMay 9, 2026
COMSEC AssemblynounGroup of parts, elements, subassemblies, or circuits that are removable items of COMSEC equipment.PhysicalRegulatedCUIMay 9, 2026
COMSEC AssemblyMWEcandidateMay 9, 2026
COMSEC BoundarynounDefinable perimeter encompassing all hardware, firmware, and software components performing critical COMSEC functions, such as key generation, handling, and storage.ControlRegulatedCUIMay 9, 2026
COMSEC BoundaryMWEcandidateMay 9, 2026
COMSEC Chip SetnounCollection of NSA-approved microchips.PhysicalRegulatedCUIMay 9, 2026
COMSEC Chip SetMWEcandidateMay 9, 2026
COMSEC Control ProgramnounComputer instructions or routines controlling or affecting the externally performed functions of key generation, key distribution, message encryption/decryption, or authentication.ControlRegulatedCUIMay 9, 2026
COMSEC Control ProgramMWEcandidateMay 9, 2026
COMSEC CustodiannounIndividual designated by proper authority to be responsible for the receipt, transfer, accounting, safeguarding, and destruction of COMSEC material assigned to a COMSEC account.RoleMay 9, 2026
COMSEC CustodianMWEcandidateMay 9, 2026
COMSEC DemilitarizationnounProcess of preparing COMSEC equipment for disposal by extracting all CCI, classified, or cryptographic (CRYPTO) marked components for their secure destruction, as well as defacing and disposing of the remaining equipment hulk.ProcessRegulatedCUIMay 9, 2026
COMSEC DemilitarizationMWEcandidateMay 9, 2026
COMSEC ElementnounRemovable item of COMSEC equipment, assembly, or subassembly; normally consisting of a single piece or group of replaceable parts.PhysicalRegulatedCUIMay 9, 2026
COMSEC ElementMWEcandidateMay 9, 2026
COMSEC End-itemnounEquipment or combination of components ready for use in a COMSEC application.PhysicalRegulatedCUIMay 9, 2026
COMSEC End-itemMWEcandidateMay 9, 2026
COMSEC EquipmentnounEquipment designed to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and, subsequently, by reconverting such information to its original form for authorized recipients; also, equipment designed specifically to aid in, or as an essential element of, the conversion process. COMSEC equipment includes crypto-equipment, crypto-ancillary equipment, cryptographic production equipment, and authentication equipment.PhysicalRegulatedCUIMay 9, 2026
COMSEC EquipmentMWEcandidateMay 9, 2026
COMSEC FacilitynounAuthorized and approved space used for generating, storing, repairing, or using COMSEC material.PhysicalRegulatedCUIMay 9, 2026
COMSEC FacilityMWEcandidateMay 9, 2026
COMSEC IncidentnounOccurrence that potentially jeopardizes the security of COMSEC material or the secure electrical transmission of national security information or information governed by 10 U.S.C. Section 2315.EventRegulatedCUIMay 9, 2026
COMSEC IncidentMWEcandidateMay 9, 2026
COMSEC InsecuritynounCOMSEC incident that has been investigated, evaluated, and determined to jeopardize the security of COMSEC material or the secure transmission of information.EventRegulatedCUIMay 9, 2026
COMSEC InsecurityMWEcandidateMay 9, 2026
COMSEC ManagernounIndividual who manages the COMSEC resources of an organization.RoleRegulatedCUIMay 9, 2026
COMSEC ManagerMWEcandidateMay 9, 2026
COMSEC MaterialnounItem designed to secure or authenticate telecommunications. COMSEC material includes, but is not limited to key, equipment, devices, documents, firmware, or software that embodies or describes cryptographic logic and other items that perform COMSEC functions.DataRegulatedCUIMay 9, 2026
COMSEC MaterialMWEcandidateMay 9, 2026
COMSEC Material Control SystemnounLogistics and accounting system through which COMSEC material marked "CRYPTO" is distributed, controlled, and safeguarded. Included are the COMSEC central offices of record, crypto logistic depots, and COMSEC accounts. COMSEC material other than key may be handled through the CMCS.SystemRegulatedCUIMay 9, 2026
COMSEC Material Control SystemMWEcandidateMay 9, 2026
COMSEC ModulenounRemovable component that performs COMSEC functions in a telecommunications equipment or system.PhysicalRegulatedCUIMay 9, 2026
COMSEC ModuleMWEcandidateMay 9, 2026
COMSEC MonitoringnounAct of listening to, copying, or recording transmissions of one's own official telecommunications to analyze the degree of security.ProcessRegulatedCUIMay 9, 2026
COMSEC MonitoringMWEcandidateMay 9, 2026
COMSEC ProfilenounStatement of COMSEC measures and materials used to protect a given operation, system, or organization.ArtifactRegulatedCUIMay 9, 2026
COMSEC ProfileMWEcandidateMay 9, 2026
COMSEC SurveynounOrganized collection of COMSEC and communications information relative to a given operation, system, or organization.ArtifactRestrictedCUIMay 9, 2026
COMSEC SurveyMWEcandidateMay 9, 2026
COMSEC System DatanounInformation required by a COMSEC equipment or system to enable it to properly handle and control key.DataRegulatedCUIMay 9, 2026
COMSEC System DataMWEcandidateMay 9, 2026
COMSEC TrainingnounTeaching of skills relating to COMSEC accounting, use of COMSEC aids, or installation, use, maintenance, and repair of COMSEC equipment.ProcessRegulatedCUIMay 9, 2026
COMSEC TrainingMWEcandidateMay 9, 2026
ConcentratornounIn data transmission, a concentrator is a functional unit that permits a common path to handle more data sources than there are channels currently available within the path. A device that connects a number of circuits, which are not all used at once, to a smaller group of circuits for economy.SystemMay 9, 2026
Concept DriftnouncandidateMay 13, 2026
Concept DriftMWEcandidateMay 13, 2026
concludeverbarrive at a judgment or logical end point based on evidence and reasoningCreateUnclassifiedMay 11, 2026
conclusionverbdetermine the logical end point or final judgment from analysisAnalyzeUnclassifiedMay 11, 2026
conclusionnounA position or opinion or judgment reached after consideration.FindingMay 9, 2026
concoctverbdevise or create something by combining various elements in a new wayCreateUnclassifiedMay 11, 2026
conditionnounA particular state of a person or thing.RequirementMay 9, 2026
conductverbcarry out, organize, or direct a process, study, or activityApplyUnclassifiedMay 11, 2026
confidential datanounData or records that are private or proprietary.DataConfidentialMay 12, 2026
confidential dataMWEcandidateMay 12, 2026
ConfidentialitynounThe property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information.RequirementMay 9, 2026
confidentiality, integrity, and availabilitynounA triad of security practices that: (1) prohibit an unauthorized entity from accessing, creating, modifying, disclosing or destroying information; and (2) require information systems are operational when needed by authorized users.FrameworkMay 12, 2026
configuration change control processnounAn action that is taken or performed to systematically manage all changes made to an asset's arrangement, system configuration, or security configuration in order to prevent unnecessary disruptions and vulnerabilities and to mitigate threats. Its purpose is to ensure that all changes to a complex system are performed with the knowledge and consent of management.ProcessRegulatedMay 12, 2026
configuration change control processMWEcandidateMay 12, 2026
configuration change managementnounA process for managing configuration changes and variances in configurations.ProcessRegulatedMay 9, 2026
configuration change managementMWEcandidateMay 9, 2026
Configuration ControlnounProcess of controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modification prior to, during, and after system implementation.ProcessRegulatedMay 12, 2026
Configuration ControlMWEcandidateMay 12, 2026
Configuration Control BoardnounA group of qualified people with responsibility for the process of regulating and approving changes to hardware, firmware, software, and documentation throughout the development and operational life cycle of an information system.OrganizationMay 9, 2026
Configuration Control BoardMWEcandidateMay 9, 2026
Configuration managementnounThe management of security features and assurances through control of changes made to a system's hardware, software, firmware, documentation, testing, test fixtures, and test documentation throughout the development and operational life of the system.ProcessMay 9, 2026
Configuration managementMWEcandidateMay 9, 2026
configureverbconfigure system or application settingsApplyPrimaryMay 11, 2026
configure a systemnounThe setting of various switches and jumpers for hardware and the defining of values of parameters for software. Each parameter specifies a preferred or required setting or policy for a computer system, or a configuration control such as a particular registry key, file, or GPO setting. Every parameter includes descriptive elements in a human-understandable manner.ProcessMay 12, 2026
configure a systemMWEcandidateMay 12, 2026
confirmverbverify that something is true, accurate, or validAnalyzeUnclassifiedMay 11, 2026
confirmnounEstablish the truth or correctness of something previously believed to be the case.ProcessMay 9, 2026
conform tonounObserve.RequirementMay 9, 2026
conform toMWEcandidateMay 9, 2026
conformancenounCompliance with standards, rules, or laws.FindingMay 12, 2026
Confusion MatrixnouncandidateMay 13, 2026
Confusion MatrixMWEcandidateMay 13, 2026
conjectureverbform an opinion or hypothesis based on incomplete informationCreateUnclassifiedMay 11, 2026
connectverbidentify or establish relationships between ideas, concepts, or informationAnalyzeUnclassifiedMay 11, 2026
connectionnounThe state of being linked physically or notionally.NetworkMay 9, 2026
Connectivity TestingnounA testing activity designed to validate the continuity of network communications.ProcessMay 12, 2026
Connectivity TestingMWEcandidateMay 12, 2026
ConsentnounRegulatedMay 13, 2026
consequencenounThe effect of an event, incident, or occurrence.EventMay 9, 2026
considerverbthink carefully about something before making a judgment or decisionEvaluateUnclassifiedMay 11, 2026
consistnounHave its essential character; be comprised or contained in; be embodied in.candidateMay 9, 2026
Constituent SystemnounSystemMay 13, 2026
Constituent SystemMWEcandidateMay 13, 2026
constituteverbform or compose something by combining elementsCreateUnclassifiedMay 11, 2026
constitutenounGive legal or constitutional form to (an institution); establish by law.RequirementRegulatedMay 12, 2026
constraintnounThe state of being restricted or prevented.RequirementMay 9, 2026
constructverbbuild, create, or put together a structure, argument, or productCreateUnclassifiedMay 11, 2026
Construct ValiditynouncandidateMay 13, 2026
Construct ValidityMWEcandidateMay 13, 2026
consultantnounA person who provides expert advice professionally.RoleMay 12, 2026
ConsumernounUsually refers to an individual engaged in non-commercial transactions.IdentityRegulatedPIIMay 9, 2026
Consumer AccountnounA deposit account held by a participating depository financial institution and established by a natural person primarily for personal, family, or household use and not for commercial purposes.DataRegulatedPIIMay 9, 2026
Consumer AccountMWEcandidateMay 9, 2026
Consumer informationnounFor purposes of the Information Security Standards, “consumer information” means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report that is maintained by or on behalf of a financial institution for a business purpose, such as information that an institution obtains about a loan applicant or a prospective employee from a consumer report.DataRegulatedPIIMay 9, 2026
Consumer informationMWEcandidateMay 9, 2026
ConsumerizationnounA new model in which emerging technologies are first embraced by the consumer market and later spread to the businessThreatMay 9, 2026
contactverbTo communicate with someone.UnclassifiedMay 11, 2026
contact informationnounInformation usually containing the person's telephone number(s), fax number, address, and electronic mail address(es).DataRegulatedPIIMay 9, 2026
contact informationMWEcandidateMay 9, 2026
containverbTo have, hold, include, or be a part of.UnclassifiedMay 11, 2026
ContainernounThe file used by a virtual disk encryption technology to encompass and protect other files.SystemRestrictedMay 12, 2026
ContainmentnounActions taken to limit exposure after an incident has been identified and confirmedProcessMay 9, 2026
ContaminationnounType of incident involving the introduction of data of one security classification or security category into data of a lower security classification or different security category.EventRegulatedCUIMay 9, 2026
contentnounThe intellectual substance of a document, including text, data, symbols, numerals, images, and sound.DataMay 9, 2026
Content filteringnounThe process of monitoring communications such as email and Web pages, analyzing them for suspicious content, and preventing the delivery of suspicious content to users.CapabilityMay 9, 2026
Content filteringMWEcandidateMay 9, 2026
Content ValiditynouncandidateMay 13, 2026
Content ValidityMWEcandidateMay 13, 2026
contextnounThe circumstances and conditions that surround an event or environment.candidateMay 12, 2026
Context-Of-UsenouncandidateMay 13, 2026
Contextual LearningnouncandidateMay 13, 2026
Contextual LearningMWEcandidateMay 13, 2026
Contingency KeynounKey held for use under specific operational conditions or in support of specific contingency plans. See Reserve Keying Material.CredentialRegulatedCUIMay 9, 2026
Contingency KeyMWEcandidateMay 9, 2026
Contingency PlannounManagement policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The Contingency Plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the Continuity of Operations Plan (COOP) or Disaster Recovery Plan for major disruptions.RequirementRestrictedCUIMay 9, 2026
Contingency PlanMWEcandidateMay 9, 2026
Contingency PlanningnounThe purpose of this task is to support the required actions for planning, responding, and mitigating damaging events.ProcessRegulatedMay 12, 2026
Contingency PlanningMWEcandidateMay 12, 2026
Continuity of GovernmentnounA coordinated effort within the federal government's executive branch to ensure that national essential functions continue to be performed during a catastrophic emergency.ProcessRestrictedCUIMay 9, 2026
Continuity of GovernmentMWEcandidateMay 9, 2026
Continuity of Operations PlannounManagement policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The COOP is the third plan needed by the enterprise risk managers and is used when the enterprise must recover (often at an alternate site) for a specified period of time. Defines the activities of individual departments and agencies and their sub-components to ensure that their essential functions are performed. This includes plans and procedures that delineate essential functions; specify succession to office and the emergency delegation of authority; provide for the safekeeping of vital records and databases; identify alternate operating facilities; provide for interoperable communications; and validate the capability through tests, training, and exercises. See also Disaster Recovery Plan and Contingency Plan.ProcessRestrictedMay 12, 2026
Continuity of Operations PlanMWEcandidateMay 12, 2026
continuity plannounA step by step outline of management procedures designed to maintain and restore business operations in the event of an emergency or system failure.ProcessInternalMay 9, 2026
continuity planMWEcandidateMay 9, 2026
continuity requirementnounA statement of a necessary condition to provide continuity.RequirementMay 9, 2026
continuity requirementMWEcandidateMay 9, 2026
Continuous MonitoringnounThe process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: 1) The development of a strategy to regularly evaluate selected IA controls/metrics, 2) Recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events, 3) Recording changes to IA controls, or changes that affect IA risks, and 4) Publishing the current security status to enable information-sharing decisions involving the enterprise.ProcessRegulatedCUIMay 12, 2026
Continuous MonitoringMWEcandidateMay 12, 2026
contractnounA document that records the terms and conditions of a legally binding agreement.ArtifactConfidentialMay 9, 2026
contract terminationnounCancellation of an entire contract or of its most significant part.ProcessMay 12, 2026
contract terminationMWEcandidateMay 12, 2026
contractornounA person or firm that undertakes a contract to provide materials or labor to perform a service or do a job.RoleMay 9, 2026
contractual obligationnounA course of action or conditions that someone is legally bound to because they signed a contract.RequirementRestrictedMay 12, 2026
contractual obligationMWEcandidateMay 12, 2026
contractual protectionnounA measure in a contract intended to shield an individual or entity from harm, injury, or liability.ControlMay 12, 2026
contractual protectionMWEcandidateMay 12, 2026
contractual requirementnounWritten and signed stipulations (within the said contract) employed in controlling, directing, or managing an activity, organization, or system.RequirementConfidentialMay 12, 2026
contractual requirementMWEcandidateMay 12, 2026
contrastverbidentify and highlight the differences between two or more itemsEvaluateUnclassifiedMay 11, 2026
controlverbTo exercise authority over; direct; regulate. This includes exercising authority over the processes of issuance and revocation, management, and auditing.EvaluateUnclassifiedMay 11, 2026
control and monitorverbTo have the power to direct or operate something in a certain way and regularly observe it.UnclassifiedMay 11, 2026
control and monitorMWEcandidateMay 11, 2026
Control ClassnouncandidateMay 13, 2026
Control ClassMWEcandidateMay 13, 2026
Control InformationnounInformation that is entered into a cryptographic module for the purposes of directing the operation of the module.DataRestrictedCUIMay 12, 2026
Control InformationMWEcandidateMay 12, 2026
Control requirementsnounProcess used to document and/or track internal processes to determine that those established procedures and/or physical security policies are being followed.RequirementRegulatedMay 9, 2026
Control requirementsMWEcandidateMay 9, 2026
Control self-assessmentnounA technique used to internally assess the effectiveness of risk management and control processes.ProcessMay 9, 2026
Control self-assessmentMWEcandidateMay 9, 2026
ControllabilitynouncandidateMay 13, 2026
Controlled Access AreanounPhysical area (e.g., building, room, etc.) to which only authorized personnel are granted unrestricted access. All other personnel are either escorted by authorized personnel or are under continuous surveillance.PhysicalRegulatedMay 9, 2026
Controlled Access AreaMWEcandidateMay 9, 2026
Controlled Access ProtectionnounMinimum set of security functionality that enforces access control on individual users and makes them accountable for their actions through login procedures, auditing of security-relevant events, and resource isolation.ControlMay 9, 2026
Controlled Access ProtectionMWEcandidateMay 9, 2026
Controlled AreanounAny area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and/or information system.PhysicalRestrictedMay 9, 2026
Controlled AreaMWEcandidateMay 9, 2026
Controlled Cryptographic ItemnounSecure telecommunications or information system, or associated cryptographic component, that is unclassified and handled through the COMSEC Material Control System (CMCS), an equivalent material control system, or a combination of the two that provides accountability and visibility. Such items are marked “Controlled Cryptographic Item,” or, where space is limited, “CCI”.PhysicalRegulatedCUIMay 9, 2026
Controlled Cryptographic ItemMWEcandidateMay 9, 2026
Controlled Cryptographic Item AssemblynounDevice embodying a cryptographic logic or other COMSEC design that NSA has approved as a Controlled Cryptographic Item (CCI). It performs the entire COMSEC function, but depends upon the host equipment to operate.PhysicalRegulatedCUIMay 9, 2026
Controlled Cryptographic Item ComponentnounPart of a Controlled Cryptographic Item (CCI) that does not perform the entire COMSEC function but depends upon the host equipment, or assembly, to complete and operate the COMSEC function.PhysicalRegulatedCUIMay 9, 2026
Controlled Cryptographic Item EquipmentnounTelecommunications or information handling equipment that embodies a Controlled Cryptographic Item (CCI) component or CCI assembly and performs the entire COMSEC function without dependence on host equipment to operate.PhysicalRegulatedCUIMay 9, 2026
Controlled InterfacenounA boundary with a set of mechanisms that enforces the security policies and controls the flow of information between interconnected information systems.ControlMay 9, 2026
Controlled InterfaceMWEcandidateMay 9, 2026
Controlled SpacenounThree-dimensional space surrounding information system equipment, within which unauthorized individuals are denied unrestricted access and are either escorted by authorized individuals or are under continuous physical or electronic surveillance.PhysicalRegulatedMay 12, 2026
Controlled SpaceMWEcandidateMay 12, 2026
Controlled Unclassified InformationnounA categorical designation that refers to unclassified information that does not meet the standards for National Security Classification under Executive Order 12958, as amended, but is (i) pertinent to the national interests of the United States or to the important interests of entities outside the federal government, and (ii) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or prescribed limits on exchange or dissemination. Henceforth, the designation CUI replaces "Sensitive But Unclassified" (SBU).RequirementRegulatedCUIMay 9, 2026
ControllernounRegulatedPIIMay 13, 2026
Controlling AuthoritynounOfficial responsible for directing the operation of a cryptonet and for managing the operational use and control of keying material assigned to the cryptonet.RoleRegulatedCUIMay 9, 2026
Controlling AuthorityMWEcandidateMay 9, 2026
ControlsnounThis record category contains standards used as a comparison for checking and verifying results of a survey or experiment or contains policies, procedures, practices, and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected.ControlMay 12, 2026
conversionnounA process of changing something's form or function.ProcessMay 9, 2026
Conversion plannounA plan that details transition planning and implementation issues in the period between the execution of an outsourcing agreement and the full production use of the outsourced services.ProcessRegulatedMay 12, 2026
Conversion planMWEcandidateMay 12, 2026
convertverbchange information, data, or material from one form to anotherApplyUnclassifiedMay 11, 2026
convinceverbpersuade someone through evidence and reasoning to accept a positionEvaluateUnclassifiedMay 11, 2026
CookienounA piece of state information supplied by a Web server to a browser, in a response for a requested resource, for the browser to store temporarily and return to the server on any subsequent visits or requests.DataMay 12, 2026
Cooperative Key GenerationnounElectronically exchanging functions of locally generated, random components, from which both terminals of a secure circuit construct traffic encryption key or key encryption key for use on that circuit. See Per-Call Key.ProcessRestrictedMay 12, 2026
Cooperative Key GenerationMWEcandidateMay 12, 2026
Cooperative Remote RekeyingnounSynonymous with manual remote rekeying.ProcessRegulatedCUIMay 12, 2026
Cooperative Remote RekeyingMWEcandidateMay 12, 2026
coordinateverborganize and integrate multiple elements or activities to work together effectivelyApplyUnclassifiedMay 11, 2026
copeverbmanage or deal effectively with challenges or complex situationsCreateUnclassifiedMay 11, 2026
CopilotnouncandidateMay 13, 2026
copyverbreproduce information, text, or material exactly as presentedRememberUnclassifiedMay 11, 2026
Core firmnounCore clearing and settlement organization that serves critical financial markets.OrganizationRegulatedMay 9, 2026
Core firmMWEcandidateMay 9, 2026
Corpus (corpora)nounDataMay 13, 2026
Corpus (corpora)MWEcandidateMay 13, 2026
correctverbTo make or put right; amend; rectify.UnclassifiedMay 11, 2026
corrective actionnounAction that is taken in order to rectify errors that were made.ControlMay 9, 2026
corrective actionMWEcandidateMay 9, 2026
Corrective controlnounA mitigating technique designed to lessen the impact to the institution when adverse events occur.ControlMay 12, 2026
Corrective controlMWEcandidateMay 12, 2026
Correctness ProofnounA mathematical proof of consistency between a specification and its implementation.ArtifactIPMay 9, 2026
Correctness ProofMWEcandidateMay 9, 2026
correlateverbidentify and establish mutual relationships or connections between data setsAnalyzeUnclassifiedMay 11, 2026
CorrelationnouncandidateMay 13, 2026
correspondverbcommunicate or establish connections between related elementsCreateUnclassifiedMay 11, 2026
Correspondent BanknounAn institution, acting on behalf of other institutions, that can settle the checks they collect for other institutions (respondents) by using accounts on their books or by sending a wire funds transfer. Generally, a provider of banking and payment services to other financial institutions.OrganizationRegulatedMay 9, 2026
Correspondent BankMWEcandidateMay 9, 2026
CorruptionnounA threat action that undesirably alters system operation by adversely modifying system functions or data.ThreatMay 9, 2026
costnounThe monetary value of resources used or sacrificed or liabilities incurred to achieve an objective such as to acquire or produce a good or to perform an activity or service.MetricMay 12, 2026
Cost Benefit AnalysisnounA cost benefit analysis compares the cost of implementing countermeasures with the value of the reduced risk.ProcessMay 9, 2026
Cost Benefit AnalysisMWEcandidateMay 9, 2026
counselverbprovide expert advice or guidance based on evaluation and judgmentEvaluateUnclassifiedMay 11, 2026
countverbdetermine the total number of items in a setRememberUnclassifiedMay 11, 2026
countnounDetermine the total number of a collection of items.MetricMay 12, 2026
Counter with Cipher Block Chaining-Message Authentication CodenounA mode of operation for a symmetric key block cipher algorithm. It combines the techniques of the Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC) algorithm to provide assurance of the confidentiality and the authenticity of computer data.ControlMay 9, 2026
Counterfactual ExplanationnouncandidateMay 13, 2026
Counterfactual ExplanationMWEcandidateMay 13, 2026
Counterfactual FairnessnouncandidateMay 13, 2026
Counterfactual FairnessMWEcandidateMay 13, 2026
CountermeasurenounActions, devices, procedures, or techniques that meet or oppose (i.e., counters) a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.ControlMay 9, 2026
Courtesy amount recognition (CAR)nounThe numeric amount of a check.DataRegulatedPCIMay 12, 2026
Courtesy amount recognition (CAR)MWEcandidateMay 12, 2026
coververbTo deal with a subject by describing or analyzing its most important aspects or events.UnclassifiedMay 11, 2026
Cover-CodingnounA technique to reduce the risks of eavesdropping by obscuring the information that is transmitted.ControlMay 9, 2026
CoveragenounAn attribute associated with an assessment method that addresses the scope or breadth of the assessment objects included in the assessment (e.g., types of objects to be assessed and the number of objects to be assessed by type). The values for the coverage attribute, hierarchically from less coverage to more coverage, are basic, focused, and comprehensive.MetricMay 12, 2026
Covered EntitynounAny Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.OrganizationRegulatedMay 12, 2026
Covered EntityMWEcandidateMay 12, 2026
Covert ChannelnounAn unauthorized communication path that manipulates a communications medium in an unexpected, unconventional, or unforeseen way in order to transmit information without detection by anyone other than the entities operating the covert channel.VulnerabilityRestrictedCUIMay 12, 2026
Covert ChannelMWEcandidateMay 12, 2026
Covert Channel AnalysisnounDetermination of the extent to which the security policy model and subsequent lower-level program descriptions may allow unauthorized access to information.ProcessRestrictedCUIMay 9, 2026
Covert Channel AnalysisMWEcandidateMay 9, 2026
Covert Storage ChannelnounCovert channel involving the direct or indirect writing to a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g., sectors on a disk) that is shared by two subjects at different security levels.VulnerabilityRegulatedCUIMay 9, 2026
Covert Storage ChannelMWEcandidateMay 9, 2026
Covert TestingnounTesting performed using covert methods and without the knowledge of the organization’s IT staff, but with the full knowledge and permission of upper management.ProcessInternalMay 12, 2026
Covert TestingMWEcandidateMay 12, 2026
Covert Timing ChannelnounCovert channel in which one process signals information to another process by modulating its own use of system resources (e.g., central processing unit time) in such a way that this manipulation affects the real response time observed by the second process.VulnerabilityRegulatedMay 12, 2026
Covert Timing ChannelMWEcandidateMay 12, 2026
createverbproduce something new and original that did not previously existCreateUnclassifiedMay 11, 2026
create and maintainnounBring something into existence and cause or enable it to continue.ProcessMay 9, 2026
create and maintainMWEcandidateMay 9, 2026
credentialnounAn object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber.CredentialRestrictedMay 12, 2026
Credential Service ProvidernounA trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use.OrganizationRegulatedMay 12, 2026
Credential Service ProviderMWEcandidateMay 12, 2026
Credit CardnounA card indicating the holder has been granted a line of credit. It enables the holder to make purchases or withdraw cash up to a prearranged ceiling. The credit granted can be settled in full by the end of a specified period or can be settled in part, with the balance taken as extended credit. Interest is charged based on the terms of the credit card agreement and the holder is sometimes charged an annual fee.DataRegulatedPCIMay 9, 2026
Credit CardMWEcandidateMay 9, 2026
Credit EntrynounAn entry to the record of an account that represents the transfer or placement of funds into the account.ArtifactRegulatedPCIMay 9, 2026
Credit EntryMWEcandidateMay 9, 2026
credit policynounA company's policy on when its customers should pay for goods or services they have ordered; a government's policy at a particular time on how easy or difficult it should be for people and businesses to borrow and how much it should cost. The government influences this through changes in interest rates.RequirementRegulatedMay 12, 2026
credit policyMWEcandidateMay 12, 2026
CrimewarenounA type of malware used by cyber criminals. The malware is designed to enable the cyber criminal to make money off of the infected system (such as harvesting key strokes, using the infected systems to launch Denial of Service Attacks, etc.).ThreatMay 9, 2026
criminal records checknounThe purpose of this task is to determine if a person has been convicted of a crime.ProcessRegulatedPIIMay 9, 2026
criminal records checkMWEcandidateMay 9, 2026
Crisis managementnounThe process of managing an institution's operations in response to an emergency or event that threatens business continuity. An institution's ability to communicate with employees, customers, and the media, using various communications devices and methods, is a key component of crisis management.ProcessMay 9, 2026
Crisis managementMWEcandidateMay 9, 2026
Crisis Management Test/ExercisenounA testing exercise that validates the capabilities of crisis management teams to respond to specific events. Crisis management exercises typically test the call tree notification process with employees, vendors, and key clients. Escalation procedures and disaster declaration criteria may also be validated.ProcessInternalMay 12, 2026
Crisis Management Test/ExerciseMWEcandidateMay 12, 2026
criteriaverbidentify or apply the standards used for making judgments or decisionsEvaluateUnclassifiedMay 11, 2026
criterionnounA principle or standard by which something may be judged or decided.RequirementMay 12, 2026
Criterion ValiditynouncandidateMay 13, 2026
Criterion ValidityMWEcandidateMay 13, 2026
critical business functionnounA process that is necessary for a business to perform.ProcessMay 9, 2026
critical business functionMWEcandidateMay 9, 2026
critical business processnounA business process that must be restored immediately after a disruption to ensure the affected firm's ability to protect its assets, meet its critical needs, and satisfy mandatory regulations and requirements.ProcessRegulatedMay 9, 2026
critical business processMWEcandidateMay 9, 2026
critical employeenounAn employee whose skills and knowledge are vital to an organization's operations.RoleMay 12, 2026
critical employeeMWEcandidateMay 12, 2026
Critical Financial MarketsnounFinancial markets whose operations are critical to the economy. Critical financial markets provide the means for financial institutions to adjust their cash and securities positions and those of their customers in order to manage liquidity, market, and other risks to their organizations. Critical financial markets also provide support for the provision of a wide range of financial services to businesses and consumers in the United States and support the implementation of monetary policy. Examples of "critical financial markets" include: • Federal funds, foreign exchange, and commercial paper; • U.S. Government and agency securities; and • Corporate debt and equity securities.SystemRegulatedMay 12, 2026
Critical Financial MarketsMWEcandidateMay 12, 2026
critical functionnounBusiness activities or information that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the organization.CapabilityRestrictedMay 9, 2026
critical functionMWEcandidateMay 9, 2026
Critical infrastructurenounSystems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. [Critical Infrastructures Protection Act of 2001, 42 U.S.C. 5195c(e)]SystemRegulatedCUIMay 9, 2026
Critical infrastructureMWEcandidateMay 9, 2026
Critical Market ParticipantsnounParticipants in the financial markets that perform critical operations or provide critical services. Their inability to perform these operations or services could result in major disruptions in the financial system.OrganizationRegulatedMay 9, 2026
Critical Market ParticipantsMWEcandidateMay 9, 2026
critical operationsnounAny activity, function, process, or service, the loss of which, for even a short period of time, would materially affect the continued operation of an FMI, its participants, the market it serves, and/or the broader financial system.ProcessRegulatedMay 9, 2026
critical operationsMWEcandidateMay 9, 2026
Critical PathnounThe critical path represents the business processes or systems that must receive the highest priority during the recovery phase.ProcessRegulatedMay 12, 2026
Critical PathMWEcandidateMay 12, 2026
Critical Security ParameternounSecurity-related information (e.g., secret and private cryptographic keys, and authentication data such as passwords and Personal Identification Numbers [PINs]) whose disclosure or modification can compromise the security of a cryptographic module.DataRestrictedCUIMay 9, 2026
Critical Security ParameterMWEcandidateMay 9, 2026
critical servicenounA service that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the organization.SystemRestrictedMay 12, 2026
critical serviceMWEcandidateMay 12, 2026
critical systemnounA system that is necessary and crucial to the organization.SystemRegulatedMay 9, 2026
critical systemMWEcandidateMay 9, 2026
Critical system (infrastructure)nounThe systems and assets, whether physical or virtual, that are so vital that the incapacity or destruction of such may have a debilitating impact.SystemRegulatedMay 12, 2026
Critical system (infrastructure)MWEcandidateMay 12, 2026
critical third partynounA necessary third party that is vital to an organization's operations.OrganizationMay 12, 2026
critical third partyMWEcandidateMay 12, 2026
criticalitynounA measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.MetricMay 9, 2026
Criticality analysisnounAn analysis to evaluate resources or business functions to identify their importance to the enterprise, and the impact if a function cannot be completed or a resource is not available.ProcessMay 12, 2026
Criticality analysisMWEcandidateMay 12, 2026
Criticality LevelnounRefers to the (consequences of) incorrect behavior of a system. The more serious the expected direct and indirect effects of incorrect behavior, the higher the criticality level.MetricMay 9, 2026
Criticality LevelMWEcandidateMay 9, 2026
criticizeverbidentify and evaluate the weaknesses or faults in somethingEvaluateUnclassifiedMay 11, 2026
critiqueverbprovide a detailed, balanced analysis of the strengths and weaknesses of somethingEvaluateUnclassifiedMay 11, 2026
CronnounCron is a Unix application that runs jobs for users and administrators at scheduled times of the day.ProcessMay 9, 2026
Cross Site ScriptingnounA vulnerability that allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client. Websites are vulnerable if they display user supplied data from requests or forms without sanitizing the data so that it is not executable.VulnerabilityRegulatedMay 12, 2026
Cross Site ScriptingMWEcandidateMay 12, 2026
Cross-CertificatenounA certificate used to establish a trust relationship between two Certification Authorities.CredentialMay 9, 2026
Cross-Domain CapabilitiesnounThe set of functions that enable the transfer of information between security domains in accordance with the policies of the security domains involved.CapabilityRegulatedMay 12, 2026
Cross-Domain CapabilitiesMWEcandidateMay 12, 2026
Cross-Domain SolutionnounA form of controlled interface that provides the ability to manually and/or automatically access and/or transfer information between different security domains.ControlRegulatedCUIMay 9, 2026
Cross-Domain SolutionMWEcandidateMay 9, 2026
Cross-Market TestsnounCross-market tests are also called market-wide tests or "street tests" that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.ProcessInternalMay 9, 2026
Cross-Market TestsMWEcandidateMay 9, 2026
Crossover CablenounA crossover cable reverses the pairs of cables at the other end and can be used to connect devices directly together.PhysicalMay 12, 2026
Crossover CableMWEcandidateMay 12, 2026
CrowdsourcenouncandidateMay 13, 2026
cryptanalysisnoun1) Operations performed in defeating cryptographic protection without an initial knowledge of the key employed in providing the protection. 2) The study of mathematical techniques for attempting to defeat cryptographic techniques and information system security. This includes the process of looking for errors or weaknesses in the implementation of an algorithm or of the algorithm itself.CapabilityMay 12, 2026
Crypto OfficernounAn operator or process (subject), acting on behalf of the operator, performing cryptographic initialization or management functions.RoleRegulatedMay 12, 2026
Crypto OfficerMWEcandidateMay 12, 2026
CryptographicnounPertaining to, or concerned with, cryptography.CapabilityMay 9, 2026
Cryptographic AlarmnounCircuit or device that detects failures or aberrations in the logic or operation of crypto-equipment. Crypto-alarm may inhibit transmission or may provide a visible and/or audible alarm.EventRegulatedCUIMay 9, 2026
Cryptographic AlarmMWEcandidateMay 9, 2026
cryptographic algorithmnounA well-defined computational procedure that takes variable inputs, including a cryptographic key, and produces an output.ControlMay 9, 2026
cryptographic algorithmMWEcandidateMay 9, 2026
Cryptographic Algorithm or HashnounAn algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms.ControlMay 9, 2026
Cryptographic Algorithm or HashMWEcandidateMay 9, 2026
Cryptographic Ancillary EquipmentnounEquipment designed specifically to facilitate efficient or reliable operation of cryptographic equipment, without performing cryptographic functions itself.PhysicalRegulatedCUIMay 9, 2026
Cryptographic Ancillary EquipmentMWEcandidateMay 9, 2026
Cryptographic BindingnounAssociating two or more related elements of information using cryptographic techniques.ControlMay 9, 2026
Cryptographic BindingMWEcandidateMay 9, 2026
Cryptographic BoundarynounAn explicitly defined continuous perimeter that establishes the physical bounds of a cryptographic module and contains all the hardware, software, and/or firmware components of a cryptographic module.ControlRegulatedMay 9, 2026
Cryptographic BoundaryMWEcandidateMay 9, 2026
Cryptographic ComponentnounHardware or firmware embodiment of the cryptographic logic. A cryptographic component may be a modular assembly, a printed wiring assembly, a microcircuit, or a combination of these items.PhysicalRegulatedCUIMay 12, 2026
Cryptographic ComponentMWEcandidateMay 12, 2026
Cryptographic EquipmentnounEquipment that embodies a cryptographic logic.PhysicalRegulatedCUIMay 9, 2026
Cryptographic EquipmentMWEcandidateMay 9, 2026
Cryptographic Hash FunctionnounA function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions satisfy the following properties: 1) (One-way) It is computationally infeasible to find any input which maps to any pre-specified output, and 2) (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.CapabilityMay 9, 2026
Cryptographic Hash FunctionMWEcandidateMay 9, 2026
Cryptographic Ignition KeynounDevice or electronic key used to unlock the secure mode of crypto-equipment.CredentialRegulatedCUIMay 9, 2026
Cryptographic Ignition KeyMWEcandidateMay 9, 2026
Cryptographic InitializationnounFunction used to set the state of a cryptographic logic prior to key generation, encryption, or other operating mode.ProcessMay 9, 2026
Cryptographic InitializationMWEcandidateMay 9, 2026
Cryptographic KeynounA parameter used in conjunction with a cryptographic algorithm that determines - the transformation of plaintext data into ciphertext data, - the transformation of ciphertext data into plaintext data, - a digital signature computed from data, - the verification of a digital signature computed from data, - an authentication code computed from data, or - an exchange agreement of a shared secret.CredentialMay 9, 2026
Cryptographic KeyMWEcandidateMay 9, 2026
Cryptographic LogicnounThe embodiment of one (or more) cryptographic algorithm(s) along with alarms, checks, and other processes essential to effective and secure performance of the cryptographic process(es).CapabilityRegulatedMay 12, 2026
Cryptographic LogicMWEcandidateMay 12, 2026
Cryptographic MaterialnounCOMSEC material used to secure or authenticate information.CredentialRegulatedCUIMay 9, 2026
Cryptographic MaterialMWEcandidateMay 9, 2026
Cryptographic ModulenounThe set of hardware, software, firmware, or some combination thereof that implements cryptographic logic or processes, including cryptographic algorithms, and is contained within the cryptographic boundary of the module.SystemRegulatedMay 12, 2026
Cryptographic ModuleMWEcandidateMay 12, 2026
Cryptographic Module Security PolicynounA precise specification of the security rules under which a cryptographic module will operate, including the rules derived from the requirements of this standard (FIPS 140-2) and additional rules imposed by the vendor.RequirementMay 9, 2026
Cryptographic Module Validation ProgramnounValidates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography-based standards. The CMVP is a joint effort between National Institute of Standards and Technology (NIST) and the Communications Security Establishment (CSE) of the government of Canada. Products validated as conforming to FIPS 140-2 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or Designated Information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and provide federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.CapabilityRegulatedCUIMay 9, 2026
Cryptographic NetnounStations holding a common key.NetworkRegulatedCUIMay 9, 2026
Cryptographic NetMWEcandidateMay 9, 2026
Cryptographic PeriodnounTime span during which each key setting remains in effect.MetricMay 12, 2026
Cryptographic PeriodMWEcandidateMay 12, 2026
Cryptographic ProductnounA cryptographic key (public, private, or shared) or public key certificate, used for encryption, decryption, digital signature, or signature verification; and other items, such as compromised key lists (CKL) and certificate revocation lists (CRL), obtained by trusted means from the same source which validate the authenticity of keys or certificates. Protected software which generates or regenerates keys or certificates may also be considered a cryptographic product.CredentialRestrictedCUIMay 9, 2026
Cryptographic ProductMWEcandidateMay 9, 2026
Cryptographic RandomizationnounFunction that randomly determines the transmit state of a cryptographic logic.CapabilityMay 9, 2026
Cryptographic RandomizationMWEcandidateMay 9, 2026
Cryptographic SecuritynounComponent of COMSEC resulting from the provision of technically sound cryptographic systems and their proper use.CapabilityRegulatedCUIMay 12, 2026
Cryptographic SecurityMWEcandidateMay 12, 2026
Cryptographic StrengthnounA measure of the expected number of operations required to defeat a cryptographic mechanism.MetricMay 12, 2026
Cryptographic StrengthMWEcandidateMay 12, 2026
Cryptographic SynchronizationnounProcess by which a receiving decrypting cryptographic logic attains the same internal state as the transmitting encrypting logic.ProcessRegulatedMay 12, 2026
Cryptographic SynchronizationMWEcandidateMay 12, 2026
Cryptographic SystemnounAssociated information assurance items interacting to provide a single means of encryption or decryption.SystemRegulatedMay 12, 2026
Cryptographic SystemMWEcandidateMay 12, 2026
Cryptographic System AnalysisnounProcess of establishing the exploitability of a cryptographic system, normally by reviewing transmitted traffic protected or secured by the system under study.ProcessRegulatedCUIMay 9, 2026
Cryptographic System AnalysisMWEcandidateMay 9, 2026
Cryptographic System EvaluationnounProcess of determining vulnerabilities of a cryptographic system and recommending countermeasures.ProcessRegulatedMay 9, 2026
Cryptographic System EvaluationMWEcandidateMay 9, 2026
Cryptographic System ReviewnounExamination of a cryptographic system by the controlling authority ensuring its adequacy of design and content, continued need, and proper distribution.ProcessRegulatedCUIMay 9, 2026
Cryptographic System ReviewMWEcandidateMay 9, 2026
Cryptographic System SurveynounManagement technique in which actual holders of a cryptographic system express opinions on the system's suitability and provide usage information for technical evaluations.ProcessInternalMay 12, 2026
Cryptographic System SurveyMWEcandidateMay 12, 2026
Cryptographic TokennounA portable, user-controlled physical device (e.g., smart card or PCMCIA card) used to store cryptographic information and possibly also perform cryptographic functions.CredentialMay 9, 2026
Cryptographic TokenMWEcandidateMay 9, 2026
CryptographynounIs categorized as either secret key or public key. Secret key cryptography is based on the use of a single cryptographic key shared between two parties. The same key is used to encrypt and decrypt data. This key is kept secret by the two parties. Public key cryptography is a form of cryptography which makes use of two keys: a public key and a private key. The two keys are related but have the property that, given the public key, it is computationally infeasible to derive the private key [FIPS 140-1]. In a public key cryptosystem, each party has its own public/private key pair. The public key can be known by anyone; the private key is kept secret.CapabilityMay 9, 2026
cryptologynounThe science that deals with hidden, disguised, or encrypted communications. It includes communications security and communications intelligence.CapabilityMay 9, 2026
CryptosystemnounA pair of algorithms that take a key and convert plaintext to ciphertext and back.CapabilityMay 9, 2026
cultivateverbdevelop or improve skills, ideas, or qualities over timeCreateUnclassifiedMay 11, 2026
Currency BalancenounAs at the time calculated, the current amount (positive or negative) of a particular eligible currency included in an account, as indicated on the books and records of CLS Bank. A currency balance is not a separate account.DataRegulatedMay 9, 2026
Currency BalanceMWEcandidateMay 9, 2026
Custom redirect servicenounThis service enables control over the location of incoming calls or the redirection of calls to various locations or pre-established phone numbers to ensure customer service continuity.CapabilityInternalMay 12, 2026
Custom redirect serviceMWEcandidateMay 12, 2026
custom softwarenounSoftware developed for a specific use, user, or organization.SystemRegulatedMay 12, 2026
custom softwareMWEcandidateMay 12, 2026
CustomernounFor purposes of the Information Security Standards, “customer” means a consumer with whom a financial institution has a continuing relationship under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. In the case of a credit union, a customer relationship will exist between a credit union and certain consumers that are not the credit union’s members.IdentityMay 9, 2026
customer accessnounA customer’s ability and means to communicate or interact with a system, use system resources or to control system components and functions.CapabilityRegulatedMay 12, 2026
customer accessMWEcandidateMay 12, 2026
customer accountnounA client's formal contract with an individual or organization whereby the client receives goods or services.IdentityRegulatedPIIMay 9, 2026
customer accountMWEcandidateMay 9, 2026
customer data privacynounThe ability an organization or individual has to determine what customer data in a computer system can be shared with third parties.RequirementRegulatedPIIMay 9, 2026
customer data privacyMWEcandidateMay 9, 2026
customer educational materialnounEducational materials used to inform customers about topics regarding the products and/or services that they use.ArtifactInternalMay 12, 2026
customer educational materialMWEcandidateMay 12, 2026
customer informationnounA term used in the Information Security Standards to mean any record containing non-public personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of a financial institution.DataRegulatedPIIMay 9, 2026
customer informationMWEcandidateMay 9, 2026
customer information systemnounFor purposes of the Information Security Standards, “customer information systems” means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.SystemRegulatedPIIMay 9, 2026
customer information systemMWEcandidateMay 9, 2026
Customer ServicenounThe purpose of this function is to provide and manage information delivery and support to an organization's clients regarding its products and/or services.CapabilityMay 12, 2026
Customer ServiceMWEcandidateMay 12, 2026
Customer Service and Technical SupportnounIn the NICE Workforce Framework, cybersecurity work where a person: Addresses problems, installs, configures, troubleshoots, and provides maintenance and training in response to customer requirements or inquiries (e.g., tiered-level customer support).CapabilityMay 12, 2026
customizeverbmodify or tailor something to meet specific needs or preferencesApplyUnclassifiedMay 11, 2026
Cut-ThroughnounCut-Through is a method of switching where only the header of a packet is read before it is forwarded to its destination.NetworkMay 12, 2026
cybernounRefers to the interconnected information infrastructure of interactions among persons, processes, data, and information and communications technologies, along with the environment and conditions that influence those interactions.SystemMay 12, 2026
cyber assetnounProgrammable electronic devices and communication networks including hardware, software and data.SystemRegulatedCUIMay 9, 2026
cyber assetMWEcandidateMay 9, 2026
Cyber AttacknounAn attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.ThreatRegulatedMay 12, 2026
Cyber AttackMWEcandidateMay 12, 2026
cyber ecosystemnounThe interconnected information infrastructure of interactions among persons, processes, data, and information and communications technologies, along with the environment and conditions that influence those interactions.SystemMay 12, 2026
cyber ecosystemMWEcandidateMay 12, 2026
cyber eventnounA cybersecurity change or occurrence that may have an impact on organizational operations (including mission, capabilities, or reputation).EventMay 9, 2026
cyber eventMWEcandidateMay 9, 2026
cyber exercisenounA planned event during which an organization simulates a cyber disruption to develop or test capabilities such as preventing, detecting, mitigating, responding to or recovering from the disruption.ProcessMay 12, 2026
cyber exerciseMWEcandidateMay 12, 2026
cyber governancenounArrangements an organisation puts in place to establish, implement and review its approach to managing cyber risks.ProcessMay 9, 2026
cyber governanceMWEcandidateMay 9, 2026
cyber incidentnounActions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. See Incident.EventRegulatedMay 9, 2026
cyber incidentMWEcandidateMay 9, 2026
cyber incident response plannounThe series of actions and processes associated with a security event associated with 'cyberspace' (i.e. the Internet, corporate networks, etc.).ProcessRegulatedMay 12, 2026
cyber incident response planMWEcandidateMay 12, 2026
cyber incident response procedurenounA documented series of steps that are taken to detect, triage, and resolve events regarding cybersecurity that disrupt operations and alert applicable personnel and clients in conformance with pertinent standards.RequirementMay 9, 2026
cyber incident response procedureMWEcandidateMay 9, 2026
cyber incident response roles and responsibilitiesnounThe functions and duties of personnel who are responsible for triaging and resolving cybersecurity events that disrupt operations and for alerting interested personnel and affected parties in conformance with pertinent standards.ProcessRegulatedMay 9, 2026
cyber infrastructurenounIncludes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. For example: computer systems; control systems (e.g., supervisory control and data acquisition–SCADA); networks, such as the Internet; and cyber services (e.g., managed security services) are part of cyber infrastructure.SystemRegulatedMay 12, 2026
cyber infrastructureMWEcandidateMay 12, 2026
cyber maturity modelnounA mechanism to have cyber resilience controls, methods and processes assessed according to management best practice, against a clear set of external benchmarks.FrameworkMay 9, 2026
cyber maturity modelMWEcandidateMay 9, 2026
Cyber OperationsnounIn the NICE Workforce Framework, cybersecurity work where a person: Performs activities to gather evidence on criminal or foreign intelligence entities in order to mitigate possible or real-time threats, protect against espionage or insider threats, foreign sabotage, international terrorist activities, or to support other intelligence activities.CapabilityRestrictedCUIMay 12, 2026
Cyber OperationsMWEcandidateMay 12, 2026
Cyber Operations PlanningnounIn the NICE Workforce Framework, cybersecurity work where a person: Performs in-depth joint targeting and cyber planning process. Gathers information and develops detailed Operational Plans and Orders supporting requirements. Conducts strategic and operational-level planning across the full range of operations for integrated information and cyberspace operations.ProcessRestrictedCUIMay 9, 2026
Cyber Operations PlanningMWEcandidateMay 9, 2026
cyber resiliencenounThe ability of a system or domain to withstand cyber attacks or failures and, in such events, to reestablish itself quickly.CapabilityMay 12, 2026
cyber resilienceMWEcandidateMay 12, 2026
cyber resilience frameworknounConsists of the policies, procedures and controls an FMI has established to identify, protect, detect, respond to and recover from the plausible sources of cyber risks it faces.FrameworkRegulatedMay 9, 2026
cyber resilience frameworkMWEcandidateMay 9, 2026
cyber resilience strategynounAn FMI’s high level principles and medium term plans to achieve its objective of managing cyber risks.ProcessInternalMay 12, 2026
cyber resilience strategyMWEcandidateMay 12, 2026
cyber risknounThe combination of the probability of an event occurring within the realm of an organisation’s information assets, computer and communication resources and the consequences of that event for an organisation.MetricMay 12, 2026
cyber riskMWEcandidateMay 12, 2026
cyber risk managementnounThe process used by an FMI to establish an enterprise-wide framework to manage the likelihood of a cyber attack and develop strategies to mitigate, respond to, learn from and coordinate its response to the impact of a cyber attack. The management of an FMI’s cyber risk should support the business processes and be integrated in the FMI’s overall risk management framework.ProcessRegulatedMay 9, 2026
cyber risk managementMWEcandidateMay 9, 2026
cyber risk profilenounThe cyber risk actually assumed, measured at a given point in time.MetricInternalMay 9, 2026
cyber risk profileMWEcandidateMay 9, 2026
cyber risk tolerancenounThe propensity to incur cyber risk, being the level of cyber risk that an FMI intends to assume in pursuing its strategic objectives.MetricInternalMay 12, 2026
cyber risk toleranceMWEcandidateMay 12, 2026
cyber supply chain risk assessment processnounThe foundational task in the cyber supply chain risk assessment process, cyber supply chain risk assessments are aimed at identifying and assessing applicable risk of information and operational technology (IT/OT) outsourcing, diverse distribution routes, assorted technologies, laws, policies, procedures, and practices.ProcessRegulatedMay 12, 2026
Cyber Supply Chain Risk Management PlannounA plan that includes confidentiality, integrity, and availability controls for mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.ProcessInternalMay 9, 2026
cyber supply chain risk management processnounA detailed description of the steps necessary to mitigate the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.ProcessRegulatedMay 9, 2026
cyber system recovery plannounA step-by-step outline of the processes and procedures to be performed to bring a cyber system back to working order after an incident has occurred.ProcessRegulatedCUIMay 12, 2026
cyber system recovery planMWEcandidateMay 12, 2026
cyber threatnounAn internal or external circumstance, event, action, occurrence, or person with the potential to exploit technology-based vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.ThreatRegulatedMay 12, 2026
cyber threatMWEcandidateMay 12, 2026
cyber threat intelligencenounOrganized, analyzed and refined information about potential or current attacks that threaten an organization. The primary purpose of threat intelligence is helping organizations understand the risks of the most common and severe external threats, such as zero-day threats, advanced persistent threats (APTs) and exploits. Although threat actors also include internal (or insider) and partner threats, the emphasis is on the types that are most likely to affect a particular organization's environment. Threat intelligence includes in-depth information about specific threats to help an organization protect itself from the types of attacks that could do them the most damage. In a military, business or security context, intelligence is information that provides an organization with decision support and possibly a strategic advantage. Threat intelligence is a component of security intelligence and, like SI, includes both the information relevant to protecting an organization from external and inside threats as well as the processes, policies and tools designed to gather and analyze that information. Threat intelligence services provide organizations with current information related to potential attack sources relevant to their businesses; some also offer consultation service.CapabilityRestrictedMay 12, 2026
cyber threat intelligenceMWEcandidateMay 12, 2026
cyber threat response strategynounA plan of action designed to achieve a long-term or overall aim regarding how to resolve cyber incidents.ProcessInternalMay 12, 2026
cyber threat response strategyMWEcandidateMay 12, 2026
CybercopnounAn investigator of activities related to computer crime.RoleMay 9, 2026
CyberespionagenounActivities conducted in the name of security, business, politics or technology to find information that ought to remain secret. It is not inherently military.ThreatRestrictedCUIMay 9, 2026
CybersecuritynounThe ability to protect or defend the use of cyberspace from cyber attacks.CapabilityMay 12, 2026
cybersecurity activitynounSecurity controls that are specific to the realm of Cybersecurity.ProcessMay 12, 2026
cybersecurity activityMWEcandidateMay 12, 2026
Cybersecurity architecturenounDescribes the structure, components and topology (connections and layout) of security controls within an enterprise's IT infrastructure. Scope Note: The security architecture shows how defense-in-depth is implemented and how layers of control are linked and is essential to designing and implementing security controls in any complex environment.CapabilityMay 9, 2026
Cybersecurity architectureMWEcandidateMay 9, 2026
cybersecurity awarenessnounThe extent to which individuals of an organization or those who have access to an organization's information understand their individual responsibilities regarding cybersecurity risks and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats.CapabilityInternalMay 12, 2026
cybersecurity awarenessMWEcandidateMay 12, 2026
Cybersecurity CategorynounThe subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Cybersecurity Categories include “Asset Management,” “Identity Management and Access Control,” and “Detection Processes.”FrameworkMay 9, 2026
Cybersecurity CategoryMWEcandidateMay 9, 2026
cybersecurity controlnounPractices and procedures established to protect organizational assets, user assets, and the cyber environment from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.ControlRegulatedMay 9, 2026
cybersecurity controlMWEcandidateMay 9, 2026
cybersecurity eventnounAny act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.EventRegulatedMay 9, 2026
cybersecurity eventMWEcandidateMay 9, 2026
Cybersecurity Framework CorenounA set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.FrameworkPublicMay 12, 2026
Cybersecurity Framework CoreMWEcandidateMay 12, 2026
Cybersecurity Framework Implementation TiernounA lens through which to view the characteristics of an organization’s approach to risk—how an organization views cybersecurity risk and the processes in place to manage that risk.FrameworkInternalMay 12, 2026
cybersecurity functionnounOne of the main components of the Cybersecurity Framework. Cybersecurity functions provide the highest level of structure for organizing basic cybersecurity activities into Cybersecurity Categories and Cybersecurity Subcategories. The five Cybersecurity functions are the Identify function, Protect function, Detect function, Respond function, and Recover function.CapabilityMay 9, 2026
cybersecurity functionMWEcandidateMay 9, 2026
cybersecurity incident responsenounThe process of managing and resolving cybersecurity events that disrupt the organization's operations and restoring services.ProcessRegulatedMay 12, 2026
cybersecurity incident responseMWEcandidateMay 12, 2026
cybersecurity incident response groupnounA group of people that prepares for and resolves events that disrupt an organization's cybersecurity operations.OrganizationMay 12, 2026
cybersecurity law, rule, or regulationnounAny federal, state, or local statute or ordinance or any rule or regulation adopted according to any federal, state, or local statute or ordinance that deals specifically with the topic of protecting or defending computerized environments, organizational computerized assets, and user’s computerized assets.RequirementRegulatedMay 9, 2026
Cybersecurity outcomenounA Cybersecurity outcome is the business need defined and tiered implementation of the outcomes listed in either the Categories or Subcategories section of Table 2 in the NIST Cybersecurity Framework.RequirementRegulatedMay 12, 2026
Cybersecurity outcomeMWEcandidateMay 12, 2026
cybersecurity patchnounComputer code intended to fix a cybersecurity vulnerability.ControlRegulatedMay 9, 2026
cybersecurity patchMWEcandidateMay 9, 2026
cybersecurity personnelnounAll people who are employed by an organization to perform cybersecurity activities.RoleMay 9, 2026
cybersecurity personnelMWEcandidateMay 9, 2026
cybersecurity plannounFormal document that provides an overview of the cybersecurity requirements for an Information Technology and industrial control system and describes the cybersecurity controls in place or planned for meeting those requirements.RequirementRegulatedCUIMay 9, 2026
cybersecurity planMWEcandidateMay 9, 2026
cybersecurity policynounA set of criteria for the provision of security services.RequirementRegulatedMay 12, 2026
cybersecurity policyMWEcandidateMay 12, 2026
cybersecurity procedurenounA detailed description of the steps necessary to implement cybersecurity in conformance with applicable standards.RequirementMay 9, 2026
cybersecurity procedureMWEcandidateMay 9, 2026
Cybersecurity ProfilenounA representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories.ArtifactInternalMay 12, 2026
Cybersecurity ProfileMWEcandidateMay 12, 2026
cybersecurity programnounAn integrated group of activities designed and managed to meet cybersecurity objectives for the organization and/or the function. A cybersecurity program may be implemented at either the organization or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise.ProcessRegulatedMay 12, 2026
cybersecurity programMWEcandidateMay 12, 2026
cybersecurity requirementnounRequirements levied on an Information Technology and Operations Technology that are derived from organizational mission and business case needs (in the context of applicable legislation, Executive Orders, directives, policies, standards, instructions, regulations, procedures) to ensure the confidentiality, integrity, and availability of the services being provided by the organization and the information being processed, stored, or transmitted.RequirementRegulatedMay 12, 2026
cybersecurity requirementMWEcandidateMay 12, 2026
cybersecurity risknounA risk to organizational operations, (including mission, functions, image, and reputation), resources, and other organizations due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information, Information Technology, and/or Operations Technology.ThreatRegulatedMay 12, 2026
cybersecurity riskMWEcandidateMay 12, 2026
cybersecurity risk managementnounThe process of identifying risks and vulnerabilities and applying administrative actions and comprehensive solutions to ensure that the organization is adequately protected.ProcessMay 12, 2026
cybersecurity risk managementMWEcandidateMay 12, 2026
cybersecurity roles and responsibilitiesnounThe functions and duties of personnel who are responsible for preventing cybersecurity events that disrupt operations or affected parties, assigned and performed in conformance with pertinent laws and standards.RoleMay 9, 2026
Cybersecurity SubcategorynounThe subdivision of a Cybersecurity Category into specific outcomes of technical and/or management activities. Examples of Subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”FrameworkMay 12, 2026
Cybersecurity SubcategoryMWEcandidateMay 12, 2026
cybersecurity trainingnounActivities that are used to teach people about tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.ProcessInternalMay 12, 2026
cybersecurity trainingMWEcandidateMay 12, 2026
cybersecurity updatenounA widely released fix for a cybersecurity related vulnerability.ControlMay 12, 2026
cybersecurity updateMWEcandidateMay 12, 2026
cybersecurity vulnerabilitynounA flaw in an organization's system which leaves it exposed to and defenseless against a cyberthreat.VulnerabilityMay 9, 2026
cybersecurity vulnerabilityMWEcandidateMay 9, 2026
cyberspacenounA global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.NetworkMay 9, 2026
CyberwarfarenounActivities supported by military organizations with the purpose of threatening the survival and well-being of a society/foreign entityThreatRegulatedCUIMay 9, 2026
Cyclic Redundancy ChecknounSometimes called "cyclic redundancy code." A type of checksum algorithm that is not a cryptographic hash but is used to implement data integrity service where accidental changes to data are expected.ControlMay 9, 2026
Cyclic Redundancy CheckMWEcandidateMay 9, 2026
Cyclical Redundancy ChecknounError checking mechanism that verifies data integrity by computing a polynomial algorithm based checksum.ControlMay 9, 2026
Cyclical Redundancy CheckMWEcandidateMay 9, 2026
DaemonnounA program which is often started at the time the system boots and runs continuously without intervention from any of the users on the system. The daemon program forwards the requests to other programs (or processes) as appropriate. The term daemon is a Unix term; many other operating systems provide support for daemons, though they are sometimes called by other names. Windows, for example, refers to daemons as System Agents and services.SystemMay 9, 2026
damagenounDetrimental effects; physical harm or injury that impairs value or usefulness.EventMay 9, 2026
Dark PatternnounRegulatedMay 13, 2026
Dark PatternMWEcandidateMay 13, 2026
datanounA subset of information in an electronic format that allows it to be retrieved or transmitted.DataMay 9, 2026
Data AdministrationnounIn the NICE Workforce Framework, cybersecurity work where a person: Develops and administers databases and/or data management systems that allow for the storage, query, and utilization of data.RoleMay 9, 2026
Data AdministrationMWEcandidateMay 9, 2026
data aggregationnounCompilation of individual data systems and data that could result in the totality of the information being classified, or classified at a higher level, or of beneficial use to an adversary.ProcessRegulatedCUIMay 9, 2026
data aggregationMWEcandidateMay 9, 2026
Data AnalyticsnouncandidateMay 13, 2026
Data AnalyticsMWEcandidateMay 13, 2026
Data Assetnoun1. Any entity that is comprised of data. For example, a database is a data asset that is comprised of data records. A data asset may be a system or application output file, database, document, or Web page. A data asset also includes a service that may be provided to access data from an application. For example, a service that returns individual records from a database would be a data asset. Similarly, a Web site that returns data in response to specific queries (e.g., www.weather.com) would be a data asset. 2. An information-based resource.DataMay 9, 2026
Data AssetMWEcandidateMay 9, 2026
data backupnounThe physical copying of data files to a removable storage device that allows the data to be stored in another location.DataRegulatedMay 9, 2026
data backupMWEcandidateMay 9, 2026
data breachnounThe unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.EventRegulatedMay 12, 2026
data breachMWEcandidateMay 12, 2026
Data centernounA facility that houses an institution's most important information systems components, including computer systems, telecommunications components, and storage systems.PhysicalRegulatedMay 9, 2026
Data centerMWEcandidateMay 9, 2026
data classificationnounThe assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the organization.ProcessMay 9, 2026
data classificationMWEcandidateMay 9, 2026
Data classification programnounA program that categorizes data to convey required safeguards for information confidentiality, integrity, and availability; establishes controls required based on value and level of sensitivity.ProcessInternalMay 9, 2026
Data classification programMWEcandidateMay 9, 2026
Data CleaningnounProcessMay 13, 2026
Data CleaningMWEcandidateMay 13, 2026
data controlnounThe function responsible for seeing that all data necessary for processing is present and that all output is complete and distributed properly. This function is generally responsible for reconciling record counts and control totals submitted by users with similar counts and totals generated during processing.ControlMay 12, 2026
data controlMWEcandidateMay 12, 2026
Data corruptionnounErrors in computer data that occur during writing, reading, storage, transmission, or processing, which introduce unintended changes to the original data.EventMay 12, 2026
Data corruptionMWEcandidateMay 12, 2026
Data custodiannounThe individual(s) and department(s) responsible for the storage and safeguarding of computerized dataRoleMay 9, 2026
Data custodianMWEcandidateMay 9, 2026
Data DredgingnouncandidateMay 13, 2026
Data DredgingMWEcandidateMay 13, 2026
Data DriftnouncandidateMay 13, 2026
Data DriftMWEcandidateMay 13, 2026
Data ElementnounA basic unit of information that has a unique meaning and subcategories (data items) of distinct value. Examples of data elements include gender, race, and geographic location.DataPIIMay 9, 2026
Data ElementMWEcandidateMay 9, 2026
data encryptionnounThe reversible transformation of data from the original, plain text, version to a difficult-to-interpret format for security purposes.ControlMay 9, 2026
data encryptionMWEcandidateMay 9, 2026
Data Encryption AlgorithmnounThe DEA cryptographic engine that is used by the Triple Data Encryption Algorithm (TDEA).ControlRegulatedMay 12, 2026
Data Encryption AlgorithmMWEcandidateMay 12, 2026
Data Encryption StandardnounCryptographic algorithm designed for the protection of unclassified data and published by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standard (FIPS) Publication 46. (FIPS 46-3 withdrawn 19 May 2005) See Triple DES.ControlRegulatedMay 12, 2026
Data Encryption StandardMWEcandidateMay 12, 2026
Data FabricnounDataMay 13, 2026
Data FabricMWEcandidateMay 13, 2026
data flownounThe path of data from input to output, which includes the traveling of data through the communication lines, routers, switches and firewalls as well as processing through various applications on servers that process the data from user input to storage in the organization's central database.ProcessMay 9, 2026
data flowMWEcandidateMay 9, 2026
Data Flow ControlnounSynonymous with information flow control.ControlMay 9, 2026
Data Flow ControlMWEcandidateMay 9, 2026
data flow diagramnounA simplified drawing of how data moves throughout an application, system, or network.ArtifactMay 12, 2026
data flow diagramMWEcandidateMay 12, 2026
Data FusionnouncandidateMay 13, 2026
Data FusionMWEcandidateMay 13, 2026
data governancenounA set of processes that ensures that important data assets are formally managed throughout the enterprise.ProcessMay 12, 2026
data governanceMWEcandidateMay 12, 2026
data inputnounThe purpose of this task is to enter data into an application or database.DataMay 9, 2026
data inputMWEcandidateMay 9, 2026
data integritynounThe property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit.RequirementMay 9, 2026
data integrityMWEcandidateMay 9, 2026
Data leakagenounAn unauthorized data transfer out of a computer or data center.EventRegulatedMay 12, 2026
Data leakageMWEcandidateMay 12, 2026
data lossnounThe exposure of proprietary, sensitive, or classified information through either data theft or data leakage.EventRegulatedIPMay 12, 2026
data lossMWEcandidateMay 12, 2026
data loss preventionnounA set of procedures and mechanisms to stop sensitive data from leaving a security boundary.CapabilityMay 9, 2026
data loss preventionMWEcandidateMay 9, 2026
Data loss prevention (DLP) programnounA comprehensive approach (covering people, processes, and systems) of implementing policies and controls designed specifically to discover, monitor, and protect confidential data wherever it is stored, used, or in transit over the network and at the perimeter.ProcessRegulatedMay 12, 2026
Data loss prevention (DLP) programMWEcandidateMay 12, 2026
data miningnounThe process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.ProcessMay 9, 2026
data miningMWEcandidateMay 9, 2026
Data mirroringnounA back-up process that involves writing the same data to two physical disks or servers simultaneously.ProcessMay 9, 2026
Data mirroringMWEcandidateMay 9, 2026
Data Origin AuthenticationnounThe process of verifying that the source of the data is as claimed and that the data has not been modified.ControlMay 9, 2026
Data Origin AuthenticationMWEcandidateMay 9, 2026
Data ownernounThe individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized dataRoleMay 9, 2026
Data ownerMWEcandidateMay 9, 2026
Data PointnounDataMay 13, 2026
Data PointMWEcandidateMay 13, 2026
data preparationnounA process by which cardholder data is managed and processed by the vendor for subsequent use in the personalization process.ProcessMay 9, 2026
data preparationMWEcandidateMay 9, 2026
data processing servicenounWork performed by an organization to fulfill a need for a customer or client regarding data processing.CapabilityMay 9, 2026
data processing serviceMWEcandidateMay 9, 2026
Data ProxynounNetworkMay 13, 2026
Data ProxyMWEcandidateMay 13, 2026
Data QualitynouncandidateMay 13, 2026
Data QualityMWEcandidateMay 13, 2026
data recoverynounThe purpose of this task is to restore data that has been damaged, lost, or corrupted.ProcessMay 12, 2026
data recoveryMWEcandidateMay 12, 2026
Data replicationnounThe process of copying data, usually with the objective of maintaining identical sets of data in separate locations. Two common data replication processes used for information systems are synchronous and asynchronous mirroring.ProcessMay 12, 2026
Data replicationMWEcandidateMay 12, 2026
Data retentionnounRefers to the policies that govern data and records management for meeting internal, legal and regulatory data archival requirementsRequirementRegulatedMay 9, 2026
Data retentionMWEcandidateMay 9, 2026
Data SciencenouncandidateMay 13, 2026
Data ScienceMWEcandidateMay 13, 2026
Data ScientistnounRoleMay 13, 2026
Data ScientistMWEcandidateMay 13, 2026
Data SecuritynounProtection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure.CapabilityMay 9, 2026
Data SecurityMWEcandidateMay 9, 2026
Data SeedingnouncandidateMay 13, 2026
Data SeedingMWEcandidateMay 13, 2026
data storage medianounThe physical form of how data is stored (e.g. magnetic tape, CD-ROM, paper).PhysicalRegulatedMay 12, 2026
data storage mediaMWEcandidateMay 12, 2026
Data synchronizationnounThe comparison and reconciliation of interdependent data files at the same time so that they contain the same information.ProcessMay 12, 2026
Data synchronizationMWEcandidateMay 12, 2026
data theftnounThe deliberate or intentional act of stealing information.ThreatRegulatedMay 12, 2026
data theftMWEcandidateMay 12, 2026
Data Transfer DevicenounFill device designed to securely store, transport, and transfer electronically both COMSEC and TRANSEC key, designed to be backward compatible with the previous generation of COMSEC common fill devices, and programmable to support modern mission systems.PhysicalRegulatedCUIMay 9, 2026
Data Transfer DeviceMWEcandidateMay 9, 2026
Data WarehousingnounData Warehousing is the consolidation of several previously independent databases into one location.SystemMay 9, 2026
Data WarehousingMWEcandidateMay 9, 2026
Data WranglingnouncandidateMay 13, 2026
Data WranglingMWEcandidateMay 13, 2026
Data-At-RestnounRefers to all data stored on hard drives, thumb drives, DVDs, CDs, floppy diskettes, and similar storage media. It excludes data that is traversing a network or temporarily residing in computer memory to be read or updated.DataRegulatedMay 9, 2026
Data-DrivennouncandidateMay 13, 2026
data-in-motionnounData being transferred between devices, such as data being sent from one application to another.DataMay 12, 2026
DatabasenounA collection of information organized to be easily accessed, managed, and updated.DataMay 9, 2026
DatagramnounRequest for Comment 1594 says, "a self-contained, independent entity of data carrying sufficient information to be routed from the source to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network." The term has been generally replaced by the term packet. Datagrams or packets are the message units that the Internet Protocol deals with and that the Internet transports. A datagram or packet needs to be self-contained without reliance on earlier exchanges because there is no connection of fixed duration between the two communicating points as there is, for example, in most voice telephone conversations. (This kind of protocol is referred to as connectionless.)DataMay 12, 2026
date and timenounThe combination of both the date and the time that something occurred.ArtifactMay 9, 2026
date and timeMWEcandidateMay 9, 2026
daynounA period of time that consists of twenty-four hours.MetricMay 12, 2026
Day ZeronounThe "Day Zero" or "Zero Day" is the day a new vulnerability is made known. In some cases, a "zero day" exploit refers to an exploit for which no patch is available yet ("day one" is the day on which the patch is made available).VulnerabilityMay 9, 2026
Day ZeroMWEcandidateMay 9, 2026
Daylight overdraftnounA daylight overdraft occurs at any point in the business day when the balance in an institution's account becomes negative. Daylight overdrafts can occur in accounts at Federal Reserve Banks as well as at private financial institutions. Daylight credit can also arise in the form of net debit positions of participants in private payment systems. A daylight overdraft occurs at a Federal Reserve Bank when there are insufficient funds in an institution's Federal Reserve Bank account to cover outgoing funds transfers or incoming book-entry securities transfers. An overdraft can also be the result of other payment activity processed by the Federal Reserve Bank, such as check or automated clearinghouse transactions.EventRegulatedMay 12, 2026
Daylight overdraftMWEcandidateMay 12, 2026
debateverbargue for and against a position using evidence and logical reasoningEvaluateUnclassifiedMay 11, 2026
Debit cardnounA payment card issued as either a PIN-based debit (ATM) card or as a signature-based debit card from one of the bankcard associations. A payment card issued to a person for purchasing goods and services through an electronic transfer of funds from a demand deposit account rather than using cash, checks, or drafts at the point-of-sale.PhysicalRegulatedPCIMay 9, 2026
Debit cardMWEcandidateMay 9, 2026
Debit entrynounAn entry to the record of an account to represent the transfer or removal of funds from the account.DataRegulatedMay 12, 2026
Debit entryMWEcandidateMay 12, 2026
debugverbidentify and correct errors or problems in a system, code, or processCreateUnclassifiedMay 11, 2026
DecapsulationnounDecapsulation is the process of stripping off one layer's headers and passing the rest of the packet up to the next higher layer on the protocol stack.ProcessMay 12, 2026
DecentralizationnounThe process of distributing computer processing to different locations within an enterpriseProcessMay 12, 2026
DecertificationnounRevocation of the certification of an information system item or equipment for cause.EventRegulatedMay 9, 2026
decideverbreach a conclusion or make a choice after considering alternativesEvaluateUnclassifiedMay 11, 2026
decipherverbConvert enciphered text to plain text by means of a cryptographic system.RememberUnclassifiedMay 11, 2026
decisionnounA position or opinion or judgment reached after consideration.ArtifactMay 9, 2026
Decision PointnouncandidateMay 13, 2026
Decision PointMWEcandidateMay 13, 2026
Decision Support SystemnouncandidateMay 13, 2026
Decision Support SystemMWEcandidateMay 13, 2026
Decision TreenouncandidateMay 13, 2026
Decision TreeMWEcandidateMay 13, 2026
decision-makingnounThe action or process of reaching important conclusions or resolutions after consideration; action or process of making important decisions.ProcessMay 9, 2026
decision-making rolenounThe person in the organization that makes organizational decisions.RoleMay 9, 2026
decision-making roleMWEcandidateMay 9, 2026
declareverbTo formally announce.UnclassifiedMay 11, 2026
decodeverbConvert encoded text to plain text by means of a code.RememberUnclassifiedMay 11, 2026
decommissionverbPrimaryMay 11, 2026
DecommissionnounProcessMay 13, 2026
deconstructverbbreak down a complex structure or argument to examine its fundamental partsAnalyzeUnclassifiedMay 11, 2026
decryptverbtransform ciphertext back into plaintext using the appropriate cryptographic key or algorithmApplyUnclassifiedMay 12, 2026
decryptnounGeneric term encompassing decode and decipher.CapabilityMay 12, 2026
DecryptionnounThe process of changing ciphertext into plaintext using a cryptographic algorithm and key.ProcessMay 12, 2026
Decryption keynounA digital piece of information used to recover plaintext from the corresponding ciphertext by decryptionCredentialRestrictedMay 9, 2026
Decryption keyMWEcandidateMay 9, 2026
Dedicated ModenounInformation systems security mode of operation wherein each user, with direct or indirect access to the system, its peripherals, remote terminals, or remote hosts, has all of the following: 1. valid security clearance for all information within the system, 2. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments, and/or special access programs), and 3. valid need-to-know for all information contained within the information system. When in the dedicated security mode, a system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time.RequirementRegulatedCUIMay 9, 2026
Dedicated ModeMWEcandidateMay 9, 2026
deduceverbarrive at a logical conclusion by reasoning from general principles to specific casesEvaluateUnclassifiedMay 11, 2026
deductverbsubtract or remove; also, reach a conclusion through logical reasoningEvaluateUnclassifiedMay 11, 2026
Deductive AnalyticsnouncandidateMay 13, 2026
Deductive AnalyticsMWEcandidateMay 13, 2026
Deep LearningnouncandidateMay 13, 2026
Deep LearningMWEcandidateMay 13, 2026
Deep packet inspectionnounThe capability to analyze network traffic to compare vendor-developed profiles of benign protocol activity against observed events to identify deviations.CapabilityMay 9, 2026
Deep packet inspectionMWEcandidateMay 9, 2026
DeepfakenouncandidateMay 13, 2026
DefacementnounDefacement is the method of modifying the content of a website in such a way that it becomes "vandalized" or embarrassing to the website owner.ThreatMay 12, 2026
Default ClassificationnounClassification reflecting the highest classification being processed in an information system. Default classification is included in the caution statement affixed to an object.RequirementRegulatedCUIMay 9, 2026
Default ClassificationMWEcandidateMay 9, 2026
default passwordnounPassword on system administration, user, or service accounts predefined in a system, application, or device; usually associated with default account. Default accounts and passwords are published and well known, and therefore easily guessed.CredentialMay 9, 2026
default passwordMWEcandidateMay 9, 2026
defence in depthnounThe security controls deployed throughout the various layers of the network to provide for resiliency in the event of the failure or the exploitation of a vulnerability of another control (may also be referred to as “layered protection”).ControlMay 9, 2026
defence in depthMWEcandidateMay 9, 2026
defendverbjustify or support a position or conclusion with evidence and argumentsCreateUnclassifiedMay 11, 2026
Defense in depthnounThe practice of layering defenses to provide added protection. Defense in depth increases security by raising the effort needed in an attack. This strategy places multiple barriers between an attacker and an enterprise's computing and information resources.CapabilityMay 9, 2026
Defense in depthMWEcandidateMay 9, 2026
Defense-in-BreadthnounA planned, systematic set of multidisciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or sub-component life cycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement).ControlMay 9, 2026
Deferred net settlementnounSee "National Settlement Service".ProcessRegulatedMay 12, 2026
Deferred net settlementMWEcandidateMay 12, 2026
deficiencynounA failing, shortcoming, or lack of an adequate quantity or number.FindingMay 12, 2026
defineverbstate the exact meaning of a term, concept, or processUnderstandUnclassifiedMay 11, 2026
define and assign roles and responsibilitiesverbTo specify and designate roles and responsibilities for functions within an organization.UnclassifiedMay 11, 2026
definitionnounA concise statement of the meaning of a word, phrase, or symbol.ArtifactMay 12, 2026
DegaussnounProcedure that reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Also called demagnetizing.ProcessRegulatedCUIMay 12, 2026
Delegated Development ProgramnounINFOSEC program in which the Director, NSA, delegates, on a case-by-case basis, the development and/or production of an entire telecommunications product, including the INFOSEC portion, to a lead department or agency.ProcessRegulatedCUIMay 9, 2026
Delegated Development ProgramMWEcandidateMay 9, 2026
delegationnounAuthorizing subordinates to make certain decisions.ProcessMay 9, 2026
delegation procedurenounA detailed description of the steps necessary to assign a task or responsibility to another role in conformance with applicable standards.RequirementMay 9, 2026
delegation procedureMWEcandidateMay 9, 2026
deleteverbremove unnecessary or incorrect elements from a work or datasetCreateUnclassifiedMay 11, 2026
Deleted FilenounA file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data.DataMay 12, 2026
Deleted FileMWEcandidateMay 12, 2026
DeletionnouncandidateMay 13, 2026
deliververbTo produce or provide something promised, desired, or expected.UnclassifiedMay 11, 2026
DeliverablenounA project goal or expectation. Deliverables include broadly-defined, project or phase requirements and specifically-defined tasks within project phases.ArtifactMay 9, 2026
deliverynounThe supply or provision of something.ProcessMay 9, 2026
Demilitarized zonenounPerimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s Information Assurance policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks.NetworkMay 12, 2026
Demilitarized zoneMWEcandidateMay 12, 2026
Demilitarized zone (DMZ)nounA computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.NetworkMay 9, 2026
Demilitarized zone (DMZ)MWEcandidateMay 9, 2026
demonstrateverbshow or prove something through evidence, examples, or practical applicationApplyUnclassifiedMay 11, 2026
denial of servicenounThe prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.)ThreatMay 9, 2026
denial of serviceMWEcandidateMay 9, 2026
Denial-of-service attacknounAn assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rateThreatMay 9, 2026
Denial-of-service attackMWEcandidateMay 9, 2026
denyverbTo refuse to give or grant something to someone.UnclassifiedMay 11, 2026
DependabilitynouncandidateMay 13, 2026
dependencynounA relationship between processes or activities that directly or indirectly relies upon another process or activity to occur, begin, or finish.ProcessMay 9, 2026
depictverbrepresent or illustrate through visual or descriptive meansCreateUnclassifiedMay 11, 2026
deployverbrelease or roll out a system to productionApplyPrimaryMay 11, 2026
deploymentnounThe purpose of this task is to bring new software or hardware up and running properly in its environment.ProcessMay 12, 2026
DepositorynounAn institution that holds funds or marketable securities for safekeeping. Depositories may be privately or publicly operated and allow securities transfers through book-entry and offer funds accounts permitting funds transfers as a means of payment.PhysicalRegulatedPCIMay 9, 2026
Depository banknounThe institution at which a check is first deposited. While this term is often used interchangeably with "depository," "depositary" is a term of art in laws and regulations related to check processing.OrganizationRegulatedMay 9, 2026
Depository bankMWEcandidateMay 9, 2026
Depository bank (Check 21)nounAlso known as Bank of First Deposit (BOFD). The first bank to which a check is transferred even though it is also the paying bank or the payee. A check deposited in an account is deemed to be transferred to the financial institution holding the account into which the check is deposited, even though the check is physically received and endorsed first by another financial institution.OrganizationRegulatedPCIMay 12, 2026
Depository bank (Check 21)MWEcandidateMay 12, 2026
depreciateverbreduce the recorded value of something over time; account for diminishing worthApplyUnclassifiedMay 11, 2026
DepthnounAn attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method. The values for the depth attribute, hierarchically from less depth to more depth, are basic, focused, and comprehensive.MetricMay 9, 2026
deriveverbobtain or deduce something from a source through logical reasoningApplyUnclassifiedMay 11, 2026
describeverbgive a detailed account of the characteristics or features of somethingUnderstandUnclassifiedMay 11, 2026
descriptionnounA statement that represents something in words.ArtifactMay 9, 2026
Descriptive AnalyticsnouncandidateMay 13, 2026
Descriptive AnalyticsMWEcandidateMay 13, 2026
Descriptive Top-Level SpecificationnounA natural language description of a system’s security requirements, an informal design notation, or a combination of the two.RequirementRegulatedCUIMay 12, 2026
Descriptive Top-Level SpecificationMWEcandidateMay 12, 2026
designverbplan and create the structure, layout, or blueprint for something newCreateUnclassifiedMay 11, 2026
design and implementverbTo plan, analyze, and deploy.UnclassifiedMay 11, 2026
design and implementMWEcandidateMay 11, 2026
designateverbTo appoint someone to a post, duty, office, etc.UnclassifiedMay 11, 2026
Designated Approval AuthoritynounOfficial with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with authorizing official, designated accrediting authority, and delegated accrediting authority.RoleMay 9, 2026
Designated Approval AuthorityMWEcandidateMay 9, 2026
destroyverbTo render target data recovery infeasible and media unusable for the storage of data.UnclassifiedMay 11, 2026
destructionnounThe purpose of this task is to remove an asset from existence and to ensure media cannot be reused as originally intended and information is virtually impossible to recover or prohibitively expensive to recover.ProcessRegulatedMay 9, 2026
destruction of datanounThe complete physical destruction of data or of the data carrier containing them.ProcessRegulatedMay 9, 2026
destruction of dataMWEcandidateMay 9, 2026
detailverbprovide comprehensive, specific information about somethingAnalyzeUnclassifiedMay 11, 2026
detailnounProvide details for.ArtifactMay 9, 2026
detectverbdiscover or identify the presence or existence of somethingEvaluateUnclassifiedMay 11, 2026
detectnounDiscover, investigate, or discern the existence or presence of something.CapabilityMay 9, 2026
Detect FunctionnounDevelop and implement the appropriate activities to identify the occurrence of a cybersecurity event.CapabilityMay 9, 2026
Detect FunctionMWEcandidateMay 9, 2026
detectionnounIdentifying the existence of malicious content (by signature or heuristic).CapabilityMay 9, 2026
Detection devicenounA device designed to recognize an event and alert management when events occur.CapabilityMay 9, 2026
Detection deviceMWEcandidateMay 9, 2026
detective activitynounAn activity designed to identify undesirable events that do occur and alert management about what has happened. This enables management to take corrective action promptly.ProcessMay 9, 2026
detective activityMWEcandidateMay 9, 2026
Detective controlnounA mitigating technique designed to recognize an event and alert management when events occur.ControlMay 9, 2026
Detective controlMWEcandidateMay 9, 2026
deternounDiscourage (someone) from doing something by instilling doubt or fear of the consequences.candidateMay 9, 2026
determinationnounThe process of making or arriving at a decision.ProcessMay 12, 2026
determineverbestablish or ascertain something through investigation, calculation, or analysisEvaluateUnclassifiedMay 11, 2026
DeterministicnouncandidateMay 13, 2026
Deterministic AlgorithmnouncandidateMay 13, 2026
Deterministic AlgorithmMWEcandidateMay 13, 2026
Deterministic Random Bit GeneratornounA Random Bit Generator (RBG) that includes a DRBG mechanism and (at least initially) has access to a source of entropy input. The DRBG produces a sequence of bits from a secret initial value called a seed, along with other possible inputs. A DRBG is often called a Pseudorandom Number (or Bit) Generator.CapabilityRegulatedMay 12, 2026
Deterministic Random Bit GeneratorMWEcandidateMay 12, 2026
Deterministic Random Bit Generator MechanismnounThe portion of an RBG that includes the functions necessary to instantiate and uninstantiate the RBG, generate pseudorandom bits, (optionally) reseed the RBG and test the health of the DRBG mechanism.CapabilityRegulatedMay 12, 2026
developverbcreate, elaborate, or advance something over time through iterative workCreateUnclassifiedMay 11, 2026
develop and implementverbTo design, create, and put something into effect.UnclassifiedMay 11, 2026
develop and implementMWEcandidateMay 11, 2026
DevelopernouncandidateMay 13, 2026
developmentnounThe process of growing, advancing, or elaborating.ProcessMay 9, 2026
development environmentnounThe set of processes and programming tools used to develop, test, and debug an application or program.SystemMay 12, 2026
development environmentMWEcandidateMay 12, 2026
deviatenounTurn aside; turn away from.FindingRegulatedMay 9, 2026
deviationnounA variation that departs from the standard or norm.FindingRegulatedMay 12, 2026
devicenounA generic term for a server, storage, client platform, computer, or any part of a computer other than the CPU or working memory.SystemMay 9, 2026
Device Distribution ProfilenounAn approval-based Access Control List (ACL) for a specific product that 1) names the user devices in a specific key management infrastructure (KMI) Operating Account (KOA) to which PRSNs distribute the product, and 2) states conditions of distribution for each device.ControlRegulatedCUIMay 9, 2026
Device Distribution ProfileMWEcandidateMay 9, 2026
device managementnounManaging the implementation, operation, and maintenance of a physical and/or virtual device. This includes the use of various administrative tools and processes for the maintenance and upkeep of a computing, network, mobile and/or virtual device.ProcessRegulatedMay 9, 2026
device managementMWEcandidateMay 9, 2026
Device Registration ManagernounThe management role that is responsible for performing activities related to registering users that are devices.RoleMay 9, 2026
Device Registration ManagerMWEcandidateMay 9, 2026
deviseverbplan or invent a new method, procedure, or solution through creative thinkingCreateUnclassifiedMay 11, 2026
diagnoseverbidentify the nature or cause of a problem through systematic analysisAnalyzeUnclassifiedMay 11, 2026
Diagnostic AnalyticsnouncandidateMay 13, 2026
Diagnostic AnalyticsMWEcandidateMay 13, 2026
DiagnosticsnouncandidateMay 13, 2026
diagramverbrepresent information visually using a structured drawing or chartAnalyzeUnclassifiedMay 11, 2026
Dial BacknounSynonymous with call back.ControlMay 9, 2026
Dial BackMWEcandidateMay 9, 2026
dial-up connectivitynounThe state of being connected through a standard phone line and analog modem to access the Internet at data transfer rates (DTR) of up to 56 Kbps.NetworkMay 9, 2026
dial-up connectivityMWEcandidateMay 9, 2026
dictateverbstate or prescribe with authority; speak for transcriptionCreateUnclassifiedMay 11, 2026
Dictionary AttacknounDiscovery of authenticators by encrypting likely authenticators and comparing the actual encrypted authenticator with the newly encrypted possible authenticators.ThreatMay 9, 2026
Dictionary AttackMWEcandidateMay 9, 2026
differencenounThe quality of being unlike or dissimilar.candidateMay 9, 2026
Differential Power AnalysisnounAn analysis of the variations of the electrical power consumption of a cryptographic module, using advanced statistical methods and/or other techniques, for the purpose of extracting information correlated to cryptographic keys used in a cryptographic algorithm.ThreatRegulatedMay 9, 2026
Differential Power AnalysisMWEcandidateMay 9, 2026
Differential PrivacynouncandidateMay 13, 2026
Differential PrivacyMWEcandidateMay 13, 2026
Differential ValiditynouncandidateMay 13, 2026
Differential ValidityMWEcandidateMay 13, 2026
differentiateverbidentify and explain the distinctions between two or more itemsEvaluateUnclassifiedMay 11, 2026
Diffie-HellmannounA key agreement algorithm published in 1976 by Whitfield Diffie and Martin Hellman. Diffie-Hellman does key establishment, not encryption. However, the key that it produces may be used for encryption, for further key management operations, or for any other cryptography.CapabilityMay 9, 2026
Digest AuthenticationnounDigest Authentication allows a web client to compute MD5 hashes of the password to prove it has the password.ControlPIIMay 9, 2026
Digest AuthenticationMWEcandidateMay 9, 2026
Digital certificatenounThe electronic equivalent of an ID card that authenticates the originator of a digital signature.CredentialMay 9, 2026
Digital certificateMWEcandidateMay 9, 2026
Digital EnvelopenounA digital envelope is an encrypted message with the encrypted session key.DataRegulatedMay 12, 2026
Digital EnvelopeMWEcandidateMay 12, 2026
Digital EvidencenounElectronic information stored or transferred in digital form.ArtifactRegulatedMay 12, 2026
Digital EvidenceMWEcandidateMay 12, 2026
Digital forensicsnounThe application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.ProcessRegulatedMay 12, 2026
Digital forensicsMWEcandidateMay 12, 2026
Digital LabornouncandidateMay 13, 2026
Digital LaborMWEcandidateMay 13, 2026
digital rights managementnounA form of access control technology to protect and manage use of digital content or devices in accordance with the content or device provider's intentions.ControlMay 9, 2026
digital rights managementMWEcandidateMay 9, 2026
Digital signaturenounAn asymmetric key operation where the private key is used to digitally sign data and the public key is used to verify the signature. Digital signatures provide authenticity protection, integrity protection, and non-repudiation.CredentialRegulatedMay 12, 2026
Digital signatureMWEcandidateMay 12, 2026
Digital Signature AlgorithmnounAsymmetric algorithms used for digitally signing data.ControlMay 9, 2026
Digital Signature AlgorithmMWEcandidateMay 9, 2026
Digital Signature StandardnounThe US Government standard that specifies the Digital Signature Algorithm (DSA), which involves asymmetric cryptography.FrameworkRegulatedMay 9, 2026
Digital Signature StandardMWEcandidateMay 9, 2026
Digital subscriber line (DSL)nounA technology that uses existing copper telephone lines and advanced modulation schemes to provide high-speed telecommunications to businesses and homes.NetworkMay 9, 2026
Digital subscriber line (DSL)MWEcandidateMay 9, 2026
Digital WorkforcenouncandidateMay 13, 2026
Digital WorkforceMWEcandidateMay 13, 2026
DimensionnouncandidateMay 13, 2026
Dimension ReductionnouncandidateMay 13, 2026
Dimension ReductionMWEcandidateMay 13, 2026
diminishverbreduce or make something smaller, less important, or less valuableApplyUnclassifiedMay 11, 2026
directverbguide, manage, or supervise the execution of a plan or activityCreateUnclassifiedMay 11, 2026
Direct access storage device (DASD)nounA magnetic disk storage device historically used in mainframe environments. DASD may also include hard drives used in personal computers.PhysicalMay 9, 2026
Direct data feednounA process used by information aggregators to gather information directly from a website operator rather than copying it from a displayed webpage.ProcessMay 12, 2026
Direct data feedMWEcandidateMay 12, 2026
Direct debitnounElectronic transfer, usually through ACH, out of an individual's checking (or savings) account to pay bills, such as mortgage payments, insurance premiums, and utility payments. Also referred to as "direct payment."DataRegulatedPIIMay 9, 2026
Direct debitMWEcandidateMay 9, 2026
Direct depositnounElectronic deposits or credit, usually through ACH, to an individual's deposit account. Common uses of direct deposit include payroll payments, Social Security benefits, and income from investments such as CDs, annuities, and mutual funds.DataRegulatedPIIMay 9, 2026
Direct depositMWEcandidateMay 9, 2026
Direct presentmentnounDepositary banks can present checks directly to the paying institution. The paying institution may be the depositary bank (no settlement is needed), or, if not, may settle on the books of the Federal Reserve, using the Federal Reserve's national settlement service.ProcessRegulatedMay 9, 2026
Direct presentmentMWEcandidateMay 9, 2026
Direct ShipmentnounShipment of COMSEC material directly from NSA to user COMSEC accounts.ProcessRegulatedCUIMay 9, 2026
Direct ShipmentMWEcandidateMay 9, 2026
directionnounThe management or guidance of someone or something.ProcessMay 12, 2026
DisassemblynounThe process of taking a binary program and deriving the source code from it.ProcessMay 9, 2026
Disasternoun1. A sudden, unplanned calamitous event causing great damage or loss. Any event that creates an inability on an enterprise's part to provide critical business functions for some predetermined period of time. Similar terms are business interruption, outage and catastrophe. 2. The period when enterprise management decides to divert from normal production responses and exercises its disaster recovery plan (DRP). It typically signifies the beginning of a move from a primary location to an alternate location.EventRegulatedMay 12, 2026
Disaster recoverynounThe process of recovering from major processing interruptions.ProcessMay 9, 2026
Disaster recoveryMWEcandidateMay 9, 2026
Disaster recovery exercisenounA test of an institution's disaster recovery or BCP.ProcessMay 12, 2026
Disaster recovery exerciseMWEcandidateMay 12, 2026
Disaster recovery plannounManagement policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The DRP is the second plan needed by the enterprise risk managers and is used when the enterprise must recover (at its original facilities) from a loss of capability over a period of hours or days. See Continuity of Operations Plan and Contingency Plan.ProcessInternalMay 9, 2026
Disaster recovery planMWEcandidateMay 9, 2026
discloseverbTo release, transfer, spread widely, or communicate verbally, in writing, electronically, or any other means to a third party.UnclassifiedMay 11, 2026
DisconnectionnounThe termination of an interconnection between two or more IT systems. A disconnection may be planned (e.g., due to changed business needs) or unplanned (i.e., due to an attack or other contingency).EventMay 9, 2026
discoververbfind or learn something new through exploration or investigationCreateUnclassifiedMay 11, 2026
Discretionary access controlnounA means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).ControlMay 9, 2026
Discretionary access controlMWEcandidateMay 9, 2026
discriminateverbrecognize and identify fine distinctions or differences between itemsEvaluateUnclassifiedMay 11, 2026
discussverbexamine a topic in detail through written or verbal exchange of ideasCreateUnclassifiedMay 11, 2026
discussnounTalk about (something) with another person or group of people.ProcessMay 9, 2026
discussionnounA conversation or debate about a specific topic.ProcessMay 9, 2026
Disk ImagingnounGenerating a bit-for-bit copy of the original media, including free space and slack space.ProcessRegulatedMay 12, 2026
Disk ImagingMWEcandidateMay 12, 2026
Disk shadowingnounA back-up process that involves writing images to two physical disks or servers simultaneously.ProcessMay 12, 2026
Disk shadowingMWEcandidateMay 12, 2026
Disparate ImpactnouncandidateMay 13, 2026
Disparate ImpactMWEcandidateMay 13, 2026
Disparate TreatmentnouncandidateMay 13, 2026
Disparate TreatmentMWEcandidateMay 13, 2026
displayverbpresent or exhibit information, data, or work for others to viewApplyUnclassifiedMay 11, 2026
disposalnounThe purpose of this task is to address the final disposition of regulated data by discarding media with no other sanitization considerations or transferring records to their final state: either destruction or transfer to an archive.ProcessRegulatedCUIMay 9, 2026
dispose ofnounGet rid of by throwing away or giving or selling to someone else.ProcessMay 12, 2026
dispose ofMWEcandidateMay 12, 2026
disproveverbdemonstrate that something is false or invalid using evidenceEvaluateUnclassifiedMay 11, 2026
disruptionnounAn unplanned event that causes the general system or major application to be inoperable for an unacceptable length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).EventMay 9, 2026
dissectverbanalyze something in fine detail by separating it into its component partsAnalyzeUnclassifiedMay 11, 2026
Distance VectornounDistance vectors measure the cost of routes to determine the best route to all known networks.MetricMay 9, 2026
Distance VectorMWEcandidateMay 9, 2026
distinguishverbrecognize and point out differences that make something uniqueAnalyzeUnclassifiedMay 11, 2026
Distinguished NamenounA unique name or character string that unambiguously identifies an entity according to the hierarchical naming conventions of X.500 directory service.CredentialMay 12, 2026
Distinguished NameMWEcandidateMay 12, 2026
Distinguishing IdentifiernounInformation which unambiguously distinguishes an entity in the authentication process.CredentialRestrictedPIIMay 9, 2026
Distinguishing IdentifierMWEcandidateMay 9, 2026
distributeverbTo deal out or supply; give shares of something.UnclassifiedMay 11, 2026
distributed denial of servicenounA Denial of Service technique that uses numerous hosts to perform the attack.ThreatMay 12, 2026
distributed denial of serviceMWEcandidateMay 12, 2026
Distributed denial of service (DDoS)nounA type of attack that makes a computer resource or resources unavailable to its intended users. Although the means to carry out, motives for, and targets of a DDoS attack may vary, it generally consists of the concerted efforts of a group that intends to affect an institution's reputation by preventing an Internet site, service, or application from functioning efficiently.ThreatMay 9, 2026
Distributed environmentnounA computer system with data and program components physically distributed across more than one computer.SystemMay 9, 2026
Distributed environmentMWEcandidateMay 9, 2026
Distributed ScansnounDistributed Scans are scans that use multiple source addresses to gather information.CapabilityMay 9, 2026
Distributed ScansMWEcandidateMay 9, 2026
Distributional RobustnessnouncandidateMay 13, 2026
Distributional RobustnessMWEcandidateMay 13, 2026
DiversitynounA description of financial services sectors in which primary and back-up telecommunications capabilities do not share a single point of failure.RequirementMay 9, 2026
divideverbseparate something into parts, sections, or categoriesAnalyzeUnclassifiedMay 11, 2026
doverbTo perform, work on, or carry out.UnclassifiedMay 11, 2026
documentverbrecord information systematically for reference, evidence, or communicationAnalyzeUnclassifiedMay 11, 2026
documentationnounInstructions, specifications, and other descriptive information relating to the installation and use of hardware, software, systems, or files.ArtifactMay 12, 2026
DomainnounAn environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture.NetworkMay 9, 2026
Domain ExpertisenouncandidateMay 13, 2026
Domain ExpertiseMWEcandidateMay 13, 2026
Domain HijackingnounDomain hijacking is an attack by which an attacker takes over a domain by first blocking access to the domain's DNS server and then putting his own server up in its place.ThreatMay 9, 2026
Domain HijackingMWEcandidateMay 9, 2026
Domain NamenounA domain name locates an organization or other entity on the Internet. For example, the domain name "www.sans.org" locates an Internet address for "sans.org" at Internet point 199.0.0.2 and a particular host server named "www". The "org" part of the domain name reflects the purpose of the organization or entity (in this example, "organization") and is called the top-level domain name. The "sans" part of the domain name defines the organization or entity and together with the top-level is called the second-level domain name.NetworkMay 12, 2026
Domain NameMWEcandidateMay 12, 2026
Domain name systemnounA hierarchical database that is distributed across the Internet that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and e-mail serversNetworkMay 9, 2026
Domain name systemMWEcandidateMay 9, 2026
Domain Name System security extensions (DNSSEC)nounA technology that was developed to, among other things, protect against such attacks by digitally 'signing' data so you can be assured it is valid.ControlMay 12, 2026
Domain ShiftnouncandidateMay 13, 2026
Domain ShiftMWEcandidateMay 13, 2026
dramatizeverbexpress or represent something in a vivid or theatrical mannerApplyUnclassifiedMay 11, 2026
drawverbcreate a visual representation or derive a conclusion from evidenceApplyUnclassifiedMay 11, 2026
Drinking Your Own ChampagnenouncandidateMay 13, 2026
Drinking Your Own ChampagneMWEcandidateMay 13, 2026
Drop AccountabilitynounProcedure under which a COMSEC account custodian initially receipts for COMSEC material, and provides no further accounting for it to its central office of record. Local accountability of the COMSEC material may continue to be required. See Accounting Legend Code.ProcessRegulatedCUIMay 9, 2026
Drop AccountabilityMWEcandidateMay 9, 2026
Dual controlnounDividing the responsibility of a task into separate, accountable actions to ensure the integrity of the process.ControlMay 12, 2026
Dual controlMWEcandidateMay 12, 2026
Dual-Use CertificatenounA certificate that is intended for use with both digital signature and data encryption services.CredentialMay 9, 2026
Dual-Use CertificateMWEcandidateMay 9, 2026
Due carenounThe level of care expected from a reasonable person of similar competency under similar conditionsRequirementRegulatedMay 12, 2026
Due careMWEcandidateMay 12, 2026
due diligencenounThe purpose of this task is to take reasonable action in order to comply with a law or industry standard.ProcessRegulatedMay 12, 2026
due diligenceMWEcandidateMay 12, 2026
Due diligence for service provider selectionnounTechnical, functional, and financial review to verify a third-party service provider's ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients.ProcessInternalMay 12, 2026
due diligence processnounThe series of actions an organization takes to implement the steps needed to ensure they respect human rights and do not contribute to conflict.ProcessRegulatedMay 9, 2026
due diligence processMWEcandidateMay 9, 2026
DumpSecnounDumpSec is a security tool that dumps a variety of information about a system's users, file system, registry, permissions, password policy, and services.CapabilityMay 9, 2026
Dumpster DivingnounDumpster Diving is obtaining passwords and corporate directories by searching through discarded media.ThreatRestrictedIPMay 9, 2026
Dumpster DivingMWEcandidateMay 9, 2026
duplicateverbmake an exact copy or reproduction of somethingRememberUnclassifiedMay 11, 2026
Duplicate Digital EvidencenounA duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media.ArtifactRegulatedCUIMay 9, 2026
Duplicate Digital EvidenceMWEcandidateMay 9, 2026
DurationnounA field within a certificate that is composed of two subfields: “date of issue” and “date of next issue.”ArtifactRestrictedMay 12, 2026
duringnounThis limits a Control or Mandate's secondary verb to be put into play as the event is happening.candidateMay 9, 2026
dutynounA social, moral, or legal obligation; a responsibility.RequirementMay 9, 2026
dynamic attack surfacenounThe automated, on-the-fly changes of an information system's characteristics to thwart actions of an adversary.CapabilityMay 9, 2026
dynamic attack surfaceMWEcandidateMay 9, 2026
Dynamic Link LibrarynounA collection of small programs, any of which can be called when needed by a larger program that is running in the computer. The small program that lets the larger program communicate with a specific device such as a printer or scanner is often packaged as a DLL program (usually referred to as a DLL file).SystemMay 9, 2026
Dynamic Link LibraryMWEcandidateMay 9, 2026
Dynamic portsnounDynamic and/or private ports--49152 through 65535: Not listed by IANA because of their dynamic nature.NetworkMay 12, 2026
Dynamic portsMWEcandidateMay 12, 2026
Dynamic ProcessnounProcessMay 13, 2026
Dynamic ProcessMWEcandidateMay 13, 2026
Dynamic Routing ProtocolnounAllows network devices to learn routes (e.g., RIP, EIGRP). Dynamic routing occurs when routers talk to adjacent routers, informing each other of what networks each router is currently connected to. The routers must communicate using a routing protocol, of which there are many to choose from. The process on the router that is running the routing protocol, communicating with its neighbor routers, is usually called a routing daemon. The routing daemon updates the kernel's routing table with information it receives from neighbor routers.NetworkMay 12, 2026
Dynamic Routing ProtocolMWEcandidateMay 12, 2026
Dynamic SubsystemnounA subsystem that is not continually present during the execution phase of an information system. Service-oriented architectures and cloud computing architectures are examples of architectures that employ dynamic subsystems.SystemMay 12, 2026
Dynamic SubsystemMWEcandidateMay 12, 2026
E-BankingnounThe remote delivery of new and traditional banking products and services through electronic delivery channels.SystemRegulatedPCIMay 9, 2026
E-commercenounThe processes by which enterprises conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology. Scope Note: E-commerce encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-commerce models, but does not include existing non-Internet e-commerce methods based on private networks such as electronic data interchange (EDI) and Society for Worldwide Interbank Financial Telecommunication (SWIFT).ProcessMay 12, 2026
E-GovernmentnounThe use by the U.S. government of Web-based Internet applications and other information technology.CapabilityRegulatedCUIMay 9, 2026
E-mail servernounA computer that manages e-mail traffic.SystemMay 9, 2026
E-mail serverMWEcandidateMay 9, 2026
Easter EggnounHidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes are entered. Easter eggs are typically used to display the credits for the development team and are intended to be nonthreatening.VulnerabilityMay 9, 2026
Easter EggMWEcandidateMay 9, 2026
EavesdroppingnounListening to a private communication without permission.ThreatMay 9, 2026
Eavesdropping AttacknounAn attack in which an Attacker listens passively to the authentication protocol to capture information which can be used in a subsequent active attack to masquerade as the Claimant.ThreatRegulatedMay 12, 2026
Eavesdropping AttackMWEcandidateMay 12, 2026
Echo ReplynounAn echo reply is the response a machine that has received an echo request sends over ICMP.NetworkMay 9, 2026
Echo ReplyMWEcandidateMay 9, 2026
Echo RequestnounAn echo request is an ICMP message sent to a machine to determine if it is online and how long traffic takes to get to it.NetworkMay 12, 2026
Echo RequestMWEcandidateMay 12, 2026
ecosystemnounA system or group of interconnected elements, formed by linkages and dependencies. For an FMI, this may include participants, linked FMIs, service providers, vendors and vendor products.SystemRegulatedMay 12, 2026
Edge CasenouncandidateMay 13, 2026
Edge CaseMWEcandidateMay 13, 2026
editverbreview and revise content for accuracy, clarity, and qualityApplyUnclassifiedMay 11, 2026
editorializeverbexpress opinions or commentary on a subject, particularly in writingEvaluateUnclassifiedMay 11, 2026
educateverbTo give or provide with information or intellectual, social, or moral instruction; inform.UnclassifiedMay 11, 2026
educationnounThe process of receiving or giving systematic instruction, especially at a school or university.ProcessMay 9, 2026
Education and TrainingnounIn the NICE Workforce Framework, cybersecurity work where a person: Conducts training of personnel within pertinent subject domain; develops, plans, coordinates, delivers, and/or evaluates training courses, methods, and techniques as appropriate.ProcessMay 9, 2026
Education and TrainingMWEcandidateMay 9, 2026
Education Information SecuritynounEducation integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and proactive response.CapabilityMay 9, 2026
Education Information SecurityMWEcandidateMay 9, 2026
effectnounA change brought about by a cause, action, or agent; a result.candidateMay 9, 2026
effectivenessnounThe degree to which information is relevant and pertinent to the business process as well as delivered in a timely, correct, consistent, and usable manner.MetricMay 12, 2026
EgressnounNetwork communications going outNetworkMay 9, 2026
Egress FilteringnounFiltering of outgoing network traffic.ControlMay 9, 2026
Egress FilteringMWEcandidateMay 9, 2026
elaborateverbdevelop or add detail to an idea, plan, or piece of workCreateUnclassifiedMay 11, 2026
Electricity Sector Information Sharing and Analysis CenternounThe Electricity Sector Information Sharing and Analysis Center (ES-ISAC) shares critical information with industry participants about infrastructure protection. The ES-ISAC serves the electricity sector by facilitating communications between electricity sector participants, federal governments, and other critical infrastructures. It is the job of the ES-ISAC to promptly disseminate threat indications, vulnerabilities, analyses, and warnings, together with interpretations, to help electricity sector participants take protective actions.OrganizationRegulatedCUIMay 9, 2026
electronic accessnounThe right or opportunity to use or retrieve something or enter a place through electronic means.ControlRegulatedMay 12, 2026
electronic accessMWEcandidateMay 12, 2026
electronic access controlnounA cyber asset that performs electronic access control of the Electronic Security Perimeter(s) or BES Cyber Systems.ControlRegulatedCUIMay 9, 2026
electronic access controlMWEcandidateMay 9, 2026
Electronic Access PointnounA Cyber Asset interface on an Electronic Security Perimeter that allows routable communication between Cyber Assets outside an Electronic Security Perimeter and Cyber Assets inside an Electronic Security Perimeter.NetworkRegulatedCUIMay 12, 2026
Electronic Access PointMWEcandidateMay 12, 2026
Electronic AuthenticationnounThe process of establishing confidence in user identities electronically presented to an information system.ProcessMay 9, 2026
Electronic AuthenticationMWEcandidateMay 9, 2026
Electronic Benefits Transfer (EBT)nounA type of EFT system involving the transfer of public entitlement payments, such as welfare or food stamps, through direct deposit or point-of-sale technology (see POS). The recipient can be given an identification card, similar to a benefit card, and a PIN allowing access to the benefits through an electronic network.SystemRegulatedPIIMay 9, 2026
Electronic Benefits Transfer (EBT)MWEcandidateMay 9, 2026
Electronic bill presentment and payment (EBPP)nounAn electronic alternative to traditional bill payment, allowing a merchant or utility to present its customers with an electronic bill and the payer to pay the bill electronically. EBPP systems usually fall within two models: direct and consolidation-aggregation. In the direct model, the merchant or utility generates an electronic version of the consumer's billing information, and notifies the consumer of a pending bill, generally via e-mail. The consumer can initiate payment of the electronically presented bill using a variety of payment mechanisms, typically a credit card. In the consolidation-aggregation model, the consumer's bills are consolidated by a consolidator acting on behalf of merchants and utilities (or aggregated on behalf of the consumer), combining data from multiple bills and presenting a single source for the consumer to initiate payment. Some consolidators present bills at their own web sites, typically most support the aggregation of bills by consumer service providers such as Internet portals, financial institutions, and brokerage web sites.SystemRegulatedPCIMay 9, 2026
Electronic BusinessnounDoing business online.ProcessMay 12, 2026
Electronic BusinessMWEcandidateMay 12, 2026
Electronic check conversionnounThe process by which a check is used as a source of information for the check number, the customer's account number, and the number that identifies the financial institution. The information is used to make a one-time electronic payment from the customer's account -- an electronic fund transfer. The check itself is not the method of payment.ProcessRegulatedPIIMay 9, 2026
Electronic check conversionMWEcandidateMay 9, 2026
Electronic check presentment (ECP)nounCheck truncation methodology in which the paper check's MICR line information is captured and stored electronically for presentment. The physical checks may or may not be presented after the electronic files are delivered, depending on the type of ECP service that is used.ProcessRegulatedPCIMay 9, 2026
Electronic check presentment (ECP)MWEcandidateMay 9, 2026
Electronic commerce (E-Commerce)nounA broad term encompassing the remote procurement and payment by businesses or consumers of goods and services through electronic systems such as the Internet.ProcessMay 9, 2026
Electronic commerce (E-Commerce)MWEcandidateMay 9, 2026
Electronic CredentialsnounDigital documents used in authentication that bind an identity or an attribute to a subscriber's token.CredentialRestrictedCUIMay 12, 2026
Electronic CredentialsMWEcandidateMay 12, 2026
Electronic data capture (EDC)nounProcess used for capturing and transferring the encoded information on the magnetic strip from a bankcard or debit card at the point-of-sale to the processor's database.ProcessRegulatedPCIMay 9, 2026
Electronic data capture (EDC)MWEcandidateMay 9, 2026
Electronic EvidencenounInformation and data of investigative value that is stored on or transmitted by an electronic device.ArtifactRegulatedMay 12, 2026
Electronic EvidenceMWEcandidateMay 12, 2026
electronic funds transfernounThe use of telecommunications networks to transfer funds from one financial institution, as a bank, to another, or to withdraw funds from one's own account to deposit in a creditor's.ProcessRegulatedPCIMay 9, 2026
electronic funds transferMWEcandidateMay 9, 2026
Electronic funds transfer (EFT)nounA generic term describing any transfer of funds between parties or depository institutions through electronic data systems.ProcessRegulatedPCIMay 9, 2026
Electronic funds transfer (EFT)MWEcandidateMay 9, 2026
Electronic Funds Transfer Act (EFTA)nounThe Electronic Funds Transfer Act and Regulation E are designed to ensure adequate disclosure of basic terms, costs, and rights relating to electronic fund transfer (EFT) services provided to consumers. Institutions offering EFT services must disclose to consumers certain information, including: initial and updated EFT terms, transaction information, periodic statements of activity, the consumer's potential liability for unauthorized transfers, and error resolution rights and procedures. EFT services include automated teller machines, telephone bill payment, point-of-sale transfers in retail stores, fund transfers initiated through the Internet, and pre-authorized transfers to or from a consumer's account.FrameworkRegulatedMay 9, 2026
electronic funds transfer activitynounAny transfer of funds which is initiated through an electronic terminal, telephonic instrument, computer, or magnetic tape so as to order, instruct, or authorize a financial institution to debit or credit an account. ... These are normally considered retail funds transfer systems.DataRegulatedPCIMay 9, 2026
electronic funds transfer activityMWEcandidateMay 9, 2026
electronic funds transfer functionnounAny activity that corresponds with or relates to the transfer of funds electronicallyCapabilityRegulatedMay 12, 2026
electronic funds transfer functionMWEcandidateMay 12, 2026
Electronic funds transfer point of sale equipmentnounAny instruments or machinery required for an electronic transfer of money to take place.PhysicalRegulatedPCIMay 9, 2026
Electronic Key EntrynounThe entry of cryptographic keys into a cryptographic module using electronic methods such as a smart card or a key-loading device. (The operator of the key may have no knowledge of the value of the key being entered.)ProcessRegulatedCUIMay 12, 2026
Electronic Key EntryMWEcandidateMay 12, 2026
Electronic Key Management SystemnounInteroperable collection of systems being developed by services and agencies of the U.S. government to automate the planning, ordering, generating, distributing, storing, filling, using, and destroying of electronic key and management of other types of COMSEC material.SystemRegulatedCUIMay 9, 2026
Electronic Key Management SystemMWEcandidateMay 9, 2026
Electronic Messaging ServicesnounServices providing interpersonal messaging capability; meeting specific functional, management, and technical requirements; and yielding a business-quality electronic mail service suitable for the conduct of official government business.CapabilityRegulatedCUIMay 9, 2026
Electronic Messaging ServicesMWEcandidateMay 9, 2026
Electronic Security PerimeternounThe logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.NetworkRegulatedCUIMay 12, 2026
Electronic Security PerimeterMWEcandidateMay 12, 2026
electronic signaturenounThe process of applying any mark in electronic form with the intent to sign a data object. See also Digital Signature.CredentialRegulatedMay 9, 2026
electronic signatureMWEcandidateMay 9, 2026
Electronic vaultingnounA back-up procedure that copies changed files and transmits them to an off-site location using a batch process.ProcessRegulatedMay 12, 2026
Electronic vaultingMWEcandidateMay 12, 2026
Electronically Generated KeynounKey generated in a COMSEC device by introducing (either mechanically or electronically) a seed key into the device and then using the seed, together with a software algorithm stored in the device, to produce the desired key.CredentialRegulatedCUIMay 9, 2026
Electronically Generated KeyMWEcandidateMay 9, 2026
Electronically-created payment ordersnounThese are payment orders received by merchants from consumers, typically by telephone or the Internet. These payment orders are processed through the check processing system although they were not initiated as paper checks. These payment orders are not subject to check law and are not warranted by the Federal Reserve Banks.DataRegulatedPCIMay 9, 2026
elevated accessnounRoles or permissions that, if misused or compromised, could allow a person to exploit the system for his or her own gain or illicit purpose.ControlRegulatedMay 12, 2026
elevated accessMWEcandidateMay 12, 2026
Elliptical curve cryptographynounAn algorithm that combines plane geometry with algebra to achieve stronger authentication with smaller keys compared to traditional methods, such as RSA, which primarily use algebraic factoring. Scope Note: Smaller keys are more suitable to mobile devices.CapabilityMay 9, 2026
Elliptical curve cryptographyMWEcandidateMay 9, 2026
Emanations AnalysisnounGaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but is not intended to communicate the data.CapabilityRestrictedCUIMay 12, 2026
Emanations AnalysisMWEcandidateMay 12, 2026
Emanations SecuritynounProtection resulting from measures taken to deny unauthorized individuals information derived from intercept and analysis of compromising emissions from crypto-equipment or an information system. See TEMPEST.ControlRegulatedCUIMay 9, 2026
Emanations SecurityMWEcandidateMay 9, 2026
Embedded ComputernounComputer system that is an integral part of a larger system.SystemMay 9, 2026
Embedded ComputerMWEcandidateMay 9, 2026
Embedded Cryptographic SystemnounCryptosystem performing or controlling a function as an integral element of a larger system or subsystem.SystemRegulatedCUIMay 12, 2026
Embedded Cryptographic SystemMWEcandidateMay 12, 2026
Embedded CryptographynounCryptography engineered into an equipment or system whose basic function is not cryptographic.ControlMay 9, 2026
Embedded CryptographyMWEcandidateMay 9, 2026
EmbeddingnouncandidateMay 13, 2026
Emergency plannounThe steps to be followed during and immediately after an emergency such as a fire, tornado, bomb threat, etc.ProcessInternalMay 12, 2026
Emergency planMWEcandidateMay 12, 2026
emerging issuenounA known topic or problem that is changing or a topic or problem that most people are not aware of.FindingMay 9, 2026
emerging issueMWEcandidateMay 9, 2026
employverbuse or apply a method, tool, or technique for a specific purposeApplyUnclassifiedMay 11, 2026
employeenounThis role focuses on individuals who work directly for an organization, e.g. university, government, company. Any individual who works directly for an organization and is paid a wage or salary for their work should be assigned to this role.RoleMay 9, 2026
employee accessnounThe privileges to gain entry to somewhere or to use something given only to employees.ControlRegulatedMay 9, 2026
employee accessMWEcandidateMay 9, 2026
EmulationnouncandidateMay 13, 2026
enablenounIn Computing: to make a device or system ready for use; activate.ProcessMay 12, 2026
EncapsulationnounThe inclusion of one data structure within another structure so that the first data structure is hidden for the time being.ControlMay 9, 2026
Encapsulation security payloadnounProtocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and (limited) traffic flow confidentiality. (RFC 4303) Scope Note: The ESP header is inserted after the IP header and before the next layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode).NetworkMay 9, 2026
Encapsulation security payloadMWEcandidateMay 9, 2026
encipherverbConvert plain text to cipher text by means of a cryptographic system.RememberUnclassifiedMay 11, 2026
EnclavenounCollection of information systems connected by one or more internal networks under the control of a single authority and security policy. The systems may be structured by physical proximity or by function, independent of location.SystemRegulatedMay 12, 2026
Enclave BoundarynounPoint at which an enclave’s internal network service layer connects to an external network’s service layer, i.e., to another enclave or to a Wide Area Network (WAN).NetworkRegulatedMay 12, 2026
Enclave BoundaryMWEcandidateMay 12, 2026
encodeverbConvert plain text to cipher text by means of a code.RememberUnclassifiedMay 11, 2026
encryptverbApplyUnclassifiedMay 12, 2026
encryptnounGeneric term encompassing encipher and encode.ControlMay 9, 2026
encrypted connectionnounA connection between a computer and another computer where the traffic between the two systems has been encrypted.NetworkMay 12, 2026
encrypted connectionMWEcandidateMay 12, 2026
Encrypted KeynounA cryptographic key that has been encrypted using an Approved security function with a key encrypting key, a PIN, or a password in order to disguise the value of the underlying plaintext key.CredentialRegulatedCUIMay 12, 2026
Encrypted KeyMWEcandidateMay 12, 2026
Encrypted NetworknounA network on which messages are encrypted (e.g., using DES, AES, or other appropriate algorithms) to prevent reading by unauthorized parties.NetworkRestrictedMay 12, 2026
Encrypted NetworkMWEcandidateMay 12, 2026
EncryptionnounThe process of changing plaintext into ciphertext for the purpose of security or privacy.ControlMay 9, 2026
Encryption algorithmnounSet of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key.ControlMay 9, 2026
Encryption algorithmMWEcandidateMay 9, 2026
Encryption CertificatenounA certificate containing a public key that is used to encrypt electronic messages, files, documents, or data transmissions, or to establish or exchange a session key for these same purposes.CredentialMay 9, 2026
Encryption CertificateMWEcandidateMay 9, 2026
Encryption keynounA piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertextCredentialRestrictedCUIMay 9, 2026
Encryption keyMWEcandidateMay 9, 2026
End Cryptographic UnitnounDevice that (1) performs cryptographic functions, (2) typically is part of a larger system for which the device provides security services, and (3) from the viewpoint of a supporting security infrastructure (e.g., a key management system), is the lowest level of identifiable component with which a management transaction can be conducted.SystemRegulatedCUIMay 9, 2026
End Cryptographic UnitMWEcandidateMay 9, 2026
End EventnouncandidateMay 13, 2026
End EventMWEcandidateMay 13, 2026
End usernounThis role is focused on the consumers of a product or the access to and use of information systems and networks within the organization. Any individual who uses the product should be assigned to this role.RoleMay 9, 2026
End userMWEcandidateMay 9, 2026
End-Item AccountingnounAccounting for all the accountable components of a COMSEC equipment configuration by a single short title.ProcessRegulatedCUIMay 9, 2026
End-Item AccountingMWEcandidateMay 9, 2026
End-of-lifenounAll software products have life cycles. End-of-life refers to the date when a software development company no longer provides automatic fixes, updates, or online technical assistance for the product.RequirementMay 9, 2026
End-point securitynounRefers to a methodology of protecting the corporate network when accessed with remote devices, such as laptops, or other wireless and mobile devices. Each device with a remote connection to the network creates a potential entry (or exit) point for security threats.CapabilityMay 12, 2026
End-point securityMWEcandidateMay 12, 2026
End-to-End EncryptionnounCommunications encryption in which data is encrypted when being passed through a network, but routing information remains visible.ControlMay 9, 2026
End-to-End EncryptionMWEcandidateMay 9, 2026
End-to-end process flownounDocument that details the flow of the processes, considering automated and manual control points, hardware, databases, network protocols, and real-time versus periodic processing characteristics.ProcessMay 12, 2026
End-to-end process flowMWEcandidateMay 12, 2026
End-to-end recoverabilitynounThe ability of an institution to recover a business process from initiation, such as customer contact, through process finalization, such as transaction closure.CapabilityRegulatedMay 12, 2026
End-to-end recoverabilityMWEcandidateMay 12, 2026
End-to-End SecuritynounSafeguarding information in an information system from point of origin to point of destination.ControlMay 9, 2026
End-to-End SecurityMWEcandidateMay 9, 2026
enforceverbTo compel obedience to, observance of, or compliance with laws, rules, duties, or commitments.UnclassifiedMay 11, 2026
Engagement LetternounThis record contains formal agreements to perform services in exchange for compensation.ArtifactConfidentialMay 9, 2026
Engagement LetterMWEcandidateMay 9, 2026
EngineernounRoleMay 13, 2026
enhanceverbimprove the quality, value, or effectiveness of somethingCreateUnclassifiedMay 11, 2026
Enrollment ManagernounThe management role that is responsible for assigning user identities to management and non-management roles.RoleMay 9, 2026
Enrollment ManagerMWEcandidateMay 9, 2026
EnsemblenouncandidateMay 13, 2026
ensureverbmake certain that something happens or is the caseAnalyzeUnclassifiedMay 11, 2026
enterverbIncidentalMay 11, 2026
enternounBegin to be involved in.candidateMay 9, 2026
enter dataverbinput data values into a systemApplyIncidentalMay 11, 2026
enter dataMWEverifiedMay 11, 2026
EnterprisenounAn organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information and mission management.OrganizationMay 9, 2026
Enterprise ArchitecturenounThe description of an enterprise’s entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise’s boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture.FrameworkMay 9, 2026
Enterprise ArchitectureMWEcandidateMay 9, 2026
enterprise risk managementnounThe methods and processes used by an enterprise to manage risks to its mission and to establish the trust necessary for the enterprise to support shared missions. It involves the identification of mission dependencies on enterprise capabilities, the identification and prioritization of risks due to defined threats, the implementation of countermeasures to provide both a static risk posture and an effective dynamic response to active threats; and it assesses enterprise performance against threats and adjusts countermeasures as necessary.ProcessMay 9, 2026
enterprise risk managementMWEcandidateMay 9, 2026
Enterprise ServicenounA set of one or more computer applications and middleware systems hosted on computer hardware that provides standard information systems capabilities to end users and hosted mission applications and services.SystemMay 9, 2026
Enterprise ServiceMWEcandidateMay 9, 2026
Enterprise-widenounAcross an entire organization, rather than a single business department or function.OrganizationMay 12, 2026
EntitynounEither a subject (an active element that operates on information or the system state) or an object (a passive element that contains or receives information).candidateMay 9, 2026
entrance of a visitornounThis Triggering Event takes place when a visitor enters the organization's facility.EventInternalMay 12, 2026
entrance of a visitorMWEcandidateMay 12, 2026
EntrapmentnounDeliberate planting of apparent flaws in an IS for the purpose of detecting attempted penetrations.ControlRestrictedMay 12, 2026
EntropynounA measure of the amount of uncertainty that an Attacker faces to determine the value of a secret. Entropy is usually stated in bits.MetricMay 9, 2026
entrynounA reference to an item in a list, register, or catalog.ArtifactMay 9, 2026
entry pointnounAn entry point is a memory address, corresponding to a point in the code of a computer program which is intended as destination of a long jump, be it internal or external.SystemRegulatedMay 9, 2026
entry pointMWEcandidateMay 9, 2026
enumerateverblist items one by one in a specific, counted orderUnderstandUnclassifiedMay 11, 2026
EnvironmentnounAggregate of external procedures, conditions, and objects affecting the development, operation, and maintenance of an information system.SystemMay 12, 2026
Environment of OperationnounThe physical, technical, and organizational setting in which an information system operates, including but not limited to: missions/business functions; mission/business processes; threat space; vulnerabilities; enterprise and information security architectures; personnel; facilities; supply chain relationships; information technologies; organizational governance and culture; acquisition and procurement processes; organizational policies and procedures; organizational assumptions, constraints, risk tolerance, and priorities/trade-offs.PhysicalMay 12, 2026
Environment of OperationMWEcandidateMay 12, 2026
environmental controlnounA mechanism that prevents or mitigates damage to facilities and interruptions in service. Smoke detectors, fire alarms and extinguishers, and uninterruptible power supplies are some examples of environmental controls.ControlMay 9, 2026
environmental controlMWEcandidateMay 9, 2026
Ephemeral KeynounA cryptographic key that is generated for each execution of a key establishment process and that meets other requirements of the key type (e.g., unique to each message or session). In some cases, ephemeral keys are used more than once within a single session (e.g., broadcast applications) where the sender generates only one ephemeral key pair per message, and the private key is combined separately with each recipient’s public key.CredentialRestrictedMay 12, 2026
Ephemeral KeyMWEcandidateMay 12, 2026
Ephemeral PortnounAlso called a transient port or a temporary port. Usually is on the client side. It is set up when a client application wants to connect to a server and is destroyed when the client application terminates. It has a number chosen at random that is greater than 1023.NetworkMay 9, 2026
Ephemeral PortMWEcandidateMay 9, 2026
Equality of OddsnouncandidateMay 13, 2026
Equality of OddsMWEcandidateMay 13, 2026
Equality of OpportunitynouncandidateMay 13, 2026
Equality of OpportunityMWEcandidateMay 13, 2026
equipmentnounThe necessary items for a particular purpose.PhysicalMay 9, 2026
equivalentnounA person or thing equal to another in value or measure or force or effect or significance etc.candidateMay 9, 2026
EradicationnounWhen containment measures have been deployed after an incident occurs, the root cause of the incident must be identified and removed from the network. Scope Note: Eradication methods include: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause.ProcessMay 9, 2026
ErasurenounProcess intended to render magnetically stored information irretrievable by normal means.ProcessMay 9, 2026
errornounA defect in function or structure; deviation from what is correct.FindingMay 12, 2026
Error Detection CodenounA code computed from data and comprised of redundant bits of information designed to detect, but not correct, unintentional changes in the data.ControlRegulatedMay 9, 2026
Error Detection CodeMWEcandidateMay 9, 2026
Error PropagationnouncandidateMay 13, 2026
Error PropagationMWEcandidateMay 13, 2026
escortverbTo accompany someone or something somewhere, especially for protection, guidance, or as a mark of rank.UnclassifiedMay 11, 2026
escrownounSomething (e.g., a document, an encryption key) that is "delivered to a third person to be given to the grantee only upon the fulfillment of a condition."ArtifactRegulatedMay 12, 2026
Escrow PasswordsnounEscrow Passwords are passwords that are written down and stored in a secure location (like a safe) that are used by emergency personnel when privileged personnel are unavailable.CredentialRestrictedMay 12, 2026
Escrow PasswordsMWEcandidateMay 12, 2026
establishverbset up, create, or demonstrate something on a firm or permanent basisCreateUnclassifiedMay 11, 2026
establish and implementverbTo lay the groundwork for something and then put it into practice.UnclassifiedMay 11, 2026
establish and implementMWEcandidateMay 11, 2026
establish and maintainverbTo lay the groundwork for something and uphold it or ensure continuation by requiring maintenance.UnclassifiedMay 11, 2026
establish and maintainMWEcandidateMay 11, 2026
estimateverbform an approximate judgment or calculation of value, size, or costCreateUnclassifiedMay 11, 2026
EthernetnounA popular network protocol and cabling scheme that uses a bus topology and carrier sense multiple access/collision detection (CSMA/CD) to prevent network failures or collisions when two devices try to access the network at the same timeNetworkMay 12, 2026
EthicsnouncandidateMay 13, 2026
Ethics by DesignnouncandidateMay 13, 2026
Ethics by DesignMWEcandidateMay 13, 2026
evaluateverbassess the quality, importance, or value of something against defined criteriaEvaluateSecondaryMay 11, 2026
evaluationnounAct of ascertaining or making a judgment about the amount, number, value, or worth of something.ProcessMay 12, 2026
Evaluation Assurance LevelnounSet of assurance requirements that represent a point on the Common Criteria predefined assurance scale.RequirementRegulatedMay 12, 2026
Evaluation Assurance LevelMWEcandidateMay 12, 2026
Evaluation Products ListnounList of validated products that have been successfully evaluated under the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS).ArtifactPublicPublicInfoMay 12, 2026
Evaluation Products ListMWEcandidateMay 12, 2026
eventnounAny observable occurrence in a system and/or network. Events sometimes provide indication that an incident is occurring.EventMay 9, 2026
event datanounAny data that you want to measure about an event.DataMay 9, 2026
event dataMWEcandidateMay 9, 2026
event informationnounThe data fields and information that need to be captured during monitoring so that the organization knows what happened when the event was triggered.ArtifactMay 9, 2026
event informationMWEcandidateMay 9, 2026
event lognounA basic resource that helps provide information about network traffic, usage and other conditions. An event log stores these data for retrieval by security professionals or automated security systems to help network administrators manage various aspects such as security, performance and transparency.ArtifactRegulatedMay 9, 2026
event logMWEcandidateMay 9, 2026
event loggingnounThe purpose of this task is to record the actions performed on a system.ArtifactRegulatedMay 9, 2026
event loggingMWEcandidateMay 9, 2026
EvidencenounInformation used to establish facts.ArtifactRegulatedMay 12, 2026
ExaminationnounA technical review that makes the evidence visible and suitable for analysis; tests performed on the evidence to determine the presence or absence of specific data.ProcessMay 9, 2026
examineverbinspect or investigate something closely and in detailAnalyzeUnclassifiedMay 11, 2026
ExaminenounA type of assessment method that is characterized by the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence, the results of which are used to support the determination of security control effectiveness over time.ProcessMay 9, 2026
examinernounA person who inspects or investigates someone or something.RoleMay 9, 2026
exampleverbprovide a specific instance that illustrates a concept or principleUnderstandUnclassifiedMay 11, 2026
ExamplenouncandidateMay 13, 2026
ExceptionnouncandidateMay 13, 2026
Exculpatory EvidencenounEvidence that tends to decrease the likelihood of fault or guilt.ArtifactRestrictedMay 12, 2026
Exculpatory EvidenceMWEcandidateMay 12, 2026
executablenounA file or program that can be run by a computer.DataRegulatedMay 12, 2026
executeverbcarry out or accomplish a plan, task, or actionApplyUnclassifiedMay 13, 2026
execution statusnounThe status of the implementation or enactment of a plan, order, or course of action.MetricRegulatedMay 9, 2026
execution statusMWEcandidateMay 9, 2026
Executive AgencynounAn executive department specified in 5 United States Code (U.S.C.), Sec. 101; a military department specified in 5 U.S.C., Sec. 102; an independent establishment as defined in 5 U.S.C., Sec. 104(1); and a wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91.OrganizationRegulatedCUIMay 9, 2026
Executive AgencyMWEcandidateMay 9, 2026
exemplifyverbserve as or provide a typical example to illustrate a conceptUnderstandUnclassifiedMay 11, 2026
exerciseverbapply or put into practice a skill, right, or processApplyUnclassifiedMay 11, 2026
exercisenounSomething done or performed for a specific purpose.ProcessMay 12, 2026
Exercise KeynounCryptographic key material used exclusively to safeguard communications transmitted over-the-air during military or organized civil training exercises.CredentialRegulatedCUIMay 9, 2026
Exercise KeyMWEcandidateMay 9, 2026
exfiltrationnounThe unauthorized transfer of information from an information system.EventRegulatedMay 12, 2026
exhibitverbdisplay or present evidence, work, or behaviors for observationEvaluateUnclassifiedMay 11, 2026
existnounHave objective reality or being.candidateMay 12, 2026
existencenounThe fact or state of being or having objective reality.candidateMay 9, 2026
existing controlnounControls that are already present in an organization to protect against the identified threats and vulnerabilities.ControlMay 9, 2026
existing controlMWEcandidateMay 9, 2026
exitnounA way out.PhysicalRegulatedMay 12, 2026
expectationnounA strong belief that something will happen or be the case in the future.RequirementMay 9, 2026
Expected OutputnounAny data collected from monitoring and assessments as part of the Information Security Continuous Monitoring (ISCM) strategy.DataInternalCUIMay 12, 2026
Expected OutputMWEcandidateMay 12, 2026
Expedited Funds Availability Act (EFAA)nounSee Regulation CC.FrameworkRegulatedMay 12, 2026
expensenounThe cost required for something; the money spent on something.DataMay 9, 2026
experiencenounThe accumulation of knowledge or skill that results from direct participation in events or activities.candidateMay 9, 2026
experimentverbconduct a test or trial to discover, verify, or demonstrate somethingEvaluateUnclassifiedMay 11, 2026
ExperimentnouncandidateMay 13, 2026
experiment withverbtry different approaches or methods to explore possibilitiesApplyUnclassifiedMay 11, 2026
experiment withMWEverifiedMay 11, 2026
Expert SystemnouncandidateMay 13, 2026
Expert SystemMWEcandidateMay 13, 2026
expertisenounSkill or knowledge in a particular area.CapabilityMay 12, 2026
explainverbmake something clear or understandable by describing it in detailCreateUnclassifiedMay 11, 2026
ExplainabilitynouncandidateMay 13, 2026
ExplainernouncandidateMay 13, 2026
ExplanationnouncandidateMay 13, 2026
ExploitnounA technique or code that uses a vulnerability to provide system access to the attacker. An exploit is an intentional attack to impact an operating system or application program.VulnerabilityMay 9, 2026
Exploit CodenounA program that allows attackers to automatically break into a system.VulnerabilityRestrictedMay 12, 2026
Exploit CodeMWEcandidateMay 12, 2026
Exploitable ChannelnounChannel that allows the violation of the security policy governing an information system and is usable or detectable by subjects external to the trusted computing base. See Covert Channel.VulnerabilityRestrictedMay 12, 2026
Exploitable ChannelMWEcandidateMay 12, 2026
Exploitation AnalysisnounIn the NICE Workforce Framework, cybersecurity work where a person: Analyzes collected information to identify vulnerabilities and potential for exploitation.ProcessMay 9, 2026
Exploitation AnalysisMWEcandidateMay 9, 2026
ExploratorynouncandidateMay 13, 2026
exploreverbinvestigate or examine a topic, area, or concept thoroughlyAnalyzeUnclassifiedMay 11, 2026
Exponential Backoff AlgorithmnounAn exponential backoff algorithm is used to adjust TCP timeout values on the fly so that network devices don't continue to time out sending data over saturated links.ControlMay 12, 2026
Exponential Backoff AlgorithmMWEcandidateMay 12, 2026
exposeverbreveal, uncover, or make visible something that was hidden or unknownApplyUnclassifiedMay 11, 2026
exposurenounThe potential loss to an area due to the occurrence of an adverse event.VulnerabilityRegulatedMay 12, 2026
Exposure limitnounIn reference to the settlement of operating services, this is the maximum amount an ACH originator is allowed to originate. This amount can be based on the originator's credit rating, historical or predicted funding requirements, and the type of obligation.RequirementRegulatedMay 12, 2026
Exposure limitMWEcandidateMay 12, 2026
expressverbconvey thoughts, feelings, or ideas through words, symbols, or actionsApplyUnclassifiedMay 11, 2026
extendverbexpand or build upon existing knowledge, ideas, or conceptsApplyUnclassifiedMay 11, 2026
Extended ACLsnounExtended ACLs are a more powerful form of Standard ACLs on Cisco routers. They can make filtering decisions based on IP addresses (source or destination), ports (source or destination), protocols, and whether a session is established.ControlMay 9, 2026
Extended ACLsMWEcandidateMay 9, 2026
Extensible Authentication ProtocolnounA framework that supports multiple, optional authentication mechanisms for PPP, including clear-text passwords, challenge-response, and arbitrary dialog sequences.CredentialMay 12, 2026
Extensible Authentication ProtocolMWEcandidateMay 12, 2026
Extensible Configuration Checklist Description FormatnounSCAP language for specifying checklists and reporting checklist results.FrameworkInternalMay 12, 2026
Extensible Markup Language (XML)nounXML (Extensible Markup Language) is a "metalanguage", a language for describing other languages – which lets you design your own customized markup languages for different types of documents. It is designed to improve the functionality of the Web by providing more flexible and adaptable information identification.DataMay 9, 2026
Extensible Markup Language (XML)MWEcandidateMay 9, 2026
extentnounA range of values or locations; The space, area, volume, etc., to which something extends.candidateMay 9, 2026
Exterior Gateway ProtocolnounA protocol which distributes routing information to the routers which connect autonomous systems.NetworkMay 9, 2026
Exterior Gateway ProtocolMWEcandidateMay 9, 2026
external auditornounAn auditor who is independent of the legal entity whose financial statements they perform audits on.RoleMay 9, 2026
external auditorMWEcandidateMay 9, 2026
external communicationnounA message that originates from outside the organization.DataMay 12, 2026
external communicationMWEcandidateMay 12, 2026
external connectionnounA link between a system within the organizational boundaries and a secondary (or multiple) system(s) outside of the organizational boundaries.NetworkRegulatedMay 9, 2026
external connectionMWEcandidateMay 9, 2026
external connectivitynounA computer or network connection to an outside, uncontrolled network that is unprotected by perimeter security, e.g., a modem connection to a network computer.NetworkRegulatedMay 9, 2026
external connectivityMWEcandidateMay 9, 2026
external information systemnounAn information system or component of an information system that is outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.SystemRegulatedMay 9, 2026
external information systemMWEcandidateMay 9, 2026
External Information System or ComponentnounAn information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.SystemRegulatedMay 9, 2026
External Information System ServicenounAn information system service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system) and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.SystemRegulatedMay 12, 2026
External Information System ServiceMWEcandidateMay 12, 2026
External Information System Service ProvidernounA provider of external information system services to an organization through a variety of consumer-producer relationships, including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges.OrganizationRegulatedMay 12, 2026
External NetworknounA network not controlled by the organization.NetworkMay 12, 2026
External NetworkMWEcandidateMay 12, 2026
external requirementnounAny law, contractual obligation, code of connection, service level agreement, or even international agreement.RequirementRegulatedMay 9, 2026
external requirementMWEcandidateMay 9, 2026
external routable connectivitynounThe ability to access a Bulk Electric System Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.NetworkRegulatedMay 9, 2026
external routable connectivityMWEcandidateMay 9, 2026
External Security TestingnounSecurity testing conducted from outside the organization’s security perimeter.ProcessMay 12, 2026
External Security TestingMWEcandidateMay 12, 2026
external service providernounAn independent business that provides its services to other businesses.OrganizationMay 12, 2026
external service providerMWEcandidateMay 12, 2026
external usernounIndividuals that are non-workforce members or personnel who are authorized by customers, entity management, or other authorized persons to interact with the system.IdentityRegulatedMay 9, 2026
external userMWEcandidateMay 9, 2026
External ValiditynouncandidateMay 13, 2026
External ValidityMWEcandidateMay 13, 2026
Extraction ResistancenounCapability of crypto-equipment or secure telecommunications equipment to resist efforts to extract key.ControlRegulatedMay 9, 2026
Extraction ResistanceMWEcandidateMay 9, 2026
ExtranetnounA private network that uses Web technology, permitting the sharing of portions of an enterprise’s information or operations with suppliers, vendors, partners, customers, or other enterprises.NetworkMay 12, 2026
extrapolateverbestimate or project beyond known data based on existing trends or patternsAnalyzeUnclassifiedMay 11, 2026
Facial Recognition (FR)nounPIIMay 13, 2026
Facial Recognition (FR)MWEcandidateMay 13, 2026
facilitateverbmake a process or activity easier; help bring about an outcomeCreateUnclassifiedMay 11, 2026
facilitynounA place, amenity, or piece of equipment provided for a particular purpose.PhysicalMay 9, 2026
factorverbidentify the elements or components that contribute to a resultApplyUnclassifiedMay 11, 2026
factornounAnything that contributes to or influences a result.candidateMay 9, 2026
failverbTo break down or cease to work properly.UnclassifiedMay 11, 2026
Fail SafenounAutomatic protection of programs and/or processing systems when hardware or software failure is detected.ControlMay 9, 2026
Fail SafeMWEcandidateMay 9, 2026
Fail SoftnounSelective termination of affected nonessential processing when hardware or software failure is determined to be imminent.ControlMay 9, 2026
Fail SoftMWEcandidateMay 9, 2026
FailovernounThe capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system.CapabilityMay 12, 2026
FailurenounThe condition or action of not functioning.EventMay 9, 2026
Failure AccessnounType of incident in which unauthorized access to data results from hardware or software failure.EventRegulatedMay 12, 2026
Failure AccessMWEcandidateMay 12, 2026
Failure ControlnounMethodology used to detect imminent hardware or software failure and provide fail safe or fail soft recovery.ControlMay 9, 2026
Failure ControlMWEcandidateMay 9, 2026
Fairness MetricnounMetricMay 13, 2026
Fairness MetricMWEcandidateMay 13, 2026
False AcceptancenounIn biometrics, the instance of a security system incorrectly verifying or identifying an unauthorized person. It typically is considered the most serious of biometric security errors as it gives unauthorized users access to systems that expressly are trying to keep them out.VulnerabilityRegulatedMay 9, 2026
False AcceptanceMWEcandidateMay 9, 2026
False Acceptance RatenounThe measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user. A system’s false acceptance rate typically is stated as the ratio of the number of false acceptances divided by the number of identification attempts.MetricMay 9, 2026
False Acceptance RateMWEcandidateMay 9, 2026
False NegativenouncandidateMay 13, 2026
False NegativeMWEcandidateMay 13, 2026
False PositivenounAn alert that incorrectly indicates that malicious activity is occurring.EventMay 9, 2026
False PositiveMWEcandidateMay 9, 2026
False RejectionnounIn biometrics, the instance of a security system failing to verify or identify an authorized person. It does not necessarily indicate a flaw in the biometric system; for example, in a fingerprint-based system, an incorrectly aligned finger on the scanner or dirt on the scanner can result in the scanner misreading the fingerprint, causing a false rejection of the authorized user.EventRegulatedMay 12, 2026
False RejectionMWEcandidateMay 12, 2026
False Rejection RatenounThe measure of the likelihood that the biometric security system will incorrectly reject an access attempt by an authorized user. A system’s false rejection rate typically is stated as the ratio of the number of false rejections divided by the number of identification attempts.MetricMay 9, 2026
False Rejection RateMWEcandidateMay 9, 2026
False RejectsnounFalse Rejects are when an authentication system fails to recognize a valid user.EventMay 9, 2026
False RejectsMWEcandidateMay 9, 2026
Fast File SystemnounThe first major revision to the Unix file system, providing faster read access and faster (delayed, asynchronous) write access through a disk cache and better file system layout on disk. It uses inodes (pointers) and data blocks.SystemMay 9, 2026
Fast File SystemMWEcandidateMay 9, 2026
Fast FluxnounProtection method used by botnets consisting of a continuous and fast change of the DNS records for a domain name through different IP addresses.ThreatMay 12, 2026
Fast FluxMWEcandidateMay 12, 2026
Fault Line AttacksnounFault Line Attacks use weaknesses between interfaces of systems to exploit gaps in coverage.ThreatMay 12, 2026
Fault Line AttacksMWEcandidateMay 12, 2026
Fault TolerancenouncandidateMay 13, 2026
Fault ToleranceMWEcandidateMay 13, 2026
Favorable LabelnouncandidateMay 13, 2026
Favorable LabelMWEcandidateMay 13, 2026
favourverbshow preference for something based on assessment of its meritsRememberUnclassifiedMay 11, 2026
feasibilitynounThe state or degree of being easily or conveniently done.candidateMay 9, 2026
FeaturenouncandidateMay 13, 2026
Feature ExtractionnouncandidateMay 13, 2026
Feature ExtractionMWEcandidateMay 13, 2026
Feature ImportancenouncandidateMay 13, 2026
Feature ImportanceMWEcandidateMay 13, 2026
Feature ShiftnouncandidateMay 13, 2026
Feature ShiftMWEcandidateMay 13, 2026
Federal Bridge Certification AuthoritynounThe Federal Bridge Certification Authority consists of a collection of Public Key Infrastructure components (Certificate Authorities, Directories, Certificate Policies and Certificate Practice Statements) that are used to provide peer-to-peer interoperability among Agency Principal Certification Authorities.SystemRegulatedCUIMay 9, 2026
Federal Bridge Certification Authority MembranenounThe Federal Bridge Certification Authority Membrane consists of a collection of Public Key Infrastructure components including a variety of Certification Authority PKI products, Databases, CA specific Directories, Border Directory, Firewalls, Routers, Randomizers, etc.SystemRegulatedCUIMay 9, 2026
Federal Bridge Certification Authority Operational AuthoritynounThe Federal Bridge Certification Authority Operational Authority is the organization selected by the Federal Public Key Infrastructure Policy Authority to be responsible for operating the Federal Bridge Certification Authority.OrganizationRegulatedCUIMay 9, 2026
Federal Enterprise ArchitecturenounA business-based framework for governmentwide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.FrameworkInternalMay 12, 2026
Federal Enterprise ArchitectureMWEcandidateMay 12, 2026
Federal Information Processing StandardnounA standard for adoption and use by federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology, a part of the U.S. Department of Commerce. A FIPS covers some topic in information technology in order to achieve a common level of quality or some level of interoperability.FrameworkRegulatedCUIMay 12, 2026
Federal Information Security Management ActnounA statute (Title III, P.L. 107-347) that requires agencies to assess risk to information systems and provide information security protections commensurate with the risk. FISMA also requires that agencies integrate information security into their capital planning and enterprise architecture processes, conduct annual information systems security reviews of all programs and systems, and report the results of those reviews to OMB.FrameworkRegulatedMay 9, 2026
Federal Information SystemnounAn information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.SystemRegulatedCUIMay 9, 2026
Federal Information SystemMWEcandidateMay 9, 2026
Federal Information Systems Security Educators’ AssociationnounAn organization whose members come from federal agencies, industry, and academic institutions devoted to improving the IT security awareness and knowledge within the federal government and its related external workforce.OrganizationInternalMay 12, 2026
Federal Public Key Infrastructure Policy AuthoritynounThe Federal PKI Policy Authority is a federal government body responsible for setting, implementing, and administering policy decisions regarding interagency PKI interoperability that uses the FBCA.CredentialMay 9, 2026
Federal Reserve BanksnounThe Federal Reserve Banks provide a variety of financial services including retail and wholesale payments. The Federal Reserve Bank operates a nationwide system for clearing and settling checks drawn on depository institutions located in all regions of the United States.OrganizationRegulatedMay 12, 2026
Federal Reserve BanksMWEcandidateMay 12, 2026
federal securities lawnounConsists of a handful of laws passed between 1933 and 1940, as well as legislation enacted in 1970. The federal laws stem from Congress's power to regulate interstate commerce. Therefore the laws are generally limited to transactions involving transportation or communication using interstate commerce or the mail.FrameworkRegulatedMay 9, 2026
federal securities lawMWEcandidateMay 9, 2026
Federated LearningnouncandidateMay 13, 2026
Federated LearningMWEcandidateMay 13, 2026
FedwirenounThe Federal Reserve Bank's nationwide real time gross settlement electronic funds and securities transfer network. Fedwire® is a credit transfer system. Each funds transfer is settled individually against an institution's reserve or clearing account on the books of the Federal Reserve. The transaction is considered an irrevocable payment as it is processed.NetworkRegulatedMay 9, 2026
Fedwire Funds ServicenounThe Federal Reserve Banks' high-speed electronic funds transfer system. As a real-time gross settlement system, the Fedwire® Funds Service processes and settles individual payments between participants immediately in central bank money. Once processed, these payments are final.SystemRegulatedMay 12, 2026
Fedwire Funds ServiceMWEcandidateMay 12, 2026
Fedwire Securities ServicenounThe Federal Reserve Banks' high-speed electronic payments system for maintaining securities accounts and for effecting securities transfers. The Fedwire® Securities Service provides a real-time, delivery-versus-payment (DVP), gross settlement system that allows for the immediate, simultaneous transfer of securities against payment. Once processed, securities transfers are final.SystemRegulatedMay 12, 2026
Fedwire Securities ServiceMWEcandidateMay 12, 2026
Feedback LoopnouncandidateMay 13, 2026
Feedback LoopMWEcandidateMay 13, 2026
Fibre channelnounA high performance serial link supporting its own, as well as higher-level protocols such as the small computer system interface, high performance parallel interface framing protocol and intelligent peripheral interface. The Fibre Channel standard addresses the need for very fast transfers of large amounts of information. The fast (up to 1 gigabyte per second) technology can be converted for LAN technology by adding a switch specified in the Fibre Channel standard that handles multipoint addressing. Fibre Channel gives users one port that supports both channel and network interfaces, unburdening the computers from a large number of input and output (I/O) ports. Fibre Channel provides control and complete error checking over the link.NetworkMay 9, 2026
Fibre channelMWEcandidateMay 9, 2026
figureverbcalculate, determine, or work out a resultAnalyzeUnclassifiedMay 11, 2026
figure outverbsolve or understand something through reasoning or investigationAnalyzeUnclassifiedMay 11, 2026
figure outMWEverifiedMay 11, 2026
fileverborganize and store documents or information in a systematic arrangementAnalyzeUnclassifiedMay 11, 2026
filenounCollections of data or information under unique identifying names kept in a computer's memory or a storage device.DataMay 12, 2026
File EncryptionnounThe process of encrypting individual files on a storage medium and permitting access to the encrypted data only after proper authentication is provided.ControlMay 9, 2026
File EncryptionMWEcandidateMay 9, 2026
File Name Anomalynoun1. A mismatch between the internal file header and its external extension; or 2. A file name inconsistent with the content of the file (e.g., renaming a graphics file with a non-graphical extension).EventMay 9, 2026
File Name AnomalyMWEcandidateMay 9, 2026
File ProtectionnounAggregate of processes and procedures designed to inhibit unauthorized access, contamination, elimination, modification, or destruction of a file or any of its contents.ControlMay 9, 2026
File ProtectionMWEcandidateMay 9, 2026
File SecuritynounMeans by which access to computer files is limited to authorized users only.ControlMay 9, 2026
File SecurityMWEcandidateMay 9, 2026
File Transfer ProtocolnounA protocol used to transfer files over a Transmission Control Protocol/Internet Protocol (TCP/IP) network (Internet, UNIX, etc.)NetworkMay 9, 2026
File Transfer ProtocolMWEcandidateMay 9, 2026
File transfer protocol (FTP)nounA standard high-level protocol for transferring files from one computer to another, usually implemented as an application level program.NetworkMay 9, 2026
File transfer protocol (FTP)MWEcandidateMay 9, 2026
Fill DevicenounCOMSEC item used to transfer or store key in electronic form or to insert key into cryptographic equipment.PhysicalRegulatedCUIMay 9, 2026
Fill DeviceMWEcandidateMay 9, 2026
filmverbrecord events, processes, or performances on videoCreateUnclassifiedMay 11, 2026
filternounIn Computing: a piece of software that transforms data in some way, such as removing unwanted spaces from text or formatting it for use in another application.ControlMay 9, 2026
Filtering RouternounAn inter-network router that selectively prevents the passage of data packets according to a security policy. A filtering router may be used as a firewall or part of a firewall. A router usually receives a packet from a network and decides where to forward it on a second network. A filtering router does the same, but first decides whether the packet should be forwarded at all, according to some security policy. The policy is implemented by rules (packet filters) loaded into the router.NetworkMay 9, 2026
Filtering RouterMWEcandidateMay 9, 2026
FIN (Financial Application)nounThe SWIFT application within which all SWIFT user-to-user messages are input and output.SystemRegulatedPCIMay 9, 2026
FIN (Financial Application)MWEcandidateMay 9, 2026
FinalitynounIrrevocable and unconditional transfer of payment during settlement.RequirementRegulatedPCIMay 12, 2026
Financial AuthoritynounA supervisory organization that is responsible for safeguarding and maintaining consumer confidence in the financial system.OrganizationRegulatedMay 9, 2026
Financial AuthorityMWEcandidateMay 9, 2026
financial conditionnounThe status of a firm's assets, liabilities and equity positions at a specific point in time, often described in a financial statement.DataRegulatedMay 12, 2026
financial conditionMWEcandidateMay 12, 2026
Financial EDI (FEDI)nounFinancial electronic data interchange. An instrument for settling invoices by initiating payments, processing remittance data and automating reconciliation, through the exchange of electronic messages.DataRegulatedPIIMay 9, 2026
Financial EDI (FEDI)MWEcandidateMay 9, 2026
Financial industry participantsnounFinancial institutions and other companies that are involved in the banking, securities, and/or insurance industry and are regulated by supervisory authorities.OrganizationRegulatedMay 9, 2026
Financial industry participantsMWEcandidateMay 9, 2026
financial institutionnounAny bank licensed under the Banking Act (Cap. 19); any finance company licensed under the Finance Companies Act (Cap. 108); any person that is approved as a financial institution under section 28; any money-changer licensed to conduct money-changing business, or any remitter licensed to conduct remittance business, under the Money-changing and Remittance Businesses Act (Cap. 187); any insurer licensed or regulated under the Insurance Act (Cap. 142); any insurance intermediary registered or regulated under the Insurance Act; any licensed financial adviser under the Financial Advisers Act (Cap. 110); any approved holding company, securities exchange, futures exchange, recognised market operator, licensed trade repository, licensed foreign trade repository, approved clearing house, recognised clearing house or holder of a capital markets services licence under the Securities and Futures Act (Cap. 289); any trustee for a collective investment scheme authorised under section 286 of the Securities and Futures Act, that is approved under that Act; any trustee-manager of a business trust that is registered under the Business Trusts Act (Cap. 31A); any licensed trust company under the Trust Companies Act (Cap. 336); any holder of a stored value facility under the Payment Systems (Oversight) Act (Cap. 222A); any designated financial holding company under the Financial Holding Companies Act 2013 (Act 13 of 2013); any person licensed under the Banking Act (Cap. 19) to carry on the business of issuing credit cards or charge cards in Singapore; and any other person licensed, approved, registered or regulated by the Authority under any written law, but does not include such person or class of persons as the Authority may, by regulations made under this section, prescribe.OrganizationRegulatedMay 9, 2026
financial institutionMWEcandidateMay 9, 2026
financial market infrastructurenounA multilateral system among participating institutions, including the operator of the system, used for the purposes of clearing, settling or recording payments, securities, derivatives or other financial transactions.SystemRegulatedMay 12, 2026
financial market infrastructureMWEcandidateMay 12, 2026
Financial Services Information Sharing and Analysis Center (FS-ISAC)nounA nonprofit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.OrganizationRegulatedMay 9, 2026
financial transactionnounAn event or agreement carried out between a buyer and a seller to exchange an asset for payment.EventRegulatedMay 9, 2026
financial transactionMWEcandidateMay 9, 2026
findverblocate or discover information, objects, or solutionsRememberUnclassifiedMay 11, 2026
findingnounSomething discovered as a result of an inquiry or investigation.FindingRegulatedMay 9, 2026
FingernounA protocol to look up user information on a given host. A Unix program that takes an e-mail address as input and returns information about the user who owns that e-mail address. On some systems, finger only reports whether the user is currently logged on. Other systems return additional information, such as the user's full name, address, and telephone number. Of course, the user must first enter this information into the system. Many e-mail programs now have a finger utility built into them.NetworkPIIMay 12, 2026
FingerprintingnounSending strange packets to a system in order to gauge how it responds to determine the operating system.ThreatMay 9, 2026
FIPS PUBnounAn acronym for Federal Information Processing Standards Publication. FIPS publications (PUB) are issued by NIST after approval by the Secretary of Commerce.FrameworkRegulatedCUIMay 12, 2026
FIPS PUBMWEcandidateMay 12, 2026
FIPS-Approved Security MethodnounA security method (e.g., cryptographic algorithm, cryptographic key generation algorithm or key distribution technique, random number generator, authentication technique, or evaluation criteria) that is either a) specified in a FIPS, or b) adopted in a FIPS.ControlRegulatedCUIMay 9, 2026
FIPS-Approved Security MethodMWEcandidateMay 9, 2026
FIPS-Validated CryptographynounA cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-Approved Cryptography.ControlRegulatedMay 9, 2026
FIPS-Validated CryptographyMWEcandidateMay 9, 2026
FIREFLYnounKey management protocol based on public key cryptography.ProcessMay 12, 2026
firewallnounA hardware/software capability that limits access between networks and/or systems in accordance with a specific security policy.NetworkMay 9, 2026
firewall and router configuration standardnounThe organizational document that defines the parameters for each Configurable Item on each of the organization's router and firewall components, and then how each of those individual components should be configured as a part of the overall networking system.NetworkMay 9, 2026
Firewall Control ProxynounThe component that controls a firewall’s handling of a call. The firewall control proxy can instruct the firewall to open specific ports that are needed by a call, and direct the firewall to close these ports at call termination.NetworkMay 9, 2026
Firewall Control ProxyMWEcandidateMay 9, 2026
firewall rulenounFirewall rules examine the control information in individual packets. The rules either block or allow those packets based on rules that are defined on these pages. Firewall rules are assigned directly to computers or to policies that are in turn assigned to a computer or collection of computers.NetworkMay 9, 2026
firewall ruleMWEcandidateMay 9, 2026
FirmwarenounComputer programs and data stored in hardware - typically in read-only memory (ROM) or programmable read-only memory (PROM) - such that the programs and data cannot be dynamically written or modified during execution of the programs.SystemMay 9, 2026
FittingnouncandidateMay 13, 2026
Fixed COMSEC FacilitynounCOMSEC facility located in an immobile structure or aboard a ship.PhysicalRegulatedCUIMay 9, 2026
Fixed COMSEC FacilityMWEcandidateMay 9, 2026
FlawnounError of commission, omission, or oversight in an information system that may allow protection mechanisms to be bypassed.VulnerabilityMay 9, 2026
Flaw Hypothesis MethodologynounSystem analysis and penetration technique in which the specification and documentation for an information system are analyzed to produce a list of hypothetical flaws. This list is prioritized on the basis of the estimated probability that a flaw exists, on the ease of exploiting it, and on the extent of control or compromise it would provide. The prioritized list is used to perform penetration testing of a system.ProcessMay 9, 2026
Flaw Hypothesis MethodologyMWEcandidateMay 9, 2026
FloatnounFunds held by an institution during the check-clearing process before being made available to a depositor. Interest may be earned on these funds.DataRegulatedMay 12, 2026
FloodingnounAn attack that attempts to cause a failure in a system by providing more input than the system can process properly.ThreatMay 9, 2026
FlowchartsnounTraditional flowcharts involve the use of geometric symbols, such as diamonds, ovals, and rectangles to represent the sequencing of program logic. Software packages are available that automatically chart programs or enable a programmer to chart a program without the need to draw it manually.ArtifactIPMay 9, 2026
focusverbdirect attention or effort toward a specific topic, task, or goalAnalyzeUnclassifiedMay 11, 2026
Focused TestingnounA test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Also known as gray box testing.ProcessMay 12, 2026
Focused TestingMWEcandidateMay 12, 2026
followverbTo act according to the instruction or example.UnclassifiedMay 11, 2026
follow-upnounPursue to a conclusion or bring to a successful issue.ProcessMay 12, 2026
forecastverbpredict future events or conditions based on analysis of current dataCreateUnclassifiedMay 11, 2026
ForecastingnouncandidateMay 13, 2026
Forensic CopynounAn accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity have been verified using an accepted algorithm.ArtifactRegulatedMay 12, 2026
Forensic CopyMWEcandidateMay 12, 2026
Forensic examinationnounThe process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromiseProcessRegulatedMay 12, 2026
Forensic examinationMWEcandidateMay 12, 2026
forensic investigationnounThe application of investigative and analytical techniques to gather and preserve evidence from a digital device impacted by a cyber attack.ProcessRegulatedMay 9, 2026
forensic investigationMWEcandidateMay 9, 2026
forensic readinessnounThe ability of an FMI to maximise the use of digital evidence to identify the nature of a cyber attack.CapabilityRegulatedMay 12, 2026
forensic readinessMWEcandidateMay 12, 2026
Forensic SpecialistnounA professional who locates, identifies, collects, analyzes, and examines data while preserving the integrity and maintaining a strict chain of custody of information discovered.RoleMay 9, 2026
Forensic SpecialistMWEcandidateMay 9, 2026
Forensically CleannounDigital media that is completely wiped of all data, including nonessential and residual data, scanned for malware, and verified before use.ControlMay 9, 2026
Forensically CleanMWEcandidateMay 9, 2026
forensicsnounThe practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.ProcessRegulatedMay 12, 2026
ForestnounA forest is a set of Active Directory domains that replicate their databases with each other.SystemMay 12, 2026
Fork BombnounA Fork Bomb works by using the fork() call to create a new process which is a copy of the original. By doing this repeatedly, all available processes on the machine can be taken up.ThreatMay 9, 2026
Fork BombMWEcandidateMay 9, 2026
Form-Based AuthenticationnounForm-Based Authentication uses forms on a webpage to ask a user to input username and password information.ControlMay 9, 2026
Form-Based AuthenticationMWEcandidateMay 9, 2026
Formal Access ApprovalnounA formalization of the security determination for authorizing access to a specific type of classified or sensitive information, based on specified access requirements, a determination of the individual’s security eligibility and a determination that the individual’s official duties require the individual be provided access to the information.ControlRegulatedCUIMay 9, 2026
Formal Access ApprovalMWEcandidateMay 9, 2026
formal contractnounAn officially recognized agreement between two or more parties.RequirementConfidentialIPMay 9, 2026
formal contractMWEcandidateMay 9, 2026
Formal Development MethodologynounSoftware development strategy that proves security design specifications.ProcessMay 9, 2026
Formal Development MethodologyMWEcandidateMay 9, 2026
Formal MethodnounMathematical argument which verifies that the system satisfies a mathematically-described security policy.ControlMay 9, 2026
Formal MethodMWEcandidateMay 9, 2026
Formal ProofnounComplete and convincing mathematical argument presenting the full logical justification for each proof step and for the truth of a theorem or set of theorems.ArtifactMay 9, 2026
Formal ProofMWEcandidateMay 9, 2026
Formal Security PolicynounMathematically-precise statement of a security policy.RequirementMay 9, 2026
Formal Security PolicyMWEcandidateMay 9, 2026
formatverbarrange or structure content according to a specific design or standardCreateUnclassifiedMay 11, 2026
Formatting FunctionnounThe function that transforms the payload, associated data, and nonce into a sequence of complete blocks.CapabilityMay 9, 2026
Formatting FunctionMWEcandidateMay 9, 2026
formulateverbcreate or develop a plan, strategy, theory, or expression methodicallyCreateUnclassifiedMay 11, 2026
forwardverbTo send a letter or e-mail further on to a new address.UnclassifiedMay 11, 2026
Forward CiphernounOne of the two functions of the block cipher algorithm that is determined by the choice of a cryptographic key. The term “forward cipher operation” is used for TDEA, while the term “forward transformation” is used for DEA.ControlMay 12, 2026
Forward CipherMWEcandidateMay 12, 2026
Forward LookupnounForward lookup uses an Internet domain name to find an IP addressProcessMay 12, 2026
Forward LookupMWEcandidateMay 12, 2026
Forward ProxynounForward Proxies are designed to be the server through which all requests are made.NetworkMay 9, 2026
Forward ProxyMWEcandidateMay 9, 2026
Fragment OffsetnounThe fragment offset field tells the sender where a particular fragment falls in relation to other fragments in the original larger packet.NetworkMay 12, 2026
Fragment OffsetMWEcandidateMay 12, 2026
Fragment Overlap AttacknounA TCP/IP Fragmentation Attack that is possible because IP allows packets to be broken down into fragments for more efficient transport across various media. The TCP packet (and its header) are carried in the IP packet. In this attack the second fragment contains an incorrect offset. When the packet is reconstructed, the port number will be overwritten.ThreatMay 9, 2026
Fragment Overlap AttackMWEcandidateMay 9, 2026
FragmentationnounThe process of storing a data file in several "chunks" or fragments rather than in a single contiguous sequence of bits in one place on the storage medium.ProcessMay 9, 2026
Frame relaynounA high-performance wide area network protocol that operates at the physical and data link layers of the Open Systems Interconnect (OSI) reference model. Frame Relay is an example of a packet-switched technology. Packet-switched networks enable end stations to dynamically share the network medium and the available bandwidth. Frame relay uses existing T-1 and T-3 lines and provides connection speeds from 56 Kbps to T-1.NetworkMay 9, 2026
Frame relayMWEcandidateMay 9, 2026
FramesnounData that is transmitted between network points as a unit complete with addressing and necessary protocol control information. A frame is usually transmitted serially, bit by bit, and contains a header field and a trailer field that "frame" the data. (Some control frames contain no data.)DataMay 9, 2026
FramingnounA frame is an area of a webpage that scrolls independently of the rest of the webpage. Framing generally refers to the use of a standard frame containing information (like company name and navigation bars) that remains on the screen while the user moves around the text in another frame.candidateMay 12, 2026
Fraud DetectionnouncandidateMay 13, 2026
Fraud DetectionMWEcandidateMay 13, 2026
FreewarenounSoftware available free of chargeArtifactMay 12, 2026
frequencynounThe rate at which something occurs within a given period of time.MetricMay 12, 2026
Frequency HoppingnounRepeated switching of frequencies during radio transmission according to a specified algorithm, to minimize unauthorized interception or jamming of telecommunications.ControlRegulatedCUIMay 12, 2026
Frequency HoppingMWEcandidateMay 12, 2026
fulfillnounSatisfy or meet a requirement or condition.ProcessMay 12, 2026
Full Disk EncryptionnounThe process of encrypting all the data on the hard disk drive used to boot a computer, including the computer’s operating system, and permitting access to the data only after successful authentication with the full disk encryption product.ControlRegulatedMay 12, 2026
Full Disk EncryptionMWEcandidateMay 12, 2026
Full DuplexnounA communications channel that carries data in both directions.NetworkMay 12, 2026
Full DuplexMWEcandidateMay 12, 2026
Full MaintenancenounComplete diagnostic repair, modification, and overhaul of COMSEC equipment, including repair of defective assemblies by piece part replacement. See Limited Maintenance.ProcessRestrictedCUIMay 9, 2026
Full MaintenanceMWEcandidateMay 9, 2026
Full-interruption/full-scale test (IT and Staff)nounA business continuity test that activates all the components of the disaster recovery plan at the same time. Hardware, software, staff, communications, utilities, and alternate site processing should be thoroughly tested in this type of testing activity. The exercise should include the business line end users and the IT group to ensure that each business line tests its key applications and is prepared to recover and resume its business operations in the event of an emergency. The full test verifies that systems and staff can recover and resume business within established recovery time objectives. End users should verify the integrity of the data at the alternate site after the IT group has restored systems and applications needed for the staff to perform production activities.ProcessRegulatedMay 9, 2026
Fully AutonomousnouncandidateMay 13, 2026
Fully AutonomousMWEcandidateMay 13, 2026
Fully-Qualified Domain NamenounA Fully-Qualified Domain Name is a server name with a hostname followed by the full domain name.NetworkMay 9, 2026
Fully-Qualified Domain NameMWEcandidateMay 9, 2026
functionverbdescribe or identify the purpose or role of something within a systemAnalyzeUnclassifiedMay 11, 2026
Functional drill/parallel testnounThis test involves the actual mobilization of personnel at other sites in an attempt to establish communications and coordination as set forth in the BCP.ProcessInternalMay 12, 2026
Functional drill/parallel testMWEcandidateMay 12, 2026
Functional requirementsnounThe business, operational, and security features an organization wants included in a program.RequirementMay 12, 2026
Functional requirementsMWEcandidateMay 12, 2026
Functional TestingnounSegment of security testing in which advertised security mechanisms of an information system are tested under operational conditions.ProcessMay 9, 2026
Functional TestingMWEcandidateMay 9, 2026
Functionality testingnounA test designed to validate that a business process or activity accomplishes expected results.ProcessMay 9, 2026
Functionality testingMWEcandidateMay 9, 2026
fundnounAssets in the form of money.DataRegulatedMay 12, 2026
funds transfer terminalnounAn information processing device used for the purpose of executing deposit account transactions between financial institutions and their customers by either the direct transmission of electronic impulses or the recording of electronic impulses for delayed processing.SystemRegulatedPCIMay 9, 2026
funds transfer terminalMWEcandidateMay 9, 2026
FuzzingnounThe use of special regression testing tools to generate out-of-spec input for an application in order to find security vulnerabilities. Also see "regression testing".ProcessMay 9, 2026
gainverbTo get possession of or secure something wanted or desirable.UnclassifiedMay 11, 2026
Gap analysisnounA comparison that identifies the difference between actual and desired outcomes.ProcessMay 12, 2026
Gap analysisMWEcandidateMay 12, 2026
GatewaynounInterface providing compatibility between networks by converting transmission speeds, protocols, codes, or security measures.NetworkMay 9, 2026
Gateway servernounA computer (server) that connects a private network to the private network of a servicer or other business.NetworkMay 9, 2026
Gateway serverMWEcandidateMay 9, 2026
gatherverbcollect information, data, or materials from various sourcesUnderstandUnclassifiedMay 11, 2026
gathernounBring together and take in from scattered places or sources.ProcessMay 12, 2026
general controlnounControls, other than application controls, that relate to the environment within which application systems are developed, maintained, and operated, and that are therefore applicable to all the applications at an institution. The objectives of general controls are to ensure the proper development and implementation of systems, and the integrity of program and data files and of computer operations.ControlMay 9, 2026
general controlMWEcandidateMay 9, 2026
General Support SystemnounAn interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. A system can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, a departmental data processing center including its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO).SystemMay 12, 2026
General Support SystemMWEcandidateMay 12, 2026
generalizeverbdraw broad conclusions or principles from specific cases or examplesCreateUnclassifiedMay 11, 2026
generalizedverbform broad conclusions or principles from specific observations or examplesUnderstandUnclassifiedMay 11, 2026
generateverbproduce or create ideas, solutions, or outputsCreateUnclassifiedMay 11, 2026
Generative Adversarial Network (gan)nouncandidateMay 13, 2026
Generative Adversarial Network (gan)MWEcandidateMay 13, 2026
gethostbyaddrnounThe gethostbyaddr DNS query is when the address of a machine is known and the name is needed.ProcessMay 9, 2026
gethostbynamenounThe gethostbyname DNS query is when the name of a machine is known and the address is needed.ProcessMay 12, 2026
giveverbprovide information, examples, or explanationsUnderstandUnclassifiedMay 11, 2026
give exampleverbprovide a specific instance that demonstrates a concept or principleUnderstandUnclassifiedMay 11, 2026
give exampleMWEverifiedMay 11, 2026
give examples ofverbprovide multiple specific instances that demonstrate a concept or principleUnderstandUnclassifiedMay 11, 2026
give examples ofMWEverifiedMay 11, 2026
GlobalnouncandidateMay 13, 2026
Global Information GridnounThe globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel. The GIG includes owned and leased communications and computing systems and services, software (including applications), data, security services, other associated services, and National Security Systems. Non-GIG IT includes stand-alone, self-contained, or embedded IT that is not, and will not be, connected to the enterprise network.SystemRegulatedCUIMay 9, 2026
Global Information GridMWEcandidateMay 9, 2026
Global Information InfrastructurenounWorldwide interconnections of the information systems of all countries, international and multinational organizations, and international commercial communications.NetworkMay 9, 2026
Global Information InfrastructureMWEcandidateMay 9, 2026
GNUnounGNU is a Unix-like operating system that comes with source code that can be copied, modified, and redistributed. The GNU project was started in 1983 by Richard Stallman and others, who formed the Free Software Foundation.SystemMay 9, 2026
GnutellanounAn Internet file sharing utility. Gnutella acts as a server for sharing files while simultaneously acting as a client that searches for and downloads files from other users.SystemMay 9, 2026
goalnounThe object of a person's or process's ambition or effort; the aim or desired result.RequirementMay 12, 2026
googleverbuse an internet search engine to find informationRememberUnclassifiedMay 11, 2026
governnounConduct the policy, actions, and affairs of (a state, organization, or people).ProcessMay 9, 2026
GovernancenounIn computer security, governance means setting clear expectations for the conduct (behaviors and actions) of the entity being governed and directing, controlling, and strongly influencing the entity to achieve these expectations. Governance includes specifying a framework for decision making, with assigned decision rights and accountability, intended to consistently produce desired behaviors and actions.OrganizationMay 9, 2026
governance structurenounSpecifies the distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders, and spells out the rules and procedures for making decisions on corporate affairs.OrganizationInternalMay 9, 2026
governance structureMWEcandidateMay 9, 2026
Governance, Risk Management and CompliancenounA business term used to group the three closely related disciplines responsible for the protection of assets and operations.FrameworkMay 12, 2026
Governance, Risk, and Compliance frameworknounThe overall structure of procedures of how an organization is controlled and directed, how an organization identifies and mitigates risk, and how the organization adheres to pertinent rules, standards, and regulations that defines the scope, objectives, and activities regarding such procedures.FrameworkInternalMay 9, 2026
government agencynounA state, county, or federal government organization that enforces laws, rules, or regulations.OrganizationInternalMay 9, 2026
government agencyMWEcandidateMay 9, 2026
government bodynounThe government of any country or of any political subdivision of any country, including: any instrumentality of any such government; any other person or organization authorized by law to perform any executive, legislative, judicial, regulatory, administrative, military, or police functions of any such government; and any intergovernmental organization.OrganizationRegulatedMay 9, 2026
government bodyMWEcandidateMay 9, 2026
Government Emergency Telecommunications Service (GETS)nounAcronym for the Government Emergency Telecommunications Service card program. GETS cards provide emergency access and priority processing for voice communications services in emergency situations.CapabilityRegulatedCUIMay 12, 2026
gradeverbassign a level of quality or rank based on evaluation criteriaEvaluateUnclassifiedMay 11, 2026
Graduated SecuritynounA security system that provides several levels (e.g., low, moderate, high) of protection based on threats, risks, available technology, support services, time, human concerns, and economics.FrameworkMay 9, 2026
Graduated SecurityMWEcandidateMay 9, 2026
Gramm-Leach-Bliley Act (GLBA)nounThe act, also known as the Financial Services Modernization Act of 1999, (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), required the federal banking agencies to establish information security standards for financial institutions.FrameworkRegulatedPIIMay 9, 2026
Gramm-Leach-Bliley Act (GLBA)MWEcandidateMay 9, 2026
Grandfather-father-sonnounRetaining multiple versions of the back-up files off-site on a "grandfather-father-son" rotating basis is recommended. This tape methodology creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers."ProcessInternalMay 12, 2026
grantverbTo give what is requested; approve; allow.UnclassifiedMay 11, 2026
grant accessverbTo give someone or some process permission to communicate with someone or something, use something, or enter some place.UnclassifiedMay 11, 2026
grant accessMWEcandidateMay 11, 2026
grant access to the systemnounThe purpose of this task is to permit a user to logically or physically gain entry to a computer and/or network.ProcessRegulatedMay 12, 2026
grant access to the systemMWEcandidateMay 12, 2026
graphverbrepresent data visually using a chart, plot, or diagramApplyUnclassifiedMay 11, 2026
GraphnouncandidateMay 13, 2026
Graphical Processing Unit (gpu)nounRegulatedMay 13, 2026
Graphical Processing Unit (gpu)MWEcandidateMay 13, 2026
Ground TruthnouncandidateMay 13, 2026
Ground TruthMWEcandidateMay 13, 2026
groupverbarrange items into clusters based on shared characteristicsEvaluateUnclassifiedMay 11, 2026
groupnounA term referring to a grouping of users.IdentityMay 12, 2026
Group AuthenticatornounUsed, sometimes in addition to a sign-on authenticator, to allow access to specific data or functions that may be shared by all members of a particular group.CredentialRestrictedMay 9, 2026
Group AuthenticatorMWEcandidateMay 9, 2026
Group FairnessnouncandidateMay 13, 2026
Group FairnessMWEcandidateMay 13, 2026
GuardnounA mechanism limiting the exchange of information between information systems or subsystems.ControlMay 9, 2026
Guessing EntropynounA measure of the difficulty that an attacker has to guess the average password used in a system. In this document, entropy is stated in bits. When a password has n bits of guessing entropy then an attacker has as much difficulty guessing the average password as in guessing an n-bit random quantity. The attacker is assumed to know the actual password frequency distribution.MetricMay 12, 2026
Guessing EntropyMWEcandidateMay 12, 2026
guidancenounInformation that provides direction or advice as to a decision or course of action.RequirementMay 12, 2026
GuidelinenounA description of a particular way of accomplishing something that is less prescriptive than a procedureRequirementMay 9, 2026
hackverbcreatively modify or repurpose systems, code, or processes for new usesApplyUnclassifiedMay 11, 2026
HackernounUnauthorized user who attempts to or gains access to an information system.ThreatMay 9, 2026
HaircutnounWith respect to an eligible currency, the percentage increase of a negative currency balance or reduction of a positive currency balance and is based on (a) the volatility of the historic foreign exchange movements in the applicable eligible currency determined by CLS Bank and (b) an add-on component.MetricRegulatedMay 12, 2026
handleverbmanage, deal with, or manipulate something effectivelyCreateUnclassifiedMay 11, 2026
handlenounManaged a situation or problem; controlled.ProcessMay 12, 2026
Handshaking ProceduresnounDialogue between two information systems for synchronizing, identifying, and authenticating themselves to one another.ProcessMay 12, 2026
Handshaking ProceduresMWEcandidateMay 12, 2026
happenverbdescribe or predict what occurs as a result of conditionsCreateUnclassifiedMay 11, 2026
Hard Copy KeynounPhysical keying material, such as printed key lists, punched or printed key tapes, or programmable, read-only memories (PROM).PhysicalRegulatedCUIMay 9, 2026
Hard Copy KeyMWEcandidateMay 9, 2026
hardenverbreduce the attack surface of a systemApplyPrimaryMay 11, 2026
HardeningnounConfiguring a host’s operating systems and applications to reduce the host’s security weaknesses.ProcessMay 9, 2026
hardwarenounThe physical components of an information system. See also Software and Firmware.PhysicalMay 9, 2026
hardware integritynounThe assurance that any given hardware asset is not a counterfeit, or otherwise falsely represented as being whole and intact as measured against original specifications.SystemRegulatedMay 9, 2026
hardware integrityMWEcandidateMay 9, 2026
Hardwired KeynounPermanently installed key.CredentialRestrictedCUIMay 9, 2026
Hardwired KeyMWEcandidateMay 9, 2026
harmverbTo damage or injure physically or mentally.UnclassifiedMay 11, 2026
HarmnouncandidateMay 13, 2026
Harmful BiasnouncandidateMay 13, 2026
Harmful BiasMWEcandidateMay 13, 2026
hashverbapply a one-way function to produce a fixed-length digest from arbitrary input dataApplyUnclassifiedMay 12, 2026
HashnounA fixed length cryptographic output of variables, such as a message, being operated on by a formula or cryptographic algorithm.DataMay 9, 2026
Hash functionnounA function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions are specified in FIPS 180 and are designed to satisfy the following properties: 1. (One-way) It is computationally infeasible to find any input that maps to any new prespecified output, and 2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.ControlMay 9, 2026
Hash functionMWEcandidateMay 9, 2026
Hash totalnounValue computed on data to detect error or manipulation. See Checksum.ControlMay 9, 2026
Hash totalMWEcandidateMay 9, 2026
hash valuenounThe result of applying a cryptographic hash function to data (e.g., a message).DataMay 12, 2026
hash valueMWEcandidateMay 12, 2026
Hash-based Message Authentication CodenounA message authentication code that uses a cryptographic key in conjunction with a hash function.ControlRegulatedMay 12, 2026
HashingnounThe process of using a mathematical algorithm against data to produce a numeric value that is representative of that data.ProcessMay 12, 2026
HashwordnounMemory address containing hash total.DataMay 9, 2026
haveverbTo experience or go through.UnclassifiedMay 11, 2026
hazardnounA natural or man-made source or cause of harm or difficulty.ThreatMay 9, 2026
HeadernounA header is the extra information in a packet that is needed for the protocol stack to process the packet.DataMay 12, 2026
Health Information ExchangenounA health information organization that brings together healthcare stakeholders within a defined geographic area and governs health information exchange among them for the purpose of improving health and care in that community.OrganizationRegulatedPHIMay 9, 2026
Health Information ExchangeMWEcandidateMay 9, 2026
help filenounA help file (sometimes called a help system) is a documentation component of a software program that explains the features of the program and helps the user understand its capabilities. A bit like an extensive, organized, and thorough collection of FAQs (frequently asked questions), the help system's purpose is to provide the answers that a user needs to understand to use the program effectively.ArtifactMay 12, 2026
help fileMWEcandidateMay 12, 2026
Hierarchical storage management (HSM)nounHSM is used to dynamically manage the back-up and retrieval of files based on how often they are accessed using storage media and devices that vary in speed and cost.SystemMay 12, 2026
High Assurance GuardnounA guard that has two basic functional capabilities: a Message Guard and a Directory Guard. The Message Guard provides filter service for message traffic traversing the Guard between adjacent security domains. The Directory Guard provides filter service for directory access and updates traversing the Guard between adjacent security domains.SystemRegulatedCUIMay 12, 2026
High Assurance GuardMWEcandidateMay 12, 2026
High AvailabilitynounA failover feature to ensure availability during device or component interruptions.CapabilityMay 12, 2026
High AvailabilityMWEcandidateMay 12, 2026
High ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in major damage to organizational assets; 3) results in major financial loss; or 4) results in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries).MetricRegulatedCUIMay 12, 2026
High ImpactMWEcandidateMay 12, 2026
high impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of high.SystemRegulatedCUIMay 9, 2026
High-Impact SystemnounAn information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high.SystemRegulatedCUIMay 9, 2026
High-Impact SystemMWEcandidateMay 9, 2026
highlightverbemphasize or draw attention to the most important elementsRememberUnclassifiedMay 11, 2026
Hijack AttacknounA form of active wiretapping in which the attacker seizes control of a previously established communication association.ThreatMay 9, 2026
Hijack AttackMWEcandidateMay 9, 2026
HijackingnounThe use of an authenticated user's communication session to communicate with system components.ThreatRegulatedMay 12, 2026
hireverbevaluate candidates and select the best fit based on defined criteriaEvaluateUnclassifiedMay 11, 2026
holdverbTo keep possession of something or have in one's possession.UnclassifiedMay 11, 2026
Homing beaconsnounDevices that send messages to the institution when they connect to a network and that enable recovery of the device.PhysicalRegulatedMay 12, 2026
Homing beaconsMWEcandidateMay 12, 2026
Honey ClientnounSee Honeymonkey.SystemMay 12, 2026
Honey ClientMWEcandidateMay 12, 2026
HoneymonkeynounAutomated system simulating a user browsing websites. The system is typically configured to detect web sites which exploit vulnerabilities in the browser. Also known as Honey Client.SystemMay 9, 2026
HoneypotnounA system (e.g., a Web server) or system resource (e.g., a file on a server) that is designed to be attractive to potential crackers and intruders and has no authorized users other than its administrators.SystemMay 12, 2026
HopnounEach step of a trip a data packet takes from its origination to its destination. For example, on the Internet a data packet may go through several routers before reaching its final destination.NetworkMay 9, 2026
Horizontal defense-in depthnounControls are placed in various places in the path to access an asset (this is functionally equivalent to the concentric ring model above).ControlMay 9, 2026
Horizontal defense-in depthMWEcandidateMay 9, 2026
HostnounA computer that is accessed by a user from a remote location.SystemMay 9, 2026
Host bus adapter (HBA)nounA host bus adapter provides I/O processing and physical connectivity between a server and storage. As the only part of a storage area network that resides in a server, HBAs also provide a critical link between the storage area network and the operating system and application software.PhysicalMay 9, 2026
Host bus adapter (HBA)MWEcandidateMay 9, 2026
Host-Based IDnounHost-based intrusion detection systems use information from the operating system audit records to watch all operations occurring on the host that the intrusion detection software has been installed upon. These operations are then compared with a pre-defined security policy. This analysis of the audit trail imposes potentially significant overhead requirements on the system because of the increased amount of processing power which must be utilized by the intrusion detection system. Depending on the size of the audit trail and the processing ability of the system, the review of audit data could result in the loss of a real-time analysis capability.CapabilityMay 12, 2026
Host-Based IDMWEcandidateMay 12, 2026
Host-based Intrusion Detection SystemsnounIDSs which operate on information collected from within an individual computer system. This vantage point allows host-based IDSs to determine exactly which processes and user accounts are involved in a particular attack on the Operating System. Furthermore, unlike network-based IDSs, host-based IDSs can more readily “see” the intended outcome of an attempted attack, because they can directly access and monitor the data files and system processes usually targeted by attacks.CapabilityMay 9, 2026
HostingnounSee "Website Hosting".SystemMay 9, 2026
Hot SitenounBackup site that includes phone systems with the phone lines already connected. Networks will also be in place, with any necessary routers and switches plugged in and turned on. Desks will have desktop PCs installed and waiting, and server areas will be replete with the necessary hardware to support business-critical functions. Within a few hours, a hot site can become a fully functioning element of an organization.PhysicalRegulatedMay 12, 2026
Hot SiteMWEcandidateMay 12, 2026
Hot WashnounA debrief conducted immediately after an exercise or test with the staff and participants.ProcessMay 9, 2026
Hot WashMWEcandidateMay 9, 2026
howverbdescribe or explain the process or method by which something occursRememberUnclassifiedMay 11, 2026
HTTP ProxynounAn HTTP Proxy is a server that acts as a middleman in the communication between HTTP clients and servers.NetworkMay 9, 2026
HTTP ProxyMWEcandidateMay 9, 2026
HTTPSnounWhen used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), this term specifies the use of HTTP enhanced by a security mechanism, which is usually SSL.NetworkMay 9, 2026
HubnounSimple devices that pass all data traffic in both directions between the LAN sections they link. Hubs forward every message they receive to the other sections of the LAN, even those that do not need to go there.NetworkMay 12, 2026
Human firewallnounA person prepared to act as a network layer of defense through education and awareness.NetworkMay 9, 2026
Human firewallMWEcandidateMay 9, 2026
human resources processnounThe steps necessary to support the general management of the organizational workforce, including staffing, employee compensation and benefits, and defining/designing work.ProcessMay 9, 2026
human resources processMWEcandidateMay 9, 2026
Human SubjectsnounRegulatedMay 13, 2026
Human SubjectsMWEcandidateMay 13, 2026
Human System Integration (hsi)nouncandidateMay 13, 2026
Human System Integration (hsi)MWEcandidateMay 13, 2026
Human-AssistednouncandidateMay 13, 2026
Human-Cognitive BiasnouncandidateMay 13, 2026
Human-Cognitive BiasMWEcandidateMay 13, 2026
Human-Computer Interaction (hci)nouncandidateMay 13, 2026
Human-Computer Interaction (hci)MWEcandidateMay 13, 2026
Human-Enabled Machine LearningnouncandidateMay 13, 2026
Human-Enabled Machine LearningMWEcandidateMay 13, 2026
Human-In-The-LoopnouncandidateMay 13, 2026
Human-Machine Teaming (HMT)nouncandidateMay 13, 2026
Human-Machine Teaming (HMT)MWEcandidateMay 13, 2026
Human-Operator-InterventionnounRoleMay 13, 2026
HVACnounHeating, ventilation, and air conditioning.PhysicalMay 9, 2026
Hybrid AttacknounA Hybrid Attack builds on the dictionary attack method by adding numerals and symbols to dictionary words.ThreatMay 9, 2026
Hybrid AttackMWEcandidateMay 9, 2026
Hybrid EncryptionnounAn application of cryptography that combines two or more encryption algorithms, particularly a combination of symmetric and asymmetric encryption.ControlMay 9, 2026
Hybrid EncryptionMWEcandidateMay 9, 2026
Hybrid Security ControlnounA security control that is implemented in an information system in part as a common control and in part as a system-specific control. See also Common Control and System-Specific Security Control.ControlMay 9, 2026
Hybrid Security ControlMWEcandidateMay 9, 2026
HyperlinknounAn item on a webpage that, when selected, transfers the user directly to another location in a hypertext document or to another webpage, perhaps on a different machine. Also simply called a "link."DataMay 12, 2026
HyperparametersnouncandidateMay 13, 2026
Hypertext Markup LanguagenounThe set of markup symbols or codes inserted in a file intended for display on a World Wide Web browser page.DataMay 12, 2026
Hypertext Markup LanguageMWEcandidateMay 12, 2026
Hypertext Markup Language (HTML)nounA set of codes that can be inserted into text files to indicate special typefaces, inserted images, and links to other hypertext documents.DataMay 12, 2026
Hypertext Markup Language (HTML)MWEcandidateMay 12, 2026
Hypertext Transfer ProtocolnounA communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit hypertext markup language (HTML), extensible markup language (XML) or other pages to client browsers.NetworkMay 12, 2026
Hypertext Transfer ProtocolMWEcandidateMay 12, 2026
Hypertext Transfer Protocol SecurenounA protocol for accessing a secure web server, whereby all data transferred are encrypted.NetworkMay 9, 2026
Hypertext Transfer Protocol SecureMWEcandidateMay 9, 2026
HypervisornounA piece of software that provides abstraction of all physical resources (such as central processing units, memory, network, and storage) and thus enables multiple computing stacks (consisting of an operating system, middleware and application programs) called virtual machines to be run on a single physical host.SystemMay 9, 2026
Hypothesis TestingnouncandidateMay 13, 2026
Hypothesis TestingMWEcandidateMay 13, 2026
hypothesizeverbpropose a testable explanation or prediction based on limited evidenceCreateUnclassifiedMay 11, 2026
I/O (Acronym)nounInput/output.SystemMay 9, 2026
I/O (Acronym)MWEcandidateMay 9, 2026
IA ArchitecturenounA description of the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.FrameworkMay 12, 2026
IA ArchitectureMWEcandidateMay 12, 2026
IA InfrastructurenounThe underlying security framework that lies beyond an enterprise’s defined boundary, but supports its IA and IA-enabled products, its security posture and its risk management plan.SystemRegulatedCUIMay 12, 2026
IA InfrastructureMWEcandidateMay 12, 2026
IA ProductnounProduct whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control, non-repudiation of data); correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks.CapabilityMay 12, 2026
IA ProductMWEcandidateMay 12, 2026
IA-Enabled Information Technology ProductnounProduct or technology whose primary role is not security, but which provides security services as an associated feature of its intended operating capabilities. Examples include such products as security-enabled Web browsers, screening routers, trusted operating systems, and security-enabled messaging systems.SystemMay 9, 2026
IA-Enabled ProductnounProduct whose primary role is not security, but provides security services as an associated feature of its intended operating capabilities. Note: Examples include such products as security-enabled Web browsers, screening routers, trusted operating systems, and security enabling messaging systems.SystemMay 9, 2026
IA-Enabled ProductMWEcandidateMay 9, 2026
ICTnounInformation and communications technologies. ICT can also be read as IT (information technology) in this document.SystemMay 9, 2026
ICT supply chain threatnounA man-made threat achieved through exploitation of the information and communications technology (ICT) system’s supply chain, including acquisition processes.ThreatRegulatedMay 9, 2026
ICT supply chain threatMWEcandidateMay 9, 2026
IdentificationnounAn act or process that presents an identifier to a system so that the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others.ProcessMay 9, 2026
Identification and AuthenticationnounThe purpose of this function is to verify the identity of an entity through the use of specific credentials as a prerequisite for granting access to resources in an IT system.CapabilityRegulatedMay 12, 2026
Identification and AuthenticationMWEcandidateMay 12, 2026
identified risknounAn observed threat to a process or asset.FindingMay 12, 2026
identified riskMWEcandidateMay 12, 2026
IdentifiernounA data object - often, a printable, non-blank character string - that definitively represents a specific identity of a system entity, distinguishing that identity from all others.DataPIIMay 9, 2026
identifyverbrecognize, name, or distinguish specific items, features, or conceptsEvaluateUnclassifiedMay 11, 2026
identify and defineverbTo establish what something is and describe exactly the nature, scope, or meaning of it.UnclassifiedMay 11, 2026
identify and defineMWEcandidateMay 11, 2026
identify and documentnounEstablish, indicate, or verify who or what someone or something is and record that in detail through photography, writing, or other form.ProcessMay 12, 2026
identify and documentMWEcandidateMay 12, 2026
Identify FunctionnounDevelop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.CapabilityMay 9, 2026
Identify FunctionMWEcandidateMay 9, 2026
identitynounThe set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity.IdentityRegulatedPIIMay 12, 2026
identity and access managementnounThe methods and processes used to manage subjects and their authentication and authorizations to access specific objects.CapabilityMay 12, 2026
identity and access managementMWEcandidateMay 12, 2026
Identity BindingnounBinding of the vetted claimed identity to the individual (through biometrics) according to the issuing authority.ProcessRegulatedPIIMay 9, 2026
Identity BindingMWEcandidateMay 9, 2026
identity managementnounThe purpose of this task is to implement a set of functions and capabilities used for assurance of identity information (e.g., identifiers, credentials, attributes).CapabilityRegulatedPIIMay 9, 2026
identity managementMWEcandidateMay 9, 2026
Identity ProofingnounThe process by which a Credentials Service Provider (CSP) and a Registration Authority (RA) collect and verify information about a person for the purpose of issuing credentials to that person.ProcessRegulatedPIIMay 9, 2026
Identity ProofingMWEcandidateMay 9, 2026
Identity RegistrationnounThe process of making a person’s identity known to the Personal Identity Verification (PIV) system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system.ProcessRegulatedPIIMay 9, 2026
Identity RegistrationMWEcandidateMay 9, 2026
Identity TokennounSmart card, metal key, or other physical object used to authenticate identity.CredentialMay 9, 2026
Identity TokenMWEcandidateMay 9, 2026
Identity ValidationnounTests enabling an information system to authenticate users or resources.ControlMay 9, 2026
Identity ValidationMWEcandidateMay 9, 2026
Identity VerificationnounThe process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the PIV Card or system and associated with the identity being claimed.ProcessRegulatedCUIMay 12, 2026
Identity VerificationMWEcandidateMay 12, 2026
Identity-Based Access ControlnounAccess control based on the identity of the user (typically relayed as a characteristic of the process acting on behalf of that user) where access authorizations to specific objects are assigned based on user identity.ControlMay 9, 2026
Identity-Based Access ControlMWEcandidateMay 9, 2026
Identity-Based Security PolicynounA security policy based on the identities and/or attributes of the object (system resource) being accessed and of the subject (user, group of users, process, or device) requesting access.RequirementMay 9, 2026
Identity-Based Security PolicyMWEcandidateMay 9, 2026
IEEE 802.11nounA family of specifications developed by the Institute of Electrical and Electronics Engineers (IEEE) for wireless local area network (WLAN) technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients.NetworkMay 12, 2026
IEEE 802.11MWEcandidateMay 12, 2026
ifnounThis limits a Control or Mandate's secondary verb to be put into play should the event occur.RequirementMay 12, 2026
illustrateverbclarify or explain using examples, diagrams, or visual representationsAnalyzeUnclassifiedMay 11, 2026
ImagenounAn exact bit-stream copy of all electronic data on a device, performed in a manner that ensures that the information is not altered.ArtifactRegulatedMay 12, 2026
Image archive (Check 21)nounDatabase for storage and easy retrieval of check images.DataRegulatedPIIMay 9, 2026
Image archive (Check 21)MWEcandidateMay 9, 2026
Image capture (Check 21)nounThe process of digitizing both sides of physical items and their assorted MICR information as they are processed at the Federal Reserve Bank. Also includes storage of the images for up to 60 days.ProcessRegulatedPIIMay 12, 2026
Image capture (Check 21)MWEcandidateMay 12, 2026
Image exchange (Check 21)nounExchange of some or all of the digitized images of a check.ProcessRegulatedPCIMay 9, 2026
Image exchange (Check 21)MWEcandidateMay 9, 2026
imagineverbform new ideas, images, or concepts not present in current realityCreateUnclassifiedMay 11, 2026
ImagingnounA process that allows one to obtain a bit-for-bit copy of data to avoid damage of original data or information when multiple analyses may be performed. Scope Note: The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector.ProcessMay 12, 2026
Imitative Communications DeceptionnounIntroduction of deceptive messages or signals into an adversary's telecommunications signals. See also Communications Deception and Manipulative Communications Deception.ThreatRegulatedCUIMay 12, 2026
Imitative Communications DeceptionMWEcandidateMay 12, 2026
ImpactnounThe magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.MetricMay 9, 2026
Impact analysisnounA study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events. In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.ProcessMay 12, 2026
Impact analysisMWEcandidateMay 12, 2026
Impact AssessmentnouncandidateMay 13, 2026
Impact AssessmentMWEcandidateMay 13, 2026
Impact LevelnounThe magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.MetricRegulatedMay 9, 2026
Impact LevelMWEcandidateMay 9, 2026
Impact ValuenounThe assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high.MetricMay 9, 2026
Impact ValueMWEcandidateMay 9, 2026
ImpersonationnounThreatRegulatedMay 13, 2026
ImplantnounElectronic device or electronic equipment modification designed to gain unauthorized interception of information-bearing emanations.ThreatRegulatedCUIMay 9, 2026
implementverbput a plan, decision, or method into effectApplyPrimaryMay 11, 2026
Implementation plannounA plan that details project management requirements and issues to be addressed during the period between the execution of an outsourcing agreement and the full production use of the outsourced services.ArtifactInternalMay 12, 2026
Implementation planMWEcandidateMay 12, 2026
importverbbring in data, ideas, or materials from an external sourceCreateUnclassifiedMay 11, 2026
importanceverbassess or explain the significance or value of somethingEvaluateUnclassifiedMay 11, 2026
improveverbmake something better by enhancing its quality, value, or effectivenessCreateUnclassifiedMay 11, 2026
improvementnounA change for the better; progress in development.ProcessMay 12, 2026
in order tonounWith the purpose of doing something.candidateMay 12, 2026
in order toMWEcandidateMay 12, 2026
in response tonounThis limits a Control or Mandate's secondary verb to be put into play precisely because the event has taken place.RequirementMay 12, 2026
in response toMWEcandidateMay 12, 2026
In SiliconouncandidateMay 13, 2026
In SilicoMWEcandidateMay 13, 2026
in-house developed applicationnounAn application that has been developed within the organization.SystemRegulatedMay 12, 2026
in-house developed applicationMWEcandidateMay 12, 2026
In-ProcessingnounProcessRegulatedPIIMay 13, 2026
In-Processing AlgorithmnounProcessRegulatedPIIMay 13, 2026
In-Processing AlgorithmMWEcandidateMay 13, 2026
Inadvertent DisclosurenounType of incident involving accidental exposure of information to an individual not authorized access.EventRegulatedMay 12, 2026
Inadvertent DisclosureMWEcandidateMay 12, 2026
incidentnounAn assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.EventMay 12, 2026
incident alertnounAny form of security alert, security alarm, or logged event notification that has been triggered by any form of detection. The triggering of an incident alert begins the incident response process.EventMay 9, 2026
incident alertMWEcandidateMay 9, 2026
incident alert thresholdnounThe magnitude or intensity that must be exceeded before a detected incident triggers an alert, who receives the alert, and the priority of the alert.EventMay 9, 2026
incident alert thresholdMWEcandidateMay 9, 2026
incident containment processnounAn established or official method for implementing the policy for incident containment or performing the tasks, processes, or operations to limit and prevent further damage from happening after an incident occurs, along with ensuring that there is no destruction of forensic evidence that may be needed for future legal actions which must be executed in the same manner in order to obtain the same results in the same circumstances.ProcessRegulatedMay 9, 2026
incident containment processMWEcandidateMay 9, 2026
incident detectionnounThe process of identifying that an intrusion has been attempted, is occurring, or has occurred.ProcessInternalMay 9, 2026
incident detectionMWEcandidateMay 9, 2026
Incident HandlingnounThe mitigation of violations of security policies and recommended practices.ProcessMay 12, 2026
Incident HandlingMWEcandidateMay 12, 2026
incident managemenounThe management and coordination of activities associated with an actual or potential occurrence of an event that may result in adverse consequences to information or information systems.ProcessMay 9, 2026
incident managemeMWEcandidateMay 9, 2026
incident managementnounThe process of identifying, analyzing, and correcting disruptions to operations and preventing future recurrences. The goal of incident management is to limit the disruption and restore operations as quickly as possible.ProcessMay 9, 2026
incident managementMWEcandidateMay 9, 2026
incident management procedurenounA detailed description of the steps necessary to identify, analyze, and correct incidents in order to return service back to normal as quickly as possible and in conformance with applicable standards.RequirementMay 9, 2026
incident management procedureMWEcandidateMay 9, 2026
incident management processnounAn activity undertaken to direct personnel and resources to respond to an incident.ProcessMay 12, 2026
incident management processMWEcandidateMay 12, 2026
Incident Management SystemnounThe tools (software and otherwise), reports, and processes used to input, process, and close incident reports from input through resolution.SystemRegulatedMay 12, 2026
Incident Management SystemMWEcandidateMay 12, 2026
incident monitoring processnounAn established or official method for implementing the policy for incident monitoring or performing the tasks, processes, or operations to monitor for incidents which must be executed in the same manner in order to obtain the same results in the same circumstances.ProcessInternalMay 9, 2026
incident monitoring processMWEcandidateMay 9, 2026
incident monitoring programnounThe documented activities, policies, and procedures within an organization for organizing and directing all activities undertaken to review, track, evaluate, and report on the status of incidents.ProcessRegulatedMay 9, 2026
incident monitoring programMWEcandidateMay 9, 2026
incident monitoring roles and responsibilitiesnounThe position and collection of tasks, duties, obligations that participants undertake to perform the daily and all special tasks associated with reviewing, tracking, evaluating, and reporting on the status of incidents.RoleMay 9, 2026
Incident ReportnounA record containing the details of an incident. Each incident record documents the lifecycle of a single incident.ArtifactRegulatedMay 12, 2026
Incident ReportMWEcandidateMay 12, 2026
incident reportingnounThe purpose of this task is to use hotlines and emergency contacts to alert the appropriate individuals to the occurrence of a security event.ProcessRegulatedMay 9, 2026
incident reportingMWEcandidateMay 9, 2026
incident responsenounThe purpose of this task is to address and manage the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively.ProcessMay 9, 2026
incident responseMWEcandidateMay 9, 2026
incident response activitynounAny task performed by an organization in reaction to an incident.ProcessRegulatedMay 9, 2026
incident response activityMWEcandidateMay 9, 2026
incident response notification procedurenounA detailed description of the steps necessary to tell interested personnel and affected parties about disruptions in service and operations in conformance with applicable standards.RequirementMay 9, 2026
incident response notification processnounA series of steps undertaken to detect, triage, and resolve events that disrupt operations and alert applicable personnel and clients in conformance with pertinent standards.ProcessRegulatedMay 9, 2026
incident response personnelnounPersonnel assigned by an organization to manage or engage in incident response tasks.RoleMay 12, 2026
incident response personnelMWEcandidateMay 12, 2026
Incident response plannounThe documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization’s information system(s).ProcessRestrictedMay 12, 2026
Incident response planMWEcandidateMay 12, 2026
incident response planningnounThe process of creating incident response plans.ProcessRegulatedMay 9, 2026
incident response planningMWEcandidateMay 9, 2026
incident response policynounThe documented rules and guidelines on how an organization should address and manage the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively.RequirementInternalMay 12, 2026
incident response policyMWEcandidateMay 12, 2026
incident response processnounAn established or official method for implementing the policy for incident response or performing the tasks, processes, or operations to address and manage the aftermath of a disaster or other significant event that may affect the organization’s people or ability to function productively which must be executed in the same manner in order to obtain the same results in the same circumstances.ProcessMay 9, 2026
incident response processMWEcandidateMay 9, 2026
incident response programnounA documented approach for organizing and directing all activities undertaken to handle known security breaches or attacks in such a way as to limit damage and reduce the time and costs it takes for the organization to recover.ProcessRegulatedMay 12, 2026
incident response programMWEcandidateMay 12, 2026
incident response roles and responsibilitiesnounThe position and collection of tasks, duties, obligations that participants undertake to perform the daily and all special tasks associated with managing the aftermath of a disaster or other significant event that may affect the organization's people or ability to function productively.ProcessMay 12, 2026
incident response team member's role and responsibilitynounThe functions and duties of individuals who are supposed to return service or operations back to normal after a disruption has occurred.RoleMay 9, 2026
includenounMake part of a whole or set.candidateMay 9, 2026
incomenounThe consumption and savings opportunity gained by an entity within a specified time frame, which is generally expressed in monetary terms.DataRegulatedMay 12, 2026
incoming debit and credit totalnounThe total balance of all credit and debit postings that go into an account.MetricRegulatedMay 12, 2026
incoming debit and credit totalMWEcandidateMay 12, 2026
Incomplete Parameter CheckingnounSystem flaw that exists when the operating system does not check all parameters fully for accuracy and consistency, thus making the system vulnerable to penetration.VulnerabilityRegulatedMay 9, 2026
Incomplete Parameter CheckingMWEcandidateMay 9, 2026
incorporateverbinclude or integrate something as part of a larger wholeCreateUnclassifiedMay 11, 2026
Incremental BackupsnounIncremental backups only back up the files that have been modified since the last backup. If dump levels are used, incremental backups only back up files changed since the last backup of a lower dump level.ProcessMay 9, 2026
Incremental BackupsMWEcandidateMay 9, 2026
Inculpatory EvidencenounEvidence that tends to increase the likelihood of fault or guilt.ArtifactRestrictedMay 12, 2026
Inculpatory EvidenceMWEcandidateMay 12, 2026
Indemnifying bank (Check 21)nounA financial institution that transfers, presents, or returns a substitute check or a paper or electronic representation of a substitute check for which it receives consideration. The financial institution shall indemnify the recipient and any subsequent recipient (including a collecting or returning financial institution, the depository financial institution, the drawer, the drawee, the payee, the depositor, and any endorser) for any loss incurred by any recipient of a substitute check if that loss occurred due to the receipt of a substitute check instead of the original.OrganizationRegulatedMay 12, 2026
Indemnifying bank (Check 21)MWEcandidateMay 12, 2026
IndependencenounSelf-governance, freedom from conflict of interest and undue influence. The IT auditor should be free to make his or her own decisions, not influenced by the organization being audited, or by its managers and employees.RequirementMay 12, 2026
independence standardsnounThe ability, without the service of others, or with a reduced level of the services of others, to function within the community.RequirementRegulatedMay 9, 2026
independence standardsMWEcandidateMay 9, 2026
independentnounFree from external control and constraint or influence of another.RequirementMay 12, 2026
independent reviewnounAn analysis of findings performed by a third party for an organization to provide impartiality.ProcessInternalMay 9, 2026
independent reviewMWEcandidateMay 9, 2026
Independent sales organizationnounA non-financial institution organization that provides a variety of merchant processing functions on behalf of the acquirer. These functions include soliciting new merchant accounts, arranging for terminal purchases or leases, and providing backroom services. An Independent sales organization is also referred to as a member service provider (MSP). The acquirer must register all Independent sales organization/MSPs with the bankcard associations.OrganizationRegulatedPCIMay 12, 2026
Independent sales organizationMWEcandidateMay 12, 2026
Independent Validation AuthoritynounEntity that reviews the soundness of independent tests and system compliance with all stated security controls and risk mitigation actions. IVAs will be designated by the Authorizing Official as needed.OrganizationRegulatedCUIMay 9, 2026
Independent Validation AuthorityMWEcandidateMay 9, 2026
Independent Verification & ValidationnounA comprehensive review, analysis, and testing (software and/or hardware) performed by an objective third party to confirm (i.e., verify) that the requirements are correctly defined, and to confirm (i.e., validate) that the system correctly implements the required functionality and security requirements.ProcessMay 12, 2026
indexverbcreate a systematic list or guide to help locate informationRememberUnclassifiedMay 11, 2026
indicateverbpoint out, show, or signal something specificUnderstandUnclassifiedMay 11, 2026
indicatornounRecognized action, specific, generalized, or theoretical, that an adversary might be expected to take in preparation for an attack.EventMay 9, 2026
individualnounA citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc.IdentityRegulatedPIIMay 9, 2026
individual accountnounAn account which only has one individual assigned to it.IdentityRegulatedMay 9, 2026
individual accountMWEcandidateMay 9, 2026
Individual AccountabilitynounAbility to associate positively the identity of a user with the time, method, and degree of access to an information system.RequirementRegulatedMay 9, 2026
Individual AccountabilityMWEcandidateMay 9, 2026
Individual FairnessnouncandidateMay 13, 2026
Individual FairnessMWEcandidateMay 13, 2026
IndividualsnounAn assessment object that includes people applying specifications, mechanisms, or activities.RoleMay 12, 2026
Industrial Control SystnounAn information system used to control industrial processes such as manufacturing, product handling, production, and distribution or to control infrastructure assets.SystemRegulatedCUIMay 9, 2026
Industrial Control SystMWEcandidateMay 9, 2026
Industrial Control SystemnounAn information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition systems (SCADA) used to control geographically dispersed assets, as well as distributed control systems (DCS) and smaller control systems using programmable logic controllers to control localized processes.SystemRegulatedCUIMay 9, 2026
Industrial Control SystemMWEcandidateMay 9, 2026
industry sectornounThe world of business and commerce is often divided up in to a selection of broad and commonly recognised groups, called sectors. Often a more general term, a sector represents a group of industries and markets that share common attributes.OrganizationMay 12, 2026
industry sectorMWEcandidateMay 12, 2026
industry standardnounA norm or requirement established within an industry; it is typically a formal document establishing uniform technical or engineering processes or criteria.RequirementMay 12, 2026
industry standardMWEcandidateMay 12, 2026
Industry testingnounA test designed to validate that business processes, integrated across firms and within the financial industry, which supports the business continuity objectives of the firms, both individually and collectively.ProcessInternalMay 9, 2026
Industry testingMWEcandidateMay 9, 2026
InetdnounInetd (or Internet Daemon) is an application that controls smaller internet services like telnet, ftp, and POP.SystemMay 9, 2026
inferverbderive logical conclusions from available evidence or premisesEvaluateUnclassifiedMay 11, 2026
inferenceverbdraw a logical conclusion based on evidence and prior knowledgeAnalyzeUnclassifiedMay 11, 2026
InferencenouncandidateMay 13, 2026
Inference AttacknounInference Attacks rely on the user to make logical connections between seemingly unrelated pieces of information.ThreatMay 9, 2026
Inference AttackMWEcandidateMay 9, 2026
influenceverbassess or describe the effect that one factor has on anotherEvaluateUnclassifiedMay 11, 2026
informnounGive someone facts or information.ProcessMay 12, 2026
Informal Security PolicynounNatural language description, possibly supplemented by mathematical arguments, demonstrating the correspondence of the functional specification to the high-level design.RequirementMay 9, 2026
Informal Security PolicyMWEcandidateMay 9, 2026
informationnounAny communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.DataMay 9, 2026
information and communication(s) technologynounAny information technology, equipment, or interconnected system or subsystem of equipment that processes, transmits, receives, or interchanges data or information.SystemRegulatedMay 12, 2026
information assetnounAny piece of data, device or other component of the environment that supports information-related activities. In the context of this report, information assets include data, hardware and software. Information assets are not limited to those that are owned by the entity. They also include those that are rented or leased, and those that are used by service providers to deliver their services.DataMay 9, 2026
information assetMWEcandidateMay 9, 2026
information assurancenounMeasures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.CapabilityMay 9, 2026
information assuranceMWEcandidateMay 9, 2026
Information Assurance CompliancnounIn the NICE Workforce Framework, cybersecurity work where a person: Oversees, evaluates, and supports the documentation, validation, and accreditation processes necessary to assure that new IT systems meet the organization's information assurance and security requirements; ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives.CapabilityRegulatedMay 9, 2026
Information Assurance CompliancMWEcandidateMay 9, 2026
Information Assurance ComponentnounAn application (hardware and/or software) that provides one or more Information Assurance capabilities in support of the overall security and operational objectives of a system.CapabilityRegulatedCUIMay 12, 2026
Information Assurance ComponentMWEcandidateMay 12, 2026
Information Assurance ProfessionalnounIndividual who works IA issues and has real-world experience plus appropriate IA training and education commensurate with their level of IA responsibility.RoleMay 9, 2026
Information Assurance ProfessionalMWEcandidateMay 9, 2026
Information Assurance Vulnerability AlertnounNotification that is generated when an Information Assurance vulnerability may result in an immediate and potentially severe threat to DoD systems and information; this alert requires corrective action because of the severity of the vulnerability risk.VulnerabilityRegulatedCDIMay 12, 2026
Information DomainnounA three-part concept for information sharing, independent of, and across information systems and security domains that 1) identifies information sharing participants as individual members, 2) contains shared information objects, and 3) provides a security policy that identifies the roles and privileges of the members and the protections required for the information objects.FrameworkMay 9, 2026
Information DomainMWEcandidateMay 9, 2026
Information EnvironmentnounAggregate of individuals, organizations, and/or systems that collect, process, or disseminate information; also included is the information itself.SystemMay 9, 2026
Information EnvironmentMWEcandidateMay 9, 2026
information flownounThe path data takes from its original source to the end user.ProcessMay 9, 2026
information flowMWEcandidateMay 9, 2026
Information Flow ControlnounProcedure to ensure that information transfers within an information system are not made in violation of the security policy.ControlRegulatedCUIMay 9, 2026
Information Flow ControlMWEcandidateMay 9, 2026
Information Input ComponentnouncandidateMay 13, 2026
Information Input ComponentMWEcandidateMay 13, 2026
Information ManagementnounThe planning, budgeting, manipulating, and controlling of information throughout its life cycle.ProcessMay 9, 2026
Information ManagementMWEcandidateMay 9, 2026
information neednounInsight necessary to manage objectives, goals, risks and problems.RequirementRegulatedMay 9, 2026
information needMWEcandidateMay 9, 2026
Information OperationsnounThe integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception, and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt, or usurp adversarial human and automated decision-making process, information, and information systems while protecting our own.CapabilityRegulatedCUIMay 9, 2026
Information OperationsMWEcandidateMay 9, 2026
Information OwnernounOfficial with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. See Information Steward.RoleMay 9, 2026
Information OwnerMWEcandidateMay 9, 2026
Information ResourcesnounInformation and related resources, such as personnel, equipment, funds, and information technology.DataRegulatedMay 9, 2026
Information ResourcesMWEcandidateMay 9, 2026
Information Resources ManagementnounThe planning, budgeting, organizing, directing, training, controlling, and management activities associated with the burden, collection, creation, use, and dissemination of information by agencies.ProcessMay 12, 2026
Information Resources ManagementMWEcandidateMay 12, 2026
Information SecuritynounProtecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide— 1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; 2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and 3) availability, which means ensuring timely and reliable access to and use of information.CapabilityMay 12, 2026
Information SecurityMWEcandidateMay 12, 2026
Information Security ArchitectnounIndividual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes.RoleMay 9, 2026
Information Security ArchitectMWEcandidateMay 9, 2026
Information Security ArchitecturenounAn embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.FrameworkMay 12, 2026
Information Security ArchitectureMWEcandidateMay 12, 2026
Information Security AwarenessnounActivities which seek to focus an individual’s attention on an (information security) issue or set of issues.ProcessMay 9, 2026
Information Security AwarenessMWEcandidateMay 9, 2026
Information Security Continuous MonitoringnounMaintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. [Note: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.]CapabilityMay 9, 2026
Information Security Continuous Monitoring ProcessnounA process to: • Define an ISCM strategy; • Establish an ISCM program; • Implement an ISCM program; • Analyze data and Report findings; • Respond to findings; and • Review and Update the ISCM strategy and program.ProcessRegulatedMay 12, 2026
Information Security Continuous Monitoring ProgramnounA program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls.ProcessRegulatedMay 12, 2026
information security controlnounPractices and procedures established to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.ControlMay 9, 2026
information security controlMWEcandidateMay 9, 2026
information security eventnounIdentified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant.EventRegulatedMay 12, 2026
information security eventMWEcandidateMay 12, 2026
information security incidentnounA single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.EventRegulatedMay 9, 2026
information security incidentMWEcandidateMay 9, 2026
information security policynounThe rules and guidelines of an organization on how to ensure the confidentiality, integrity, and availability of the organization's information.RequirementMay 9, 2026
information security policyMWEcandidateMay 9, 2026
information security procedurenounRequirementMay 8, 2026
information security procedureMWEcandidateMay 8, 2026
information security processnounProcessMay 8, 2026
information security processMWEcandidateMay 8, 2026
information security programnounProcessInternalMay 8, 2026
information security programMWEcandidateMay 8, 2026
Information Security Program PlannounFormal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.ArtifactRestrictedCUIMay 9, 2026
Information Security Program PlanMWEcandidateMay 9, 2026
Information Security risknounThe risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. See Risk.MetricRegulatedCUIMay 12, 2026
Information Security riskMWEcandidateMay 12, 2026
information security roles and responsibilitiesnounThe position and collection of tasks, duties, obligations that participants undertake to perform the daily and all special tasks in the role of information security.RoleMay 9, 2026
information security strategynounA plan to mitigate risks while complying with legal, statutory, contractual, and internally developed requirements.RequirementInternalMay 12, 2026
information security strategyMWEcandidateMay 12, 2026
information security threatnounAny circumstance or event with the potential to adversely impact the measures taken so that information and information systems are protected from unauthorized access, use, disclosure, disruption, modification, or destruction.ThreatRegulatedMay 12, 2026
information security threatMWEcandidateMay 12, 2026
information security trainingnounTraining strives to produce relevant and needed (information) security skills and competencies.ProcessMay 12, 2026
information security trainingMWEcandidateMay 12, 2026
information sharingnounThe requirements for information sharing by an IT system with one or more other IT systems or applications, for information sharing to support multiple internal or external organizations, missions, or public programs.ProcessMay 9, 2026
information sharingMWEcandidateMay 9, 2026
Information Sharing Environmentnoun1. An approach that facilitates the sharing of terrorism and homeland security information; or 2. ISE in its broader application enables those in a trusted partnership to share, discover, and access controlled information.SystemRegulatedCUIMay 9, 2026
Information Sharing EnvironmentMWEcandidateMay 9, 2026
information sharing forumnounAn assembly in which participants share problems, solutions, updates, and data on topics relevant to its discourse.CapabilityMay 9, 2026
information sharing forumMWEcandidateMay 9, 2026
Information StewardnounIndividual or group that helps to ensure the careful and responsible management of federal information belonging to the Nation as a whole, regardless of the entity or source that may have originated, created, or compiled the information. Information stewards provide maximum access to federal information to elements of the federal government and its customers, balanced by the obligation to protect the information in accordance with the provisions of FISMA and any associated security-related federal policies, directives, regulations, standards, and guidance.RoleRegulatedMay 9, 2026
Information StewardMWEcandidateMay 9, 2026
Information SystemnounA discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.]SystemRegulatedMay 12, 2026
Information SystemMWEcandidateMay 12, 2026
information system componentnounA discrete, identifiable information technology asset (e.g., hardware, software, firmware) that represents a building block of an information system. Information system components include commercial information technology products.SystemRegulatedMay 12, 2026
information system componentMWEcandidateMay 12, 2026
Information System Contingency PlannounManagement policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disasters.ProcessRegulatedCUIMay 9, 2026
Information System Life CyclenounThe phases through which an information system passes, typically characterized as initiation, development, operation, and termination (i.e., sanitization, disposal and/or destruction).ProcessMay 12, 2026
Information System Life CycleMWEcandidateMay 12, 2026
Information System OwnernounOfficial responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.RoleMay 9, 2026
Information System OwnerMWEcandidateMay 9, 2026
Information System Owner or Program ManagernounOfficial responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.RoleMay 9, 2026
information system resiliencenounThe ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.CapabilityMay 12, 2026
information system resilienceMWEcandidateMay 12, 2026
Information System Security OfficernounIndividual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for ensuring that the appropriate operational security posture is maintained for an information system or program.RoleMay 9, 2026
Information System-Related Security RisksnounInformation system-related security risks are those risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation.ThreatRegulatedMay 12, 2026
Information Systems SecuritynounProtection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.CapabilityRegulatedMay 12, 2026
Information Systems SecurityMWEcandidateMay 12, 2026
Information Systems Security EngineernounIndividual assigned responsibility for conducting information system security engineering activities.RoleMay 9, 2026
Information Systems Security EngineeringnounProcess of capturing and refining information protection requirements to ensure their integration into information systems acquisition and information systems development through purposeful security design or configuration.ProcessMay 9, 2026
Information Systems Security Equipment ModificationnounModification of any fielded hardware, firmware, software, or portion thereof, under NSA configuration control. There are three classes of modifications: mandatory (to include human safety); optional/special mission modifications; and repair actions. These classes apply to elements, subassemblies, equipment, systems, and software packages performing functions such as key generation, key distribution, message encryption, decryption, authentication, or those mechanisms necessary to satisfy security policy, labeling, identification, or accountability.ProcessRegulatedCUIMay 9, 2026
Information Systems Security ManagernounIndividual responsible for the information assurance of a program, organization, system, or enclave.RoleMay 9, 2026
Information Systems Security OfficernounIndividual assigned responsibility by the senior agency information security officer, authorizing official, management official, or information system owner for maintaining the appropriate operational security posture for an information system or program.RoleMay 9, 2026
Information Systems Security OperationsnounIn the NICE Workforce Framework, cybersecurity work where a person: Oversees the information assurance program of an information system in or outside the network environment; may include procurement duties (e.g., Information Systems Security Officer).CapabilityMay 9, 2026
Information Systems Security ProductnounItem (chip, module, assembly, or equipment), technique, or service that performs or relates to information systems security.CapabilityMay 9, 2026
information technologynounAny equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which— 1) requires the use of such equipment; or 2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.SystemRegulatedMay 12, 2026
information technologyMWEcandidateMay 12, 2026
Information Technology auditnounAn examination of the controls within an Information technology (IT) infrastructure.ProcessRegulatedMay 12, 2026
Information Technology auditMWEcandidateMay 12, 2026
Information Technology controlnounRefers to the internal controls over security management, system development and change management, information processing, communications networks and management of technology service providers.ControlRegulatedMay 12, 2026
Information Technology controlMWEcandidateMay 12, 2026
Information Technology Management programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to manage Information Technology resources of an organization in accordance with its needs and priorities. These resources may include tangible investments like computer hardware, software, data, networks and data center facilities, as well as the staff who are hired to maintain them.ProcessInternalMay 12, 2026
Information Technology operationnounThe activities and work involving Information Technology equipment and personnel.ProcessMay 12, 2026
Information Technology operationMWEcandidateMay 12, 2026
Information Technology risknounAny possibility of harm or damage related to Information Technology systems and data.MetricMay 9, 2026
Information Technology riskMWEcandidateMay 9, 2026
information technology risk managementnounInformation Technology risk management is the application of the principles of risk management to an Information Technology organization in order to manage the risks associated with the field. Information Technology risk management aims to manage the risks that come with the ownership, involvement, operation, influence, adoption and use of Information Technology as part of a larger enterprise. Information Technology risk management is a component of a larger enterprise risk management system. This encompasses not only the risks and negative effects of service and operations that can degrade organizational value, but it also takes the potential benefits of risky ventures into account.ProcessMay 9, 2026
Information Technology servicenounA service provided to one or more customers by an Information Technology (IT) service provider. An IT service is based on the use of information technology and supports the customer’s business processes. An IT service is made up from a combination of people, processes, and technology and should be defined in a service level agreement.CapabilityMay 12, 2026
Information Technology serviceMWEcandidateMay 12, 2026
information technology suppliernounInformation systems, components and services providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to that organization’s buyers.OrganizationMay 12, 2026
information technology supplierMWEcandidateMay 12, 2026
Information Technology systemnounInformation technology systems are collectively the equipment used to create, store and transmit digital data and any related software owned (or otherwise controlled) and used by the State and its agencies to fulfill its service and obligations to the citizens of Arizona.SystemRegulatedMay 12, 2026
Information Technology systemMWEcandidateMay 12, 2026
Information TypenounA specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation.RequirementRegulatedMay 12, 2026
Information TypeMWEcandidateMay 12, 2026
Information ValuenounA qualitative measure of the importance of the information based upon factors such as: level of robustness of the Information Assurance controls allocated to the protection of information based upon: mission criticality, the sensitivity (e.g., classification and compartmentalization) of the information, releasability to other countries, perishability/longevity of the information (e.g., short life data versus long life intelligence source data), and potential impact of loss of confidentiality and integrity and/or availability of the information.MetricMay 9, 2026
Information ValueMWEcandidateMay 9, 2026
Information WarfarenounInformation Warfare is the competition between offensive and defensive players over information resources.ThreatMay 9, 2026
Information WarfareMWEcandidateMay 9, 2026
Informative ReferencenounA specific section of standards, guidelines, and practices common among critical infrastructure sectors that illustrates a method to achieve the outcomes associated with each Cybersecurity Subcategory. An example of an Informative Reference is ISO/IEC 27001 Control A.10.8.3, which supports the “Data-in-transit is protected” Subcategory of the “Data Security” Category in the “Protect” function.ArtifactMay 12, 2026
Informative ReferenceMWEcandidateMay 12, 2026
InfrastructurenounDescribes what has been implemented by IT architecture and often includes support facilities such as power, cooling, ventilation, server and data redundancy and resilience, and telecommunications lines. Specific architecture types may exist for the following: enterprise, data (information), technology, security, and application.SystemMay 9, 2026
Infrastructure as a ServicenounOffers the capability to provision processing, storage, networks and other fundamental computing resources, enabling the customer to deploy and run arbitrary software, which can include operating systems (OSs) and applicationsCapabilityMay 12, 2026
Infrastructure as a ServiceMWEcandidateMay 12, 2026
IngestionnounA process to convert information extracted to a format that can be understood by investigators. Scope Note: See also Normalization.ProcessMay 9, 2026
IngressnounNetwork communications coming inNetworkMay 9, 2026
Ingress FilteringnounIngress Filtering is filtering inbound traffic.ControlMay 12, 2026
Ingress FilteringMWEcandidateMay 12, 2026
Inherent risknounThe risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls)MetricMay 9, 2026
Inherent riskMWEcandidateMay 9, 2026
Initialization VectornounA vector used in defining the starting point of an encryption process within a cryptographic algorithm.DataRestrictedMay 12, 2026
Initialization VectorMWEcandidateMay 12, 2026
InitializenounSetting the state of a cryptographic logic prior to key generation, encryption, or other operating mode.ProcessMay 9, 2026
initiateverbbegin or set in motion a new process, project, or actionCreateUnclassifiedMay 11, 2026
InitiatornounThe entity that initiates an authentication exchange.IdentityMay 12, 2026
InjectionnounA general term for attack types which consist of injecting code that is then interpreted/executed by the application. (OWASP)ThreatMay 9, 2026
inputnounIn Computing: The process of entering data or a program into a computer system.DataMay 9, 2026
Input Validation AttacksnounInput Validation Attacks are where an attacker intentionally sends unusual input in the hopes of confusing an application.ThreatMay 9, 2026
Input Validation AttacksMWEcandidateMay 9, 2026
inquireverbask questions or investigate to gain information or understandingAnalyzeUnclassifiedMay 11, 2026
InsidenounAn entity with authorized access (i.e., within the security domain) that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service.ThreatRegulatedMay 12, 2026
Inside ThreatnounAn entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.ThreatMay 9, 2026
Inside ThreatMWEcandidateMay 9, 2026
inside(r) threatnounA person or group of persons within an organization who pose a potential risk through violating security policies.ThreatRestrictedMay 9, 2026
inside(r) threatMWEcandidateMay 9, 2026
Insider AttacknounThreatMay 13, 2026
Insider AttackMWEcandidateMay 13, 2026
inspectverbexamine something carefully and critically for quality or complianceEvaluateUnclassifiedMay 11, 2026
Inspectable SpacenounThree-dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists. Synonymous with zone of control.PhysicalRegulatedCUIMay 9, 2026
Inspectable SpaceMWEcandidateMay 9, 2026
installverbset up software or hardware for useApplyPrimaryMay 11, 2026
installnounSet up for use.ProcessMay 9, 2026
InstancenouncandidateMay 13, 2026
Instance WeightnouncandidateMay 13, 2026
Instance WeightMWEcandidateMay 13, 2026
Institute of Electrical and Electronics EngineersnounPronounced I-triple-E; IEEE is an organization composed of engineers, scientists and students. Scope Note: Best known for developing standards for the computer and electronics industry.OrganizationMay 12, 2026
institutionnounAn organization founded for a specific purpose, such as religious, educational, professional, or social.OrganizationMay 9, 2026
instructverbteach or direct someone in how to do somethingApplyUnclassifiedMay 11, 2026
InstructionnounMeans (i) any instruction submitted by a Member through the submission process directing CLS Bank to settle certain payment entitlements and obligations arising pursuant to an FX transaction eligible for settlement in CLS Bank and (ii) any instructions resulting from the split of Settlement Eligible Instructions.RequirementRegulatedMay 12, 2026
insurance coveragenounThe amount of risk or liability covered for an individual or entity by way of insurance services. Insurance coverage is issued by an insurer in the event of unforeseen or unwanted occurrences.RequirementRegulatedMay 9, 2026
insurance coverageMWEcandidateMay 9, 2026
insurance ridernounAn add-on provision to a basic insurance policy that provides additional benefits to the policyholder at an additional cost. Standard policies usually leave little room for modification or customization beyond choosing deductibles and coverage amounts.RequirementRegulatedMay 9, 2026
insurance riderMWEcandidateMay 9, 2026
Intangible assetnounAn asset that is not physical in nature. Scope Note: Examples include: intellectual property (patents, trademarks, copyrights, processes), goodwill, and brand recognition.ArtifactConfidentialIPMay 9, 2026
Intangible assetMWEcandidateMay 9, 2026
integrateverbcombine parts or elements into a unified, functioning wholeCreateUnclassifiedMay 11, 2026
integrated risk managementnounThe structured approach that enables an enterprise or organization to share risk information and risk analysis and to synchronize independent yet complementary risk management strategies to unify efforts across the enterprise.ProcessMay 9, 2026
integrated risk managementMWEcandidateMay 9, 2026
Integrated Systems Digital Networking (ISDN)nounA hierarchy of digital switching and transmission systems that provides voice, data, and image in a unified manner. Integrated Systems Digital Networking (ISDN) is synchronized so that all digital elements communicate in the same protocol at the same speed.NetworkMay 12, 2026
Integrated test/exercisenounThis integrated test/exercise incorporates more than one component or module, as well as external dependencies, to test the effectiveness of the continuity plans for a business line or major function.ProcessInternalMay 12, 2026
Integrated test/exerciseMWEcandidateMay 12, 2026
IntegritynounGuarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.ControlMay 9, 2026
integrity check mechanismnounAny software, hardware, or methodology that checks a program, system, or records for unauthorized modifications.ControlMay 9, 2026
integrity check mechanismMWEcandidateMay 9, 2026
Integrity Check ValuenounChecksum capable of detecting modification of an information system.ControlMay 9, 2026
Integrity Check ValueMWEcandidateMay 9, 2026
Integrity Star PropertynounIn Integrity Star Property a user cannot read data of a lower integrity level than their own.ControlMay 9, 2026
Integrity Star PropertyMWEcandidateMay 9, 2026
intellectual propertynounCreations of the mind such as musical, literary, and artistic works; inventions; and symbols, names, images, and designs used in commerce, including copyrights, trademarks, patents, and related rights. Under intellectual property law, the holder of one of these abstract “properties” has certain exclusive rights to the creative work, commercial symbol, or invention by which it is covered.DataRestrictedIPMay 9, 2026
intellectual propertyMWEcandidateMay 9, 2026
Intelligent Process AutomationnouncandidateMay 13, 2026
Intelligent Process AutomationMWEcandidateMay 13, 2026
intentnounA state of mind or desire to achieve an objective.candidateMay 12, 2026
interactverbengage with others or with material in a participatory wayUnderstandUnclassifiedMay 11, 2026
interactionnounA mutual or reciprocal action; interacting.candidateMay 9, 2026
interactive remote accessnounUser-initiated access by a person employing a remote access client or other remote access technology using a routable protocol. Remote access originates from a Cyber Asset that is not an Intermediate System and not located within any of the Responsible Entity’s Electronic Security Perimeter(s) or at a defined Electronic Access Point (EAP). Remote access may be initiated from: 1) Cyber Assets used or owned by the Responsible Entity, 2) Cyber Assets used or owned by employees, and 3) Cyber Assets used or owned by vendors, contractors, or consultants. Interactive remote access does not include system-to-system process communications.ProcessRegulatedCUIMay 12, 2026
interactive remote accessMWEcandidateMay 12, 2026
interactive user accessnounUser access to an operating system by means of a log-in through a Graphical User Interface.ProcessRegulatedMay 12, 2026
interactive user accessMWEcandidateMay 12, 2026
Interbank checksnounChecks that are not "on-us." They are cleared and settled either by direct presentment, a clearinghouse association, a correspondent bank, or a Federal Reserve Bank.DataRegulatedMay 12, 2026
Interbank checksMWEcandidateMay 12, 2026
InterchangenounExchange of transactions between financial institutions participating in a bank card network, based on a common set of rules. Card interchange allows a financial institution's customers to use a bank credit card at any card honoring merchant and to gain access to multiple ATM systems from a single ATM.ProcessRegulatedPCIMay 9, 2026
Interchange feesnounFees paid by one financial institution to another to cover handling costs and credit risk in a financial institution card transaction. Interchange fees generally flow toward the institution funding the transaction and assuming the risk. In a credit card transaction, the interchange fee is paid by the merchant acquirer accepting the merchant's sales draft to the card-issuing institution, which, in turn, passes the fee to its merchants. In EFT/POS transactions, interchange flows in the opposite direction: the card-issuing institution (or customer) pays the fee to the terminal-owning institution. When a transaction is an off-line debit sale, the card-issuing institution collects an interchange fee from the merchant, rather than from the customer, unlike in an EFT/POS transaction, where the customer pays the interchange fee. Interchange revenue is derived from fees set by the card associations. Depending on the card association, fees can range from 1% to 3% of the value of the transaction. Interchange revenue is recognized as a card issuer's second largest revenue line item.RequirementRegulatedMay 12, 2026
Interchange feesMWEcandidateMay 12, 2026
Interconnection Security AgreementnounA document that regulates security-relevant aspects of an intended connection between an agency and an external system. It regulates the security interface between any two systems operating under two different distinct authorities. It includes a variety of descriptive, technical, procedural, and planning information. It is usually preceded by a formal MOA/MOU that defines high-level roles and responsibilities in management of a cross-domain connection.RequirementRegulatedCUIMay 9, 2026
Interconnection Security AgreementMWEcandidateMay 9, 2026
interconnectivitynounThe state or quality of being connected together. The interaction of a financial institution's internal and external systems and applications and the entities with which they are linked.NetworkRegulatedMay 12, 2026
interconvertverbchange between two or more forms, units, or representationsApplyUnclassifiedMay 11, 2026
InterdependenciesnounWhen two or more departments, processes, functions, or third-party providers support one another in some fashion.ProcessMay 9, 2026
interested personnelnounThis role focuses on persons or organizations that have a recognizable stake in the outcome of a court matter or who are potentially being affected by a situation or hoping to make money off of the situation. Any individual or organization that has a recognizable stake in the outcome of a court matter, may be affected by a situation, or make money from the situation should be assigned to this role.RoleMay 9, 2026
interested personnelMWEcandidateMay 9, 2026
interfaceverbcreate connections or interactions between different systems or componentsCreateUnclassifiedMay 11, 2026
InterfacenounCommon boundary between independent systems or modules where interactions take place.SystemMay 9, 2026
Interface Control DocumentnounTechnical document describing interface controls and identifying the authorities and responsibilities for ensuring the operation of such controls. This document is baselined during the preliminary design review and is maintained throughout the information system life cycle.ArtifactRegulatedCUIMay 9, 2026
Interface Control DocumentMWEcandidateMay 9, 2026
Interim Approval to OperatenounTemporary authorization granted by a DAA for an information system to process information based on preliminary results of a security evaluation of the system. (To be replaced by ATO and POA&M)ArtifactRegulatedCUIMay 9, 2026
Interim Approval to OperateMWEcandidateMay 9, 2026
Interim Approval to TestnounTemporary authorization to test an information system in a specified operational information environment within the time frame and under the conditions or constraints enumerated in the written authorization.RequirementRegulatedCUIMay 9, 2026
Interim Approval to TestMWEcandidateMay 9, 2026
Intermediate Certification AuthoritynounA Certification Authority that is subordinate to another CA, and has a CA subordinate to itself.SystemRegulatedMay 9, 2026
intermediate systemnounA Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.SystemRegulatedCUIMay 9, 2026
intermediate systemMWEcandidateMay 9, 2026
Internal "trusted" zonenounA channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include SSL, IP security and a secure physical connection.NetworkInternalMay 12, 2026
Internal "trusted" zoneMWEcandidateMay 12, 2026
internal auditnounAn audit that is performed for the management and other internal purposes by individuals who are employed by the organization.ProcessConfidentialMay 9, 2026
internal auditMWEcandidateMay 9, 2026
internal audit functionnounAn appraisal activity established or provided as a service to the entity. Its functions include, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of internal control.CapabilityInternalMay 12, 2026
internal audit functionMWEcandidateMay 12, 2026
internal audit managernounMonitors the audit scope and risk assessments to ensure that audit coverage remains adequate.RoleInternalMay 9, 2026
internal audit managerMWEcandidateMay 9, 2026
internal audit programnounAn internal audit program defines the type of internal audit being conducted (IT, HR, financial, etc.), the specific subject(s) attended to, the roles and responsibilities of those involved, the method being used to conduct the audit, and the schedule of the audit.ProcessInternalMay 9, 2026
internal audit programMWEcandidateMay 9, 2026
internal audit reportnounA report issued by an independent auditor within an organization that expresses an opinion about whether the financial statements present fairly a company's financial position, operating results, and cash flows in accordance with generally accepted accounting principles.ArtifactConfidentialMay 12, 2026
internal audit reportMWEcandidateMay 12, 2026
internal auditornounThis role is focused on providing independent and objective evaluations of the organization's financial records, systems, or anything else being audited. Any individual who performs internal audits should be assigned to this role.RoleMay 9, 2026
internal auditorMWEcandidateMay 9, 2026
internal communicationnounA message that is sent from within an organization.DataInternalMay 12, 2026
internal communicationMWEcandidateMay 12, 2026
internal controlnounThe purpose of this task is to provide reasonable assurance that operations are effective and efficient, financial reporting is reliable, and applicable laws and regulations are being followed.ControlRegulatedMay 12, 2026
internal controlMWEcandidateMay 12, 2026
Internal NetworknounA network where 1) the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or 2) cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (at least with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned.NetworkInternalMay 12, 2026
Internal NetworkMWEcandidateMay 12, 2026
internal processnounAll the activities and key processes required in order for the company to excel at providing the value expected by the customers.ProcessInternalMay 9, 2026
internal processMWEcandidateMay 9, 2026
internal risk managementnounInternal risk management involves all activities relating to the processes of analyzing exposure to risk and determining appropriate counter-measures.ProcessInternalMay 12, 2026
internal risk managementMWEcandidateMay 12, 2026
Internal Security ControlsnounHardware, firmware, or software features within an information system that restrict access to resources only to authorized subjects.ControlMay 9, 2026
Internal Security ControlsMWEcandidateMay 9, 2026
Internal Security TestingnounSecurity testing conducted from inside the organization’s security perimeter.ProcessMay 9, 2026
Internal Security TestingMWEcandidateMay 9, 2026
internal systemnounA system owned and operated by the organization.SystemInternalMay 9, 2026
internal systemMWEcandidateMay 9, 2026
Internal ValiditynouncandidateMay 13, 2026
Internal ValidityMWEcandidateMay 13, 2026
International Organization for Standardization (ISO)nounAn independent, non-governmental, international organization that brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards.OrganizationMay 12, 2026
International Standards OrganizationnounThe world’s largest developer of voluntary International StandardsOrganizationMay 9, 2026
InternetnounThe Internet is the single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the Internet Architecture Board (IAB), and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).NetworkMay 9, 2026
internet accessnounInternet access refers to the means by which users connect to the Internet, and includes the following components: (1) The transmission of information as common carriage; (2) The transmission of information as part of a gateway to an information service, when that transmission does not involve the generation or alteration of the content of information, but may include data transmission, address translation, protocol conversion, billing management, introductory information content, and navigational systems that enable users to access information services, and that do not affect the presentation of such information to users; and (3) Electronic mail services (e-mail).NetworkInternalMay 12, 2026
internet accessMWEcandidateMay 12, 2026
Internet Assigned Numbers AuthoritynounResponsible for the global coordination of the DNS root, IP addressing, and other Internet protocol resourcesOrganizationMay 12, 2026
Internet Assigned Numbers AuthorityMWEcandidateMay 12, 2026
Internet Control Message ProtocolnounA set of protocols that allow systems to communicate information about the state of services on other systems. Scope Note: For example, ICMP is used in determining whether systems are up, maximum packet sizes on links, whether a destination host/network/port is available. Hackers typically use (abuse) ICMP to determine information about the remote site.NetworkMay 9, 2026
Internet Control Message ProtocolMWEcandidateMay 9, 2026
Internet Engineering Task ForcenounThe body that defines standard Internet operating protocols such as TCP/IP. The IETF is supervised by the Internet Society Internet Architecture Board (IAB). IETF members are drawn from the Internet Society's individual and organization membership.OrganizationMay 12, 2026
Internet Engineering Task ForceMWEcandidateMay 12, 2026
Internet Message Access ProtocolnounA protocol that defines how a client should fetch mail from and return mail to a mail server. IMAP is intended as a replacement for or extension to the Post Office Protocol (POP). It is defined in RFC 1203 (v3) and RFC 2060 (v4).NetworkMay 12, 2026
Internet Message Access ProtocolMWEcandidateMay 12, 2026
Internet protocolnounStandard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks.NetworkMay 9, 2026
Internet protocolMWEcandidateMay 9, 2026
Internet protocol (IP)nounIP is a standard format for routing data packets between computers. IP is efficient, flexible, routable, and widely used with many applications, and is gaining acceptance as the preferred communication protocol.NetworkMay 9, 2026
Internet protocol (IP)MWEcandidateMay 9, 2026
Internet Protocol SecuritynounA developing standard for security at the network or packet processing layer of network communication.ControlMay 9, 2026
Internet Protocol SecurityMWEcandidateMay 9, 2026
Internet service providernounA third party that provides individuals and enterprises with access to the Internet and a variety of other Internet-related servicesOrganizationMay 12, 2026
Internet service providerMWEcandidateMay 12, 2026
Internet service provider (ISP)nounA company that provides its customers with access to the Internet (e.g., AT&T, Verizon, CenturyLink).OrganizationMay 9, 2026
Internet service provider (ISP)MWEcandidateMay 9, 2026
Internet Small Computer System Interface (iSCSI)nounAn Internet protocol based storage networking standard for linking data storage facilities. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances.NetworkMay 12, 2026
Internet StandardnounA specification, approved by the IESG and published as an RFC, that is stable and well-understood, is technically competent, has multiple, independent, and interoperable implementations with substantial operational experience, enjoys significant public support, and is recognizably useful in some or all parts of the Internet.FrameworkPublicMay 12, 2026
Internet StandardMWEcandidateMay 12, 2026
Internetwork Packet Exchange/Sequenced Packet ExchangenounIPX is layer 3 of the open systems interconnect (OSI) model network protocol; SPX is layer 4 transport protocol. The SPX layer sits on top of the IPX layer and provides connection-oriented services between two nodes on the network.NetworkMay 12, 2026
interoperabilitynounFor the purposes of this standard, interoperability allows any government facility or information system, regardless of the PIV Issuer, to verify a cardholder’s identity using the credentials on the PIV Card.CapabilityMay 12, 2026
Interoperability standards/protocolsnounCommonly agreed on standards that enable different computers or programs to share information. Example: HTTP (Hypertext Transfer Protocol) is a standard method of publishing information as hypertext in HTML format on the Internet.RequirementMay 9, 2026
interpolateverbestimate a value within a range based on surrounding known valuesUnderstandUnclassifiedMay 11, 2026
interpretverbexplain the meaning or significance of information, data, or eventsEvaluateUnclassifiedMay 11, 2026
InterpretabilitynouncandidateMay 13, 2026
Interpretable ModelnouncandidateMay 13, 2026
Interpretable ModelMWEcandidateMay 13, 2026
InterrogationnounUsed to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from extracted dataProcessRegulatedPIIMay 12, 2026
interruptverbstop a process to examine, question, or redirect itAnalyzeUnclassifiedMay 11, 2026
InterruptnounAn Interrupt is a signal that informs the OS that something has occurred.EventMay 9, 2026
IntervenabilitynounRegulatedMay 13, 2026
interviewverbask structured questions to gather information from a personApplyUnclassifiedMay 11, 2026
InterviewnounA type of assessment method that is characterized by the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or lead to the location of evidence, the results of which are used to support the determination of security control effectiveness over time.ProcessMay 9, 2026
IntranetnounA private network that is employed within the confines of a given enterprise (e.g., internal to a business or agency).NetworkInternalMay 12, 2026
introductionnounThe act of starting something for the first time; introducing something new.candidateMay 9, 2026
IntrudernounIndividual or group gaining access to the network and its resources without permissionThreatMay 9, 2026
intrusionnounUnauthorized act of bypassing the security mechanisms of a system.ThreatMay 9, 2026
Intrusion detectionnounTechniques that attempt to detect unauthorized entry or access into a computer or network by observation of actions, security logs, or audit data; detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available on the network.CapabilityMay 9, 2026
Intrusion detectionMWEcandidateMay 9, 2026
Intrusion Detection and Prevention SystemnounSoftware that automates the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents and attempting to stop detected possible incidents.CapabilityMay 9, 2026
Intrusion detection systemnounInspects network and host security activity to identify suspicious patterns that may indicate a network or system attackCapabilityMay 12, 2026
Intrusion detection systemMWEcandidateMay 12, 2026
Intrusion detection system (IDS)nounSoftware or hardware product that detects and logs inappropriate, incorrect, or anomalous activity. It gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organizations) and misuse (attacks from within the organizations). IDS are typically characterized based on the source of the data they monitor: host or network. A host-based IDS uses system log files and other electronic audit data to identify suspicious activity. A network-based IDS uses a sensor to monitor packets on the network to which it is attached.CapabilityMay 9, 2026
Intrusion detection system (IDS)MWEcandidateMay 9, 2026
Intrusion preventionnounA preemptive approach to network security used to identify potential threats and respond to them to stop, or at least limit, damage or disruptionCapabilityMay 9, 2026
Intrusion preventionMWEcandidateMay 9, 2026
Intrusion prevention systemnounSystem(s) which can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.SystemMay 12, 2026
Intrusion prevention systemMWEcandidateMay 12, 2026
Intrusion prevention systems (IPS)nounA system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its target.SystemMay 12, 2026
Intrusion prevention systems (IPS)MWEcandidateMay 12, 2026
inventverbcreate something entirely new that did not previously existCreateUnclassifiedMay 11, 2026
inventoryverbcreate a complete, itemized list of items, assets, or componentsAnalyzeUnclassifiedMay 11, 2026
Inverse CiphernounSeries of transformations that converts ciphertext to plaintext using the Cipher Key.CapabilityMay 12, 2026
Inverse CipherMWEcandidateMay 12, 2026
investigateverbconduct a systematic inquiry to discover facts or establish truthCreateUnclassifiedMay 11, 2026
InvestigatenounTo carry out a formal or systematic inquiry to discover and examine the facts of an event, incident, etc. in order to establish the truth.ProcessMay 12, 2026
investigationnounThe purpose of this task is to discover and examine the facts of an incident or allegation to establish the truth.ProcessRegulatedMay 9, 2026
investornounA person who commits capital in order to gain financial returns.RoleMay 12, 2026
involveverbTo include someone or something in an activity or situation, or as a necessary part.UnclassifiedMay 11, 2026
involvementnounThe act of sharing in the activities of a group.candidateMay 9, 2026
IP addressnounA unique binary number used to identify devices on a TCP/IP networkNetworkMay 9, 2026
IP addressMWEcandidateMay 9, 2026
IP Authentication HeadernounProtocol used to provide connectionless integrity and data origin authentication for IP datagrams (hereafter referred to as just integrity) and to provide protection against replays. (RFC 4302). Scope Note: AH ensures data integrity with a checksum that a message authentication code, such as MD5, generates. To ensure data origin authentication, AH includes a secret shared key in the algorithm that it uses for authentication. To ensure replay protection, AH uses a sequence number field within the IP authentication header.NetworkMay 12, 2026
IP Authentication HeaderMWEcandidateMay 12, 2026
IP FloodnounA denial of service attack that sends a host more echo request ("ping") packets than the protocol implementation can handle.ThreatMay 9, 2026
IP FloodMWEcandidateMay 9, 2026
IP ForwardingnounIP forwarding is an Operating System option that allows a host to act as a router. A system that has more than 1 network interface card must have IP forwarding turned on in order for the system to be able to act as a router.CapabilityMay 12, 2026
IP ForwardingMWEcandidateMay 12, 2026
IP SecuritynounSuite of protocols for securing Internet Protocol (IP) communications at the network layer, layer 3 of the OSI model by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment.NetworkMay 9, 2026
IP SecurityMWEcandidateMay 9, 2026
IP SpoofingnounThe technique of supplying a false IP address.ThreatMay 12, 2026
IP SpoofingMWEcandidateMay 12, 2026
IPv6 (Acronym)nounVersion 6 of the Internet Protocol.NetworkMay 9, 2026
IPv6 (Acronym)MWEcandidateMay 9, 2026
ISAC (Acronym)nounInformation Sharing and Analysis Center.OrganizationMay 9, 2026
ISAC (Acronym)MWEcandidateMay 9, 2026
ISOnounInternational Organization for Standardization, a voluntary, non-treaty, non-government organization, established in 1947, with voting members that are designated standards bodies of participating nations and non-voting observer organizations.OrganizationMay 9, 2026
issuenounAn important question, point, or problem to be disputed, discussed, or decided.FindingMay 12, 2026
Issue-Specific PolicynounAn Issue-Specific Policy is intended to address specific needs within an organization, such as a password policy.RequirementMay 9, 2026
Issue-Specific PolicyMWEcandidateMay 9, 2026
IT architecturenounA subset of enterprise architecture, with detail to support data processing and access, including fundamental requirements for centralized or distributed computing, real or virtual servers, devices and workstations, and networking design. Architecture plans may also exist for data (information), security, and applications.FrameworkMay 9, 2026
IT architectureMWEcandidateMay 9, 2026
IT governancenounAn integral part of governance that consists of the leadership and organizational structures and processes that ensure that the institution's IT sustains and extends the organization's strategies and objectives.ProcessMay 9, 2026
IT governanceMWEcandidateMay 9, 2026
IT Security ArchitecturenounA description of security principles and an overall approach for complying with the principles that drive the system design; i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments.FrameworkMay 12, 2026
IT Security ArchitectureMWEcandidateMay 12, 2026
IT Security AwarenessnounThe purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.CapabilityMay 9, 2026
IT Security AwarenessMWEcandidateMay 9, 2026
IT Security Awareness and Training ProgramnounExplains proper rules of behavior for the use of agency information systems and information. The program communicates IT security policies and procedures that need to be followed (i.e., NSTISSD 501, NIST SP 800-50).ProcessRegulatedCUIMay 12, 2026
IT Security EducationnounIT Security Education seeks to integrate all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and proactive response.ProcessMay 9, 2026
IT Security EducationMWEcandidateMay 9, 2026
IT Security InvestmentnounAn IT application or system that is solely devoted to security. For instance, intrusion detection systems (IDS) and public key infrastructure (PKI) are examples of IT security investments.CapabilityMay 9, 2026
IT Security InvestmentMWEcandidateMay 9, 2026
IT Security MetricsnounMetrics based on IT security performance goals and objectives.MetricMay 12, 2026
IT Security MetricsMWEcandidateMay 12, 2026
IT Security PolicynounThe “documentation of IT security decisions” in an organization. NIST SP 800-12 categorizes IT Security Policy into three basic types: 1) Program Policy—high-level policy used to create an organization’s IT security program, define its scope within the organization, assign implementation responsibilities, establish strategic direction, and assign resources for implementation. 2) Issue-Specific Policies—address specific issues of concern to the organization, such as contingency planning, the use of a particular methodology for systems risk management, and implementation of new regulations or law. These policies are likely to require more frequent revision as changes in technology and related factors take place. 3) System-Specific Policies—address individual systems, such as establishing an access control list or in training users as to what system actions are permitted. These policies may vary from system to system within the same organization. In addition, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization’s electronic mail (email) policy or fax security policy.RequirementMay 9, 2026
IT Security PolicyMWEcandidateMay 9, 2026
IT Security TrainingnounIT Security Training strives to produce relevant and needed security skills and competencies by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing). The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues. The skills acquired during training are built upon the awareness foundation, in particular, upon the security basics and literacy material.ProcessMay 9, 2026
IT Security TrainingMWEcandidateMay 9, 2026
IT strategic plannounA comprehensive blueprint that guides the organization's technology management and contains high-level goals and plans for all areas of information technology that affect the business, not just the infrastructure. The plan should include areas that impact technology management, including cost management, human capital management, hardware and software management, third-party management, risk management, and all other considerations in the enterprise IT environment.ArtifactInternalMay 9, 2026
IT strategic planMWEcandidateMay 9, 2026
IT system inventorynounA list containing information about the information resources owned or operated by an organization.ArtifactInternalMay 9, 2026
IT system inventoryMWEcandidateMay 9, 2026
IT-Related RisknounThe net mission/business impact considering 1) the likelihood that a particular threat source will exploit, or trigger, a particular information system vulnerability, and 2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission/business loss due to, but not limited to: - Unauthorized (malicious, non-malicious, or accidental) disclosure, modification, or destruction of information; - Non-malicious errors and omissions; - IT disruptions due to natural or man-made disasters; or - Failure to exercise due care and diligence in the implementation and operation of the IT.MetricMay 9, 2026
IT-Related RiskMWEcandidateMay 9, 2026
IterativenounRepetitive or cyclical. Iterative software development involves the completion of project tasks or phases in repetitive cycles. Tasks and phase activities are repeated until a desired result is achieved.ProcessMay 12, 2026
ITU-TnounInternational Telecommunications Union, Telecommunication Standardization Sector (formerly "CCITT"), a United Nations treaty organization that is composed mainly of postal, telephone, and telegraph authorities of the member countries and that publishes standards called "Recommendations."OrganizationMay 9, 2026
JammingnounAn attack in which a device is used to emit electromagnetic energy on a wireless network’s frequency to make it unusable.ThreatMay 9, 2026
JitternounJitter or Noise is the modification of fields in a database while preserving the aggregate characteristics that make the database useful in the first place.ControlRegulatedPIIMay 12, 2026
job responsibilitynounThe tasks and duties required of a particular employment position.RoleMay 9, 2026
job responsibilityMWEcandidateMay 9, 2026
joinverbbring together or connect separate elements into oneCreateUnclassifiedMay 11, 2026
Joint AuthorizationnounSecurity authorization involving multiple authorizing officials.ProcessMay 9, 2026
Joint AuthorizationMWEcandidateMay 9, 2026
journalverbrecord thoughts, observations, or reflections in written formUnderstandUnclassifiedMay 11, 2026
judgeverbform an opinion or conclusion based on careful evaluation of evidenceEvaluateUnclassifiedMay 11, 2026
Jump BagnounA Jump Bag is a container that has all the items necessary to respond to an incident inside to help mitigate the effects of delayed reactions.PhysicalMay 9, 2026
Jump BagMWEcandidateMay 9, 2026
justifyverbprovide reasons, evidence, or arguments to support a decision or conclusionCreateUnclassifiedMay 11, 2026
keepverbTo have or maintain possession of something.UnclassifiedMay 11, 2026
KerberosnounA widely used authentication protocol developed at the Massachusetts Institute of Technology (MIT). In “classic” Kerberos, users share a secret password with a Key Distribution Center (KDC). The user, Alice, who wishes to communicate with another user, Bob, authenticates to the KDC and is furnished a “ticket” by the KDC to use to authenticate with Bob. When Kerberos authentication is based on passwords, the protocol is known to be vulnerable to off-line dictionary attacks by eavesdroppers who capture the initial user-to-KDC exchange. Longer password length and complexity provide some mitigation to this vulnerability, although sufficiently long passwords tend to be cumbersome for users.CapabilityMay 9, 2026
KernelnounThe essential center of a computer operating system, the core that provides basic services for all other parts of the operating system. A synonym is nucleus. A kernel can be contrasted with a shell, the outermost part of an operating system that interacts with user commands. Kernel and shell are terms used more frequently in Unix and some other operating systems than in IBM mainframe systems.SystemMay 9, 2026
Kernel modenounUsed for execution of privileged instructions for the internal operation of the system. In kernel mode, there are no protections from errors or malicious activity and all parts of the system and memory are accessible.SystemMay 9, 2026
Kernel modeMWEcandidateMay 9, 2026
keynounA parameter used in conjunction with a cryptographic algorithm that determines its operation. Examples applicable to this Standard include: 1. The computation of a digital signature from data, and 2. The verification of a digital signature.CredentialRestrictedCUIMay 12, 2026
Key BundlenounThe three cryptographic keys (Key1, Key2, Key3) that are used with a Triple Data Encryption Algorithm (TDEA) mode.CredentialRestrictedMay 9, 2026
Key BundleMWEcandidateMay 9, 2026
key controlnounA type of internal control designed to detect errors or fraud in financial statements.ControlRegulatedMay 12, 2026
key controlMWEcandidateMay 12, 2026
Key Distribution CenternounCOMSEC facility generating and distributing key in electronic form.SystemRegulatedCUIMay 9, 2026
Key Distribution CenterMWEcandidateMay 9, 2026
Key Escrownoun1. The processes of managing (e.g., generating, storing, transferring, auditing) the two components of a cryptographic key by two key component holders. 2. A key recovery technique for storing knowledge of a cryptographic key, or parts thereof, in the custody of one or more third parties called "escrow agents," so that the key can be recovered and used in specified circumstances.ProcessRegulatedCUIMay 9, 2026
Key EscrowMWEcandidateMay 9, 2026
Key Escrow SystemnounA system that entrusts the two components comprising a cryptographic key (e.g., a device unique key) to two key component holders (also called "escrow agents").SystemRegulatedCUIMay 9, 2026
Key Escrow SystemMWEcandidateMay 9, 2026
Key EstablishmentnounThe process by which cryptographic keys are securely established among cryptographic modules using manual transport methods (e.g., key loaders), automated methods (e.g., key transport and/or key agreement protocols), or a combination of automated and manual methods (consists of key transport plus key agreement).ProcessRestrictedCUIMay 9, 2026
Key EstablishmentMWEcandidateMay 9, 2026
Key ExchangenounProcess of exchanging public keys (and other information) in order to establish secure communications.ProcessMay 9, 2026
Key ExchangeMWEcandidateMay 9, 2026
Key ExpansionnounRoutine used to generate a series of Round Keys from the Cipher Key.ProcessRegulatedMay 12, 2026
Key ExpansionMWEcandidateMay 12, 2026
Key fobnounA small portable device equipped with chip technology allowing the holder the ability to access network systems, such as those used for payments, and to store personal data.PhysicalRegulatedPIIMay 9, 2026
Key fobMWEcandidateMay 9, 2026
Key Generation MaterialnounRandom numbers, pseudo-random numbers, and cryptographic parameters used in generating cryptographic keys.DataRegulatedCUIMay 9, 2026
Key Generation MaterialMWEcandidateMay 9, 2026
Key lengthnounThe size of the encryption key measured in bitsMetricMay 9, 2026
Key lengthMWEcandidateMay 9, 2026
Key ListnounPrinted series of key settings for a specific cryptonet. Key lists may be produced in list, pad, or printed tape format.ArtifactRegulatedCUIMay 9, 2026
Key ListMWEcandidateMay 9, 2026
Key LoadernounA self-contained unit that is capable of storing at least one plaintext or encrypted cryptographic key or a component of a key that can be transferred, upon request, into a cryptographic module.PhysicalRegulatedCUIMay 9, 2026
Key LoaderMWEcandidateMay 9, 2026
Key LoggernounA program designed to record which keys are pressed on a computer keyboard used to obtain passwords or encryption keys and thus bypass other security measures.ThreatMay 9, 2026
Key LoggerMWEcandidateMay 9, 2026
Key ManagementnounThe activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and zeroization.ProcessRegulatedCUIMay 9, 2026
Key ManagementMWEcandidateMay 9, 2026
Key Management DevicenounA unit that provides for secure electronic distribution of encryption keys to authorized users.PhysicalRestrictedMay 12, 2026
Key Management DeviceMWEcandidateMay 12, 2026
Key Management InfrastructurenounAll parts – computer hardware, firmware, software, and other equipment and its documentation; facilities that house the equipment and related functions; and companion standards, policies, procedures, and doctrine that form the system that manages and supports the ordering and delivery of cryptographic material and related information products and services to users.SystemRegulatedCUIMay 9, 2026
Key Management InfrastructureMWEcandidateMay 9, 2026
key pairnounTwo mathematically related keys having the properties that (1) one key can be used to encrypt a message that can only be decrypted using the other key, and (2) even knowing one key, it is computationally infeasible to discover the other key.CredentialRestrictedMay 9, 2026
key pairMWEcandidateMay 9, 2026
Key Production KeynounKey used to initialize a keystream generator for the production of other electronically generated key.CredentialRestrictedCUIMay 9, 2026
Key Production KeyMWEcandidateMay 9, 2026
Key RecoverynounMechanisms and processes that allow authorized parties to retrieve the cryptographic key used for data confidentiality.ProcessRestrictedCUIMay 12, 2026
Key RecoveryMWEcandidateMay 12, 2026
key resourcenounA publicly or privately controlled asset necessary to sustain continuity of government and/or economic operations, or an asset that is of great historical significance.PhysicalRegulatedMay 9, 2026
key resourceMWEcandidateMay 9, 2026
Key risk indicatornounA subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk. Scope Note: See also Risk Indicator.MetricMay 9, 2026
Key risk indicatorMWEcandidateMay 9, 2026
Key StreamnounSequence of symbols (or their electrical or mechanical equivalents) produced in a machine or auto-manual cryptosystem to combine with plain text to produce cipher text, control transmission security processes, or produce key.DataRestrictedCUIMay 9, 2026
Key StreamMWEcandidateMay 9, 2026
Key TagnounIdentification information associated with certain types of electronic key.ArtifactRegulatedCUIMay 12, 2026
Key TagMWEcandidateMay 12, 2026
Key TapenounPunched or magnetic tape containing key. Printed key in tape form is referred to as a key list.PhysicalRegulatedCUIMay 9, 2026
Key TapeMWEcandidateMay 9, 2026
Key TransportnounThe secure transport of cryptographic keys from one cryptographic module to another module.ProcessRegulatedMay 9, 2026
Key TransportMWEcandidateMay 9, 2026
Key UpdatingnounIrreversible cryptographic process for modifying key.ProcessRegulatedCUIMay 12, 2026
Key UpdatingMWEcandidateMay 12, 2026
Key WrapnounA method of encrypting keying material (along with associated integrity information) that provides both confidentiality and integrity protection using a symmetric key algorithm.ControlRestrictedMay 12, 2026
Key WrapMWEcandidateMay 12, 2026
Key-Auto-KeynounCryptographic logic using previous key to produce key.ControlRegulatedCUIMay 12, 2026
Key-Encryption-KeynounKey that encrypts or decrypts other key for transmission or storage.CredentialRestrictedMay 9, 2026
Keyed-hash based message authentication codenounA message authentication code that uses a cryptographic key in conjunction with a hash function.ControlRegulatedMay 12, 2026
Keying MaterialnounKey, code, or authentication information in physical, electronic, or magnetic form.CredentialRestrictedCUIMay 12, 2026
Keying MaterialMWEcandidateMay 12, 2026
Keystroke MonitoringnounThe process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.ProcessRegulatedCUIMay 12, 2026
Keystroke MonitoringMWEcandidateMay 12, 2026
KiosknounA publicly accessible computer terminal that permits customers to directly communicate with the financial institution via a network.SystemInternalPCIMay 9, 2026
KMI Operating AccountnounA KMI business relationship that is established 1) to manage the set of user devices that are under the control of a specific KMI customer organization, and 2) to control the distribution of KMI products to those devices.OrganizationRegulatedCUIMay 9, 2026
KMI Operating AccountMWEcandidateMay 9, 2026
KMI Protected ChannelnounA KMI Communication Channel that provides 1) Information Integrity Service; 2) either Data Origin Authentication Service or Peer Entity Authentication Service, as is appropriate to the mode of communications; and 3) optionally, Information Confidentiality Service.NetworkRegulatedCUIMay 9, 2026
KMI Protected ChannelMWEcandidateMay 9, 2026
KMI-Aware DevicenounA user device that has a user identity for which the registration has significance across the entire KMI (i.e., the identity’s registration data is maintained in a database at the PRSN level of the system, rather than only at an MGC) and for which a product can be generated and wrapped by a PSN for distribution to the specific device.SystemRegulatedCUIMay 9, 2026
KMI-Aware DeviceMWEcandidateMay 9, 2026
knowverbTo have an understanding of or information concerning something.UnclassifiedMay 11, 2026
knowledgenounFacts, information, and skills acquired by a person through experience or education; the theoretical or practical understanding of a subject.DataMay 12, 2026
Knowledge ManagementnounIn the NICE Workforce Framework, cybersecurity work where a person: Manages and administers processes and tools that enable the organization to identify, document, and access intellectual capital and information content.ProcessIPMay 12, 2026
Knowledge ManagementMWEcandidateMay 12, 2026
KOA AgentnounA user identity that is designated by a KOA manager to access PRSN product delivery enclaves for the purpose of retrieving wrapped products that have been ordered for user devices that are assigned to that KOA.IdentityRegulatedCUIMay 9, 2026
KOA AgentMWEcandidateMay 9, 2026
KOA ManagernounThe Management Role that is responsible for the operation of one or more KOAs (i.e., manages distribution of KMI products to the end cryptographic units, fill devices, and ADPs that are assigned to the manager’s KOA).RoleRegulatedCUIMay 9, 2026
KOA ManagerMWEcandidateMay 9, 2026
KOA Registration ManagernounThe individual responsible for performing activities related to registering KOAs.RoleRegulatedMay 12, 2026
KOA Registration ManagerMWEcandidateMay 12, 2026
labelverbassign a name, term, or identifier to an item or conceptRememberUnclassifiedMay 11, 2026
LabelnouncandidateMay 13, 2026
Label ShiftnouncandidateMay 13, 2026
Label ShiftMWEcandidateMay 13, 2026
Labeled Security ProtectionsnounAccess control protection features of a system that use security labels to make access control decisions.ControlRegulatedMay 12, 2026
Labeled Security ProtectionsMWEcandidateMay 12, 2026
Laboratory AttacknounUse of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media.ThreatRegulatedCUIMay 9, 2026
Laboratory AttackMWEcandidateMay 9, 2026
LAN (Acronym)nounLocal Area Network.NetworkMay 12, 2026
LAN (Acronym)MWEcandidateMay 12, 2026
Language ModelnouncandidateMay 13, 2026
Language ModelMWEcandidateMay 13, 2026
lapsenounA break or intermission in the occurrence of something.EventMay 9, 2026
Large Language Model (LLM)nouncandidateMay 13, 2026
Large Language Model (LLM)MWEcandidateMay 13, 2026
Large value funds transfer systemnounA wholesale payment system used primarily by financial institutions in which large values of funds are transferred between parties. Fedwire® and CHIPS are the two large-value transfer systems in the United States.SystemRegulatedMay 12, 2026
Large value funds transfer systemMWEcandidateMay 12, 2026
LatencynounThe time it takes a system and network delay to respond. Scope Note: More specifically, system latency is the time that a system takes to retrieve data. Network latency is the time it takes for a packet to travel from the source to the final destination.MetricMay 12, 2026
Lattice TechniquesnounLattice Techniques use security designations to determine access to information.ControlMay 9, 2026
Lattice TechniquesMWEcandidateMay 9, 2026
lawnounAn individual rule as part of a system of law.RequirementRegulatedMay 9, 2026
Law EnforcementnounThe purpose of this function is to protect people, places, and things from criminal activity due to noncompliance with applicable laws, including patrols, undercover operations, responses to emergency calls, as well as arrests, raids, and seizures of property.OrganizationMay 12, 2026
Law EnforcementMWEcandidateMay 12, 2026
law enforcement authoritynounThe various government agencies responsible for preventing crime, apprehending criminals, and enforcing laws.OrganizationRestrictedMay 9, 2026
law enforcement authorityMWEcandidateMay 9, 2026
lay outverbarrange or plan the structure and organization of somethingAnalyzeUnclassifiedMay 11, 2026
lay outMWEverifiedMay 11, 2026
Layer 2 Forwarding ProtocolnounAn Internet protocol (originally developed by Cisco Corporation) that uses tunneling of PPP over IP to create a virtual extension of a dial-up link across a network, initiated by the dial-up server and transparent to the dial-up user.NetworkMay 9, 2026
Layer 2 Forwarding ProtocolMWEcandidateMay 9, 2026
Layer 2 switchesnounData link level devices that can divide and interconnect network segments and help to reduce collision domains in Ethernet-based networksNetworkMay 9, 2026
Layer 2 switchesMWEcandidateMay 9, 2026
Layer 2 Tunneling ProtocolnounAn extension of the Point-to-Point Tunneling Protocol used by an Internet service provider to enable the operation of a virtual private network over the Internet.NetworkMay 12, 2026
Layer 2 Tunneling ProtocolMWEcandidateMay 12, 2026
Layer 3 and 4 switchesnounSwitches with operating capabilities at layer 3 and layer 4 of the open systems interconnect (OSI) model. These switches look at the incoming packet’s networking protocol, e.g., IP, and then compare the destination IP address to the list of addresses in their tables, to actively calculate the best way to send a packet to its destination.NetworkMay 12, 2026
Layer 3 and 4 switchesMWEcandidateMay 12, 2026
Layer 4-7 switchesnounUsed for load balancing among groups of servers. Scope Note: Also known as content-switches, content services switches, web-switches or application-switches.NetworkMay 9, 2026
Layer 4-7 switchesMWEcandidateMay 9, 2026
layered protectionnounAs relying on any single defence against a cyber threat may be inadequate, an FMI can use a series of different defences to cover the gaps in and reinforce other protective measures. For example, the use of firewalls, intrusion detection systems, malware scanners, integrity auditing procedures and local storage encryption tools can serve to protect information assets in a complementary and mutually reinforcing manner. May also be referred to as “defence in depth”.ControlMay 9, 2026
layered protectionMWEcandidateMay 9, 2026
leadverbguide, direct, or manage a group, project, or initiativeCreateUnclassifiedMay 11, 2026
leading standards, guidelines and practicesnounStandards, guidelines and practices which reflect industry best approaches to managing cyber threats, and which incorporate what are generally regarded as the most effective cyber resilience solutions.FrameworkMay 9, 2026
LearningnouncandidateMay 13, 2026
least functionality principlenounIn information security, computer science, and configuration management the limiting of access to only that information and resources that are necessary for its legitimate purpose.RequirementMay 9, 2026
least functionality principleMWEcandidateMay 9, 2026
least privilegenounThe principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.RequirementMay 12, 2026
least privilegeMWEcandidateMay 12, 2026
Least TrustnounThe principle that a security architecture should be designed in a way that minimizes 1) the number of components that require trust, and 2) the extent to which each component is trusted.RequirementMay 9, 2026
Least TrustMWEcandidateMay 9, 2026
lectureverbdeliver an instructional presentation on a topic to an audienceCreateUnclassifiedMay 11, 2026
Legacy systemnounOutdated computer systemsSystemMay 9, 2026
Legacy systemMWEcandidateMay 9, 2026
Legal Advice and AdvocacynounIn the NICE Workforce Framework, cybersecurity work where a person: Provides legally sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain; advocates legal and policy changes and makes a case on behalf of client via a wide range of written and oral work products, including legal briefs and proceedings.CapabilityMay 9, 2026
Legal Advice and AdvocacyMWEcandidateMay 9, 2026
Legal amount recognition (LAR)nounThe handwritten dollar amount of the check.DataRegulatedCDIMay 9, 2026
Legal amount recognition (LAR)MWEcandidateMay 9, 2026
legal staffnounThe branch of an organization's personnel that is responsible for anything pertaining to law or legalities. Lawyers.RoleMay 9, 2026
legal staffMWEcandidateMay 9, 2026
LegionnounSoftware to detect unprotected shares.CapabilityMay 9, 2026
LemmatizationnouncandidateMay 13, 2026
lessons learnednounA set of statements captured after completion of a project or a portion of a project that describes in a neutral way what did or did not work, along with a statement regarding the risk of ignoring the lesson.ArtifactMay 12, 2026
lessons learnedMWEcandidateMay 12, 2026
Level of ConcernnounRating assigned to an information system indicating the extent to which protection measures, techniques, and procedures must be applied. High, Medium, and Basic are identified levels of concern. A separate Level-of-Concern is assigned to each information system for confidentiality, integrity, and availability.MetricRegulatedCUIMay 12, 2026
Level of ConcernMWEcandidateMay 12, 2026
Level of ProtectionnounExtent to which protective measures, techniques, and procedures must be applied to information systems and networks based on risk, threat, vulnerability, system interconnectivity considerations, and information assurance needs. Levels of protection are: 1. Basic: information systems and networks requiring implementation of standard minimum security countermeasures. 2. Medium: information systems and networks requiring layering of additional safeguards above the standard minimum security countermeasures. 3. High: information systems and networks requiring the most stringent protection and rigorous security countermeasures.RequirementRegulatedCUIMay 9, 2026
Level of ProtectionMWEcandidateMay 9, 2026
Life-cycle processnounThe multi-step process that starts with the initiation, analysis, design, and implementation, and continues through the maintenance and disposal of the system.ProcessMay 9, 2026
Life-cycle processMWEcandidateMay 9, 2026
Lightweight Directory Access ProtocolnounA software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate Intranet.NetworkMay 9, 2026
likeverbindicate approval or preference for content or informationRememberUnclassifiedMay 11, 2026
likelihoodnounThe state or fact of something's being likely; probability.MetricMay 12, 2026
Likelihood of OccurrencenounIn Information Assurance risk analysis, a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability.MetricMay 12, 2026
Likelihood of OccurrenceMWEcandidateMay 12, 2026
limitverbTo restrict or assign boundaries to something.UnclassifiedMay 11, 2026
Limited MaintenancenounCOMSEC maintenance restricted to fault isolation, removal, and replacement of plug-in assemblies. Soldering or unsoldering usually is prohibited in limited maintenance. See Full Maintenance.ProcessRestrictedCUIMay 9, 2026
Limited MaintenanceMWEcandidateMay 9, 2026
linenounA connected series of events or actions or developments.ArtifactMay 12, 2026
Line ConditioningnounElimination of unintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line.ControlMay 9, 2026
Line ConditioningMWEcandidateMay 9, 2026
Line ConductionnounUnintentional signals or noise induced or conducted on a telecommunications or information system signal, power, control, indicator, or other external interface line.VulnerabilityRegulatedCUIMay 12, 2026
Line ConductionMWEcandidateMay 12, 2026
Line of Businessnoun“Lines of business” or “areas of operation” describe the purpose of government in functional terms or describe the support functions that the government must conduct in order to effectively deliver services to citizens. Lines of business relating to the purpose of government and the mechanisms the government uses to achieve its purposes tend to be mission-based. Lines of business relating to support functions and resource management functions that are necessary to conduct government operations tend to be common to most agencies. The recommended information types provided in NIST SP 800-60 are established from the “business areas” and “lines of business” from OMB’s Business Reference Model (BRM) section of Federal Enterprise Architecture (FEA) Consolidated Reference Model Document Version 2.3OrganizationMay 9, 2026
Line of BusinessMWEcandidateMay 9, 2026
Linear ModelnouncandidateMay 13, 2026
Linear ModelMWEcandidateMay 13, 2026
linkverbestablish a connection or relationship between two or more elementsAnalyzeUnclassifiedMay 11, 2026
Link EncryptionnounLink encryption encrypts all of the data along a communications path (e.g., a satellite link, telephone circuit, or T1 line). Since link encryption also encrypts routing data, communications nodes need to decrypt the data to continue routing.ControlMay 9, 2026
Link EncryptionMWEcandidateMay 9, 2026
Link StatenounWith link state, routers maintain information about all routers and router-to-router links within a geographic area, and create a table of best routes with that information.NetworkMay 9, 2026
Link StateMWEcandidateMay 9, 2026
listverbwrite or recite a series of items in a specific orderAnalyzeUnclassifiedMay 11, 2026
List Based Access ControlnounList Based Access Control associates a list of users and their privileges with each object.ControlMay 12, 2026
List Based Access ControlMWEcandidateMay 12, 2026
List-OrientednounInformation system protection in which each protected object has a list of all subjects authorized to access it.ControlMay 9, 2026
listenverbpay attention to spoken or audio information to comprehend itRememberUnclassifiedMay 11, 2026
live CDnounA live CD or live disk is a self-contained bootable and fully operational operating system (OS) on a disk, typically a CD or DVD or even a USB drive, depending on the size of the OS. This version of an OS can boot and run on a PC without ever needing to be installed on the computer's hard drive or changing the PC settings, allowing a user to recover files on a computer with a corrupted OS or to simply experiment on different things without fear of corrupting any files on the disk or the OS installation. Some versions of Linux are small and portable enough to function in a live CD.PhysicalMay 12, 2026
live CDMWEcandidateMay 12, 2026
loadverbinput data or content into a system or platformApplyUnclassifiedMay 11, 2026
Loadable Kernel ModulesnounLoadable Kernel Modules allow for the adding of additional functionality directly into the kernel while the system is running.SystemMay 9, 2026
Loadable Kernel ModulesMWEcandidateMay 9, 2026
LocalnouncandidateMay 13, 2026
Local AccessnounAccess to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.CapabilityMay 9, 2026
Local AccessMWEcandidateMay 9, 2026
Local area networknounCommunication network that serves several users within a specified geographic area. Scope Note: A personal computer LAN functions as a distributed processing system in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network.NetworkMay 9, 2026
Local area networkMWEcandidateMay 9, 2026
Local AuthoritynounOrganization responsible for generating and signing user certificates in a PKI-enabled environment.OrganizationRegulatedMay 12, 2026
Local AuthorityMWEcandidateMay 12, 2026
Local Management Device/Key ProcessornounEKMS platform providing automated management of COMSEC material and generating key for designated users.SystemRegulatedCUIMay 9, 2026
Local Registration AuthoritynounA Registration Authority with responsibility for a local community in a PKI-enabled environment.OrganizationRegulatedCUIMay 9, 2026
Local Registration AuthorityMWEcandidateMay 9, 2026
LocalizationnouncandidateMay 13, 2026
locally mounted hardwarenounHardware installed inside the perimeter of a defined location. This includes but is not limited to motion sensors, electronic lock control mechanisms, and badge readers.PhysicalRegulatedMay 12, 2026
locally mounted hardwareMWEcandidateMay 12, 2026
locateverbfind or determine the position or place of somethingUnderstandUnclassifiedMay 11, 2026
locationnounA particular point or position in space.PhysicalMay 9, 2026
lockverbTo fasten or secure something with a mechanical device used for keeping things fastened.UnclassifiedMay 11, 2026
LockboxnounDeposit mechanism used by commercial firms and businesses to facilitate their deposit transaction volume. Typically, commercial firms and businesses direct customers to send payments directly to a financial institution address or post office box controlled by the institution. Financial institution personnel record payments received and prepare deposit slips, and subsequent processing proceeds as with other deposit taking activities.PhysicalRegulatedPCIMay 9, 2026
LockoutnounThe action of temporarily revoking network or application access privileges, normally due to repeated unsuccessful logon attempts.ControlMay 9, 2026
lognounTo record an event or transaction in an organized record-keeping system, usually sequenced in the order they occurred.ArtifactMay 9, 2026
Log ClippingnounLog clipping is the selective removal of log entries from a system log to hide a compromise.ThreatRegulatedCUIMay 9, 2026
Log ClippingMWEcandidateMay 9, 2026
log managementnounThe process for generating, transmitting, storing, analyzing, and disposing of log data.ProcessRegulatedMay 9, 2026
log managementMWEcandidateMay 9, 2026
logging operationnounThe process of collecting and interpreting logs within configured parameters.ProcessMay 9, 2026
logging operationMWEcandidateMay 9, 2026
Logic BombnounA piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.ThreatRegulatedMay 12, 2026
Logic BombMWEcandidateMay 12, 2026
Logic GatenounA logic gate is an elementary building block of a digital circuit. Most logic gates have two inputs and one output. As digital circuits can only understand binary, inputs and outputs can assume only one of two states, 0 or 1.SystemMay 12, 2026
Logic GateMWEcandidateMay 12, 2026
logical accessnounThe ability to interact with data through access control procedures such as identification, authentication, and authorization.ControlMay 9, 2026
logical accessMWEcandidateMay 9, 2026
Logical access controlsnounThe policies, procedures, organizational structure, and electronic access controls designed to restrict access to computer software and data files.ControlMay 9, 2026
Logical access controlsMWEcandidateMay 9, 2026
Logical Completeness MeasurenounMeans for assessing the effectiveness and degree to which a set of security and access control mechanisms meets security specifications.MetricMay 9, 2026
Logical Completeness MeasureMWEcandidateMay 9, 2026
logical controlnounA mechanism that provides for the logical safety of assets.ControlMay 9, 2026
logical controlMWEcandidateMay 9, 2026
Logical PerimeternounA conceptual perimeter that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system without a reliable human review by an appropriate authority. The location of such a review is commonly referred to as an “air gap.”SystemMay 9, 2026
Logical PerimeterMWEcandidateMay 9, 2026
logical securitynounLogical Security consists of software safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation.ControlRegulatedMay 9, 2026
logical securityMWEcandidateMay 9, 2026
login attemptnounAny failed or aborted activity of logging in.EventRegulatedMay 9, 2026
login attemptMWEcandidateMay 9, 2026
Logistic ModelnouncandidateMay 13, 2026
Logistic ModelMWEcandidateMay 13, 2026
Long positionnounIn respect of a currency balance that is greater than zero, the amount by which such currency balance is greater than zero. A position that appreciates in value if market prices increase. When one buys a currency, their position is long.MetricRegulatedMay 12, 2026
Long positionMWEcandidateMay 12, 2026
Long TitlenounDescriptive title of a COMSEC item.ArtifactRegulatedCUIMay 9, 2026
Long TitleMWEcandidateMay 9, 2026
Loopback AddressnounThe loopback address (127.0.0.1) is a pseudo IP address that always refers back to the local host and is never sent out onto a network.NetworkMay 12, 2026
Loopback AddressMWEcandidateMay 12, 2026
lossnounThe fact or process of being deprived of or ceasing to have or retain something.EventMay 9, 2026
Low ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; 2) results in minor damage to organizational assets; 3) results in minor financial loss; or 4) results in minor harm to individuals).RequirementRegulatedMay 9, 2026
Low ImpactMWEcandidateMay 9, 2026
low impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of low, and none are assigned a potential impact value of medium or high.SystemRegulatedCUIMay 9, 2026
Low Impact Bulk Electric System Cyber System Electronic Access PointnounA Cyber Asset interface that controls Low Impact External Routable Connectivity. The Cyber Asset containing the LEAP may reside at a location external to the asset or assets containing low impact Bulk Electric System (BES) Cyber Systems.SystemRegulatedCUIMay 9, 2026
Low Impact External Routable ConnectivitynounDirect user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bi-directional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).NetworkRegulatedCDIMay 12, 2026
Low Probability of DetectionnounResult of measures used to hide or disguise intentional electromagnetic transmissions.ControlRegulatedCUIMay 12, 2026
Low Probability of DetectionMWEcandidateMay 12, 2026
Low Probability of InterceptnounResult of measures to prevent the intercept of intentional electromagnetic transmissions. The objective is to minimize an adversary’s capability of receiving, processing, or replaying an electronic signal.ControlRegulatedCUIMay 12, 2026
Low Probability of InterceptMWEcandidateMay 12, 2026
Low-Impact SystemnounAn information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low.SystemRegulatedMay 12, 2026
Low-Impact SystemMWEcandidateMay 12, 2026
MAC AddressnounA physical address; a numeric value that uniquely identifies that network device from every other device on the planet.NetworkMay 9, 2026
MAC AddressMWEcandidateMay 9, 2026
MAC headernounRepresents the hardware address of a network interface controller (NIC) inside a data packetNetworkMay 12, 2026
MAC headerMWEcandidateMay 12, 2026
Machine LearningnouncandidateMay 13, 2026
Machine LearningMWEcandidateMay 13, 2026
machine learning and evolutionnounA field concerned with designing and developing artificial intelligence algorithms for automated knowledge discovery and innovation by information systems.CapabilityMay 9, 2026
machine learning and evolutionMWEcandidateMay 9, 2026
Machine ObservationnouncandidateMay 13, 2026
Machine ObservationMWEcandidateMay 13, 2026
macro virusnounA virus that attaches itself to documents and uses the macro programming capabilities of the document’s application to execute and propagate.ThreatMay 9, 2026
macro virusMWEcandidateMay 9, 2026
Magnetic ink character recognition (MICR)nounMagnetic codes found on the bottom of checks, deposit slips, and general ledger debit and credit tickets that allow a machine to scan (capture) the information. MICR encoding on a check includes the account number, the routing number, the serial number of the check, and the amount of the check. The amount of the check is encoded when the proof department processes the check.DataRegulatedPIIMay 9, 2026
Magnetic RemanencenounMagnetic representation of residual information remaining on a magnetic medium after the medium has been cleared. See Clearing.VulnerabilityRegulatedCUIMay 9, 2026
Magnetic RemanenceMWEcandidateMay 9, 2026
Mail relay servernounAn electronic mail (e-mail) server that relays messages so that neither the sender nor the recipient is a local userSystemMay 9, 2026
Mail relay serverMWEcandidateMay 9, 2026
MainframenounAn industry term for a large computer, typically used for the commercial applications of businesses and other large-scale computing purposes. Generally, a mainframe is associated with centralized rather than distributed computing.SystemMay 9, 2026
maintainverbkeep a system in proper operational conditionApplyPrimaryMay 11, 2026
maintenancenounThe process of making repairs and keeping components of an asset in good condition so that the asset may remain in operating condition and last its entire useful life.ProcessMay 9, 2026
Maintenance HooknounSpecial instructions (trapdoors) in software allowing easy maintenance and additional feature development. Since maintenance hooks frequently allow entry into the code without the usual checks, they are a serious security risk if they are not removed prior to live implementation.VulnerabilityRegulatedCUIMay 12, 2026
Maintenance HookMWEcandidateMay 12, 2026
Maintenance KeynounKey intended only for in-shop use.CredentialRestrictedMay 9, 2026
Maintenance KeyMWEcandidateMay 9, 2026
Major ApplicationnounAn application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.SystemRegulatedCUIMay 9, 2026
Major ApplicationMWEcandidateMay 9, 2026
Major Information SystemnounAn information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.SystemRegulatedCUIMay 9, 2026
Major Information SystemMWEcandidateMay 9, 2026
makeverbcreate, construct, or produce somethingCreateUnclassifiedMay 11, 2026
make availableverbTo provide access.UnclassifiedMay 11, 2026
make availableMWEcandidateMay 11, 2026
make upverbinvent or create something new, often imaginativelyCreateUnclassifiedMay 11, 2026
make upMWEverifiedMay 11, 2026
make use ofverbapply or utilize available resources, tools, or knowledge effectivelyApplyUnclassifiedMay 11, 2026
make use ofMWEverifiedMay 11, 2026
malicious actnounAn intentional, wrongful act performed against another without legal justification or excuse.ThreatRegulatedMay 12, 2026
malicious actMWEcandidateMay 12, 2026
malicious activitynounActivity with a harmful intent, such as fraud, theft, blackmail, vandalism, looting, sabotage, etc.ThreatRegulatedMay 9, 2026
malicious activityMWEcandidateMay 9, 2026
malicious appletnounA small application program that is automatically downloaded and executed and that performs an unauthorized function on an information system.ThreatMay 9, 2026
malicious appletMWEcandidateMay 9, 2026
malicious codenounSoftware or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.ThreatRegulatedMay 12, 2026
malicious codeMWEcandidateMay 12, 2026
Malicious Code PreventionnounThe purpose of this policy is to prevent malicious code attacks from happening, and if they should happen, to quarantine the infected systems and eradicate the malicious code before it spreads further.ControlRegulatedMay 9, 2026
Malicious Code PreventionMWEcandidateMay 9, 2026
malicious logicnounHardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose.ThreatRegulatedMay 12, 2026
malicious logicMWEcandidateMay 12, 2026
MalwarenounA program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.ThreatMay 9, 2026
Man-in-the-middle attacknounA form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association.ThreatMay 9, 2026
Man-in-the-middle attackMWEcandidateMay 9, 2026
manageverbdirect, control, or coordinate resources, processes, or activitiesCreateUnclassifiedMay 11, 2026
managementnounThis role focuses on administering, organizing, and overseeing the organization. Any individuals who are involved in the administration, organization, supervision, and oversight of the organization should be assigned to this role.RoleMay 9, 2026
management authorizationnounOfficial permission or approval given by the senior executives of an organization.RequirementRegulatedMay 9, 2026
management authorizationMWEcandidateMay 9, 2026
Management ClientnounA configuration of a client node that enables a KMI external operational manager to manage KMI products and services by either 1) accessing a PRSN, or 2) exercising locally provided capabilities. An MGC consists of a client platform and an advanced key processor (AKP).SystemRegulatedCUIMay 9, 2026
Management ClientMWEcandidateMay 9, 2026
Management ControlsnounActions taken to manage the development, maintenance, and use of the system, including system-specific policies, procedures and rules of behavior, individual roles and responsibilities, individual accountability, and personnel security decisions.ControlMay 9, 2026
Management ControlsMWEcandidateMay 9, 2026
management functionnounA Security Management family component.ProcessRegulatedMay 12, 2026
management functionMWEcandidateMay 12, 2026
Management information systems (MIS)nounA general term for the computer systems in an enterprise that provide information about its business operations.SystemMay 12, 2026
Management information systems (MIS)MWEcandidateMay 12, 2026
Management Security ControlsnounThe security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information systems security.ControlRestrictedCUIMay 12, 2026
Management Security ControlsMWEcandidateMay 12, 2026
management structurenounThe hierarchical arrangement and relations of managerial roles, power, and responsibilities, how they are delegated, controlled, and coordinated, and how information flows between levels of management.OrganizationMay 9, 2026
management structureMWEcandidateMay 9, 2026
Mandatory access controlnounA means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity.ControlMay 9, 2026
Mandatory access controlMWEcandidateMay 9, 2026
Mandatory ModificationnounChange to a COMSEC end-item that NSA requires to be completed and reported by a specified date. See Optional Modification.ControlRegulatedCUIMay 9, 2026
Mandatory ModificationMWEcandidateMay 9, 2026
manipulateverbhandle, control, or modify something skillfully for a specific purposeApplyUnclassifiedMay 11, 2026
Manipulative Communications DeceptionnounAlteration or simulation of friendly telecommunications for the purpose of deception. See Communications Deception and Imitative Communications Deception.ThreatRegulatedCUIMay 9, 2026
manualnounA book of instructions, especially for operating a machine or learning a subject.ArtifactInternalMay 9, 2026
Manual CryptosystemnounCryptosystem in which the cryptographic processes are performed without the use of crypto-equipment or auto-manual devices.SystemRegulatedCUIMay 9, 2026
Manual CryptosystemMWEcandidateMay 9, 2026
Manual Key TransportnounA non-automated means of transporting cryptographic keys by physically moving a device, document, or person containing or possessing the key or key component.ProcessRegulatedCUIMay 9, 2026
Manual Key TransportMWEcandidateMay 9, 2026
Manual Remote RekeyingnounProcedure by which a distant crypto-equipment is rekeyed electronically, with specific actions required by the receiving terminal operator. Synonymous with cooperative remote rekeying. See also Automatic Remote Keying.ProcessRegulatedCUIMay 9, 2026
Manual Remote RekeyingMWEcandidateMay 9, 2026
mapverbTo diagram data that is to be exchanged electronically, including how it is to be used and what business management systems need it; a preliminary step for developing an applications link.UnclassifiedMay 11, 2026
markverbassign a score, grade, or notation to indicate assessmentEvaluateUnclassifiedMay 11, 2026
Market-wide testsnounMarket-wide tests are also called cross-market tests or "street tests" that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.ProcessInternalMay 12, 2026
Market-wide testsMWEcandidateMay 12, 2026
mashverbcombine data or content from multiple sources into a new creationAnalyzeUnclassifiedMay 11, 2026
MaskingnounA computerized technique of blocking out the display of sensitive information, such as passwords, on a computer terminal or reportControlMay 9, 2026
Masquerade AttacknounA type of attack in which one system entity illegitimately poses as (assumes the identity of) another entity.ThreatMay 9, 2026
Masquerade AttackMWEcandidateMay 9, 2026
MasqueradingnounA type of threat action whereby an unauthorized entity gains access to a system or performs a malicious act by illegitimately posing as an authorized entity.ThreatMay 9, 2026
Master Cryptographic Ignition KeynounKey device with electronic logic and circuits providing the capability for adding more operational CIKs to a keyset.PhysicalRegulatedCUIMay 9, 2026
Master Cryptographic Ignition KeyMWEcandidateMay 9, 2026
matchverbpair or associate items that correspond or relate to each otherUnderstandUnclassifiedMay 11, 2026
Match/matchingnounThe process of comparing biometric information against a previously stored template(s) and scoring the level of similarity.ProcessRegulatedPIIMay 9, 2026
Matched instructionsnounTwo Instructions in which the information set forth in a specific CLS Bank Rule is matched in accordance with the parameters and procedures set forth in the CLS Bank Rules.ArtifactRegulatedMay 12, 2026
Matched instructionsMWEcandidateMay 12, 2026
MatchingnounWith respect to compared and non-compared transactions, the process of comparing the trade or settlement details provided by counterparties to ensure they agree with respect to the terms of the transaction. Also called comparison checking.ProcessRegulatedMay 12, 2026
material changenounA change in the affairs of a company that is expected to have a significant effect on the market value of its securities - such as a change in the nature of the business, a change in the Board of Directors or the principal officers, a change in the share ownership of the company that could affect control, or the acquisition or disposition of any securities in another company. A material change must be reported to the applicable self-regulatory organization.EventRegulatedMay 9, 2026
material changeMWEcandidateMay 9, 2026
MaterialitynouncandidateMay 13, 2026
maximizeverbincrease something to its greatest possible extent or valueCreateUnclassifiedMay 11, 2026
Maximum Tolerable DowntimenounThe amount of time mission/business processes can be disrupted without causing significant harm to the organization’s mission.MetricMay 12, 2026
Maximum Tolerable DowntimeMWEcandidateMay 12, 2026
Mcnamara FallacynouncandidateMay 13, 2026
Mcnamara FallacyMWEcandidateMay 13, 2026
md5nounA one-way cryptographic hash function. Also see "hash functions" and "sha1"ControlMay 12, 2026
MeasurabilitynouncandidateMay 13, 2026
measureverbdetermine the size, amount, degree, or quality of something using a standardCreateUnclassifiedMay 11, 2026
measurenounTo ascertain the size, amount, or degree of (something) by using an instrument or device marked in standard units or by comparing it with an object of known size.MetricMay 9, 2026
MeasurementnounMetricMay 13, 2026
Measurement MethodnouncandidateMay 13, 2026
Measurement MethodMWEcandidateMay 13, 2026
Measurement ModelnouncandidateMay 13, 2026
Measurement ModelMWEcandidateMay 13, 2026
Measures of EffectivenessnounMeasures of Effectiveness is a probability model based on engineering concepts that allows one to approximate the impact a given action will have on an environment. In information warfare, it is the ability to attack or defend within an Internet environment.MetricMay 9, 2026
Measures of EffectivenessMWEcandidateMay 9, 2026
MechanismsnounAn assessment object that includes specific protection-related items (e.g., hardware, software, or firmware) employed within or at the boundary of an information system.ControlMay 9, 2026
MedianounPhysical devices or writing surfaces including but not limited to magnetic tapes, optical disks, magnetic disks, Large Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system.PhysicalRegulatedMay 12, 2026
Media access controlnounA unique identifier assigned to network interfaces for communications on the physical network segmentNetworkMay 9, 2026
Media access controlMWEcandidateMay 9, 2026
Media SanitizationnounA general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.ProcessRegulatedMay 9, 2026
Media SanitizationMWEcandidateMay 9, 2026
medium impact Bulk Electric System Cyber SystemnounA Bulk Electric System Cyber System in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of medium, and none are assigned a potential impact value of high.SystemRegulatedCUIMay 9, 2026
meetverbfulfill or satisfy a requirement, standard, or expectationRememberUnclassifiedMay 11, 2026
meetnounFulfill or satisfy (a need, requirement, or condition).RequirementMay 12, 2026
meetingnounThe social act of assembling for some common purpose.ProcessMay 12, 2026
Membership InferencenouncandidateMay 13, 2026
Membership InferenceMWEcandidateMay 13, 2026
Memorandum of Understanding/AgreementnounA document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection.ArtifactInternalCUIMay 12, 2026
memorizeverbcommit information to memory for accurate recallRememberUnclassifiedMay 11, 2026
Memory ScavengingnounThe collection of residual information from data storage.ProcessRegulatedCUIMay 9, 2026
Memory ScavengingMWEcandidateMay 9, 2026
Merchant acquirernounBankcard association members that initiate and maintain contractual agreements with merchants for the purpose of accepting and processing bankcard transactions.OrganizationRegulatedPCIMay 9, 2026
Merchant acquirerMWEcandidateMay 9, 2026
Merchant processingnounActivity for the acceptance and settlement of bankcard products and transactions from merchants through the payment system.ProcessRegulatedPCIMay 9, 2026
Merchant processingMWEcandidateMay 9, 2026
Message authentication codenounA cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data. MACs provide authenticity and integrity protection, but not non-repudiation protection.ControlMay 9, 2026
Message authentication codeMWEcandidateMay 9, 2026
Message digestnounA digital signature that uniquely identifies data and has the property that changing a single bit in the data will cause a completely different message digest to be generated.DataMay 9, 2026
Message digestMWEcandidateMay 9, 2026
Message digest algorithmnounMessage digest algorithms are SHA1, MD2, MD4 and MD5. These algorithms are one-way functions unlike private and public key encryption algorithms. Scope Note: All digest algorithms take a message of arbitrary length and produce a 128-bit message digest.CapabilityMay 9, 2026
Message digest algorithmMWEcandidateMay 9, 2026
Message ExternalsnounInformation outside of the message text, such as the header, trailer, etc.DataMay 12, 2026
Message ExternalsMWEcandidateMay 12, 2026
Message IndicatornounSequence of bits transmitted over a communications system for synchronizing cryptographic equipment.DataRegulatedCUIMay 9, 2026
Message IndicatorMWEcandidateMay 9, 2026
MetadatanounDataMay 13, 2026
methodnounA means or particular procedure for accomplishing or approaching something.ProcessRegulatedMay 12, 2026
methodologynounA particular way of performing an operation designed to produce precise deliverables at the end of each stage.ProcessMay 12, 2026
MetricnounA quantitative measurement.MetricMay 9, 2026
Metropolitan area networknounA data network intended to serve an area the size of a large cityNetworkMay 12, 2026
Metropolitan area networkMWEcandidateMay 12, 2026
Microwave technologynounNarrowband technology that requires a direct line-of-sight to transmit voice and data communications and is used to integrate a broad range of fixed and mobile communication networks.NetworkMay 12, 2026
Microwave technologyMWEcandidateMay 12, 2026
MiddlewarenounSoftware that connects two or more software components or applications. It is another term for an application programmer interface or API, and it allows programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.SystemMay 9, 2026
MidrangenounComputers that are more powerful and capable than personal computers but less powerful and capable than mainframe computers.SystemMay 9, 2026
migratenounMove software or hardware to a different computer system.ProcessMay 9, 2026
migrationnounThe purpose of this task is to move records from one system or storage medium to another while maintaining authenticity, integrity, reliability, and usability.ProcessRegulatedMay 12, 2026
MilestonenounA major project event.ArtifactMay 9, 2026
Millions of instructions per second (MIPS)nounA general measure of computing performance and, by implication, the amount of work a larger computer can do.MetricMay 12, 2026
Min-EntropynounA measure of the difficulty that an Attacker has to guess the most commonly chosen password used in a system.MetricMay 12, 2026
mind mapverbcreate a visual diagram that organizes information around a central conceptAnalyzeUnclassifiedMay 11, 2026
mind mapMWEverifiedMay 11, 2026
Miniature fragment attacknounUsing this method, an attacker fragments the IP packet into smaller ones and pushes it through the firewall, in the hope that only the first of the sequence of fragmented packets would be examined and the others would pass without review.ThreatMay 12, 2026
Miniature fragment attackMWEcandidateMay 12, 2026
Minimalist CryptographynounCryptography that can be implemented on devices with very limited memory and computing capabilities, such as RFID tags.CapabilityMay 9, 2026
Minimalist CryptographyMWEcandidateMay 9, 2026
MinimizationnounRequirementRegulatedMay 13, 2026
minimizeverbreduce something to the smallest possible extent or valueCreateUnclassifiedMay 11, 2026
minimumnounThe smallest possible quantity.MetricMay 12, 2026
Minimum password lengthnounThis policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "pass phrase" is a better term than "password." In Microsoft Windows 2000 or later, pass phrases can be quite long and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid pass phrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters; however, you should adjust this value to meet your organization's business requirements.CredentialMay 9, 2026
Minimum password lengthMWEcandidateMay 9, 2026
Minor ApplicationnounAn application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system.SystemRegulatedMay 12, 2026
Minor ApplicationMWEcandidateMay 12, 2026
minutenounA unit of time equal to 60 seconds or 1/60th of an hour.candidateMay 12, 2026
Mirrored sitenounAn alternate site that contains the same information as the original. Scope Note: Mirrored sites are set up for backup and disaster recovery and to balance the traffic load for numerous download requests. Such download mirrors are often placed in different locations throughout the Internet.SystemMay 12, 2026
Mirrored siteMWEcandidateMay 12, 2026
MirroringnounA process that copies data to multiple disks over a computer network in real time or close to real time. Mirroring reduces network traffic, ensures better availability of the website or files, or enables the site or downloaded files to arrive more quickly for users close to the mirror site.ProcessMay 12, 2026
Misnamed FilesnounA technique used to disguise a file’s content by changing the file’s name to something innocuous or altering its extension to a different type of file, forcing the examiner to identify the files by file signature versus file extension.ThreatRegulatedMay 9, 2026
Misnamed FilesMWEcandidateMay 9, 2026
missing security updatenounA security update that has not been implemented.FindingInternalMay 12, 2026
missing security updateMWEcandidateMay 12, 2026
missionnounA statement of what an organization will achieve.OrganizationMay 9, 2026
Mission Assurance CategorynounA Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) term primarily used to determine the requirements for availability and integrity.RequirementRegulatedCDIMay 9, 2026
Mission Assurance CategoryMWEcandidateMay 9, 2026
Mission CriticalnounAny telecommunications or information system that is defined as a national security system (Federal Information Security Management Act of 2002 - FISMA) or processes any information the loss, misuse, disclosure, or unauthorized access to or modification of, would have a debilitating impact on the mission of an agency.RequirementRegulatedCUIMay 9, 2026
Mission CriticalMWEcandidateMay 9, 2026
Mission/Business SegmentnounElements of organizations describing mission areas, common/shared business services, and organization-wide services. Mission/business segments can be identified with one or more information systems which collectively support a mission/business process.OrganizationMay 9, 2026
Mission/Business SegmentMWEcandidateMay 9, 2026
mitigateverbTo lessen or to try to lessen the severity, pain, seriousness, extent, or gravity of.UnclassifiedMay 11, 2026
mitigationnounThe application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.ControlMay 9, 2026
mitigation actionnounAn action taken by an organization to reduce the impact of a possible problem or incident.ControlMay 9, 2026
mitigation actionMWEcandidateMay 9, 2026
mixverbcombine different elements, media, or content to create something newCreateUnclassifiedMay 11, 2026
Mixed MethodsnouncandidateMay 13, 2026
Mixed MethodsMWEcandidateMay 13, 2026
MLOPSnouncandidateMay 13, 2026
MnemonicnounA symbol or expression that can help someone remember something. For example, the phrase "Hello! My name is Bill. I'm 9 years old." might help an individual remember a secure 10-character password of "H!MniBI9yo."ArtifactRestrictedMay 12, 2026
mobile codenounSoftware programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient. Note: Some examples of software technologies that provide the mechanisms for the production and use of mobile code include Java, JavaScript, ActiveX, VBScript, etc.ThreatRegulatedMay 12, 2026
mobile codeMWEcandidateMay 12, 2026
Mobile Code TechnologiesnounSoftware technologies that provide the mechanisms for the production and use of mobile code (e.g., Java, JavaScript, ActiveX, VBScript).CapabilityMay 12, 2026
Mobile Code TechnologiesMWEcandidateMay 12, 2026
mobile devicenounPortable cartridge/disk-based, removable storage media (e.g., floppy disks, compact disks, USB flash drives, external hard drives, and other flash memory cards/drives that contain nonvolatile memory). Portable computing and communications device with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices).PhysicalRegulatedMay 12, 2026
mobile deviceMWEcandidateMay 12, 2026
Mobile financial servicesnounThe products and services that a financial institution provides to its customers through mobile devices.CapabilityRegulatedPIIMay 9, 2026
Mobile financial servicesMWEcandidateMay 9, 2026
Mobile sitenounThe use of a mobile/temporary facility to serve as a business resumption location. The facility can usually be delivered to any site and can house information technology and staff.PhysicalRegulatedMay 12, 2026
Mobile siteMWEcandidateMay 12, 2026
Mobile Software AgentnounPrograms that are goal-directed and capable of suspending their execution on one platform and moving to another platform where they resume execution.SystemMay 9, 2026
Mobile Software AgentMWEcandidateMay 9, 2026
Mode of OperationnounDescription of the conditions under which an information system operates based on the sensitivity of information processed and the clearance levels, formal access approvals, and need-to-know of its users. Four modes of operation are authorized for processing or transmitting information: dedicated mode, system high mode, compartmented/partitioned mode, and multilevel mode.RequirementRegulatedCUIMay 9, 2026
Mode of OperationMWEcandidateMay 9, 2026
modelverbcreate a representation or simulation of a concept, system, or processCreateUnclassifiedMay 11, 2026
ModelnouncandidateMay 13, 2026
Model AssertionnouncandidateMay 13, 2026
Model AssertionMWEcandidateMay 13, 2026
Model CardnouncandidateMay 13, 2026
Model CardMWEcandidateMay 13, 2026
Model DebuggingnouncandidateMay 13, 2026
Model DebuggingMWEcandidateMay 13, 2026
Model DecaynouncandidateMay 13, 2026
Model DecayMWEcandidateMay 13, 2026
Model EditingnouncandidateMay 13, 2026
Model EditingMWEcandidateMay 13, 2026
Model ExtractionnounThreatMay 13, 2026
Model ExtractionMWEcandidateMay 13, 2026
Model GovernancenouncandidateMay 13, 2026
Model GovernanceMWEcandidateMay 13, 2026
Model InventorynouncandidateMay 13, 2026
Model InventoryMWEcandidateMay 13, 2026
Model OverlaynouncandidateMay 13, 2026
Model OverlayMWEcandidateMay 13, 2026
Model Risk ManagementnouncandidateMay 13, 2026
Model Risk ManagementMWEcandidateMay 13, 2026
Model SuitenouncandidateMay 13, 2026
Model SuiteMWEcandidateMay 13, 2026
Model TrainingnouncandidateMay 13, 2026
Model TrainingMWEcandidateMay 13, 2026
Model ValidationnouncandidateMay 13, 2026
Model ValidationMWEcandidateMay 13, 2026
ModelingnounThe process of abstracting information from tangible processes, systems and/or components to create a paper or computer-based representation of an enterprise-wide or business line activity.ProcessMay 9, 2026
moderateverbreview and manage content or discussions to ensure quality and appropriatenessEvaluateUnclassifiedMay 11, 2026
Moderate ImpactnounThe loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; (i.e., 1) causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; 2) results in significant damage to organizational assets; 3) results in significant financial loss; or 4) results in significant harm to individuals that does not involve loss of life or serious life threatening injuries).MetricRegulatedCUIMay 12, 2026
Moderate ImpactMWEcandidateMay 12, 2026
Moderate-Impact SystemnounAn information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate and no security objective is assigned a FIPS 199 potential impact value of high.SystemRegulatedMay 9, 2026
Moderate-Impact SystemMWEcandidateMay 9, 2026
modificationnounThe act of making partial or minor changes to something.ProcessMay 9, 2026
modifyverbmake partial changes to improve, update, or adapt somethingCreateUnclassifiedMay 11, 2026
ModulenounA combination of various components of a business process or supporting system.ProcessMay 9, 2026
Module test/exercisenounA test designed to verify the functionality of multiple components of a business line or supporting function at the same time.ProcessMay 12, 2026
Module test/exerciseMWEcandidateMay 12, 2026
monitorverbobserve and track progress, performance, or conditions over timeEvaluateSecondaryMay 11, 2026
monitornounTo watch and check the progress or quality of something over a period of time; keep under regular surveillance.ProcessMay 9, 2026
monitor and reviewverbTo observe something and examine it for correctness.UnclassifiedMay 11, 2026
monitor and reviewMWEcandidateMay 11, 2026
MonitoringnouncandidateMay 13, 2026
Monitoring policynounRules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured and interpretedRequirementMay 9, 2026
Monitoring policyMWEcandidateMay 9, 2026
monitoring procedurenounA description of the steps that are necessary to watch and check the progress or quality of something over a period of time according to standards.RequirementMay 9, 2026
monitoring procedureMWEcandidateMay 9, 2026
MonoculturenounMonoculture is the case where a large number of users run the same software, and are vulnerable to the same attacks.VulnerabilityMay 9, 2026
monthnounEach of the twelve named periods into which a year is divided.candidateMay 12, 2026
Moral AgencynouncandidateMay 13, 2026
Moral AgencyMWEcandidateMay 13, 2026
Moral PatiencynouncandidateMay 13, 2026
Moral PatiencyMWEcandidateMay 13, 2026
Morris WormnounA worm program written by Robert T. Morris, Jr. that flooded the ARPANET in November, 1988, causing problems for thousands of hosts.ThreatMay 9, 2026
Morris WormMWEcandidateMay 9, 2026
motiveverbidentify the underlying reason or cause behind an actionAnalyzeUnclassifiedMay 11, 2026
moving target defensenounThe presentation of a dynamic attack surface, increasing an adversary's work factor necessary to probe, attack, or maintain presence in a cyber target.ControlMay 9, 2026
moving target defenseMWEcandidateMay 9, 2026
Multi-CastnounBroadcasting from one host to a given set of hosts.NetworkMay 9, 2026
Multi-factor authenticationnounThe process of using two or more factors to achieve authentication. Factors include something you know (e.g., password or personal identification number); something you have (e.g., cryptographic identification device or token); and something you are (e.g., biometric).ControlMay 12, 2026
Multi-factor authenticationMWEcandidateMay 12, 2026
Multi-HomednounYou are "multi-homed" if your network is directly connected to two or more ISPs.NetworkMay 9, 2026
Multi-Hop ProblemnounThe security risks resulting from a mobile software agent visiting several platforms.VulnerabilityMay 9, 2026
Multi-Hop ProblemMWEcandidateMay 9, 2026
Multi-ReleasablenounA characteristic of an information domain where access control mechanisms enforce policy-based release of information to authorized users within the information domain.RequirementRegulatedCUIMay 9, 2026
Multilateral netting settlement systemnounMultilateral netting is an arrangement among three or more parties to net their obligations. In these settlement systems transfers are irrevocable but are only final after the completion of end-of-day-settlement.SystemRegulatedMay 12, 2026
Multilevel DevicenounEquipment trusted to properly maintain and separate data of different security domains.SystemRegulatedCUIMay 9, 2026
Multilevel DeviceMWEcandidateMay 9, 2026
Multilevel ModenounMode of operation wherein all the following statements are satisfied concerning the users who have direct or indirect access to the system, its peripherals, remote terminals, or remote hosts: 1) some users do not have a valid security clearance for all the information processed in the information system; 2) all users have the proper security clearance and appropriate formal access approval for that information to which they have access; and 3) all users have a valid need-to-know only for information to which they have access.ProcessRegulatedCUIMay 9, 2026
Multilevel ModeMWEcandidateMay 9, 2026
Multilevel SecuritynounConcept of processing information with different classifications and categories that simultaneously permits access by users with different security clearances and denies access to users who lack authorization.CapabilityRegulatedCUIMay 12, 2026
Multilevel SecurityMWEcandidateMay 12, 2026
Multiple Security LevelsnounCapability of an information system that is trusted to contain, and maintain separation between, resources (particularly stored data) of different security domains.CapabilityRegulatedCUIMay 12, 2026
Multiple Security LevelsMWEcandidateMay 12, 2026
multiple sourcesnounInformation classified based on two or more source documents, classification guides or combination of both.DataRegulatedCUIMay 9, 2026
multiple sourcesMWEcandidateMay 9, 2026
multiplexverbTo combine multiple signals from possibly disparate sources, in order to transmit them over a single path.UnclassifiedMay 11, 2026
MultiplexersnounA device that encodes or multiplexes information from two or more data sources into a single channel. They are used in situations where the cost of implementing separate channels for each data source is more expensive than the cost and inconvenience of providing the multiplexing/de-multiplexing functions.PhysicalMay 12, 2026
Mutual AuthenticationnounOccurs when parties at both ends of a communication activity authenticate each other.ControlMay 9, 2026
Mutual AuthenticationMWEcandidateMay 9, 2026
Mutual SuspicionnounCondition in which two information systems need to rely upon each other to perform a service, yet neither trusts the other to properly protect shared data.ThreatMay 9, 2026
Mutual SuspicionMWEcandidateMay 9, 2026
NACHAnounThe Electronic Payments AssociationOrganizationInternalMay 9, 2026
Naive BayesnouncandidateMay 13, 2026
Naive BayesMWEcandidateMay 13, 2026
nameverbidentify and provide the correct term or title for somethingUnderstandUnclassifiedMay 11, 2026
namenounThe word or phrase by which an individual, family, organization, or thing is known or referred to.ArtifactPIIMay 12, 2026
Naming AuthoritynounAn organizational entity responsible for assigning distinguished names (DNs) and for assuring that each DN is meaningful and unique within its domain.OrganizationMay 9, 2026
Naming AuthorityMWEcandidateMay 9, 2026
National Information Assurance PartnershipnounA U.S. government initiative established to promote the use of evaluated information systems products and champion the development and use of national and international standards for information technology security. NIAP was originally established as a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under P.L. 100-235 (Computer Security Act of 1987). NIST officially withdrew from the partnership in 2007 but NSA continues to manage and operate the program. The key operational component of NIAP is the Common Criteria Evaluation and Validation Scheme (CCEVS) which is the only U.S. government-sponsored and endorsed program for conducting internationally recognized security evaluations of commercial off-the-shelf (COTS) Information Assurance (IA) and IA-enabled information technology products. NIAP employs the CCEVS to provide government oversight or “validation” to U.S. CC evaluations to ensure correct conformance to the International Common Criteria for IT Security Evaluation (ISO/IEC 15408).OrganizationRegulatedMay 12, 2026
National Information InfrastructurenounNationwide interconnection of communications networks, computers, databases, and consumer electronics that make vast amounts of information available to users. It includes both public and private networks, the Internet, the public switched network, and cable, wireless, and satellite communications.NetworkRegulatedMay 9, 2026
National Institute for Standards and TechnologynounDevelops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. Scope Note: NIST is a US government entity that creates mandatory standards that are followed by federal agencies and those doing business with them.OrganizationMay 9, 2026
National Institute of Standards and TechnologynounNational Institute of Standards and Technology, a unit of the US Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.OrganizationMay 12, 2026
National Institute of Standards and Technology (NIST)nounAn agency of the U.S. Department of Commerce that works to develop and apply technology, measurements, and standards. NIST developed a voluntary cybersecurity framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructures.OrganizationMay 9, 2026
National Security Emergency Preparedness Telecommunications ServicesnounTelecommunications services that are used to maintain a state of readiness or to respond to and manage any event or crisis (local, national, or international) that causes or could cause injury or harm to the population, damage to or loss of property, or degrade or threaten the national security or emergency preparedness posture of the United States.CapabilityRegulatedCUIMay 9, 2026
National Security InformationnounInformation that has been determined pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status.DataRegulatedCUIMay 9, 2026
National Security InformationMWEcandidateMay 9, 2026
National Security SystemnounAny information system (including any telecommunications system) used or operated by an agency or by a contractor of any agency, or other organization on behalf of an agency, the function, operation, or use of which: I. involves intelligence activities; II. involves cryptologic activities related to national security; III. Involves command and control of military forces; IV. involves equipment that is an integral part of a weapon or weapon system; or V. subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. Subparagraph (B). Does not include a system that is to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications). (Title 44 U.S. Code Section 3542, Federal Information Security Management Act of 2002.)SystemRegulatedCUIMay 9, 2026
National Security SystemMWEcandidateMay 9, 2026
National Settlement Service (NSS)nounAlso referred to as Deferred Net Settlement. The Federal Reserve Banks' multilateral settlement service. NSS is offered to depository institutions that settle for participants in clearinghouses, financial exchanges, and other clearing and settlement groups. Settlement agents acting on behalf of those depository institutions electronically submit settlement files to the Federal Reserve Banks. Files are processed on receipt, and entries are automatically posted to the depository institutions' Reserve Bank accounts. Entries are final when posted.OrganizationRegulatedMay 12, 2026
National Settlement Service (NSS)MWEcandidateMay 12, 2026
National Vulnerability DatabasenounThe U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).VulnerabilityRegulatedMay 12, 2026
National Vulnerability DatabaseMWEcandidateMay 12, 2026
Natural DisasternounAny "act of God" (e.g., fire, flood, earthquake, lightning, or wind) that disables a system component.EventMay 12, 2026
Natural DisasterMWEcandidateMay 12, 2026
Natural Language ProcessingnounRegulatedMay 13, 2026
Natural Language ProcessingMWEcandidateMay 13, 2026
naturenounThe basic or inherent qualities, characteristics, or features of something.candidateMay 9, 2026
neednounSomething wanted or required.RequirementMay 9, 2026
need to knownounAn administrative action officially declaring a particular individual requires access to specified sensitive or classified information in order to perform their assigned duties.RequirementRegulatedCUIMay 12, 2026
need to knowMWEcandidateMay 12, 2026
Need To Know DeterminationnounDecision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.ProcessRegulatedCUIMay 9, 2026
Need To Know DeterminationMWEcandidateMay 9, 2026
Needs Assessment for IT Security Awareness and TrainingnounA process that can be used to determine an organization’s awareness and training needs. The results of a needs assessment can provide justification to convince management to allocate adequate resources to meet the identified awareness and training needs.ProcessMay 12, 2026
negative effectnounA measure, expressed as a function of the likelihood that an event may occur, how fast the event may impact objectives and the estimated negative impact that an event may have on objectives or the impact that an event had on objectives.MetricRegulatedMay 12, 2026
negative effectMWEcandidateMay 12, 2026
negligencenounFailure to take proper care of something.FindingMay 9, 2026
negotiateverbdiscuss and reach an agreement through compromise and collaborationCreateUnclassifiedMay 11, 2026
Net debit capnounThe maximum dollar amount of uncollateralized daylight overdrafts that an institution is authorized to incur in its Federal Reserve account. The net debit cap is generally equal to an institution's capital times the cap multiple for its cap category.RequirementRegulatedMay 9, 2026
Net debit capMWEcandidateMay 9, 2026
Net-centric ArchitecturenounA complex system of systems composed of subsystems and services that are part of a continuously evolving, complex community of people, devices, information and services interconnected by a network that enhances information sharing and collaboration. Subsystems and services may or may not be developed or owned by the same entity, and, in general, will not be continually present during the full life cycle of the system of systems. Examples of this architecture include service-oriented architectures and cloud computing architectures.SystemMay 12, 2026
Net-centric ArchitectureMWEcandidateMay 12, 2026
Netmasknoun32-bit number indicating the range of IP addresses residing on a single IP network/subnet/supernet. This specification displays network masks as hexadecimal numbers. For example, the network mask for a class C IP network is displayed as 0xffffff00. Such a mask is often displayed elsewhere in the literature as 255.255.255.0.NetworkMay 12, 2026
networkverbestablish and maintain connections with others for information exchangeCreateUnclassifiedMay 11, 2026
networknounInformation system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.NetworkMay 9, 2026
Network AccessnounAccess to an organizational information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).CapabilityMay 9, 2026
Network AccessMWEcandidateMay 9, 2026
Network Access ControlnounA feature provided by some firewalls that allows access based on a user’s credentials and the results of health checks performed on the telework client device.ControlMay 9, 2026
Network Access ControlMWEcandidateMay 9, 2026
network activity baselinenounEstablishing a trusted baseline document involves identifying the following: - network data points of interest - length of the baseline data collection period - methods and tools used to collect and store data Suggested network data points of interest include the following: - a list of predetermined devices a given workstation or server should communicate with - VPN usage, including access times, bandwidth and resources used, source IP addresses, and geolocation information - the known set of ports and protocols in use by the network - firewall and intrusion detection system logs - normal traffic patterns and flows.ArtifactInternalCUIMay 12, 2026
network activity baselineMWEcandidateMay 12, 2026
Network address translationnounA routing technology used by many firewalls to hide internal system addresses from an external network through use of an addressing schema.NetworkMay 12, 2026
Network address translationMWEcandidateMay 12, 2026
Network administratornounThe individual responsible for the installation, management, and control of a network.RoleMay 9, 2026
Network administratorMWEcandidateMay 9, 2026
Network attached storage (NAS)nounNAS systems usually contain one or more hard disks that are arranged into logical, redundant storage containers much like traditional file servers. NAS provides readily available storage resources and helps alleviate the bottlenecks associated with access to storage devices.SystemMay 12, 2026
Network attached storage (NAS)MWEcandidateMay 12, 2026
Network basic input/output systemnounA program that allows applications on different computers to communicate within a local area network (LAN).NetworkMay 9, 2026
Network basic input/output systemMWEcandidateMay 9, 2026
network diagramnounA description of any kind of locality in terms of its physical layout. In the context of communication networks, a topology describes pictorially the configuration or arrangement of a network, including its nodes and connecting communication lines.ArtifactConfidentialMay 12, 2026
network diagramMWEcandidateMay 12, 2026
Network Front-EndnounDevice implementing protocols that allow attachment of a computer system to a network.NetworkMay 9, 2026
Network Front-EndMWEcandidateMay 9, 2026
network integritynounThe state of a computer network where it is performing its intended functions without being degraded or impaired by changes or disruptions in its internal or external environments. A network is functioning properly when several things occur: applications and clients get enough network availability, applications and clients get proper bandwidth, network security does its job during both peacetime and attack, and network management has complete control of the entire network.MetricMay 9, 2026
network integrityMWEcandidateMay 9, 2026
Network interface cardnounA communication card that, when inserted into a computer, allows it to communicate with other computers on a network. Scope Note: Most NICs are designed for a particular type of network or protocol.PhysicalMay 9, 2026
Network interface cardMWEcandidateMay 9, 2026
network mappingverbTo compile an electronic inventory of the systems and the services on your network.UnclassifiedMay 11, 2026
network mappingMWEcandidateMay 11, 2026
Network news transfer protocolnounUsed for the distribution, inquiry, retrieval, and posting of Netnews articles using a reliable stream-based mechanism. For news-reading clients, NNTP enables retrieval of news articles that are stored in a central database, giving subscribers the ability to select only those articles they wish to read. (RFC 3977)NetworkMay 9, 2026
Network news transfer protocolMWEcandidateMay 9, 2026
network portnounA network port is a process-specific or an application-specific software construct serving as a communication endpoint, which is used by the Transport Layer protocols of the Internet Protocol suite, such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).NetworkRegulatedMay 9, 2026
network portMWEcandidateMay 9, 2026
network resiliencenounA computing infrastructure that provides continuous business operation (i.e., highly resistant to disruption and able to operate in a degraded mode if damaged), rapid recovery if failure does occur, and the ability to scale to meet rapid or unpredictable demands.CapabilityMay 9, 2026
network resilienceMWEcandidateMay 9, 2026
network securitynounThe protection of computer networks and their services from unauthorized entry, modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects. Network security includes providing for data integrity.CapabilityMay 9, 2026
network securityMWEcandidateMay 9, 2026
Network segmentationnounA common technique to implement network security is to segment an organization’s network into separate zones that can be separately controlled, monitored and protected.ControlMay 9, 2026
Network segmentationMWEcandidateMay 9, 2026
network segregationnounDeveloping and enforcing a ruleset controlling which computing devices are permitted to communicate with which other computing devices.ControlMay 9, 2026
network segregationMWEcandidateMay 9, 2026
Network ServicesnounIn the NICE Workforce Framework, cybersecurity work where a person: Installs, configures, tests, operates, maintains, and manages networks and their firewalls, including hardware (e.g., hubs, bridges, switches, multiplexers, routers, cables, proxy servers, and protective distributor systems) and software that permit the sharing and transmission of all spectrum transmissions of information to support the security of information and information systems.CapabilityMay 9, 2026
Network ServicesMWEcandidateMay 9, 2026
Network SniffingnounA passive technique that monitors network communication, decodes protocols, and examines headers and payloads for information of interest. It is both a review technique and a target identification and analysis technique.ThreatMay 9, 2026
Network SniffingMWEcandidateMay 9, 2026
Network SponsornounIndividual or organization responsible for stating the security policy enforced by the network, designing the network security architecture to properly enforce that policy, and ensuring that the network is implemented in such a way that the policy is enforced.RoleMay 9, 2026
Network SponsorMWEcandidateMay 9, 2026
Network SystemnounSystem implemented with a collection of interconnected components. A network system is based on a coherent security architecture and design.SystemMay 9, 2026
Network SystemMWEcandidateMay 9, 2026
Network TapsnounNetwork taps are hardware devices that hook directly onto the network cable and send a copy of the traffic that passes through it to one or more other networked devices.PhysicalMay 9, 2026
Network TapsMWEcandidateMay 9, 2026
Network traffic analysisnounIdentifies patterns in network communications. Scope Note: Traffic analysis does not need to have the actual content of the communication but analyzes where traffic is taking place, when and for how long communications occur and the size of information transferred.CapabilityMay 9, 2026
Network traffic analysisMWEcandidateMay 9, 2026
Network WeavingnounPenetration technique in which different communication networks are linked to access an information system to avoid detection and trace-back.ThreatMay 9, 2026
Network WeavingMWEcandidateMay 9, 2026
Network-Based IDSnounA network-based IDS system monitors the traffic on its network segment as a data source. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. Network traffic on other segments, and traffic on other means of communication (like phone lines) can't be monitored. Network-based IDS involves looking at the packets on the network as they pass by some sensor. The sensor can only see the packets that happen to be carried on the network segment it's attached to. Packets are considered to be of interest if they match a signature. Network-based intrusion detection passively monitors network activity for indications of attacks. Network monitoring offers several advantages over traditional host-based intrusion detection systems. Because many intrusions occur over networks at some point, and because networks are increasingly becoming the targets of attack, these techniques are an excellent method of detecting many attacks which may be missed by host-based intrusion detection mechanisms.CapabilityMay 9, 2026
Network-Based IDSMWEcandidateMay 9, 2026
Network-Based Intrusion Detection SystemsnounIDSs which detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment.CapabilityMay 12, 2026
Neural NetworknouncandidateMay 13, 2026
Neural NetworkMWEcandidateMay 13, 2026
ninetynounThe cardinal number that is the product of ten and nine.candidateMay 12, 2026
no longer needed for legal, regulatory, or business reasonnounSomething that is not needed anymore for business, regulatory, or legal reasons.RequirementRegulatedMay 9, 2026
No-Lone ZonenounArea, room, or space that, when staffed, must be occupied by two or more appropriately cleared individuals who remain within sight of each other. See Two-Person Integrity.ControlRegulatedCUIMay 9, 2026
No-Lone ZoneMWEcandidateMay 9, 2026
non-compliancenounThe failure to achieve performance criteria of a regulation or authority.FindingRegulatedMay 9, 2026
non-compliance informationnounInformation regarding a failure to act in accordance with applicable standards and regulations.FindingRegulatedCUIMay 9, 2026
non-compliance informationMWEcandidateMay 9, 2026
Non-deterministic Random Bit GeneratornounAn RBG that (when working properly) produces outputs that have full entropy. Contrast with a DRBG. Other names for non-deterministic RBGs are True Random Number (or Bit) Generators and, simply, Random Number (or Bit) Generators.CapabilityMay 12, 2026
Non-Local MaintenancenounMaintenance activities conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal network.ProcessRegulatedMay 12, 2026
Non-Local MaintenanceMWEcandidateMay 12, 2026
Non-Organizational UsernounIdentityMay 12, 2026
Non-Organizational UserMWEcandidateMay 12, 2026
Non-Printable CharacternounDataMay 8, 2026
Non-Printable CharacterMWEcandidateMay 8, 2026
non-production environmentnounSystemMay 12, 2026
non-production environmentMWEcandidateMay 12, 2026
non-programmable communication componentnounPhysicalRegulatedMay 8, 2026
non-public informationnounDataConfidentialPIIMay 8, 2026
non-public informationMWEcandidateMay 8, 2026
Non-public personal informationnounDataRegulatedPIIMay 8, 2026
Non-public personal informationMWEcandidateMay 8, 2026
non-repudiationnounControlMay 8, 2026
non-shared user accountnounIdentityRegulatedMay 8, 2026
non-shared user accountMWEcandidateMay 8, 2026
NoncenounCredentialMay 12, 2026
NondiscriminationnouncandidateMay 13, 2026
Nonintrusive monitoringnounCapabilityMay 8, 2026
Nonintrusive monitoringMWEcandidateMay 8, 2026
Normal FlownouncandidateMay 13, 2026
Normal FlowMWEcandidateMay 13, 2026
normal operationnounThe day-to-day functions of the business.ProcessMay 9, 2026
normal operationMWEcandidateMay 9, 2026
NormalizationnounThe elimination of redundant dataProcessMay 9, 2026
not be necessarynounThe condition of something not being necessary.candidateMay 9, 2026
not be necessaryMWEcandidateMay 9, 2026
not possiblenounNot being able to do something.candidateMay 9, 2026
not possibleMWEcandidateMay 9, 2026
noticenounAny documented (in print or electronic format) notice or notification to another person by taking such steps as may be reasonably required to inform the other person in ordinary course, whether or not the other person actually comes to know of it.ArtifactRegulatedMay 12, 2026
notificationnounThe act of giving notice of or reporting something formally or officially.EventRegulatedMay 9, 2026
notification procedurenounA plan of action adopted by the organization for how and when the appropriate individuals are notified.RequirementMay 9, 2026
notification procedureMWEcandidateMay 9, 2026
notification requirementnounThe obligation to officially inform a party of something important.RequirementRegulatedMay 9, 2026
notification requirementMWEcandidateMay 9, 2026
notifyverbTo give someone facts or information about something, typically in an official or formal manner.UnclassifiedMay 11, 2026
NSA-Approved CryptographynounCryptography that consists of: (i) an approved algorithm; (ii) an implementation that has been approved for the protection of classified information in a particular environment; and (iii) a supporting key management infrastructure.OrganizationMay 9, 2026
NSA-Approved CryptographyMWEcandidateMay 9, 2026
NullnounDummy letter, letter symbol, or code group inserted into an encrypted message to delay or prevent its decryption or to complete encrypted groups for transmission or transmission security purposes.ControlRegulatedCUIMay 12, 2026
Null SessionnounKnown as Anonymous Logon, it is a way of letting an anonymous user retrieve information such as user names and shares over the network or connect without authentication. It is used by applications such as explorer.exe to enumerate shares on remote servers.VulnerabilityRegulatedMay 12, 2026
Null SessionMWEcandidateMay 12, 2026
numberverbassign numerical values or sequence numbers to itemsRememberUnclassifiedMay 11, 2026
numbernounAn arithmetical value, expressed by a word, symbol, or figure, representing a particular quantity and used in counting and making calculations and for showing order in a series or for identification.candidateMay 9, 2026
ObfuscationnounThe deliberate act of creating source or machine code that is difficult for humans to understandControlIPMay 9, 2026
objectnounPassive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See Subject.DataMay 9, 2026
Object codenounThe machine code generated by a source code language processor such as an assembler or compiler. A file of object code may be executable immediately or it may require linking with other object code files (e.g., libraries) to produce a complete executable program.DataIPMay 12, 2026
Object codeMWEcandidateMay 12, 2026
Object IdentifiernounA specialized formatted number that is registered with an internationally recognized standards organization. The unique alphanumeric/numeric identifier registered under the ISO registration standard to reference a specific object or object class. In the federal government PKI, they are used to uniquely identify each of the four policies and cryptographic algorithms supported.ArtifactRegulatedCUIMay 12, 2026
Object IdentifierMWEcandidateMay 12, 2026
Object ProgramnounA program that has been translated into machine language and is ready to be run (i.e., executed) by the computer.ArtifactIPMay 12, 2026
Object ProgramMWEcandidateMay 12, 2026
Object ReusenounReassignment and reuse of a storage medium containing one or more objects after ensuring no residual data remains on the storage medium.ControlRegulatedMay 12, 2026
Object ReuseMWEcandidateMay 12, 2026
objectivenounA projected state of affairs that a person or a system plans or intends to achieve: a personal or organizational desired end-point in some sort of assumed development. Many people endeavor to reach goals within a finite time by setting deadlines.RequirementMay 9, 2026
Objective EvidencenouncandidateMay 13, 2026
Objective EvidenceMWEcandidateMay 13, 2026
objectivitynounThe quality of being not influenced by personal feelings or opinions in considering and representing facts.RequirementMay 9, 2026
obligationnounA binding agreement committing a person to an immediate or future payment or other action.RequirementMay 9, 2026
ObservationnouncandidateMay 13, 2026
observeverbwatch carefully and attentively to gather information or dataUnderstandUnclassifiedMay 11, 2026
obtainverbTo gain, secure, or acquire something, usually by planned action or effort.UnclassifiedMay 11, 2026
OctetnounA sequence of eight bits. An octet is an eight-bit byte.DataMay 12, 2026
Off-CardnounRefers to data that is not stored within the PIV card or computation that is not done by the Integrated Circuit Chip (ICC) of the PIV card.DataRegulatedCUIMay 9, 2026
Off-line AttacknounAn attack where the Attacker obtains some data (typically by eavesdropping on an authentication protocol run, or by penetrating a system and stealing security files) that he/she is able to analyze in a system of his/her own choosing.ThreatMay 9, 2026
Off-line AttackMWEcandidateMay 9, 2026
Off-line CryptosystemnounCryptographic system in which encryption and decryption are performed independently of the transmission and reception functions.CapabilityMay 12, 2026
Off-line CryptosystemMWEcandidateMay 12, 2026
Office of Foreign Asset Control (OFAC)nounThe Office of Foreign Assets Control, United States Department of the Treasury, administers and enforces economic sanctions programs primarily against countries and groups of individuals such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.OrganizationRegulatedMay 9, 2026
Office of Foreign Assets Control (OFAC)nounThe Office of Foreign Assets Control, Department of the Treasury, administers and enforces economic sanctions programs primarily against countries and groups of individuals such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.OrganizationRegulatedMay 12, 2026
Official InformationnounAll information in the custody and control of a U.S. government department or agency that was acquired by U.S. government employees as a part of their official duties or because of their official status and has not been cleared for public release.DataRegulatedCUIMay 9, 2026
Official InformationMWEcandidateMay 9, 2026
Offline LearningnouncandidateMay 13, 2026
Offline LearningMWEcandidateMay 13, 2026
offsite backupnounA backup process or facility that stores backup data or applications external to the organization or core IT environmentProcessRegulatedMay 12, 2026
offsite backupMWEcandidateMay 12, 2026
Offsite rotationnounUsed for backup and/or disaster recovery; moving a copy of the most current database, information, file, or tape to an offsite storage facility to be used only in an emergency.ProcessRegulatedMay 9, 2026
Offsite rotationMWEcandidateMay 9, 2026
omissionnounSomeone or something that has been left out or excluded.FindingMay 9, 2026
omitverbidentify what has been left out or intentionally exclude somethingRememberUnclassifiedMay 11, 2026
On-CardnounRefers to data that is stored within the PIV card or computation that is done by the ICC of the PIV card.DataRegulatedCUIMay 9, 2026
On-us checksnounChecks that are deposited into the same institution on which they are drawn.DataRegulatedPIIMay 9, 2026
On-us checksMWEcandidateMay 9, 2026
One-part CodenounCode in which plain text elements and their accompanying code groups are arranged in alphabetical, numerical, or other systematic order, so one listing serves for both encoding and decoding. One-part codes are normally small codes used to pass small volumes of low-sensitivity information.ArtifactMay 12, 2026
One-part CodeMWEcandidateMay 12, 2026
One-time CryptosystemnounCryptosystem employing key used only once.ControlMay 9, 2026
One-time CryptosystemMWEcandidateMay 9, 2026
One-time PadnounManual one-time cryptosystem produced in pad form.CredentialRestrictedCUIMay 9, 2026
One-time PadMWEcandidateMay 9, 2026
One-time TapenounPunched paper tape used to provide key streams on a one-time basis in certain machine cryptosystems.PhysicalRegulatedCUIMay 9, 2026
One-time TapeMWEcandidateMay 9, 2026
One-Way EncryptionnounIrreversible transformation of plaintext to cipher text, such that the plaintext cannot be recovered from the cipher text by other than exhaustive procedures even if the cryptographic key is known.ControlMay 9, 2026
One-Way EncryptionMWEcandidateMay 9, 2026
One-Way FunctionnounA (mathematical) function, f, whose output is easy to compute from a given input. However, given only the output value, it is impossible (except by a brute force attack) to figure out what the input value is.ControlMay 9, 2026
One-Way FunctionMWEcandidateMay 9, 2026
One-Way Hash AlgorithmnounHash algorithms which map arbitrarily long inputs into a fixed-size output such that it is very difficult (computationally infeasible) to find two different hash inputs that produce the same output. Such algorithms are an essential part of the process of producing fixed-size digital signatures that can both authenticate the signer and provide for data integrity checking (detection of input modification after signature).ControlMay 9, 2026
One-Way Hash AlgorithmMWEcandidateMay 9, 2026
Online AttacknounAn attack against an authentication protocol where the Attacker either assumes the role of a Claimant with a genuine Verifier or actively alters the authentication channel. The goal of the attack may be to gain authenticated access or learn authentication secrets.ThreatRegulatedMay 12, 2026
Online AttackMWEcandidateMay 12, 2026
Online Certificate Status ProtocolnounAn online protocol used to determine the status of a public key certificate.CredentialMay 9, 2026
Online Certificate Status ProtocolMWEcandidateMay 9, 2026
Online CryptosystemnounCryptographic system in which encryption and decryption are performed in association with the transmitting and receiving functions.CapabilityRegulatedMay 12, 2026
Online CryptosystemMWEcandidateMay 12, 2026
Online LearningnouncandidateMay 13, 2026
Online LearningMWEcandidateMay 13, 2026
online terminalnounA web-browser-based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.SystemRegulatedPCIMay 9, 2026
online terminalMWEcandidateMay 9, 2026
OntologynouncandidateMay 13, 2026
OpacitynouncandidateMay 13, 2026
Open Checklist Interactive LanguagenounSCAP language for expressing security checks that cannot be evaluated without some human interaction or feedback.FrameworkMay 12, 2026
Open Checklist Interactive LanguageMWEcandidateMay 12, 2026
Open market operationsnounThe buying and selling of government securities in the open market in order to expand or contract the amount of money in the banking system.ProcessMay 12, 2026
Open market operationsMWEcandidateMay 12, 2026
Open Shortest Path FirstnounOpen Shortest Path First is a link state routing algorithm used in interior gateway routing. Routers maintain a database of all routers in the autonomous system with links between the routers, link costs, and link states (up and down).NetworkMay 12, 2026
Open Shortest Path FirstMWEcandidateMay 12, 2026
Open StoragenounAny storage of classified national security information outside of approved containers. This includes classified information that is resident on information systems media and outside of an approved storage container, regardless of whether or not that media is in use (i.e., unattended operations).FindingRegulatedCUIMay 9, 2026
Open StorageMWEcandidateMay 9, 2026
Open Systems InterconnectnounA model for the design of a network. The open systems interconnect (OSI) model defines groups of functionality required to network computers into layers. Each layer implements a standard protocol to implement its functionality. There are seven layers in the OSI model.FrameworkMay 12, 2026
Open Systems InterconnectMWEcandidateMay 12, 2026
Open Systems InterconnectionnounOSI (Open Systems Interconnection) is a standard description or "reference model" for how messages should be transmitted between any two points in a telecommunication network. Its purpose is to guide product implementers so that their products will consistently work with other products. The reference model defines seven layers of functions that take place at each end of a communication. Although OSI is not always strictly adhered to in terms of keeping related functions together in a well-defined layer, many if not most products involved in telecommunication make an attempt to describe themselves in relation to the OSI model. It is also valuable as a single reference view of communication that furnishes everyone a common ground for education and discussion.FrameworkMay 12, 2026
Open Systems InterconnectionMWEcandidateMay 12, 2026
Open Vulnerability and Assessment LanguagenounSCAP language for specifying low-level testing procedures used by checklists.VulnerabilityMay 12, 2026
Open Web Application Security ProjectnounAn open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trustedOrganizationMay 9, 2026
operateverbuse, control, or run equipment, systems, or processesApplySecondaryMay 11, 2026
operatenoun(of a person) control the functioning of (a machine, process, or system).ProcessMay 9, 2026
Operate & MaintainnounA NICE Workforce Framework category consisting of specialty areas responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.ProcessMay 9, 2026
Operate & MaintainMWEcandidateMay 9, 2026
operating statenounDistinct operating modes (which typically include specific Information Technology and Operations Technology configurations as well as alternate or modified procedures) that have been designed and implemented for the function and can be invoked by a manual or automated process in response to an event, a changing risk environment, or other sensory and awareness data to provide greater safety, resiliency, reliability, and/or cybersecurity. For example, a shift from the normal state of operation to a high-security operating mode may be invoked in response to a declared cybersecurity incident of sufficient severity. The high-security operating state may trade off efficiency and ease of use in favor of increased security by blocking remote access and requiring a higher level of authentication and authorization for certain commands until a return to the normal state of operation is deemed safe.ProcessMay 9, 2026
operating stateMWEcandidateMay 9, 2026
Operating systemnounThe software 'master control application' that runs the computer. It is the first program loaded when the computer is turned on, and its principal component, the kernel, resides in memory at all times. The OS sets the standards for all application programs (such as the mail server) that run in the computer. The applications communicate with the OS for most user interface and file management operations.SystemMay 9, 2026
Operating systemMWEcandidateMay 9, 2026
Operating System FingerprintingnounAnalyzing characteristics of packets sent by a target, such as packet headers or listening ports, to identify the operating system in use on the target.SystemMay 9, 2026
Operating System FingerprintingMWEcandidateMay 9, 2026
operationnounAn organized activity involving multiple people.ProcessMay 9, 2026
operational controlnounThe day-to-day security procedures and mechanisms to protect operational systems. The operational controls consist of the physical, environmental and personnel security controls. These controls deal with the everyday operation of a company or organization to ensure all objectives are achieved.ControlRegulatedMay 9, 2026
operational controlMWEcandidateMay 9, 2026
operational exercisnounAn action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles, and responsibilities.ProcessMay 9, 2026
operational exercisMWEcandidateMay 9, 2026
operational exercisenounAn action-based exercise where personnel rehearse reactions to an incident scenario, drawing on their understanding of plans and procedures, roles, and responsibilities.ProcessMay 12, 2026
operational exerciseMWEcandidateMay 12, 2026
Operational IT plannounTypically, the plans that are made by front-line, or low-level, IT managers. Operational IT plans are focused on the specific procedures and processes that implement the larger strategic plan.ProcessMay 9, 2026
Operational IT planMWEcandidateMay 9, 2026
Operational KeynounKey intended for use over-the-air for protection of operational information or for the production or secure electrical transmission of key streams.CredentialRegulatedCUIMay 9, 2026
Operational KeyMWEcandidateMay 9, 2026
operational performance reportnounA report that details the findings of a performance review of a business's operations.ArtifactInternalMay 12, 2026
operational performance reportMWEcandidateMay 12, 2026
operational resiliencenounThe ability of an FMI to: (i) maintain essential operational capabilities under adverse conditions or stress, even if in a degraded or debilitated state; and (ii) recover to effective operational capability in a time frame consistent with the provision of critical economic services.CapabilityRegulatedMay 9, 2026
operational resilienceMWEcandidateMay 9, 2026
Operational risknounThe risk of failure or loss resulting from inadequate or failed processes, people, or systems.ThreatRegulatedMay 12, 2026
Operational riskMWEcandidateMay 12, 2026
Operational Vulnerability InformationnounInformation that describes the presence of an information vulnerability within a specific operational setting or network.VulnerabilityRegulatedCUIMay 12, 2026
Operational WaivernounAuthority for continued use of unmodified COMSEC end-items pending the completion of a mandatory modification.RequirementRegulatedCUIMay 9, 2026
Operational WaiverMWEcandidateMay 9, 2026
OperationalizationnouncandidateMay 13, 2026
Operations CodenounCode composed largely of words and phrases suitable for general communications use.ArtifactRegulatedCUIMay 9, 2026
Operations CodeMWEcandidateMay 9, 2026
Operations SecuritynounSystematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.ProcessRegulatedCUIMay 9, 2026
Operations SecurityMWEcandidateMay 9, 2026
Operations TechnologynounThe hardware and software systems used to operate industrial control devices.SystemRegulatedMay 9, 2026
Operations TechnologyMWEcandidateMay 9, 2026
OperatornounRoleMay 13, 2026
opinionverbexpress or evaluate a personal view or judgmentEvaluateUnclassifiedMay 11, 2026
Opt-InnouncandidateMay 13, 2026
Opt-OutnouncandidateMay 13, 2026
optimizeverbadjust or improve something to achieve the best possible resultCreateUnclassifiedMay 11, 2026
Optional ModificationnounNSA-approved modification not required for universal implementation by all holders of a COMSEC end-item. This class of modification requires all of the engineering/doctrinal control of mandatory modification but is usually not related to security, safety, TEMPEST, or reliability. See Mandatory Modification.ControlRegulatedCUIMay 9, 2026
Optional ModificationMWEcandidateMay 9, 2026
orateverbdeliver a formal speech or presentation to an audienceCreateUnclassifiedMay 11, 2026
orderverbarrange items in a logical sequence or hierarchyAnalyzeUnclassifiedMay 11, 2026
organizationnounAn entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency, or, as appropriate, any of its operational elements).OrganizationMay 9, 2026
Organizational Information Security Continuous MonitoringnounOngoing monitoring sufficient to ensure and assure effectiveness of security controls related to systems, networks, and cyberspace, by assessing security control implementation and organizational security status in accordance with organizational risk tolerance – and within a reporting structure designed to make real-time, data-driven risk management decisions.CapabilityMay 12, 2026
Organizational MaintenancenounLimited maintenance performed by a user organization.ProcessMay 9, 2026
Organizational MaintenanceMWEcandidateMay 9, 2026
organizational objectivenounPerformance targets set by an organization.RequirementMay 12, 2026
organizational objectiveMWEcandidateMay 12, 2026
Organizational Registration AuthoritynounEntity within the PKI that authenticates the identity and the organizational affiliation of the users.OrganizationRegulatedPIIMay 9, 2026
organizational risk tolerancenounThe level of risk an organization is willing to take in order to achieve a potential desired result.MetricMay 12, 2026
organizational risk toleranceMWEcandidateMay 12, 2026
Organizational UsernounAn organizational employee or an individual the organization deems to have equivalent status of an employee (e.g., contractor, guest researcher, individual detailed from another organization, individual from allied nation).IdentityMay 12, 2026
Organizational UserMWEcandidateMay 12, 2026
organizeverbarrange or structure elements systematically for efficiency or clarityCreateUnclassifiedMay 11, 2026
originalverbproduce something unique and not derived from existing workCreateUnclassifiedMay 11, 2026
originateverbcreate, initiate, or give rise to something newCreateUnclassifiedMay 11, 2026
Originating depository financial institution (ODFI)nounA participating financial institution that originates entries at the request of and by agreement with its originators in accordance with the provisions of the NACHA rules.OrganizationRegulatedMay 9, 2026
origination functionnounAny of the processes required to initiate an automated clearing house transaction.ProcessRegulatedPCIMay 12, 2026
origination functionMWEcandidateMay 12, 2026
OriginatornounA person that has authorized an ODFI to transmit a credit or debit entry to the deposit account of a receiver at an RDFI.IdentityRegulatedPIIMay 9, 2026
OSI layersnounThe main idea in OSI is that the process of communication between two end points in a telecommunication network can be divided into layers, with each layer adding its own set of special, related functions. Each communicating user or program is at a computer equipped with these seven layers of function. So, in a given message between users, there will be a flow of data through each layer at one end down through the layers in that computer and, at the other end, when the message arrives, another flow of data up through the layers in the receiving computer and ultimately to the end user or program. The actual programming and hardware that furnishes these seven layers of function is usually a combination of the computer operating system, applications (such as your Web browser), TCP/IP or alternative transport and network protocols, and the software and hardware that enable you to put a signal on one of the lines attached to your computer. OSI divides telecommunication into seven layers. The layers are in two groups. The upper four layers are used whenever a message passes from or to a user. The lower three layers (up to the network layer) are used when any message passes through the host computer or router. Messages intended for this computer pass to the upper layers. Messages destined for some other host are not passed up to the upper layers but are forwarded to another host. The seven layers are: Layer 7: The application layer...This is the layer at which communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. (This layer is not the application itself, although some applications may perform application layer functions.) 
Layer 6: The presentation layer...This is a layer, usually part of an operating system, that converts incoming and outgoing data from one presentation format to another (for example, from a text stream into a popup window with the newly arrived text). Sometimes called the syntax layer. Layer 5: The session layer...This layer sets up, coordinates, and terminates conversations, exchanges, and dialogs between the applications at each end. It deals with session and connection coordination. Layer 4: The transport layer...This layer manages the end-to-end control (for example, determining whether all packets have arrived) and error-checking. It ensures complete data transfer. Layer 3: The network layer...This layer handles the routing of the data (sending it in the right direction to the right destination on outgoing transmissions and receiving incoming transmissions at the packet level). The network layer does routing and forwarding. Layer 2: The data-link layer...This layer provides synchronization for the physical level and does bit-stuffing for strings of 1's in excess of 5. It furnishes transmission protocol knowledge and management. Layer 1: The physical layer...This layer conveys the bit stream through the network at the electrical and mechanical level. It provides the hardware means of sending and receiving data on a carrier.FrameworkMay 9, 2026
OSI layersMWEcandidateMay 9, 2026
Out-of-bandnounActivity outside of the primary means of interfacing with the customer. For example, if a user is performing activity online, he or she may be authenticated through a one-time password sent via text message.ControlRegulatedMay 12, 2026
OutcomenouncandidateMay 13, 2026
Outcome measurenounRepresents the consequences of actions previously taken; often referred to as a lag indicator. Scope Note: Outcome measures frequently focus on results at the end of a time period and characterize historic performance. They are also referred to as key goal indicators (KGIs) and are used to indicate whether goals have been met. These can be measured only after the fact and, therefore, are called lag indicators.MetricMay 9, 2026
Outcome measureMWEcandidateMay 9, 2026
OutliernouncandidateMay 13, 2026
outlineverbprovide a structured summary of the main points or frameworkCreateUnclassifiedMay 11, 2026
outputnounData or information produced by computer processing, such as graphic display on a terminal or hard copy.ArtifactMay 9, 2026
Outside ThreatnounAn unauthorized entity from outside the domain perimeter that has the potential to harm an Information System through destruction, disclosure, modification of data, and/or denial of service.ThreatMay 9, 2026
Outside ThreatMWEcandidateMay 9, 2026
outside(r) threatnounA person or group of persons external to an organization who are not authorized to access its assets and pose a potential risk to the organization and its assets.ThreatRestrictedMay 12, 2026
outside(r) threatMWEcandidateMay 12, 2026
Outsider ThreatnounAn unauthorized entity outside the security domain that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.ThreatMay 9, 2026
Outsider ThreatMWEcandidateMay 9, 2026
outsourceverbTo secure goods or a service from an outside source by contract.UnclassifiedMay 11, 2026
outsourced applicationnounAn application that is contracted out to an external provider for development, deployment, and management.SystemRegulatedMay 12, 2026
outsourced applicationMWEcandidateMay 12, 2026
OutsourcingnounThe practice of contracting with another entity to perform services that might otherwise be conducted in-house. Contracted relationship with a third party to provide services, systems, or support.ProcessMay 12, 2026
outsourcing arrangementnounA contract between the institution and an audit services firm to provide internal audit services.ProcessRegulatedMay 12, 2026
outsourcing arrangementMWEcandidateMay 12, 2026
outsourcing contractnounThe outsourcing contract is one of the most important documents in an outsourcing relationship. The contract, its terms, and its quality will largely influence the outsourcing relations, governance, and the overall success of the outsourcing venture.RequirementConfidentialMay 12, 2026
outsourcing contractMWEcandidateMay 12, 2026
Outsourcing Service ContractnounThis record contains acquisition or outsourcing contracts for IT services.ArtifactConfidentialMay 12, 2026
Outsourcing Service ContractMWEcandidateMay 12, 2026
Over-The-Air Key DistributionnounProviding electronic key via over-the-air rekeying, over-the-air key transfer, or cooperative key generation.ProcessRestrictedCUIMay 12, 2026
Over-The-Air Key DistributionMWEcandidateMay 12, 2026
Over-The-Air Key TransfernounElectronically distributing key without changing traffic encryption key used on the secured communications path over which the transfer is accomplished.ProcessRegulatedCUIMay 12, 2026
Over-The-Air Key TransferMWEcandidateMay 12, 2026
Over-The-Air RekeyingnounChanging traffic encryption key or transmission security key in remote cryptographic equipment by sending new key directly to the remote cryptographic equipment over the communications path it secures.ProcessRegulatedCUIMay 12, 2026
Over-The-Air RekeyingMWEcandidateMay 12, 2026
overdraftnounThe amount by which withdrawals exceed deposits, or the extension of credit by a lending institution to allow for such a situation.DataRegulatedPIIMay 12, 2026
OverfittingnouncandidateMay 13, 2026
overhaulverbthoroughly examine and make extensive improvements or repairsCreateUnclassifiedMay 11, 2026
OverloadnounHindrance of system operation by placing excess burden on the performance capabilities of a system component.ThreatMay 9, 2026
overseeverbTo supervise a person or their work.UnclassifiedMay 11, 2026
oversightnounThe action of supervising something.ProcessMay 9, 2026
Oversight & DevelopmentnounA NICE Workforce Framework category consisting of specialty areas providing leadership, management, direction, and/or development and advocacy so that all individuals and the organization may effectively conduct cybersecurity work.CapabilityMay 12, 2026
Oversight & DevelopmentMWEcandidateMay 12, 2026
Overt ChannelnounCommunications path within a computer system or network designed for the authorized transfer of data. See Covert Channel.NetworkMay 12, 2026
Overt ChannelMWEcandidateMay 12, 2026
Overt TestingnounSecurity testing performed with the knowledge and consent of the organization’s IT staff.ProcessMay 12, 2026
Overt TestingMWEcandidateMay 12, 2026
Overwrite ProcedurenounA software process that replaces data previously stored on storage media with a predetermined set of meaningless data or random patterns.RequirementMay 9, 2026
Overwrite ProcedureMWEcandidateMay 9, 2026
PackagenouncandidateMay 13, 2026
PacketnounThe data unit that is routed from source to destination in a packet-switched network.DataMay 9, 2026
Packet FilternounA routing device that provides access control functionality for host addresses and communication sessions.ControlMay 9, 2026
Packet FilterMWEcandidateMay 9, 2026
Packet filteringnounControlling access to a network by analyzing the attributes of the incoming and outgoing packets and either letting them pass, or denying them, based on a list of rulesControlMay 9, 2026
Packet filteringMWEcandidateMay 9, 2026
Packet SniffernounSoftware that observes and records network traffic.CapabilityMay 9, 2026
Packet SnifferMWEcandidateMay 9, 2026
Packet Switched NetworknounA packet switched network is where individual packets each follow their own paths through the network from one endpoint to another.NetworkMay 12, 2026
Packet Switched NetworkMWEcandidateMay 12, 2026
Packet switchingnounThe process of transmitting messages in convenient pieces that can be reassembled at the destinationNetworkMay 12, 2026
Packet switchingMWEcandidateMay 12, 2026
paintverbcreate a visual representation or apply color to illustrate conceptsApplyUnclassifiedMay 11, 2026
PandemicnounAn epidemic or infectious disease that can have a worldwide impact.EventMay 12, 2026
ParametricnouncandidateMay 13, 2026
paraphraseverbrestate information in different words while retaining the original meaningUnderstandUnclassifiedMay 11, 2026
Parent ProcessnounProcessMay 13, 2026
Parent ProcessMWEcandidateMay 13, 2026
ParitynounBit(s) used to determine whether a block of data has been altered.ControlMay 9, 2026
partnounSomething determined in relation to something that includes it.candidateMay 9, 2026
ParticipantnouncandidateMay 13, 2026
participateverbTo take part in some activity; be involved.UnclassifiedMay 11, 2026
participationnounThe act of taking part or sharing in something.ProcessMay 12, 2026
Partitioned Security ModenounInformation systems security mode of operation wherein all personnel have the clearance, but not necessarily formal access approval and need-to-know, for all information handled by an information system.RequirementRegulatedCUIMay 12, 2026
Partitioned Security ModeMWEcandidateMay 12, 2026
PartitionsnounMajor divisions of the total physical hard disk space.PhysicalMay 12, 2026
partnernounAn associate in an activity or endeavor or sphere of common interest.OrganizationMay 9, 2026
partynounA person or group participating in an action or affair.OrganizationMay 9, 2026
passive attacknounAn attack against an authentication protocol where the Attacker intercepts data traveling along the network between the Claimant and Verifier, but does not alter the data (i.e., eavesdropping).ThreatMay 9, 2026
passive attackMWEcandidateMay 9, 2026
Passive Learning AgentnouncandidateMay 13, 2026
Passive Learning AgentMWEcandidateMay 13, 2026
Passive responsenounA response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent actionControlMay 9, 2026
Passive responseMWEcandidateMay 9, 2026
Passive Security TestingnounSecurity testing that does not involve any direct interaction with the targets, such as sending packets to a target.ProcessMay 12, 2026
Passive Security TestingMWEcandidateMay 12, 2026
Passive WiretappingnounThe monitoring or recording of data while it is being transmitted over a communications link, without altering or affecting the data.ThreatRegulatedMay 12, 2026
Passive WiretappingMWEcandidateMay 12, 2026
passwonounA string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.CredentialRestrictedMay 9, 2026
passwordnounA protected/private string of letters, numbers, and/or special characters used to authenticate an identity or to authorize access to data.CredentialRestrictedMay 12, 2026
password attemptnounAn effort to input a password to gain access to a system.CredentialMay 9, 2026
password attemptMWEcandidateMay 9, 2026
Password Authentication ProtocolnounPassword Authentication Protocol is a simple, weak authentication mechanism where a user enters the password and it is then sent across the network, usually in the clear.CredentialMay 9, 2026
Password Authentication ProtocolMWEcandidateMay 9, 2026
password changenounThe changing of a user's password.CredentialMay 9, 2026
password changeMWEcandidateMay 9, 2026
password complexitynounA set of rules that defines what set of characters and the amount of characters a password must contain.CredentialMay 9, 2026
password complexityMWEcandidateMay 9, 2026
Password crackernounA tool that tests the strength of user passwords by searching for passwords that are easy to guess. It repeatedly tries words from specially crafted dictionaries and often also generates thousands (and in some cases, even millions) of permutations of characters, numbers and symbols.CredentialMay 9, 2026
Password crackerMWEcandidateMay 9, 2026
Password CrackingnounThe process of recovering secret passwords stored in a computer system or transmitted over a network.CredentialMay 9, 2026
Password CrackingMWEcandidateMay 9, 2026
password parameternounA setting that defines a condition or requirement that a password must match.CredentialMay 9, 2026
password parameterMWEcandidateMay 9, 2026
Password ProtectednounThe ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered.CredentialMay 9, 2026
Password ProtectedMWEcandidateMay 9, 2026
Password SniffingnounPassive wiretapping, usually on a local area network, to gain knowledge of passwords.CredentialMay 9, 2026
Password SniffingMWEcandidateMay 9, 2026
patchverbPrimaryMay 11, 2026
patchnounAn update to an operating system, application, or other software issued specifically to correct particular problems with the software.ArtifactMay 9, 2026
patch and vulnerability management processnounOne of the many processes associated with the patching of software applications and the situations when an organization is forced to make emergency configuration changes that may reduce functionality to protect the organization from exploitation of the vulnerability.VulnerabilityRegulatedMay 12, 2026
patch lognounA list that shows patches that have been installed and need to be installed to update software.ArtifactInternalMay 12, 2026
patch logMWEcandidateMay 12, 2026
Patch managementnounThe systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.ProcessMay 9, 2026
Patch managementMWEcandidateMay 9, 2026
patch management programnounA documented approach for organizing and directing all activities undertaken to manage patches or upgrades for software and hardware.ProcessMay 9, 2026
patch management programMWEcandidateMay 9, 2026
PatchingnounSoftware code that replaces or updates other code. Frequently patches are used to correct security flaws.ProcessMay 9, 2026
Path HistoriesnounMaintaining an authenticatable record of the prior platforms visited by a mobile software agent, so that a newly visited platform can determine whether to process the agent and what resource constraints to apply.ArtifactInternalCUIMay 12, 2026
Path HistoriesMWEcandidateMay 12, 2026
Paying banknounA paying bank is the institution where a check is payable and to which it is sent for payment.OrganizationRegulatedMay 9, 2026
Paying bankMWEcandidateMay 9, 2026
PayloadnounThe input data to the CCM generation-encryption process that is both authenticated and encrypted.DataRestrictedMay 12, 2026
PaymentnounA transfer of value.DataRegulatedPCIMay 9, 2026
payment cardnounA range of different cards that can be used to access cash assets through point-of-sale terminals or other facilities in order to make payments, receive cash money, exchange currency and perform other actions determined by the card issuer and its terms.PhysicalRegulatedPCIMay 9, 2026
payment cardMWEcandidateMay 9, 2026
Payment systemnounThe mechanism, the rules, institutions, people, markets, and agreements that make the exchange of payments possible.SystemRegulatedPCIMay 9, 2026
Payment systemMWEcandidateMay 9, 2026
Payments System Risk Policy (PSR)nounThe Federal Reserve's Payments System Risk (PSR) policy addressing the risks that payment systems present to the Federal Reserve Banks, the banking system, and to other sectors of the economy.RequirementRegulatedMay 12, 2026
Payments System Risk Policy (PSR)MWEcandidateMay 12, 2026
Payroll card accountnounA bank account that is established directly or indirectly by an employer on behalf of an employee to which electronic funds transfers of the employee's wages or compensation are made on a recurring basis. The payroll card, often branded by one of the credit/debit card associations, provides the employee access to the funds.DataRegulatedPIIMay 9, 2026
Payroll card accountMWEcandidateMay 9, 2026
PCI Security Standards CouncilnounThe governing body, representing key participants of the payment card industry, which establishes and maintains security standards for payment cards.OrganizationRegulatedPCIMay 12, 2026
PCI Security Standards CouncilMWEcandidateMay 12, 2026
Peer Entity AuthenticationnounThe process of verifying that a peer entity in an association is as claimed.ProcessMay 9, 2026
Peer Entity AuthenticationMWEcandidateMay 9, 2026
Peer-to-peer (P2P)nounPeer-to-peer communication, the communications that travel from one user's computer to another user's computer without being stored for later access on a server. E-mail is not a P2P communication since it travels from the sender to a server, and is retrieved by the recipient from the server. On-line chat, however, is a P2P communication since messages travel directly from one user to another.NetworkMay 12, 2026
Peer-to-peer (P2P)MWEcandidateMay 12, 2026
pen testnounA colloquial term for penetration test or penetration testing.ProcessMay 9, 2026
pen testMWEcandidateMay 9, 2026
PenetrationnounGaining unauthorized logical access to sensitive data by circumventing a system's protections.ThreatRegulatedMay 12, 2026
Penetration testnounThe process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others.ProcessRestrictedMay 9, 2026
Penetration testMWEcandidateMay 9, 2026
Penetration testingnounSecurity testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.ProcessRegulatedMay 9, 2026
Penetration testingMWEcandidateMay 9, 2026
Per-Call KeynounUnique traffic encryption key generated automatically by certain secure telecommunications systems to secure single voice or data transmissions. See Cooperative Key Generation.CredentialRegulatedCUIMay 9, 2026
Per-Call KeyMWEcandidateMay 9, 2026
perceiveverbbecome aware of or recognize something through observation or insightEvaluateUnclassifiedMay 11, 2026
performverbcarry out, execute, or present an action, task, or demonstrationCreateUnclassifiedMay 11, 2026
performancenounThe act of doing a job, an activity, etc.MetricMay 9, 2026
Performance Reference ModelnounFramework for performance measurement providing common output measurements throughout the federal government. It allows agencies to better manage the business of government at a strategic level by providing a means for using an agency’s EA to measure the success of information systems investments and their impact on strategic outcomes.FrameworkInternalMay 12, 2026
Performance Reference ModelMWEcandidateMay 12, 2026
performance reviewnounThe purpose of this task is to evaluate one's abilities to execute the required functions of a job and to analyze the system for performance against a known benchmark or design document.ProcessMay 12, 2026
performance reviewMWEcandidateMay 12, 2026
Perimeternoun(C&A) Encompasses all those components of the system that are to be accredited by the DAA, and excludes separately accredited systems to which the system is connected. (Authorization) Encompasses all those components of the system or network for which a Body of Evidence is provided in support of a formal approval to operate.SystemRegulatedCUIMay 12, 2026
period of inactivitynounThe planned or actual time an operation is not engaged in run time, or the active production of a product. Idle time is typically scheduled, for setup, maintenance or other activities, or unscheduled due to lack of a required resource such as material.MetricMay 12, 2026
period of inactivityMWEcandidateMay 12, 2026
periodic assessmentnounAn assessment that is conducted on a regular interval.ProcessMay 9, 2026
periodic assessmentMWEcandidateMay 9, 2026
Periods ProcessingnounThe processing of various levels of classified and unclassified information at distinctly different times. Under the concept of periods processing, the system must be purged of all information from one processing period before transitioning to the next.ProcessRegulatedCUIMay 9, 2026
Periods ProcessingMWEcandidateMay 9, 2026
Perishable DatanounInformation whose value can decrease substantially during a specified time. A significant decrease in value occurs when the operational circumstances change to the extent that the information is no longer useful.DataMay 9, 2026
Perishable DataMWEcandidateMay 9, 2026
Permanent virtual circuit (PVC)nounPVC is a pathway through a network that is predefined and maintained by the end systems and nodes along the circuit, but the actual pathway through the network may change due to routing problems. The PVC is a fixed circuit that is defined in advance by the public network carrier. Refer to switched virtual circuit for an additional virtual circuit option.NetworkMay 9, 2026
Permanent virtual circuit (PVC)MWEcandidateMay 9, 2026
PermutationnounPermutation keeps the same letters but changes the position within a text to scramble the message.ControlMay 9, 2026
PermuternounDevice used in cryptographic equipment to change the order in which the contents of a shift register are used in various nonlinear combining circuits.PhysicalRestrictedCUIMay 9, 2026
personnounThis role focuses on human individuals, partnerships, corporations, limited liability companies, trusts, estates, cooperatives, associations, sole proprietorships, joint stock companies, joint ventures, or other legal entity. Any process or activity that fits into one of these categories should be assigned to this role.IdentityPIIMay 9, 2026
Person-to-person (P2P) paymentnounOnline payments using electronic mail messages to invoke a transfer of value between the parties over existing proprietary networks as on-us transactions.ProcessRegulatedPCIMay 9, 2026
Person-to-person (P2P) paymentMWEcandidateMay 9, 2026
Personal DatanounDataRegulatedPIIMay 13, 2026
Personal DataMWEcandidateMay 13, 2026
Personal digital assistant (PDA)nounA pocket-sized, special-purpose personal computer that lacks a conventional keyboard.PhysicalRegulatedMay 12, 2026
Personal digital assistant (PDA)MWEcandidateMay 12, 2026
Personal FirewallnounA utility on a computer that monitors network activity and blocks communications that are unauthorized.NetworkMay 9, 2026
Personal FirewallMWEcandidateMay 9, 2026
Personal identification numbernounA secret that a claimant memorizes and uses to authenticate his or her identity. PINs are generally only decimal digits.CredentialRegulatedPIIMay 12, 2026
Personal identification numberMWEcandidateMay 12, 2026
personal identification number informationnounInformation containing an account-holder's secret code that is used to verify their identity when trying to access a computer system, network, credit card account, ATM, etc.DataRegulatedPIIMay 9, 2026
Personal Identifying Information / Personally Identifiable InformationnounThe information that permits the identity of an individual to be directly or indirectly inferred.DataRegulatedPIIMay 9, 2026
Personal Identity VerificationnounThe process of creating and using a governmentwide secure and reliable form of identification for federal employees and contractors, in support of HSPD 12, Policy for a Common Identification Standard for Federal Employees and Contractors.ProcessRegulatedCUIMay 9, 2026
Personal Identity VerificationMWEcandidateMay 9, 2026
Personal Identity Verification AccreditationnounThe official management decision to authorize operation of a PIV Card Issuer after determining that the Issuer’s reliability has satisfactorily been established through appropriate assessment and certification processes.ProcessRegulatedCUIMay 9, 2026
Personal Identity Verification Authorizing OfficialnounAn individual who can act on behalf of an agency to authorize the issuance of a credential to an applicant.RoleRegulatedCUIMay 9, 2026
Personal Identity Verification CardnounPhysical artifact (e.g., identity card, “smart” card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation, etc.) such that a claimed identity of the cardholder may be verified against the stored credentials by another person (human-readable and verifiable) or an automated process (computer-readable and verifiable).PhysicalRegulatedCUIMay 9, 2026
Personal Identity Verification IssuernounAn authorized identity card creator that procures FIPS-approved blank identity cards, initializes them with appropriate software and data elements for the requested identity verification and access control application, personalizes the cards with the identity credentials of the authorized subjects, and delivers the personalized card to the authorized subjects along with appropriate instructions for protection and use.OrganizationRegulatedCUIMay 9, 2026
Personal Identity Verification RegistrarnounAn entity that establishes and vouches for the identity of an applicant to a PIV Issuer. The PIV RA authenticates the applicant’s identity by checking identity source documents and identity proofing, and ensures a proper background check has been completed, before the credential is issued.OrganizationRegulatedPIIMay 9, 2026
Personal Identity Verification SponsornounAn individual who can act on behalf of a department or agency to request a PIV Card for an applicant.RoleRegulatedCUIMay 9, 2026
personalizeverbcustomize or tailor something to individual needs or preferencesCreateUnclassifiedMay 11, 2026
Personally identifiable financial informationnounFor purposes of the Information Security Standards, personally identifiable financial information means information (i) a consumer provides to a financial institution to obtain a financial product or service; (ii) about a consumer resulting from any transaction involving a financial product or service between the financial institution and a consumer; or (iii) that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service, such as account balance information, payment history, overdraft history, and credit or debit card purchase information; or the fact that an individual is one of the financial institution’s customers.DataRegulatedPIIMay 9, 2026
Personally Identifiable InformationnounAny information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.DataRegulatedPIIMay 9, 2026
personnelnounPeople who are employed by and work directly within an organization.RoleMay 9, 2026
personnel activitynounAny duty or action performed by a staff member.ProcessMay 9, 2026
personnel activityMWEcandidateMay 9, 2026
personnel policynounA set of rules that define the manner in which an organization deals with a human resources or personnel-related matter.RequirementInternalMay 12, 2026
personnel policyMWEcandidateMay 12, 2026
Personnel Registration ManagernounThe management role that is responsible for registering human users, i.e., users that are people.RoleMay 9, 2026
Personnel Registration ManagerMWEcandidateMay 9, 2026
personnel risk assessmentnounThe purpose of this task is to determine the risk that personnel pose to the organization.ProcessRegulatedPIIMay 9, 2026
personnel risk assessmentMWEcandidateMay 9, 2026
personnel risk assessment programnounA documented listing of procedures and instructions to be performed to complete a personnel risk assessment.ProcessRegulatedMay 12, 2026
personnel risk assessment programMWEcandidateMay 12, 2026
persuadeverbconvince someone to adopt a position through evidence and reasoningEvaluateUnclassifiedMay 11, 2026
pharmingnounThis is a more sophisticated form of MITM attack. A user’s session is redirected to a masquerading website. This can be achieved by corrupting a DNS server on the Internet and pointing a URL to the masquerading website’s IP. Almost all users use a URL like www.worldbank.com instead of the real IP (192.86.99.140) of the website. Changing the pointers on a DNS server, the URL can be redirected to send traffic to the IP of the pseudo website. At the pseudo website, transactions can be mimicked and information like login credentials can be gathered. With this the attacker can access the real www.worldbank.com site and conduct transactions using the credentials of a valid user on that website.ThreatPIIMay 12, 2026
PhasenounA project segment.ProcessMay 9, 2026
PhishingnounA digital form of social engineering that uses authentic-looking—but bogus—emails to request information from users or direct them to a fake Web site that requests information.ThreatMay 9, 2026
physical accessnounThe ability of people to physically gain access to a computer system or facility.ControlRegulatedMay 9, 2026
physical accessMWEcandidateMay 9, 2026
physical access controlnounA mechanism, system, or barrier that prevents unauthorized physical access to an area or a facility.ControlMay 9, 2026
physical access controlMWEcandidateMay 9, 2026
physical access control systemnounPhysical access control enables an authority to control admission to areas and resources in a physical facility. A physical access control system may restrict access via swipe cards, Personal Identity Verification (PIV) 'Smart' cards, and biometric (i.e. fingerprint) readers. Physical access control systems are generally seen as the second layer in the security of a physical facility after fences, doors and barriers.ControlRegulatedMay 9, 2026
physical access control systemMWEcandidateMay 9, 2026
Physical Access Control system maintenance and testing programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to ensure continued maintenance and testing of the Physical Access Control System.ControlRegulatedCUIMay 9, 2026
physical access lognounA record of who has accessed something.ArtifactRegulatedMay 12, 2026
physical access logMWEcandidateMay 12, 2026
physical controlnounA mechanism that provides for the physical safety of assets.ControlMay 9, 2026
physical controlMWEcandidateMay 9, 2026
physical environmentnounThe physical external surrounding and conditions in which something exists.PhysicalMay 12, 2026
physical environmentMWEcandidateMay 12, 2026
physical operating environment authority documentnounStatutes, regulations, safe harbors, audit guidelines, best practices, Service Level Agreements, Contractual Obligations, organizational policies and procedures, and any other documents that define the temperatures, humidity levels, electromagnetic levels, vibration levels, power levels, and space required for any device to operate properly.RequirementInternalMay 12, 2026
physical securitynounThe protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.ControlRegulatedMay 12, 2026
physical securityMWEcandidateMay 12, 2026
physical security controlnounDevices that rely on the proper application of physical barriers and deterrents to control behavior. It's through the use of physical controls that an organization controls physical access to facilities and systems. They also assist in maintaining the operating environments necessary to continue information processing and delivery activities.ControlMay 9, 2026
physical security controlMWEcandidateMay 9, 2026
physical security perimeternounA type of gate, door, wall, or fence system that is intended to restrict and control the physical access or egress of personnel.PhysicalRegulatedMay 9, 2026
physical security perimeterMWEcandidateMay 9, 2026
physical security plannounA formal document that provides an overview of the security requirements for a physical security program and describes the security controls in place or planned for meeting those requirements.ArtifactRegulatedCUIMay 12, 2026
physical security planMWEcandidateMay 12, 2026
Physically Isolated NetworknounA network that is not connected to entities or systems outside a physically controlled space.NetworkRestrictedMay 9, 2026
Physically Isolated NetworkMWEcandidateMay 9, 2026
PiconetnounA small Bluetooth network created on an ad hoc basis that includes two or more devices.NetworkMay 9, 2026
picture graphicallyverbrepresent information through visual illustrations, charts, or diagramsUnderstandUnclassifiedMay 11, 2026
picture graphicallyMWEverifiedMay 11, 2026
PII Confidentiality Impact LevelnounThe PII confidentiality impact level—low, moderate, or high—indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.MetricRegulatedPIIMay 9, 2026
PII Confidentiality Impact LevelMWEcandidateMay 9, 2026
Ping of DeathnounAn attack that sends an improperly large ICMP echo request packet (a "ping") with the intent of overflowing the input buffers of the destination machine and causing it to crash.ThreatMay 12, 2026
Ping of DeathMWEcandidateMay 12, 2026
Ping ScannounA ping scan looks for machines that are responding to ICMP Echo Requests.CapabilityMay 9, 2026
Ping ScanMWEcandidateMay 9, 2026
Ping SweepnounAn attack that sends ICMP echo requests ("pings") to a range of IP addresses, with the goal of finding hosts that can be probed for vulnerabilities.ThreatMay 9, 2026
Ping SweepMWEcandidateMay 9, 2026
placenounA physical environment, point, or position; portion of space; location.PhysicalMay 9, 2026
Plain old telephone servicenounA wired telecommunications system.NetworkMay 12, 2026
Plain old telephone serviceMWEcandidateMay 12, 2026
Plain old telephone system (POTS)nounBasic telephone service.NetworkMay 12, 2026
Plain old telephone system (POTS)MWEcandidateMay 12, 2026
plaintextnounIntelligible data that has meaning and can be understood without the application of decryption.DataRegulatedMay 9, 2026
Plaintext KeynounAn unencrypted cryptographic key.CredentialRestrictedMay 12, 2026
Plaintext KeyMWEcandidateMay 12, 2026
planverbdevelop a detailed strategy or method for achieving a goalCreateUnclassifiedMay 11, 2026
plannounA sequence of steps for doing or achieving something.ProcessMay 12, 2026
Plan of Action and MilestonesnounA document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.ArtifactRegulatedCUIMay 9, 2026
Plan of Action and MilestonesMWEcandidateMay 9, 2026
PlatformnounThe underlying computer system on which applications programs run. A platform consists of an operating system, the computer system's coordinating program, which in turn is built on the instruction set for a processor or microprocessor, and the hardware that performs logic operations and manages data movement in the computer.SystemMay 9, 2026
Platform as a ServicenounOffers the capability to deploy onto the cloud infrastructure customer-created or -acquired applications that are created using programming languages and tools supported by the providerSystemMay 12, 2026
Platform as a ServiceMWEcandidateMay 12, 2026
playverbengage in an activity for learning, exploration, or demonstrationApplyUnclassifiedMay 11, 2026
plotverbrepresent data on a graph or chart; develop a plan or storylineAnalyzeUnclassifiedMay 11, 2026
podcastverbcreate and publish audio content on a specific topicCreateUnclassifiedMay 11, 2026
pointverbdirect attention to or indicate a specific item or conceptAnalyzeUnclassifiedMay 11, 2026
Point Of ContactnounThis role is focused on being a representative of a group who facilitates communications between two or more groups, organizations, etc. on certain issues. Any individual who coordinates communications between groups, organizations, etc. on certain issues that they work on should be assigned to this role.RoleMay 9, 2026
Point Of ContactMWEcandidateMay 9, 2026
point outverbdraw attention to a specific detail, feature, or distinctionAnalyzeUnclassifiedMay 11, 2026
point outMWEverifiedMay 11, 2026
Point-of-sale (POS) networknounA network of institutions, debit cardholders, and merchants that permit consumers to make direct payment electronically at the place of purchase. The funds are withdrawn from the account of the cardholder.NetworkRegulatedPCIMay 9, 2026
Point-of-sale (POS) networkMWEcandidateMay 9, 2026
Point-to-Point ProtocolnounA protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. It packages your computer's TCP/IP packets and forwards them to the server where they can actually be put on the Internet.NetworkMay 9, 2026
Point-to-Point ProtocolMWEcandidateMay 9, 2026
Point-to-Point Tunneling ProtocolnounA protocol (set of communication rules) that allows corporations to extend their own corporate network through private "tunnels" over the public Internet.NetworkMay 9, 2026
Point-to-Point Tunneling ProtocolMWEcandidateMay 9, 2026
Poison ReversenounSplit horizon with poisoned reverse (more simply, poison reverse) does include such routes in updates, but sets their metrics to infinity. In effect, advertising the fact that these routes are not reachable.ControlMay 9, 2026
Poison ReverseMWEcandidateMay 9, 2026
policies and controlsnounA program that focuses on the policies and management of those policies.ControlMay 12, 2026
policies and controlsMWEcandidateMay 12, 2026
policynounAn official expression of principles that direct an organization's operations.RequirementMay 12, 2026
policy and procedurenounA set of policies are principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals and typically published in a booklet or other form that is widely accessible. Policies and procedures are designed to influence and determine all major decisions and actions, and all activities take place within the boundaries set by them. Procedures are the specific methods employed to express policies in action in day-to-day operations of the organization. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view.RequirementMay 9, 2026
policy and procedureMWEcandidateMay 9, 2026
Policy Approving AuthoritynounFirst level of the PKI Certification Management Authority that approves the security policy of each PCA.RoleRegulatedMay 9, 2026
Policy Approving AuthorityMWEcandidateMay 9, 2026
Policy Certification AuthoritynounSecond level of the PKI Certification Management Authority that formulates the security policy under which it and its subordinate CAs will issue public key certificates.OrganizationRegulatedMay 9, 2026
Policy Certification AuthorityMWEcandidateMay 9, 2026
Policy Management AuthoritynounBody established to oversee the creation and update of Certificate Policies, review Certification Practice Statements, review the results of CA audits for policy compliance, evaluate non-domain policies for acceptance within the domain, and generally oversee and manage the PKI certificate policies. For the FBCA, the PMA is the Federal PKI Policy Authority.OrganizationRegulatedMay 12, 2026
Policy Management AuthorityMWEcandidateMay 12, 2026
Policy MappingnounRecognizing that, when a CA in one domain certifies a CA in another domain, a particular certificate policy in the second domain may be considered by the authority of the first domain to be equivalent (but not necessarily identical in all respects) to a particular certificate policy in the first domain.ProcessRegulatedMay 12, 2026
Policy MappingMWEcandidateMay 12, 2026
Policy-Based Access ControlnounA form of access control that uses an authorization policy that is flexible in the types of evaluated parameters (e.g., identity, role, clearance, operational need, risk, and heuristics).ControlMay 9, 2026
Policy-Based Access ControlMWEcandidateMay 9, 2026
PolyinstantiationnounPolyinstantiation is the ability of a database to maintain multiple records with the same key. It is used to prevent inference attacks.ControlMay 9, 2026
PolymorphismnounPolymorphism is the process by which malicious software changes its underlying code to avoid detection.ThreatMay 9, 2026
Pop-up boxnounA dialog box that automatically appears when a person accesses a webpage.SystemMay 12, 2026
Pop-up boxMWEcandidateMay 12, 2026
portnounA physical entry or exit point of a cryptographic module that provides access to the module for physical signals, represented by logical information flows (physically separated ports do not share the same physical pin or wire).NetworkRegulatedMay 12, 2026
port rangenounIn computer networking, a designated range of port numbers. Port numbers are divided into three ranges: well-known ports, registered ports, and dynamic or private ports.NetworkMay 9, 2026
port rangeMWEcandidateMay 9, 2026
Port ScannounA port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well-known" port number, the computer provides. Port scanning, a favorite approach of computer crackers, gives the assailant an idea where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed for weakness.ThreatMay 9, 2026
Port ScanMWEcandidateMay 9, 2026
Port scanningnounUsing a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).ThreatMay 12, 2026
Port scanningMWEcandidateMay 12, 2026
Portable Electronic DevicenounAny nonstationary electronic apparatus with singular or multiple capabilities of recording, storing, and/or transmitting data, voice, video, or photo images. This includes but is not limited to laptops, personal digital assistants, pocket personal computers, palmtops, MP3 players, cellular telephones, thumb drives, video cameras, and pagers.PhysicalRegulatedCUIMay 9, 2026
Portable Electronic DeviceMWEcandidateMay 9, 2026
PortalnounA high-level remote access architecture that is based on a server that offers teleworkers access to one or more applications through a single centralized interface.SystemMay 9, 2026
portrayverbdepict or represent something through description, art, or performanceCreateUnclassifiedMay 11, 2026
PositionalitynouncandidateMay 13, 2026
Positive Control MaterialnounGeneric term referring to a sealed authenticator system, permissive action link, coded switch system, positive enable system, or nuclear command and control documents, material, or devices.PhysicalRegulatedCUIMay 9, 2026
Positive Control MaterialMWEcandidateMay 9, 2026
Positive paynounA technique that can reduce check fraud by requesting businesses to send electronic files of information to the financial institution on all checks the business has issued.ControlRegulatedMay 12, 2026
Positive payMWEcandidateMay 12, 2026
PossessionnounPossession is the holding, control, and ability to use information.RequirementMay 9, 2026
possiblenounSomething that can be done.candidateMay 9, 2026
postverbpublish or share content on a platform for others to accessEvaluateUnclassifiedMay 11, 2026
Post Office Protocol, Version 3nounAn Internet Standard protocol by which a client workstation can dynamically access a mailbox on a server host to retrieve mail messages that the server has received and is holding for the client.NetworkMay 9, 2026
Post Office Protocol, Version 3MWEcandidateMay 9, 2026
Post-Hoc ExplanationnouncandidateMay 13, 2026
Post-Hoc ExplanationMWEcandidateMay 13, 2026
Post-ProcessingnounProcessRegulatedMay 13, 2026
Post-Processing AlgorithmnounProcessRegulatedMay 13, 2026
Post-Processing AlgorithmMWEcandidateMay 13, 2026
potential impactnounThe loss of confidentiality, integrity, or availability could be expected to have: 1) a limited adverse effect (FIPS 199 low); 2) a serious adverse effect (FIPS 199 moderate); or 3) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals.MetricMay 9, 2026
potential impactMWEcandidateMay 9, 2026
Practical Extraction and Reporting LanguagenounA script programming language that is similar in syntax to the C language and that includes a number of popular Unix facilities such as sed, awk, and tr.CapabilityMay 12, 2026
Practical SignificancenouncandidateMay 13, 2026
Practical SignificanceMWEcandidateMay 13, 2026
practiceverbrepeatedly perform an activity to improve skill or reinforce learningApplyUnclassifiedMay 11, 2026
practicenounA customary way of operation or behavior.ProcessMay 9, 2026
Practice StatementnounA formal statement of the practices followed by an authentication entity (e.g., RA, CSP, or Verifier). It usually describes the policies and practices of the parties and can become legally binding.ArtifactInternalMay 12, 2026
Practice StatementMWEcandidateMay 12, 2026
Pre-Processing AlgorithmnounProcessRegulatedMay 13, 2026
Pre-Processing AlgorithmMWEcandidateMay 13, 2026
PreamblenounA preamble is a signal used in network communications to synchronize the transmission timing between two or more systems. Proper timing ensures that all systems are interpreting the start of the information transfer correctly. A preamble defines a specific series of transmission pulses that is understood by communicating systems to mean "someone is about to transmit data". This ensures that systems receiving the information correctly interpret when the data transmission starts. The actual pulses used as a preamble vary depending on the network communication technology in use.NetworkMay 12, 2026
PrecisionnounMetricMay 13, 2026
precursornounA sign that an attacker may be preparing to cause an incident. See Indicator.EventMay 9, 2026
predictverbforecast or estimate a future outcome based on evidence or patternsCreateUnclassifiedMay 11, 2026
PredictionnouncandidateMay 13, 2026
Prediction ResistancenounPrediction resistance is provided relative to time T if there is assurance that an adversary who has knowledge of the internal state of the DRBG at some time prior to T would be unable to distinguish between observations of ideal random bitstrings and bitstrings output by the DRBG at or subsequent to time T. The complementary assurance is called Backtracking Resistance.ControlRegulatedMay 12, 2026
Prediction ResistanceMWEcandidateMay 12, 2026
Predictive AnalysisnouncandidateMay 13, 2026
Predictive AnalysisMWEcandidateMay 13, 2026
Predictive AnalyticsnouncandidateMay 13, 2026
Predictive AnalyticsMWEcandidateMay 13, 2026
Predisposing ConditionnounA condition that exists within an organization, a mission/business process, enterprise architecture, or information system including its environment of operation, which contributes to (i.e., increases or decreases) the likelihood that one or more threat events, once initiated, will result in undesirable consequences or adverse impact to organizational operations and assets, individuals, other organizations, or the Nation.VulnerabilityMay 9, 2026
Predisposing ConditionMWEcandidateMay 9, 2026
preliminary examinationnounAn examination taken by graduate students to determine their fitness to continue.ProcessMay 12, 2026
preliminary examinationMWEcandidateMay 12, 2026
prepareverbmake ready for a specific purpose by organizing or assembling requirementsCreateUnclassifiedMay 11, 2026
PreparednessnounThe activities to build, sustain, and improve readiness capabilities to prevent, protect against, respond to, and recover from natural or manmade incidents.ProcessMay 12, 2026
PreprocessingnounProcessRegulatedMay 13, 2026
Preproduction ModelnounVersion of INFOSEC equipment employing standard parts and suitable for complete evaluation of form, design, and performance. Preproduction models are often referred to as beta models.SystemMay 12, 2026
Preproduction ModelMWEcandidateMay 12, 2026
prescribeverbrecommend or specify a course of action, treatment, or solutionCreateUnclassifiedMay 11, 2026
Prescriptive AnalyticsnouncandidateMay 13, 2026
Prescriptive AnalyticsMWEcandidateMay 13, 2026
presentverbdisplay, deliver, or show information or work to an audienceApplyUnclassifiedMay 11, 2026
Presentment feenounA fee that an institution receiving a check may impose on the institution that presents the check for payment. No presentment fee may be charged for checks presented by 8 a.m. local time.RequirementRegulatedMay 9, 2026
Presentment feeMWEcandidateMay 9, 2026
Pretty Good PrivacynounTrademark of Network Associates, Inc., referring to a computer program (and related protocols) that uses cryptography to provide data security for electronic mail and other applications on the Internet.CapabilityMay 12, 2026
Pretty Good PrivacyMWEcandidateMay 12, 2026
preventverbTo keep something from happening or stop someone from doing something.UnclassifiedMay 11, 2026
Preventive controlnounA mitigating technique designed to prevent an event from occurring.ControlMay 9, 2026
Preventive controlMWEcandidateMay 9, 2026
previous residencenounA location where someone was living before where that person is currently living.DataRegulatedPIIMay 9, 2026
previous residenceMWEcandidateMay 9, 2026
priceverbdetermine or assign a monetary value to a product or serviceApplyUnclassifiedMay 11, 2026
Primary Services NodenounA Key Management Infrastructure core node that provides the users’ central point of access to KMI products, services, and information.SystemRegulatedCUIMay 12, 2026
Primary Services NodeMWEcandidateMay 12, 2026
Prime numbernounA natural number greater than 1 that can only be divided by 1 and itself.candidateMay 12, 2026
Prime numberMWEcandidateMay 12, 2026
PrincipalnounAn entity whose identity can be authenticated.IdentityMay 9, 2026
Principal Accrediting AuthoritynounSenior official with authority and responsibility for all intelligence systems within an agency.RoleRestrictedCUIMay 9, 2026
Principal Accrediting AuthorityMWEcandidateMay 9, 2026
Principal Certification AuthoritynounThe Principal Certification Authority is a CA designated by an agency to interoperate with the FBCA. An agency may designate multiple Principal CAs to interoperate with the FBCA.IdentityRegulatedCUIMay 9, 2026
Principal Certification AuthorityMWEcandidateMay 9, 2026
Principle of least privilegenounThe security objective of granting users only the access needed to perform official duties.RequirementMay 12, 2026
Principle of least privilegeMWEcandidateMay 12, 2026
Principle of least privilege/accessnounControls used to allow the least privilege access needed to complete a taskControlMay 9, 2026
Print SuppressionnounEliminating the display of characters in order to preserve their secrecy.ControlRegulatedMay 12, 2026
Print SuppressionMWEcandidateMay 12, 2026
priornounExisting or coming before in time, order, or importance.candidateMay 9, 2026
prior tonounThis limits a Control or Mandate's secondary verb to be put into play before the event takes place.RequirementRegulatedMay 12, 2026
prior toMWEcandidateMay 12, 2026
prioritizeverbrank items or tasks in order of importance or urgencyEvaluateUnclassifiedMay 11, 2026
prioritynounA category based on impact and urgency used to identify the relative importance of an incident, problem, or change and the required time for action to be taken. For example, the SLA may state that priority 2 incidents must be resolved within 12 hours.MetricMay 9, 2026
PrivacynounRestricting access to subscriber or Relying Party information in accordance with federal law and agency policy.RequirementRegulatedMay 13, 2026
Privacy Impact AssessmentnounAn analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.ArtifactConfidentialPIIMay 12, 2026
Privacy Impact AssessmentMWEcandidateMay 12, 2026
Privacy SystemnounCommercial encryption system that affords telecommunications limited protection to deter a casual listener, but cannot withstand a technically competent cryptanalytic attack.SystemRegulatedMay 12, 2026
Privacy SystemMWEcandidateMay 12, 2026
Privacy-By-DesignnounControlRegulatedMay 13, 2026
Privacy-Enhancing TechnologynouncandidateMay 13, 2026
Privacy-Enhancing TechnologyMWEcandidateMay 13, 2026
Private AddressingnounIANA has set aside three address ranges for use by private or non-Internet connected networks. This is referred to as Private Address Space and is defined in RFC 1918. The reserved address blocks are: 10.0.0.0 to 10.255.255.255 (10/8 prefix); 172.16.0.0 to 172.31.255.255 (172.16/12 prefix); and 192.168.0.0 to 192.168.255.255 (192.168/16 prefix).NetworkMay 12, 2026
Private AddressingMWEcandidateMay 12, 2026
Private branch exchange (PBX)nounA telephone system within an enterprise that switches calls between enterprise users on local lines while allowing all users to share a certain number of external phone lines.SystemMay 12, 2026
Private branch exchange (PBX)MWEcandidateMay 12, 2026
private keynounA cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and is not made public. In an asymmetric (public) cryptosystem, the private key is associated with a public key. Depending on the algorithm, the private key may be used, for example, to: 1) Compute the corresponding public key, 2) Compute a digital signature that may be verified by the corresponding public key, 3) Decrypt keys that were encrypted by the corresponding public key, or 4) Compute a shared secret during a key-agreement transaction.CredentialMay 9, 2026
private keyMWEcandidateMay 9, 2026
Private key infrastructure (PKI)nounThe use of public key cryptography in which each customer has a key pair (e.g., a unique electronic value called a public key and a mathematically-related private key). The private key is used to encrypt (sign) a message that can only be decrypted by the corresponding public key or to decrypt a message previously encrypted with the public key. The public key is used to decrypt a message previously encrypted (signed) using an individual's private key or to encrypt a message so that it can only be decrypted (read) using the intended recipient's private key.CredentialMay 9, 2026
Private key infrastructure (PKI)MWEcandidateMay 9, 2026
Private label cardnounSee "Store Card".DataRegulatedPCIMay 9, 2026
Private label cardMWEcandidateMay 9, 2026
PrivilegenounA right granted to an individual, a program, or a process.CapabilityMay 9, 2026
Privilege ManagementnounThe definition and management of policies and processes that define the ways in which the user is provided access rights to enterprise systems. It governs the management of the data that constitutes the user’s privileges and other attributes, including the storage, organization and access to information in directories.ProcessMay 12, 2026
Privilege ManagementMWEcandidateMay 12, 2026
Privileged accessnounIndividuals with the ability to override system or application controls.CapabilityRestrictedMay 9, 2026
Privileged accessMWEcandidateMay 9, 2026
Privileged AccountnounAn information system account with approved authorizations of a privileged user.IdentityRestrictedMay 12, 2026
Privileged AccountMWEcandidateMay 12, 2026
Privileged CommandnounA human-initiated command executed on an information system involving the control, monitoring, or administration of the system including security functions and associated security-relevant information.ProcessRegulatedCUIMay 12, 2026
Privileged CommandMWEcandidateMay 12, 2026
Privileged ProcessnounA computer process that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary processes are not authorized to perform.ProcessMay 9, 2026
Privileged ProcessMWEcandidateMay 9, 2026
Privileged Protected AttributenouncandidateMay 13, 2026
Privileged Protected AttributeMWEcandidateMay 13, 2026
privileged usernounA user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.RoleMay 9, 2026
privileged userMWEcandidateMay 9, 2026
privileged utility programnounSpecialized system software used to perform a particular function or system maintenance that requires the ability to bypass, modify, or disable the technical or operational system security controls.SystemRestrictedMay 9, 2026
privileged utility programMWEcandidateMay 9, 2026
probeverbinvestigate or explore something deeply and thoroughlyEvaluateUnclassifiedMay 11, 2026
ProbenounA technique that attempts to access a system to learn something about the system.ThreatMay 9, 2026
problemnounAn underlying cause for one or more incidents.FindingMay 9, 2026
procedurenounAn established or official method for implementing a policy or performing a task or operation which must be executed in the same manner in order to obtain the same results in the same circumstances.RequirementMay 9, 2026
processverbperform a series of operations on data or materials to achieve a resultApplyUnclassifiedMay 11, 2026
processnounA series of operations performed by a computer.ProcessMay 9, 2026
Process FlownounProcessMay 13, 2026
Process FlowMWEcandidateMay 13, 2026
ProcessingnounProcessRegulatedPIIMay 13, 2026
Processing EnvironmentnounProcessRegulatedMay 13, 2026
Processing EnvironmentMWEcandidateMay 13, 2026
processing requirementnounA condition that must be fulfilled in order for something to be processed.RequirementRegulatedMay 9, 2026
processing requirementMWEcandidateMay 9, 2026
ProcessornounRegulatedMay 13, 2026
produceverbcreate, make, or generate an output or productCreateUnclassifiedMay 11, 2026
productnounAn article or substance produced by human or mechanical effort or by a natural process.candidateMay 9, 2026
Product ManagernounRoleMay 13, 2026
Product ManagerMWEcandidateMay 13, 2026
Product OwnernounRoleMay 13, 2026
Product OwnerMWEcandidateMay 13, 2026
Product Source NodenounThe Key Management Infrastructure core node that provides central generation of cryptographic key material.SystemRegulatedCUIMay 12, 2026
Product Source NodeMWEcandidateMay 12, 2026
productionnounThe purpose of this task is to transform tangible inputs and intangible inputs into goods or services, to create output or deliverables (goods or services) for another party, and to retrieve documents and make them available for use in a legal proceeding, especially as part of discovery.ProcessRegulatedMay 12, 2026
production codenounCode that is currently used in a production environment.DataRegulatedIPMay 9, 2026
production codeMWEcandidateMay 9, 2026
production environmentnounProduction environment is a term used mostly by developers to describe the setting where software and other products are actually put into operation for their intended uses by end users. A production environment can be thought of as a real-time setting where programs are run and hardware setups are installed and relied on for organization or commercial daily operations.SystemMay 12, 2026
production environmentMWEcandidateMay 12, 2026
Production ModelnounINFOSEC equipment in its final mechanical and electrical form.PhysicalRegulatedMay 12, 2026
Production ModelMWEcandidateMay 12, 2026
ProductizationnouncandidateMay 13, 2026
ProfilingnounMeasuring the characteristics of expected activity so that changes to it can be more easily identified.ProcessRegulatedPIIMay 13, 2026
programverbwrite coded instructions to create software or automate processesCreateUnclassifiedMay 11, 2026
programnounA structured grouping of interdependent projects that includes the full scope of business, process, people, technology, and organizational activities that are required (both necessary and sufficient) to achieve a clearly specified business outcome.ProcessMay 9, 2026
Program InfectornounA program infector is a piece of malware that attaches itself to existing program files.ThreatMay 9, 2026
Program InfectorMWEcandidateMay 9, 2026
Program PolicynounA program policy is a high-level policy that sets the overall tone of an organization's security approach.RequirementInternalMay 9, 2026
Program PolicyMWEcandidateMay 9, 2026
progressnounAdvance or development toward a better, more complete, or more modern condition.MetricMay 12, 2026
prohibitverbTo forbid something by authority, law, or other rule.UnclassifiedMay 11, 2026
projectverbestimate or forecast future outcomes; present work to an audienceApplyUnclassifiedMay 11, 2026
ProjectnounA task involving the acquisition, development, or maintenance of a technology product.ProcessMay 9, 2026
Project managementnounThe application of processes, methods, knowledge, skills and experience to complete a project.ProcessMay 9, 2026
Project managementMWEcandidateMay 9, 2026
Promiscuous ModenounA configuration setting for a network interface card that causes it to accept all incoming packets that it sees, regardless of their intended destinations.ControlMay 12, 2026
Promiscuous ModeMWEcandidateMay 12, 2026
promptnounIn Computing: to request input from a user.candidateMay 12, 2026
proofverbTo proofread.RememberUnclassifiedMay 11, 2026
Proof of deposit (POD)nounThe verification of the dollar amount written on a negotiable instrument being deposited.ArtifactRegulatedMay 12, 2026
Proof of deposit (POD)MWEcandidateMay 12, 2026
proofreadverbreview text carefully to detect and correct errorsAnalyzeUnclassifiedMay 11, 2026
propertynounSomething tangible or intangible owned or belonging to someone.PhysicalMay 9, 2026
proposeverbput forward an idea, plan, or suggestion for considerationCreateUnclassifiedMay 11, 2026
Proprietary InformationnounMaterial and information relating to or associated with a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications; marketing plans or techniques; schematics; client lists; computer programs; processes; and know-how that has been clearly identified and properly marked by the company as proprietary information, trade secrets, or company confidential information. The information must have been developed by the company and not be available to the government or to the public without restriction from another source.DataRestrictedIPMay 9, 2026
Proprietary InformationMWEcandidateMay 9, 2026
protectverbtake measures to keep something safe from harm or lossApplyUnclassifiedMay 11, 2026
Protect & DefendnounA NICE Workforce Framework category consisting of specialty areas responsible for the identification, analysis, and mitigation of threats to internal IT systems or networks.CapabilityMay 9, 2026
Protect & DefendMWEcandidateMay 9, 2026
Protect FunctionnounA Cybersecurity Function that focuses on developing and implementing the appropriate safeguards to ensure delivery of critical infrastructure services.CapabilityMay 9, 2026
Protect FunctionMWEcandidateMay 9, 2026
Protected AttributenouncandidateMay 13, 2026
Protected AttributeMWEcandidateMay 13, 2026
Protected ClassnounRegulatedMay 13, 2026
Protected ClassMWEcandidateMay 13, 2026
Protected Distribution SystemnounWire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information through an area of lesser classification or control.NetworkRegulatedCUIMay 9, 2026
Protected Distribution SystemMWEcandidateMay 9, 2026
protectionnounThe activity of keeping someone or something safe from harm or injury.ControlMay 9, 2026
Protection PhilosophynounInformal description of the overall design of an information system delineating each of the protection mechanisms employed. Combination of formal and informal techniques, appropriate to the evaluation class, used to show the mechanisms are adequate to enforce the security policy.RequirementMay 9, 2026
Protection PhilosophyMWEcandidateMay 9, 2026
Protection ProfilenounCommon Criteria specification that represents an implementation-independent set of security requirements for a category of Targets of Evaluation (TOE) that meets specific consumer needs.FrameworkInternalMay 12, 2026
Protection ProfileMWEcandidateMay 12, 2026
Protective Distribution SystemnounWire line or fiber optic system that includes adequate safeguards and/or countermeasures (e.g., acoustic, electric, electromagnetic, and physical) to permit its use for the transmission of unencrypted information.SystemRegulatedCUIMay 9, 2026
Protective Distribution SystemMWEcandidateMay 9, 2026
protective measurenounAny precautionary action, procedure or installation conceived or undertaken to guard or defend from harm persons, property or the environment.ControlMay 9, 2026
protective measureMWEcandidateMay 9, 2026
Protective PackagingnounPackaging techniques for COMSEC material that discourage penetration, reveal a penetration has occurred or was attempted, or inhibit viewing or copying of keying material prior to the time it is exposed for use.ControlRegulatedCUIMay 9, 2026
Protective PackagingMWEcandidateMay 9, 2026
Protective TechnologiesnounSpecial tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material.ControlRegulatedCUIMay 9, 2026
Protective TechnologiesMWEcandidateMay 9, 2026
protective technologynounSpecial tamper-evident features and materials employed for the purpose of detecting tampering and deterring attempts to compromise, modify, penetrate, extract, or substitute information processing equipment and keying material.ControlRegulatedMay 9, 2026
protective technologyMWEcandidateMay 9, 2026
ProtocolnounSet of rules and formats, semantic and syntactic, permitting information systems to exchange information.NetworkMay 9, 2026
Protocol Data UnitnounA unit of data specified in a protocol and consisting of protocol information and, possibly, user data.DataMay 12, 2026
Protocol Data UnitMWEcandidateMay 12, 2026
Protocol EntitynounEntity that follows a set of rules and formats (semantic and syntactic) that determines the communication behavior of other entities.NetworkMay 9, 2026
Protocol EntityMWEcandidateMay 9, 2026
Protocol StacksnounA set of network protocol layers that work together.NetworkMay 9, 2026
Protocol StacksMWEcandidateMay 9, 2026
protocols, ports, applications, and services listnounA compilation of all protocols, ports, applications, and services that are available.ArtifactInternalMay 12, 2026
PrototypenouncandidateMay 13, 2026
proveverbdemonstrate the truth or validity of something through evidence or logicEvaluateUnclassifiedMay 11, 2026
provideverbsupply, furnish, or make available needed information or resourcesApplyUnclassifiedMay 11, 2026
provide accessverbTo make something accessible, or make accessible an endeavor someone is to undertake.UnclassifiedMay 11, 2026
provide accessMWEcandidateMay 11, 2026
provide fornounMake adequate preparation for something.RequirementRegulatedMay 9, 2026
provide forMWEcandidateMay 9, 2026
provisionnounSomething provided or supplied.RequirementRegulatedMay 12, 2026
ProvisioningnounProcessMay 13, 2026
ProxynounA proxy is an application that “breaks” the connection between client and server. The proxy accepts certain types of traffic entering or leaving a network and processes it and forwards it. This effectively closes the straight path between the internal and external networks making it more difficult for an attacker to obtain internal addresses and other details of the organization’s internal network. Proxy servers are available for common Internet services; for example, a Hyper Text Transfer Protocol (HTTP) proxy used for Web access, and a Simple Mail Transfer Protocol (SMTP) proxy used for email.NetworkMay 9, 2026
Proxy AgentnounA software application running on a firewall or on a dedicated proxy server that is capable of filtering a protocol and routing it between the interfaces of the device.NetworkMay 9, 2026
Proxy AgentMWEcandidateMay 9, 2026
Proxy servernounA server that services the requests of its clients by forwarding those requests to other servers.NetworkMay 9, 2026
Proxy serverMWEcandidateMay 9, 2026
Pseudo-Anonymization (pseudonymization)nounRegulatedPIIMay 13, 2026
Pseudonymnoun1. A subscriber name that has been chosen by the subscriber that is not verified as meaningful by identity proofing. 2. An assigned identity that is used to protect an individual’s true identity.CredentialRestrictedPIIMay 9, 2026
Pseudorandom number generatornounAn algorithm that produces a sequence of bits that are uniquely determined from an initial value called a seed. The output of the PRNG “appears” to be random, i.e., the output is statistically indistinguishable from random values. A cryptographic PRNG has the additional property that the output is unpredictable, given that the seed is not known.CapabilityMay 9, 2026
Pseudorandom number generatorMWEcandidateMay 9, 2026
Public Domain SoftwarenounSoftware not protected by copyright laws of any nation that may be freely used without permission of, or payment to, the creator, and that carries no warranties from, or liabilities to the creator.DataPublicPublicInfoMay 9, 2026
Public Domain SoftwareMWEcandidateMay 9, 2026
public keynounA cryptographic key, used with a public key cryptographic algorithm, that is uniquely associated with an entity and may be made public. In an asymmetric (public) cryptosystem, the public key is associated with a private key. The public key may be known by anyone and, depending on the algorithm, may be used, for example, to: 1) Verify a digital signature that is signed by the corresponding private key, 2) Encrypt keys that can be decrypted by the corresponding private key, or 3) Compute a shared secret during a key-agreement transaction.CredentialMay 9, 2026
public keyMWEcandidateMay 9, 2026
Public Key Asymmetric Cryptographic AlgorithmnounA cryptographic algorithm that uses two related keys, a public key and a private key. The two keys have the property that deriving the private key from the public key is computationally infeasible.CredentialMay 9, 2026
Public Key CertificatenounA digital document issued and digitally signed by the private key of a Certificate authority that binds the name of a Subscriber to a public key. The certificate indicates that the Subscriber identified in the certificate has sole control and access to the private key.CredentialMay 9, 2026
Public Key CertificateMWEcandidateMay 9, 2026
public key cryptographynounEncryption system that uses a public-private key pair for encryption and/or digital signature.CredentialMay 9, 2026
public key cryptographyMWEcandidateMay 9, 2026
Public Key EnablingnounThe incorporation of the use of certificates for security services such as authentication, confidentiality, data integrity, and non-repudiation.CredentialMay 9, 2026
Public Key EnablingMWEcandidateMay 9, 2026
Public key encryptionnounA cryptographic system that uses two keys: one is a public key, which is known to everyone, and the second is a private or secret key, which is only known to the recipient of the message. See also Asymmetric Key.CredentialMay 9, 2026
Public key encryptionMWEcandidateMay 9, 2026
Public key infrastructurenounThe framework and services that provide for the generation, production, distribution, control, accounting, and destruction of public key certificates. Components include the personnel, policies, processes, server platforms, software, and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, recover, and revoke public key certificates.CredentialMay 9, 2026
Public key infrastructureMWEcandidateMay 9, 2026
public networknounA network established and operated by a third-party telecommunications provider for the specific purpose of providing data transmission services for the public. Data over public networks can be intercepted, modified, and/or diverted while in transit. Examples of public networks include, but are not limited to, the Internet, wireless, and mobile technologies.NetworkPublicMay 12, 2026
public networkMWEcandidateMay 12, 2026
Public RelationsnounThe professional maintenance of a favorable public image by a company or other organization or a famous person.OrganizationMay 9, 2026
Public RelationsMWEcandidateMay 9, 2026
Public SeednounA starting value for a pseudorandom number generator. The value produced by the random number generator may be made public. The public seed is often called a “salt.”DataPublicMay 9, 2026
Public SeedMWEcandidateMay 9, 2026
Public switched telephone networknounA communications system that sets up a dedicated channel (or circuit) between two points for the duration of the transmission.NetworkMay 9, 2026
Public switched telephone networkMWEcandidateMay 9, 2026
Public-Key Forward SecrecynounFor a key agreement protocol based on asymmetric cryptography, the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future.ControlMay 12, 2026
Public-Key Forward SecrecyMWEcandidateMay 12, 2026
publishverbmake content publicly available through print or digital mediaCreateUnclassifiedMay 11, 2026
PurgenounRendering sanitized data unrecoverable by laboratory attack methods.ProcessRegulatedMay 12, 2026
QAZnounA network worm.ThreatMay 9, 2026
QuadrantnounShort name referring to technology that provides tamper-resistant protection to cryptographic equipment.PhysicalRegulatedCUIMay 9, 2026
qualificationnounAn attribute or accomplishment that makes someone suitable for a particular job or activity.RoleMay 9, 2026
qualified personnelnounA person who is certified or licensed to work in a specific field; competent person.RoleMay 9, 2026
qualified personnelMWEcandidateMay 9, 2026
Qualitative AssessmentnounUse of a set of methods, principles, or rules for assessing risk based on nonnumeric categories or levels.ProcessMay 9, 2026
Qualitative AssessmentMWEcandidateMay 9, 2026
qualitynounThe degree of excellence of something.MetricMay 9, 2026
Quality AssurancenounThe purpose of this function is to review the software project activities and to test the software products throughout their life cycle in order to determine if they are meeting the functional specifications of the users and are following the established plans, standards, and procedures to maintain a desired level of quality for a service or product.ProcessMay 12, 2026
Quality AssuranceMWEcandidateMay 12, 2026
Quality of ServicenounThe measurable end-to-end performance properties of a network service, which can be guaranteed in advance by a Service-Level Agreement between a user and a service provider, so as to satisfy specific customer application requirements. Note: These properties may include throughput (bandwidth), transit delay (latency), error rates, priority, security, packet loss, packet jitter, etc.CapabilityMay 12, 2026
Quality of ServiceMWEcandidateMay 12, 2026
quantifyverbexpress or measure the quantity or amount of something numericallyAnalyzeUnclassifiedMay 11, 2026
Quantitative AssessmentnounUse of a set of methods, principles, or rules for assessing risks based on the use of numbers where the meanings and proportionality of values are maintained inside and outside the context of the assessment.ProcessMay 9, 2026
Quantitative AssessmentMWEcandidateMay 9, 2026
QuarantinenounStore files containing malware in isolation for future disinfection or examination.ControlMay 12, 2026
queryverbask a question or submit a request for specific informationAnalyzeUnclassifiedMay 11, 2026
questionverbpose inquiries to challenge, clarify, or investigate somethingAnalyzeUnclassifiedMay 11, 2026
quoteverbrepeat or reproduce the exact words from a sourceRememberUnclassifiedMay 11, 2026
Race ConditionnounA race condition exploits the small window of time between a security control being applied and when the service is used.VulnerabilityMay 9, 2026
Race ConditionMWEcandidateMay 9, 2026
RacializednouncandidateMay 13, 2026
Radiation MonitoringnounRadiation monitoring is the process of receiving images, data, or audio from an unprotected source by listening to radiation signals.ProcessRegulatedMay 9, 2026
Radiation MonitoringMWEcandidateMay 9, 2026
Radio Frequency IdentificationnounA form of automatic identification and data capture (AIDC) that uses electric or magnetic fields at radio frequencies to transmit information.PhysicalMay 12, 2026
Radio Frequency IdentificationMWEcandidateMay 12, 2026
Random Bit GeneratornounA device or algorithm that outputs a sequence of binary bits that appears to be statistically independent and unbiased. An RBG is either a DRBG or an NRBG.CapabilityMay 12, 2026
Random Bit GeneratorMWEcandidateMay 12, 2026
Random Number GeneratornounRandom Number Generators (RNGs) used for cryptographic applications typically produce a sequence of zero and one bits that may be combined into sub-sequences or blocks of random numbers. There are two basic classes: deterministic and nondeterministic. A deterministic RNG consists of an algorithm that produces a sequence of bits from an initial value called a seed. A nondeterministic RNG produces output that is dependent on some unpredictable physical source that is outside human control.CapabilityRestrictedMay 9, 2026
Random Number GeneratorMWEcandidateMay 9, 2026
RandomizernounAnalog or digital source of unpredictable, unbiased, and usually independent bits. Randomizers can be used for several different functions, including key generation or to provide a starting state for a key generator.CapabilityRegulatedMay 12, 2026
rankverbarrange items in order based on relative value, quality, or importanceEvaluateUnclassifiedMay 11, 2026
RankingnouncandidateMay 13, 2026
RansomwarenounA type of malware that is a form of extortion. It works by encrypting a victim's hard drive denying them access to key files. The victim must then pay a ransom to decrypt the files and gain access to them again.ThreatMay 9, 2026
rateverbassign a value or score on a scale to indicate quality or performanceEvaluateUnclassifiedMay 11, 2026
ratingnounA classification according to a comparative assessment of quality, standard, or performance.MetricMay 12, 2026
readverbexamine and comprehend written or printed textEvaluateUnclassifiedMay 11, 2026
ReadnounFundamental operation in an information system that results only in the flow of information from an object to a subject.CapabilityMay 9, 2026
Read AccessnounPermission to read information in an information system.ControlMay 9, 2026
Read AccessMWEcandidateMay 9, 2026
read-only medianounMedia that can only be written to once.PhysicalRegulatedMay 9, 2026
read-only mediaMWEcandidateMay 9, 2026
Real time gross settlement (RTGS) SystemnounA type of payments system operating in real time rather than batch processing mode. It provides immediate finality of transactions. Gross settlement refers to the settlement of each transfer individually rather than netting. Fedwire® is an example of a real time gross settlement system.SystemRegulatedMay 12, 2026
Real-time network monitoringnounImmediate response to a penetration attempt that is detected and diagnosed in time to prevent access.CapabilityMay 12, 2026
Real-time network monitoringMWEcandidateMay 12, 2026
Real-Time ReactionnounImmediate response to a penetration attempt that is detected and diagnosed in time to prevent access.ProcessMay 9, 2026
Real-Time ReactionMWEcandidateMay 9, 2026
rearrangeverbreorganize elements into a new order or configurationCreateUnclassifiedMay 11, 2026
reasonnounA cause, explanation, or justification for an action or event.ArtifactMay 12, 2026
reassignmentnounAssignment to a different duty.ProcessInternalMay 9, 2026
recallverbretrieve information from memory without cues or promptsRememberUnclassifiedMay 11, 2026
RecallnounMetricMay 13, 2026
receiptnounA written or printed acknowledgment that something has been paid for or that goods have been received.ArtifactInternalMay 12, 2026
receiveverbTo be given, presented with, paid, or come into possession of something.UnclassifiedMay 11, 2026
ReceivernounAn individual, corporation, or other entity that has authorized a company or an originator to initiate a credit or debit entry to a transaction account belonging to the receiver held at its RDFI.IdentityRegulatedPIIMay 9, 2026
Receiving depository financial institution (RDFI)nounAny financial institution qualified to receive debits or credits through its ACH operator in accordance with the ACH rules.OrganizationRegulatedMay 9, 2026
Recipient Usage PeriodnounThe period of time during the cryptoperiod of a symmetric key when protected information is processed.MetricRegulatedMay 12, 2026
Recipient Usage PeriodMWEcandidateMay 12, 2026
Reciprocal agreementnounAn agreement whereby two organizations with similar computer systems agree to provide computer processing time for the other in the event one of the systems is rendered inoperable. Processing time may be provided on a "best effort" or as "time available" basis; therefore, reciprocal agreements are not usually acceptable as a primary recovery option.RequirementInternalMay 12, 2026
Reciprocal agreementMWEcandidateMay 12, 2026
ReciprocitynounMutual agreement among participating organizations to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information.ProcessMay 12, 2026
reciteverbrepeat or speak aloud from memoryUnderstandUnclassifiedMay 11, 2026
RecognitionnouncandidateMay 13, 2026
recognizeverbidentify something previously encountered or learnedUnderstandUnclassifiedMay 11, 2026
recommendverbsuggest a course of action based on evaluation and judgmentEvaluateUnclassifiedMay 11, 2026
recommendationnounA proposal for the best course of action.FindingRegulatedMay 12, 2026
Recommendation SystemnouncandidateMay 13, 2026
Recommendation SystemMWEcandidateMay 13, 2026
reconcileverbresolve conflicts or inconsistencies between differing elementsCreateUnclassifiedMay 11, 2026
reconcilementnounThe purpose of this task is to reestablish a close relationship or to settle or resolve something.ProcessInternalMay 12, 2026
ReconnaissancenounReconnaissance is the phase of an attack where an attacker finds new systems, maps out networks, and probes for specific, exploitable vulnerabilities.ThreatMay 9, 2026
reconstructverbrebuild or recreate something from existing parts or informationCreateUnclassifiedMay 11, 2026
Reconverting bank (Check 21)nounThe financial institution that creates a substitute check. With respect to a substitute check that was created by a person that is not a financial institution, the reconverting bank is the first financial institution that transfers, presents, or returns that substitute check or, in lieu thereof, the first paper or electronic representation of that substitute check. The reconverting bank warrants that (1) the substitute check is the legal equivalent of the original check; and (2) the original check cannot be presented again in any form so the customer pays the check only once.OrganizationRegulatedMay 9, 2026
Reconverting bank (Check 21)MWEcandidateMay 9, 2026
recordverbcapture and preserve information in written, audio, or digital formUnderstandUnclassifiedMay 11, 2026
recordnounAnything that is put down in permanent form and preserved as evidence.ArtifactRegulatedPIIMay 9, 2026
Records ManagementnounThe process for tagging information for records-keeping requirements as mandated in the Federal Records Act and the National Archival and Records Requirements.ProcessRegulatedCUIMay 9, 2026
Records ManagementMWEcandidateMay 9, 2026
records management procedurenounA detailed description of the steps necessary to systematically and administratively control records throughout their life cycle in conformance with applicable standards.RequirementMay 9, 2026
records management procedureMWEcandidateMay 9, 2026
recoursenounThe legal right to demand compensation or payment.RequirementRegulatedMay 9, 2026
recoververbTo return to a normal state.RememberUnclassifiedMay 11, 2026
Recover FunctionnounDevelop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.ProcessRegulatedMay 9, 2026
Recover FunctionMWEcandidateMay 9, 2026
RecoverynounThe phase in the incident response plan that ensures that affected systems or services are restored to a condition specified in the service delivery objectives (SDOs) or business continuity plan (BCP)ProcessMay 12, 2026
Recovery actionnounAn action that is undertaken to return something to a normal state.ProcessMay 9, 2026
Recovery actionMWEcandidateMay 9, 2026
recovery plannounThe written expression of a recovery process which consists of defining rules, processes, and disciplines to ensure that the critical business processes will continue to function if there is a failure of one or more of the information processing or telecommunications resources upon which their operations depend. The following are key elements to a disaster recovery plan: 1) Establish a planning group, 2) Perform risk assessment and audits, 3) Establish priorities for applications and networks, 4) Develop recovery strategies, 5) Prepare inventory and documentation of the plan, 6) Develop verification criteria and procedures, 7) Implement the plan.ProcessRegulatedMay 12, 2026
recovery planMWEcandidateMay 12, 2026
recovery planningnounThe activities undertaken to define a recovery process which consists of defining rules, processes, and disciplines to ensure that the critical business processes will continue to function if there is a failure of one or more of the information processing or telecommunications resources upon which their operations depend.ProcessInternalMay 9, 2026
recovery planningMWEcandidateMay 9, 2026
Recovery point objectivenounThe point in time to which data must be recovered after an outage.MetricMay 12, 2026
Recovery point objectiveMWEcandidateMay 12, 2026
Recovery point objective (RPO)nounThe amount of data that can be lost without severely impacting the recovery of operations or the point in time in which systems and data must be recovered (e.g., the date and time of a business disruption).MetricInternalMay 9, 2026
Recovery point objective (RPO)MWEcandidateMay 9, 2026
Recovery ProceduresnounActions necessary to restore data files of an information system and computational capability after a system failure.ProcessRegulatedCUIMay 12, 2026
Recovery ProceduresMWEcandidateMay 12, 2026
recovery processnounThe steps taken to restore a service, configurable item, etc. to a working state.ProcessMay 9, 2026
recovery processMWEcandidateMay 9, 2026
Recovery service levelsnounCollectively, terms that define the speed, quality, and quantity of recovery capability in response to a disaster, including recovery time objective, recovery point objective, timely notification, percentage of normal production service level agreements (SLAs) that will be delivered during recovery mode, etc.RequirementRegulatedMay 9, 2026
Recovery service levelsMWEcandidateMay 9, 2026
Recovery sitenounAn alternate location for processing information (and possibly conducting business) in an emergency. Usually distinguished as "hot" sites that are fully configured centers with compatible computer equipment and "cold" sites that are operational computer centers without the computer equipment.PhysicalInternalMay 9, 2026
Recovery siteMWEcandidateMay 9, 2026
recovery strategynounA strategy to resume the minimum set of critical services identified in the business impact analysis (e.g., use of another delivery channel to provide the same service).ProcessInternalMay 12, 2026
recovery strategyMWEcandidateMay 12, 2026
Recovery time objectivenounThe overall length of time an information system’s components can be in the recovery phase before negatively impacting the organization’s mission or mission/business functions.MetricMay 12, 2026
Recovery time objectiveMWEcandidateMay 12, 2026
Recovery time objective (RTO)nounThe maximum allowable downtime that can occur without severely impacting the recovery of operations or the time in which systems, applications, or business functions must be recovered after an outage (e.g. the point in time that a process can no longer be inoperable).MetricInternalMay 12, 2026
Recovery time objective (RTO)MWEcandidateMay 12, 2026
Recovery vendorsnounOrganizations that provide recovery sites and support services for a fee.OrganizationMay 12, 2026
Recovery vendorsMWEcandidateMay 12, 2026
RectificationnounRegulatedPIIMay 13, 2026
REDnounIn cryptographic systems, refers to information or messages that contain sensitive or classified information that is not encrypted. See also BLACK.DataRegulatedCUIMay 9, 2026
Red SignalnounAny electronic emission (e.g., plain text, key, key stream, subkey stream, initial fill, or control signal) that would divulge national security information if recovered.VulnerabilityRegulatedCUIMay 9, 2026
Red SignalMWEcandidateMay 9, 2026
Red TeamnounA group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.RoleMay 12, 2026
Red TeamMWEcandidateMay 12, 2026
Red Team exercisenounAn exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes to provide a comprehensive assessment of the security capability of the information system and organization.ProcessRestrictedMay 12, 2026
Red Team exerciseMWEcandidateMay 12, 2026
Red/Black ConceptnounSeparation of electrical and electronic circuits, components, equipment, and systems that handle unencrypted information (Red), in electrical form, from those that handle encrypted information (Black) in the same form.ControlRegulatedCUIMay 9, 2026
Red/Black ConceptMWEcandidateMay 9, 2026
redesignverbTo design something again or in a different manner.UnclassifiedMay 11, 2026
reduceverbTo make smaller or less in amount, degree, or size.UnclassifiedMay 11, 2026
redundancynounAdditional or alternative systems, sub-systems, assets, or processes that maintain a degree of overall functionality in case of loss or failure of another system, sub-system, asset, or process.ControlMay 9, 2026
Redundant array of independent disks (RAID)nounThe use of multiple hard disks to store the same data in different places. By placing data on multiple disks, I/O operations can overlap in a balanced way, improving performance. Since multiple disks increase the mean time between failures (MTBF), storing data redundantly also increases fault-tolerance.SystemMay 12, 2026
Redundant sitenounA recovery strategy involving the duplication of key IT components, including data or other key business processes, whereby fast recovery can take placeControlMay 9, 2026
Redundant siteMWEcandidateMay 9, 2026
referverbdirect attention to a source or resource for additional informationCreateUnclassifiedMay 11, 2026
referenceverbcite or mention a source of informationUnderstandUnclassifiedMay 11, 2026
Reference ClassnouncandidateMay 13, 2026
Reference ClassMWEcandidateMay 13, 2026
Reference MonitornounThe security engineering term for IT functionality that— 1) controls all access, 2) cannot be bypassed, 3) is tamper-resistant, and 4) provides confidence that the other three items are true.ControlMay 9, 2026
Reference MonitorMWEcandidateMay 9, 2026
reflectverbthink deeply and carefully about experiences, actions, or outcomesEvaluateUnclassifiedMay 11, 2026
Reflexive ACLsnounReflexive ACLs for Cisco routers are a step towards making the router act like a stateful firewall. The router will make filtering decisions based on whether connections are a part of established traffic or not.ControlMay 12, 2026
Reflexive ACLsMWEcandidateMay 12, 2026
ReflexivitynouncandidateMay 13, 2026
refrain from performingverbTo not do something.UnclassifiedMay 11, 2026
refrain from performingMWEcandidateMay 11, 2026
reframeverbpresent or view something from a new or different perspectiveEvaluateUnclassifiedMay 11, 2026
Registered portsnounRegistered ports--1024 through 49151: Listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary usersNetworkMay 9, 2026
Registered portsMWEcandidateMay 9, 2026
RegistrationnounThe process through which a party applies to become a subscriber of a Credentials Service Provider (CSP) and a Registration Authority validates the identity of that party on behalf of the CSP.ProcessRegulatedPIIMay 12, 2026
Registration authoritynounA trusted entity that establishes and vouches for the identity of a Subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).OrganizationRegulatedPIIMay 9, 2026
Registration authorityMWEcandidateMay 9, 2026
RegistrynounThe Registry in Windows operating systems is the central set of settings and information required to run the Windows computer.SystemMay 9, 2026
RegressionnouncandidateMay 13, 2026
regression analysisnounThe use of scripted tests which are used to test software for all possible input it should expect. Typically developers will create a set of regression tests that are executed before a new version of a software is released. Also see "fuzzing".ProcessMay 9, 2026
regression analysisMWEcandidateMay 9, 2026
RegulationnounA documented rule or directive created and maintained by a governing authority.RequirementMay 9, 2026
Regulation CCnounA regulation (12 CFR 229) promulgated by the Board of Governors of the Federal Reserve System regarding the availability of funds and the collection of checks. The regulation governs the availability of funds deposited in checking accounts and the collection and return of checks.RequirementRegulatedMay 12, 2026
Regulation CCMWEcandidateMay 12, 2026
Regulation EnounA regulation (12 CFR 205) promulgated by the Board of Governors of the Federal Reserve System to ensure consumers a minimum level of protection in disputes arising from electronic fund transfers.RequirementRegulatedMay 9, 2026
Regulation EMWEcandidateMay 9, 2026
Regulation ZnounRegulation Z, the Truth in Lending Act (TILA) (12 CFR 226) promulgated by the Board of Governors of the Federal Reserve System. The regulation prescribes uniform methods for computing the cost of credit, disclosing credit terms, and resolving errors on certain types of credit accounts.RequirementRegulatedMay 9, 2026
Regulation ZMWEcandidateMay 9, 2026
regulatornounA person or body that supervises a particular industry, business activity, or legal body.OrganizationMay 9, 2026
regulatory agencynounGovernment body formed or mandated under the terms of a legislative act to ensure compliance with the provisions of the act, and in carrying out its purpose.OrganizationInternalMay 12, 2026
regulatory agencyMWEcandidateMay 12, 2026
regulatory guidancenounAssistance with the compliance to regulations.RequirementRegulatedMay 9, 2026
regulatory guidanceMWEcandidateMay 9, 2026
regulatory noticenounAny documented (in print or electronic format) notice used to inform affected parties regarding regulatory issues.ArtifactRegulatedMay 12, 2026
regulatory noticeMWEcandidateMay 12, 2026
Regulatory requirementsnounRules or laws that regulate conduct and that the enterprise must obey to become compliantRequirementRegulatedMay 9, 2026
Regulatory requirementsMWEcandidateMay 9, 2026
reinforcenounStrengthen or support, especially with additional personnel or material.ControlMay 9, 2026
Reinforcement LearningnouncandidateMay 13, 2026
Reinforcement LearningMWEcandidateMay 13, 2026
reiterateverbrepeat or restate something for emphasis or clarityUnderstandUnclassifiedMay 11, 2026
rejectverbTo dismiss as inadequate, inappropriate, unacceptable, or faulty; refuse to agree to.UnclassifiedMay 11, 2026
rekeyverbTo change the value of a cryptographic key that is being used in a cryptographic system/application.UnclassifiedMay 11, 2026
rekey a certificateverbTo change the value of a cryptographic key that is being used in a cryptographic system application; this normally entails issuing a new certificate on the new public key.UnclassifiedMay 11, 2026
rekey a certificateMWEcandidateMay 11, 2026
relateverbshow or describe the connection between two or more thingsCreateUnclassifiedMay 11, 2026
relatenounMake a logical or causal connection.candidateMay 9, 2026
relate tonounHave reference to; concern.candidateMay 9, 2026
relate toMWEcandidateMay 9, 2026
relationshipnounThe interaction between the IT service provider and the business.ProcessMay 9, 2026
relationshipsverbidentify and describe how components or concepts are connectedAnalyzeUnclassifiedMay 11, 2026
releaseverbmake available or distribute a product, document, or informationEvaluateUnclassifiedMay 11, 2026
Release PrefixnounPrefix appended to the short title of U.S.-produced keying material to indicate its foreign releasability. "A" designates material that is releasable to specific allied nations, and "U.S." designates material intended exclusively for U.S. use.ArtifactRegulatedCUIMay 9, 2026
Release PrefixMWEcandidateMay 9, 2026
ReliabilitynouncandidateMay 13, 2026
rely uponnounPut trust in with confidence.candidateMay 9, 2026
rely uponMWEcandidateMay 9, 2026
Relying PartynounAn entity that relies upon the Subscriber's token and credentials or a Verifier's assertion of a Claimant’s identity, typically to process a transaction or grant access to information or a system.IdentityMay 9, 2026
Relying PartyMWEcandidateMay 9, 2026
RemanencenounResidual information remaining on storage media after clearing. See Magnetic Remanence and Clearing.VulnerabilityRegulatedCUIMay 9, 2026
remedial actionnounAction taken to implement long-term restoration of environmental quality.ControlRegulatedMay 12, 2026
remedial actionMWEcandidateMay 12, 2026
remediateverbTo correct or make right a problem or undesirable situation, especially in regards to stopping or reversing environmental damage.PrimaryMay 11, 2026
RemediationnounThe act of correcting a vulnerability or eliminating a threat. Three possible types of remediation are installing a patch, adjusting configuration settings, or uninstalling a software application.ProcessMay 9, 2026
Remediation PlannounA plan to perform the remediation of one or more threats or vulnerabilities facing an organization’s systems. The plan typically includes options to remove threats and vulnerabilities and priorities for performing the remediation.ArtifactInternalMay 12, 2026
Remediation PlanMWEcandidateMay 12, 2026
Remittance cardsnounPayment cards that are typically used to facilitate cross-border movement of funds by individuals and for person-to-person transactions.DataRegulatedPCIMay 9, 2026
Remittance cardsMWEcandidateMay 9, 2026
remote accessnounAccess to an organization's nonpublic information system by an authorized user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet).CapabilityRegulatedMay 12, 2026
remote accessMWEcandidateMay 12, 2026
Remote access servicenounRefers to any combination of hardware and software to enable the remote access to tools or information that typically reside on a network of IT devices. Scope Note: Originally coined by Microsoft when referring to their built-in NT remote access tools, RAS was a service provided by Windows NT which allowed most of the services that would be available on a network to be accessed over a modem link. Over the years, many vendors have provided both hardware and software solutions to gain remote access to various types of networked information. In fact, most modern routers include a basic RAS capability that can be enabled for any dial-up interface.SystemRegulatedMay 9, 2026
Remote access serviceMWEcandidateMay 9, 2026
Remote control softwarenounSoftware that is used to obtain access to a computer or network from a remote distance.SystemRestrictedMay 9, 2026
Remote control softwareMWEcandidateMay 9, 2026
Remote deletionsnounUse of a technology to remove data from a portable device without touching the device.CapabilityRegulatedMay 12, 2026
Remote deletionsMWEcandidateMay 12, 2026
Remote deposit capture (RDC)nounA service that enables users at remote locations to scan digital images of checks and transmit the captured data to a financial institution or a merchant that is a customer of a financial institution.CapabilityRegulatedPCIMay 9, 2026
Remote deposit capture (RDC)MWEcandidateMay 9, 2026
Remote Diagnostics/MaintenancenounMaintenance activities conducted by authorized individuals communicating through an external network (e.g., the Internet).ProcessRegulatedMay 12, 2026
Remote Diagnostics/MaintenanceMWEcandidateMay 12, 2026
Remote journalingnounProcess used to transmit journal or transaction logs in real time to a back-up location.ProcessRegulatedMay 9, 2026
Remote journalingMWEcandidateMay 9, 2026
remote maintenancenounMaintenance activities conducted by individuals communicating external to an information system security perimeter.ProcessRegulatedMay 9, 2026
remote maintenanceMWEcandidateMay 9, 2026
Remote RekeyingnounProcedure by which a distant crypto-equipment is rekeyed electrically. See Automatic Remote Rekeying and Manual Remote Rekeying.ProcessRegulatedCUIMay 9, 2026
Remote RekeyingMWEcandidateMay 9, 2026
Remotely created check (RCC)nounA check that is drawn on a customer account at a financial institution, is created by the payee, and does not bear a signature in the format agreed to by the paying financial institution and customer. RCCs are also known as "demand drafts," "telechecks," "preauthorized drafts," "paper drafts," or "digital checks."DataRegulatedPCIMay 9, 2026
Remotely created check (RCC)MWEcandidateMay 9, 2026
Removable medianounPortable electronic storage media such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device, and that is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CDs), thumb drives, pen drives, and similar USB storage devices.PhysicalRegulatedMay 9, 2026
Removable mediaMWEcandidateMay 9, 2026
removable storage medianounPortable electronic storage media such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device, and that is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CDs), thumb drives, pen drives, and similar USB storage devices.PhysicalRegulatedMay 12, 2026
removable storage mediaMWEcandidateMay 12, 2026
removalnounDismissal from office.ControlRegulatedMay 9, 2026
Renew a certificatenounThe act or process of extending the validity of the data binding asserted by a public key certificate by issuing a new certificate.CredentialMay 9, 2026
Renew a certificateMWEcandidateMay 9, 2026
reorderverbarrange items into a different sequence or organizationUnderstandUnclassifiedMay 11, 2026
reorganizeverbrestructure or rearrange something into a new, improved organizationCreateUnclassifiedMay 11, 2026
repairnounRestore something damaged, faulty, or worn to a good condition.ProcessMay 9, 2026
Repair ActionnounNSA-approved change to a COMSEC end-item that does not affect the original characteristics of the end-item and is provided for optional application by holders. Repair actions are limited to minor electrical and/or mechanical improvements to enhance operation, maintenance, or reliability. They do not require an identification label, marking, or control but must be fully documented by changes to the maintenance manual.ControlRegulatedCUIMay 9, 2026
Repair ActionMWEcandidateMay 9, 2026
repeatverbsay or do something again exactly as beforeUnderstandUnclassifiedMay 11, 2026
RepeatersnounA physical layer device that regenerates and propagates electrical signals between two network segments. Scope Note: Repeaters receive signals from one network segment and amplify (regenerate) the signal to compensate for signals (analog or digital) distorted by transmission loss due to reduction of signal strength during transmission (i.e., attenuation).NetworkMay 9, 2026
rephraseverbexpress the same meaning using different wordsUnderstandUnclassifiedMay 11, 2026
ReplaynounThe ability to copy a message or stream of messages between two parties and replay (retransmit) them to one or more of the partiesThreatMay 12, 2026
Replay attacknounThe interception of communications, such as an authentication communication, and subsequently impersonation of the sender by retransmitting the intercepted communication.ThreatMay 9, 2026
Replay attackMWEcandidateMay 9, 2026
reportverbpresent findings, information, or results in an organized formatUnderstandUnclassifiedMay 11, 2026
reportnounTo give a spoken or written account of something that has been seen, done etc.ArtifactRegulatedMay 9, 2026
Report of ExaminationnounThe report prepared by the Board, or other federal or state financial institution supervisory agency, concerning the examination of a financial institution, and includes reports of inspection and reports of examination of U.S. branches or agencies of foreign banks and representative offices of foreign organizations, and other institutions examined by the Federal Reserve System.ArtifactRegulatedMay 9, 2026
Report of ExaminationMWEcandidateMay 9, 2026
report onverbprovide a detailed account or assessment of a specific topicEvaluateUnclassifiedMay 11, 2026
report onMWEverifiedMay 11, 2026
reportable cyber incidentnounA Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity.EventRegulatedCUIMay 9, 2026
reportable cyber incidentMWEcandidateMay 9, 2026
reportingnounThe action of providing an account of something.ProcessRegulatedMay 9, 2026
reporting requirementnounSet by the organization, this requires third parties to provide certain update and other status reports, such as work status, Service Level Agreement status, etc.RequirementRegulatedMay 9, 2026
reporting requirementMWEcandidateMay 9, 2026
RepositorynounA database containing information and data relating to certificates as specified in a CP; may also be referred to as a directory.DataRegulatedMay 12, 2026
representverbact as a symbol, example, or depiction of somethingUnderstandUnclassifiedMay 11, 2026
representationnounA description or portrayal of someone or something.DataMay 12, 2026
reproduceverbcreate an exact copy or duplicate of somethingCreateUnclassifiedMay 11, 2026
ReproducibilitynouncandidateMay 13, 2026
RepudiationnounThe denial by one of the parties to a transaction of participation in all or part of that transaction or of the content of the communication.RequirementRegulatedMay 12, 2026
reputationnounThe beliefs, opinion, or social evaluation of the public about someone or something.MetricMay 9, 2026
requestnounExpress the need or desire for; ask for.EventMay 9, 2026
Request for CommentnounA series of notes about the Internet, started in 1969 (when the Internet was the ARPANET). An Internet Document can be submitted to the IETF by anyone, but the IETF decides if the document becomes an RFC. Eventually, if it gains enough interest, it may evolve into an Internet standard.ArtifactPublicPublicInfoMay 12, 2026
Request for CommentMWEcandidateMay 12, 2026
requireverbTo specify as compulsory or obligatory.UnclassifiedMay 11, 2026
requirementnounA formal statement of a necessary condition; something needed.RequirementMay 9, 2026
researchverbconduct systematic investigation to establish facts or reach conclusionsAnalyzeUnclassifiedMay 11, 2026
Reserve accountnounA non-interest-earning balance account institutions maintain with the Federal Reserve Bank or with a correspondent bank to satisfy the Federal Reserve's reserve requirements. Reserve account balances play a central role in the exchange of funds between depository institutions.DataRegulatedMay 12, 2026
Reserve accountMWEcandidateMay 12, 2026
Reserve Keying MaterialnounKey held to satisfy unplanned needs. See Contingency Key.CredentialRegulatedCUIMay 9, 2026
Reserve Keying MaterialMWEcandidateMay 9, 2026
Reserve requirementsnounThe percentage of deposits that a depository institution may not lend out or invest and must hold either as vault cash or on deposit at a Federal Reserve Bank. Reserve requirements affect the potential of the banking system to create transaction deposits.RequirementRegulatedMay 9, 2026
Reserve requirementsMWEcandidateMay 9, 2026
resideverbTo be present or inherent as an element or quality in something.UnclassifiedMay 11, 2026
residencenounA person’s home; the place where someone lives.PhysicalMay 12, 2026
ResidualnouncandidateMay 13, 2026
Residual risknounThe remaining potential risk after all IT security measures are applied. There is a residual risk associated with each threat.MetricMay 9, 2026
Residual riskMWEcandidateMay 9, 2026
ResiduenounData left in storage after information-processing operations are complete, but before degaussing or overwriting has taken place.DataRegulatedCUIMay 12, 2026
resiliencenounThe ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning.CapabilityMay 12, 2026
resilience by designnounThe embedding of security in technology and system development from the earliest stages of conceptualisation and design.RequirementRegulatedMay 9, 2026
resilience by designMWEcandidateMay 9, 2026
Resilience testingnounTesting of an institution's business continuity and disaster recovery resumption plans.ProcessInternalMay 12, 2026
Resilience testingMWEcandidateMay 12, 2026
resolutionnounThe action of solving a problem, dispute, or contentious matter.ProcessMay 9, 2026
resolveverbfind a solution to a problem or settle a disputeCreateUnclassifiedMay 11, 2026
resourcenounAn asset available for use.candidateMay 9, 2026
Resource EncapsulationnounMethod by which the reference monitor mediates accesses to an information system resource. Resource is protected and not directly accessible by a subject. Satisfies requirement for accurate auditing of resource usage.ControlMay 9, 2026
Resource EncapsulationMWEcandidateMay 9, 2026
Resource ExhaustionnounResource exhaustion attacks involve tying up finite resources on a system, making them unavailable to others.ThreatMay 9, 2026
Resource ExhaustionMWEcandidateMay 9, 2026
respondverbreply or react to a question, prompt, or situationApplyUnclassifiedMay 11, 2026
Respond FunctionnounDevelop and implement the appropriate activities to take action regarding a detected cybersecurity event.ProcessMay 9, 2026
Respond FunctionMWEcandidateMay 9, 2026
RespondernounThe entity that responds to the initiator of the authentication exchange.IdentityMay 12, 2026
responsenounAn action taken that addresses an incident and assesses the level of containment and control activity required.ProcessRegulatedMay 12, 2026
response activitynounAny task performed by an organization in reaction to discovered risks.ProcessMay 9, 2026
response activityMWEcandidateMay 9, 2026
response and recovery strategynounA systematic plan of action consisting of documented procedures for mitigating and recovering from a disruptive event.ProcessInternalMay 9, 2026
response and recovery strategyMWEcandidateMay 9, 2026
response plannounA document detailing the steps that must be taken, or the activities that must be performed well, in response to risk assessment or audit findings.ProcessInternalMay 12, 2026
response planMWEcandidateMay 12, 2026
response teamnounResponse teams include business, IT, emergency management, public affairs, communications, and continuity personnel.OrganizationMay 12, 2026
response teamMWEcandidateMay 12, 2026
responsibilitynounThe state or fact of having control over someone.RequirementMay 9, 2026
Responsibility to ProvidenounAn information distribution approach whereby relevant essential information is made readily available and discoverable to the broadest possible pool of potential users.RequirementMay 12, 2026
Responsibility to ProvideMWEcandidateMay 12, 2026
Responsible AinouncandidateMay 13, 2026
Responsible AiMWEcandidateMay 13, 2026
responsible entitynounAny group or even individual within an organization that has been given a particular responsibility for a particular process.RoleRegulatedMay 12, 2026
responsible entityMWEcandidateMay 12, 2026
Responsible IndividualnounRoleMay 8, 2026
Responsible IndividualMWEcandidateMay 8, 2026
restateverbexpress the same information again in different wordsUnderstandUnclassifiedMay 11, 2026
restoration operationnounProcessMay 8, 2026
restoration operationMWEcandidateMay 8, 2026
restoreverbTo bring back to previous or normal condition, place, or position; re-establish; repair; renovate; rehabilitate.UnclassifiedMay 11, 2026
restrictverbTo confine or put a limit on; keep under control; restrain.UnclassifiedMay 11, 2026
Restricted DatanounAll data concerning (i) design, manufacture, or utilization of atomic weapons; (ii) the production of special nuclear material; or (iii) the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to Section 142 [of the Atomic Energy Act of 1954].DataRestrictedCUIMay 9, 2026
Restricted DataMWEcandidateMay 9, 2026
resultnounA consequence, effect, or outcome of something.FindingMay 9, 2026
resumeverbTo recommence functions following a cyber incident. An FMI should resume critical services as soon as it is safe and practicable to do so without causing unnecessary risk to the wider sector or further detriment to financial stability.UnclassifiedMay 11, 2026
Retail paymentsnounPayments, typically small, made in the goods and services market.DataRegulatedPCIMay 9, 2026
Retail paymentsMWEcandidateMay 9, 2026
retainverbTo keep in possession.UnclassifiedMay 11, 2026
retellverbnarrate or describe something again in your own wordsUnderstandUnclassifiedMay 11, 2026
Retention LimitnouncandidateMay 13, 2026
Retention LimitMWEcandidateMay 13, 2026
Retention requirementnounRequirement established by a company or by regulation for the length of time and/or for the amount of information that should be retained.RequirementRegulatedMay 9, 2026
Retention requirementMWEcandidateMay 9, 2026
retrievalnounThe process of getting something back from somewhere.ProcessMay 12, 2026
retrieveverbrecover or locate and bring back stored informationRememberUnclassifiedMay 11, 2026
returnnounAn act of going or coming back again to a place, person, condition, or activity.candidateMay 9, 2026
Return (ACH)nounAny ACH entry that has been returned to the ODFI by the RDFI or by the ACH operator because it cannot be processed. The reason for each return is included with the return in the form of a "return reason code." (See the NACHA "Operating Rules and Guidelines" for a complete reason code listing.)ArtifactRegulatedPCIMay 9, 2026
Return (ACH)MWEcandidateMay 9, 2026
Return on investmentnounA measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being consideredMetricMay 12, 2026
Return on investmentMWEcandidateMay 12, 2026
Return-oriented attacksnounAn exploit technique in which the attacker uses control of the call stack to indirectly execute cherry-picked machine instructions immediately prior to the return instruction in subroutines within the existing program codeThreatMay 9, 2026
Return-oriented attacksMWEcandidateMay 9, 2026
reusenounThe action of using something again or more than once.ProcessMay 9, 2026
Reverse Address Resolution ProtocolnounRARP (Reverse Address Resolution Protocol) is a protocol by which a physical machine in a local area network can request to learn its IP address from a gateway server's Address Resolution Protocol table or cache. A network administrator creates a table in a local area network's gateway router that maps the physical machine (or Media Access Control - MAC address) addresses to corresponding Internet Protocol addresses. When a new machine is set up, its RARP client program requests from the RARP server on the router to be sent its IP address. Assuming that an entry has been set up in the router table, the RARP server will return the IP address to the machine which can store it for future use.NetworkMay 9, 2026
Reverse EngineeringnounAcquiring sensitive data by disassembling and analyzing the design of a system component.ThreatRestrictedIPMay 12, 2026
Reverse EngineeringMWEcandidateMay 12, 2026
Reverse LookupnounFind out the hostname that corresponds to a particular IP address. Reverse lookup uses an IP (Internet Protocol) address to find a domain name.CapabilityMay 12, 2026
Reverse LookupMWEcandidateMay 12, 2026
Reverse ProxynounReverse proxies take public HTTP requests and pass them to back-end web servers, which send the content to the proxy so that the proxy can then send the content to the end user.NetworkMay 9, 2026
Reverse ProxyMWEcandidateMay 9, 2026
reviewverbexamine or assess something critically to identify strengths and weaknessesEvaluateSecondaryMay 11, 2026
review and approvenounExamine, make changes if necessary, and officially accept.ProcessRegulatedMay 12, 2026
review and approveMWEcandidateMay 12, 2026
review and testverbTo assess something and evaluate it for quality, performance, or reliability.UnclassifiedMay 11, 2026
review and testMWEcandidateMay 11, 2026
review and updateverbTo assess and change something if necessary and keep it up to date based on pertinent criteria.UnclassifiedMay 11, 2026
review and updateMWEcandidateMay 11, 2026
reviseverbalter, amend, or update something to improve or correct itCreateUnclassifiedMay 11, 2026
revokeverbTo officially cancel or put an end to something, such as a decree, decision, promise, operation, or validity.UnclassifiedMay 11, 2026
revoke a certificateverbTo prematurely end the operational period of a certificate effective at a specific date and time.UnclassifiedMay 11, 2026
revoke a certificateMWEcandidateMay 11, 2026
rewriteverbwrite something again in a different way to improve itCreateUnclassifiedMay 11, 2026
RijndaelnounCryptographic algorithm specified in the Advanced Encryption Standard (AES).CapabilityMay 9, 2026
risknounA measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.]MetricMay 9, 2026
Risk acceptancenounIf the risk is within the enterprise's risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any lossesControlMay 12, 2026
Risk acceptanceMWEcandidateMay 12, 2026
risk analysisnounThe process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment.ProcessMay 12, 2026
risk analysisMWEcandidateMay 12, 2026
risk assessmentnounThe process of identifying, prioritizing, and estimating risks. This includes determining the extent to which adverse circumstances or events could impact an enterprise. Uses the results of threat and vulnerability assessments to identify risk to organizational operations and evaluates those risks in terms of likelihood of occurrence and impacts if they occur. The product of a risk assessment is a list of estimated potential impacts and unmitigated vulnerabilities. Risk assessment is part of risk management and is conducted throughout the Risk Management Framework (RMF).ProcessRegulatedMay 12, 2026
risk assessmentMWEcandidateMay 12, 2026
Risk Assessment MethodologynounA risk assessment process, together with a risk model, assessment approach, and analysis approach.ProcessMay 9, 2026
Risk Assessment MethodologyMWEcandidateMay 9, 2026
Risk Assessment ReportnounThe report which contains the results of performing a risk assessment or the formal output from the process of assessing risk.ArtifactConfidentialMay 12, 2026
Risk Assessment ReportMWEcandidateMay 12, 2026
Risk AssessornounThe individual, group, or organization responsible for conducting a risk assessment.RoleMay 9, 2026
Risk AssessorMWEcandidateMay 9, 2026
Risk AversenounAvoiding risk even if this leads to the loss of opportunity. For example, using a (more expensive) phone call vs. sending an e-mail in order to avoid risks associated with e-mail may be considered "Risk Averse"RequirementMay 9, 2026
Risk AverseMWEcandidateMay 9, 2026
Risk avoidancenounThe process for systematically avoiding risk, constituting one approach to managing riskProcessMay 9, 2026
Risk avoidanceMWEcandidateMay 9, 2026
Risk ControlnouncandidateMay 13, 2026
Risk ControlMWEcandidateMay 13, 2026
risk decisionnounA decision by the leadership of an organization to accept an option having a given risk function in preference to another, or in preference to taking no action.ArtifactMay 12, 2026
risk decisionMWEcandidateMay 12, 2026
Risk ExecutivenounAn individual or group within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.RoleMay 9, 2026
Risk ExecutiveMWEcandidateMay 9, 2026
Risk Executive FunctionnounAn individual or group within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions for those systems, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing risk from individual information systems is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success.RoleMay 12, 2026
Risk Executive FunctionMWEcandidateMay 12, 2026
risk exposurenounThe extent of risk faced by an organization that is expressed in terms of either the likelihood or impact of a loss.MetricMay 12, 2026
risk exposureMWEcandidateMay 12, 2026
risk factornounMeasurable characteristic or element, a change in which can affect the value of an asset, such as exchange rate, interest rate, and market price.MetricMay 9, 2026
risk factorMWEcandidateMay 9, 2026
Risk identificationnounThe process of determining risks and existing safeguards. It generally includes inventories of systems and information necessary to operations and defines the potential threats to systems and operations.ProcessMay 9, 2026
Risk identificationMWEcandidateMay 9, 2026
risk levelnounThe extent to which a vulnerability could be exploited or the amount of damage that could be done. Risk levels are usually measured in a qualitative manner as high, moderate, or low.MetricMay 9, 2026
risk levelMWEcandidateMay 9, 2026
Risk managementnounThe process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system, and includes: (1) the conduct of a risk assessment; (2) the implementation of a risk mitigation strategy; (3) employment of techniques and procedures for the continuous monitoring of the security state of the information system; and (4) documenting the overall risk management program.ProcessMay 9, 2026
Risk managementMWEcandidateMay 9, 2026
risk management controlnounControls associated with instruments that introduce risks that require effective adherence to the relevant clearing house, association, interchange, and regulatory requirements.ControlRegulatedMay 9, 2026
risk management controlMWEcandidateMay 9, 2026
Risk Management FrameworknounA structured approach used to oversee and manage risk for an enterprise.FrameworkMay 12, 2026
Risk Management FrameworkMWEcandidateMay 12, 2026
risk management practicenounThe application of risk management principles.ProcessMay 9, 2026
risk management practiceMWEcandidateMay 9, 2026
risk management processnounThe systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.ProcessMay 12, 2026
risk management processMWEcandidateMay 12, 2026
risk management programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to identify, control, and reduce or eliminate risks to operations, assets, or individuals that are inherent to system development and operations.ProcessRegulatedMay 9, 2026
risk management programMWEcandidateMay 9, 2026
risk management strategynounA plan of action for analyzing and prioritizing risks to organizational operations, assets, and personnel in alignment with the organization's mission and business objectives.ProcessMay 9, 2026
risk management strategyMWEcandidateMay 9, 2026
Risk measurementnounA process to determine the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution. The result of risk measurement leads to the prioritization of potential risks based on severity and likelihood of occurrence.ProcessInternalMay 12, 2026
Risk measurementMWEcandidateMay 12, 2026
Risk mitigationnounPrioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.ControlMay 12, 2026
Risk mitigationMWEcandidateMay 12, 2026
Risk Mitigation PlannounThis record contains detailed proposals intended to reduce the risks to a critical asset, typically including actions or countermeasures designed to counter the threats to assets.ControlRegulatedCUIMay 9, 2026
Risk Mitigation PlanMWEcandidateMay 9, 2026
Risk ModelnounA key component of a risk assessment methodology (in addition to assessment approach and analysis approach) that defines key terms and assessable risk factors.FrameworkMay 12, 2026
Risk ModelMWEcandidateMay 12, 2026
Risk MonitoringnounMaintaining ongoing awareness of an organization’s risk environment, risk management program, and associated activities to support risk decisions.ProcessMay 9, 2026
Risk MonitoringMWEcandidateMay 9, 2026
risk monitoring systemverbTo identify at an early point in time potential risks to the survival of a member institution, which therefore allows the persons in charge to intervene or take countermeasures at an early point in time.UnclassifiedMay 11, 2026
risk monitoring systemMWEcandidateMay 11, 2026
Risk ProfilenounThis record contains an outline of the number, type, and potential effects of risks to which an asset or organization is exposed.ArtifactRegulatedMay 12, 2026
Risk ProfileMWEcandidateMay 12, 2026
Risk reductionnounThe implementation of controls or countermeasures to reduce the likelihood or impact of a risk to a level within the organization’s risk tolerance.ProcessMay 9, 2026
Risk reductionMWEcandidateMay 9, 2026
risk responsenounAccepting, avoiding, mitigating, sharing, or transferring risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.ProcessMay 12, 2026
risk responseMWEcandidateMay 12, 2026
Risk Response MeasurenounA specific action taken to respond to an identified risk.ControlMay 9, 2026
Risk Response MeasureMWEcandidateMay 9, 2026
Risk tolerancenounThe level of risk an entity is willing to assume in order to achieve a potential desired result.MetricMay 9, 2026
Risk toleranceMWEcandidateMay 9, 2026
Risk transfernounThe process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the serviceProcessMay 9, 2026
Risk transferMWEcandidateMay 9, 2026
Risk treatmentnounThe process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)ProcessMay 9, 2026
Risk treatmentMWEcandidateMay 9, 2026
Risk-Adaptable Access ControlnounA form of access control that uses an authorization policy that takes into account operational need, risk, and heuristics.ControlMay 9, 2026
Risk-Adaptable Access ControlMWEcandidateMay 9, 2026
risk-based approachnounAn approach whereby FMIs identify, assess and understand the risks to which they are exposed and take measures commensurate with these risks.ProcessRegulatedMay 12, 2026
risk-based approachMWEcandidateMay 12, 2026
risk-based auditingnounAn approach that focuses upon how an organization responds to the risks it faces in achieving its goals and objectives.ProcessMay 9, 2026
risk-based auditingMWEcandidateMay 9, 2026
risk-based authenticationnounAny risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected, such as through the use of challenge questions.ControlRegulatedPIIMay 12, 2026
risk-based authenticationMWEcandidateMay 12, 2026
risk-based data managementnounA structured approach to managing risks to data and information by which an organization selects and applies appropriate security controls in compliance with policy and commensurate with the sensitivity and value of the data.ProcessMay 9, 2026
risk-based data managementMWEcandidateMay 9, 2026
Rivest-Shamir-AdlemannounAn algorithm for asymmetric cryptography, invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman.CapabilityMay 12, 2026
RloginnounRemote login. A UNIX utility that allows a user to log in to a remote host on a network, as if it were directly connected, and make use of various services. Remote login is an information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization's security controls.CapabilityRegulatedMay 12, 2026
Robotic Desktop Automation (rda)nouncandidateMay 13, 2026
Robotic Desktop Automation (rda)MWEcandidateMay 13, 2026
Robotic Process Automation (rpa)nouncandidateMay 13, 2026
Robotic Process Automation (rpa)MWEcandidateMay 13, 2026
Robust AinouncandidateMay 13, 2026
Robust AiMWEcandidateMay 13, 2026
Robust Security NetworknounA wireless security network that only allows the creation of Robust Security Network Associations (RSNAs).NetworkMay 9, 2026
Robust Security NetworkMWEcandidateMay 9, 2026
Robust Security Network AssociationnounA logical connection between communicating IEEE 802.11 entities established through the IEEE 802.11i key management scheme, also known as the four-way handshake.NetworkMay 9, 2026
RobustnessnounThe ability of an Information Assurance entity to operate correctly and reliably across a wide range of operational conditions, and to fail gracefully outside of that operational range.CapabilityMay 9, 2026
Rogue DevicenounAn unauthorized node on a network.ThreatMay 9, 2026
Rogue DeviceMWEcandidateMay 9, 2026
Rogue wireless accessnounAn unauthorized wireless node on a network.ThreatRestrictedMay 12, 2026
Rogue wireless accessMWEcandidateMay 12, 2026
rolenounA group attribute that ties membership to function. When an entity assumes a role, the entity is given certain rights that belong to that role. When the entity leaves the role, those rights are removed. The rights given are consistent with the functionality that the entity needs to perform the expected tasks.RoleMay 9, 2026
Role Based Access ControlnounRole based access control assigns users to roles based on their organizational functions and determines authorization based on those roles.ControlMay 9, 2026
Role Based Access ControlMWEcandidateMay 9, 2026
role playverbact out a scenario or character to demonstrate or explore a conceptCreateUnclassifiedMay 11, 2026
role playMWEverifiedMay 11, 2026
roles and responsibilitiesnounThe position and collection of tasks, duties, obligations that participants undertake to complete a project.RequirementMay 9, 2026
roles and responsibilitiesMWEcandidateMay 9, 2026
RootnounRoot is the name of the administrator account in Unix systems.IdentityMay 9, 2026
root causenounThe underlying or original source of an incident or problem.ArtifactMay 9, 2026
root causeMWEcandidateMay 9, 2026
Root cause analysisnounA principle-based, systems approach for the identification of underlying causes associated with a particular set of risks.ProcessMay 9, 2026
Root cause analysisMWEcandidateMay 9, 2026
Root Certification AuthoritynounIn a hierarchical Public Key Infrastructure, the Certification Authority whose public key serves as the most trusted datum (i.e., the beginning of trust paths) for a security domain.CredentialRestrictedMay 9, 2026
Root Certification AuthorityMWEcandidateMay 9, 2026
Root-Mean-Square Deviation (RMSD)nouncandidateMay 13, 2026
Root-Mean-Square Deviation (RMSD)MWEcandidateMay 13, 2026
RootkitnounA set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means.ThreatMay 9, 2026
Round KeynounRound keys are values derived from the Cipher Key using the Key Expansion routine; they are applied to the State in the Cipher and Inverse Cipher.CredentialRestrictedMay 12, 2026
Round KeyMWEcandidateMay 12, 2026
round offverbadjust a number to a simpler approximate valueApplyUnclassifiedMay 11, 2026
round offMWEverifiedMay 11, 2026
RouternounA LAN/WAN device operating at Layers 1 (physical), 2 (data link), and 3 (network) of the OSI 7 Layer Reference Model.NetworkMay 9, 2026
RoutingnounThe process of moving information from its source to the destination.ProcessMay 9, 2026
Routing Information ProtocolnounRouting Information Protocol is a distance vector protocol used for interior gateway routing which uses hop count as the sole metric of a path's cost.NetworkMay 9, 2026
Routing Information ProtocolMWEcandidateMay 9, 2026
Routing LoopnounA routing loop is where two or more poorly configured routers repeatedly exchange the same packet over and over.VulnerabilityMay 9, 2026
Routing LoopMWEcandidateMay 9, 2026
Routing numbernounAlso referred to as the ABA number. A nine-digit number (eight digits and a check digit) that identifies a specific financial institution.DataRegulatedMay 12, 2026
Routing numberMWEcandidateMay 12, 2026
RownouncandidateMay 13, 2026
RPC ScansnounRPC scans determine which RPC services are running on a machine.CapabilityMay 9, 2026
RPC ScansMWEcandidateMay 9, 2026
RSAnounA public key cryptosystem developed by R. Rivest, A. Shamir and L. Adleman used for both encryption and digital signatures. Scope Note: The RSA has two different keys, the public encryption key and the secret decryption key. The strength of the RSA depends on the difficulty of the prime number factorization. For applications with high-level security, the number of the decryption key bits should be greater than 512 bits.CapabilityMay 12, 2026
rulenounA principle, condition, or regulation that customarily governs behavior or procedure within a particular area of activity.RequirementRegulatedMay 12, 2026
rule onverbmake an authoritative decision or judgment on a matterEvaluateUnclassifiedMay 11, 2026
rule onMWEverifiedMay 11, 2026
Rule Set Based Access ControlnounRule Set Based Access Control targets actions based on rules for entities operating on objects.ControlMay 9, 2026
Rule Set Based Access ControlMWEcandidateMay 9, 2026
Rule-Based Security PolicynounA security policy based on global rules imposed for all subjects. These rules usually rely on a comparison of the sensitivity of the objects being accessed and the possession of corresponding attributes by the subjects requesting access. Also known as discretionary access control (DAC).RequirementMay 9, 2026
Rule-Based Security PolicyMWEcandidateMay 9, 2026
Rules of EngagementnounDetailed guidelines and constraints regarding the execution of information security testing. The ROE is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.RequirementInternalMay 12, 2026
Rules of EngagementMWEcandidateMay 12, 2026
RulesetnounA set of directives that govern the access control functionality of a firewall. The firewall uses these directives to determine how packets should be routed between its interfaces.ControlRegulatedMay 12, 2026
runverbexecute a program, process, or experimentApplyUnclassifiedMay 11, 2026
S-boxnounNonlinear substitution table used in several byte substitution transformations and in the Key Expansion routine to perform a one-for-one substitution of a byte value.ControlMay 12, 2026
S/KeynounA security mechanism that uses a cryptographic hash function to generate a sequence of 64-bit, one-time passwords for remote user login. The client generates a one-time password by applying the MD4 cryptographic hash function multiple times to the user's secret key. For each successive authentication of the user, the number of hash applications is reduced by one.CredentialRegulatedMay 9, 2026
S/MIMEnounA set of specifications for securing electronic mail. Secure/Multipurpose Internet Mail Extensions (S/MIME) is based upon the widely used MIME standard and describes a protocol for adding cryptographic security services through MIME encapsulation of digitally signed and encrypted objects. The basic security services offered by S/MIME are authentication, non-repudiation of origin, message integrity, and message privacy. Optional security services include signed receipts, security labels, secure mailing lists, and an extended method of identifying the signer’s certificate(s).ControlMay 9, 2026
SafeguardnounA practice, procedure or mechanism that reduces riskControlMay 9, 2026
Safeguarding StatementnounStatement affixed to a computer output or printout that states the highest classification being processed at the time the product was produced and requires control of the product, at that level, until determination of the true classification by an authorized individual. Synonymous with banner.ArtifactRegulatedCUIMay 9, 2026
Safeguarding StatementMWEcandidateMay 9, 2026
SafetynounSafety is the need to ensure that the people involved with the company, including employees, customers, and visitors, are protected from harm.RequirementMay 12, 2026
SaltnounA non-secret value that is used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an Attacker.CredentialMay 12, 2026
SandboxnounA restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.SystemInternalMay 12, 2026
SandboxingnounA method of isolating application modules into distinct fault domains enforced by software. The technique allows untrusted programs written in an unsafe language, such as C, to be executed safely within the single virtual address space of an application. Untrusted machine interpretable code modules are transformed so that all memory accesses are confined to code and data segments within their fault domain. Access to system resources can also be controlled through a unique identifier associated with each domain.ControlMay 9, 2026
SanitizationnounA general term referring to the actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means.ProcessRegulatedMay 12, 2026
SAS 70 reportnounAn audit report of a servicing institution prepared in accordance with guidance provided in the American Institute of Certified Public Accountant's Statement of Auditing Standards Number 70. Replaced by SSAE 16.ArtifactRegulatedMay 12, 2026
SAS 70 reportMWEcandidateMay 12, 2026
Satellite technologynounThese links efficiently extend the reach of typical communication systems to distant areas and provide alternative traffic routing in an emergency.SystemRegulatedMay 12, 2026
Satellite technologyMWEcandidateMay 12, 2026
ScalabilitynounA term that refers to how well a hardware and software system can adapt to increased demands. For example, a scalable network system would be one that can start with just a few nodes but can easily expand to thousands of nodes. Scalability can be a very important feature because it means the entity can invest in a system with confidence they will not quickly outgrow it.CapabilityMay 12, 2026
ScanningnounSending packets or requests to another system to gain information to be used in a subsequent attack.ThreatMay 12, 2026
ScatternetnounA chain of piconets created by allowing one or more Bluetooth devices to each be a slave in one piconet and act as the master for another piconet simultaneously. A scatternet allows several devices to be networked over an extended distance.NetworkMay 9, 2026
ScavengingnounSearching through object residue to acquire data.ThreatRegulatedCUIMay 12, 2026
scenarionounA postulated sequence or development of events.EventMay 9, 2026
Scenario analysisnounThe process of analyzing possible future events by considering alternative possible outcomes.ProcessMay 9, 2026
Scenario analysisMWEcandidateMay 9, 2026
scheduleverbplan and arrange activities or events within a timeframeApplyUnclassifiedMay 11, 2026
SchedulesnounThis record category contains ordered lists of times at which things are planned to occur.ArtifactInternalMay 12, 2026
scopenounThe extent or boundary to which a process, configuration item, application, contract, etc. applies.RequirementMay 9, 2026
Scoping GuidancenounA part of tailoring guidance providing organizations with specific policy/regulatory-related, technology-related, system component allocation-related, operational/environmental-related, physical infrastructure-related, public access-related, scalability-related, common control-related, and security objective-related considerations on the applicability and implementation of individual security controls in the security control baseline.RequirementRegulatedCUIMay 12, 2026
Scoping GuidanceMWEcandidateMay 12, 2026
scoreverbassign numerical points or ratings based on evaluation criteriaEvaluateUnclassifiedMay 11, 2026
ScorenouncandidateMay 13, 2026
ScorecardnounA dashboard of performance measures.ArtifactMay 12, 2026
Screen OutnounRegulatedMay 13, 2026
Screen OutMWEcandidateMay 13, 2026
ScriptnounA file containing active content; for example, commands or instructions to be executed by the computer.ArtifactMay 12, 2026
scrutinizeverbexamine or inspect something very carefully and thoroughlyAnalyzeUnclassifiedMay 11, 2026
searchverblook through information systematically to find something specificRememberUnclassifiedMay 11, 2026
secret keynounA cryptographic key that is used with a secret-key (symmetric) cryptographic algorithm that is uniquely associated with one or more entities and is not made public. The use of the term “secret” in this context does not imply a classification level, but rather implies the need to protect the key from disclosure.CredentialRestrictedCUIMay 9, 2026
secret keyMWEcandidateMay 9, 2026
Secret Key symmetric Cryptographic AlgorithmnounA cryptographic algorithm that uses a single key (i.e., a secret key) for both encryption and decryption.CredentialRestrictedMay 9, 2026
Secret SeednounA secret value used to initialize a pseudorandom number generator.CredentialRestrictedCUIMay 9, 2026
Secret SeedMWEcandidateMay 9, 2026
secureverbTo protect against danger, harm or threats; safeguard.UnclassifiedMay 11, 2026
secure coding practicenounA method used as part of the software development life cycle risk management so that software applications are designed and implemented with appropriate security requirements.ControlMay 9, 2026
secure coding practiceMWEcandidateMay 9, 2026
Secure Communication ProtocolnounA communication protocol that provides the appropriate confidentiality, authentication, and content-integrity protection.ControlMay 12, 2026
Secure Communication ProtocolMWEcandidateMay 12, 2026
Secure CommunicationsnounTelecommunications deriving security through use of NSA-approved products and/or Protected Distribution Systems.CapabilityRegulatedCUIMay 12, 2026
Secure CommunicationsMWEcandidateMay 12, 2026
secure development practicenounA software development practice where the confidentiality, integrity, and availability of the software code is protected against threats and vulnerabilities.ProcessRegulatedIPMay 9, 2026
secure development practiceMWEcandidateMay 9, 2026
secure disposalnounThe process of erasing or overwriting data stored on media before relinquishing control of said media when no longer required, in a manner that ensures that no data can be recovered from the media.ProcessRegulatedMay 9, 2026
secure disposalMWEcandidateMay 9, 2026
Secure DNSnounConfiguring and operating DNS servers so that the security goals of data integrity and source authentication are achieved and maintained.NetworkMay 9, 2026
Secure DNSMWEcandidateMay 9, 2026
Secure Electronic TransactionnounA standard that will ensure that credit card and associated payment order information travels safely and securely between the various involved parties on the Internet.FrameworkRegulatedPCIMay 9, 2026
Secure Electronic TransactionMWEcandidateMay 9, 2026
Secure ErasenounAn overwrite technology using a firmware-based process to overwrite a hard drive. It is a drive command defined in the ANSI ATA and SCSI disk drive interface specifications, which runs inside drive hardware. It completes in about 1/8 the time of 5220 block erasure.ControlRegulatedMay 9, 2026
Secure EraseMWEcandidateMay 9, 2026
Secure Hash AlgorithmnounA hash algorithm with the property that it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest.CapabilityMay 12, 2026
Secure Hash AlgorithmMWEcandidateMay 12, 2026
Secure Hash StandardnounThis Standard specifies secure hash algorithms - SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 - for computing a condensed representation of electronic data (message). When a message of any length less than 2^64 bits (for SHA-1, SHA-224 and SHA-256) or less than 2^128 bits (for SHA-384, SHA-512, SHA-512/224 and SHA-512/256) is input to a hash algorithm, the result is an output called a message digest. The message digests range in length from 160 to 512 bits, depending on the algorithm. Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random numbers (bits). The hash algorithms specified in this Standard are called secure because, for a given algorithm, it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest. Any change to a message will, with a very high probability, result in a different message digest. This will result in a verification failure when the secure hash algorithm is used with a digital signature algorithm or a keyed-hash message authentication algorithm.FrameworkPublicMay 12, 2026
Secure Hash StandardMWEcandidateMay 12, 2026
Secure Multipurpose Internet Mail ExtensionsnounProvides cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures) and privacy and data security (using encryption) to provide a consistent way to send and receive MIME data. (RFC 2311)ControlMay 9, 2026
Secure ShellnounNetwork protocol that uses cryptography to secure communication, remote command line log-in, and remote command execution between two networked computers.NetworkMay 12, 2026
Secure ShellMWEcandidateMay 12, 2026
Secure Socket LayernounA protocol used for protecting private information during transmission via the Internet. Note: SSL works by using a public key to encrypt data that's transferred over the SSL connection. Most Web browsers support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with “https:” instead of “http:.”NetworkRegulatedPCIMay 12, 2026
Secure Socket LayerMWEcandidateMay 12, 2026
Secure Socket Layer (SSL)nounA protocol that is used to transmit private documents through the Internet.NetworkMay 9, 2026
Secure Socket Layer (SSL)MWEcandidateMay 9, 2026
Secure Sockets LayernounA protocol that is used to transmit private documents through the Internet. Scope Note: The SSL protocol uses a private key to encrypt the data that are to be transferred through the SSL connection.NetworkRegulatedMay 12, 2026
Secure Sockets LayerMWEcandidateMay 12, 2026
Secure StatenounCondition in which no subject can access any object in an unauthorized manner.ControlMay 9, 2026
Secure StateMWEcandidateMay 9, 2026
Secure SubsystemnounSubsystem containing its own implementation of the reference monitor concept for those resources it controls. Secure subsystem must depend on other controls and the base operating system for the control of subjects and the more primitive system objects.SystemRegulatedMay 12, 2026
Secure SubsystemMWEcandidateMay 12, 2026
Secure/Multipurpose Internet Mail ExtensionsnounA set of specifications for securing electronic mail. S/MIME is based upon the widely used MIME standard [MIME] and describes a protocol for adding cryptographic security services through MIME encapsulation of digitally signed and encrypted objects. The basic security services offered by S/MIME are authentication, non-repudiation of origin, message integrity, and message privacy. Optional security services include signed receipts, security labels, secure mailing lists, and an extended method of identifying the signer’s certificate(s).ControlRegulatedMay 12, 2026
Securely ProvisionnounA NICE Workforce Framework category consisting of specialty areas concerned with conceptualizing, designing, and building secure IT systems, with responsibility for some aspect of the systems' development.ProcessMay 9, 2026
Securely ProvisionMWEcandidateMay 9, 2026
SecuritynounA condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.CapabilityMay 9, 2026
security alertnounAny form of notification or alert structure that something is amiss with the system's configuration, settings, etc.EventMay 9, 2026
security alertMWEcandidateMay 9, 2026
Security architecturenounA detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.FrameworkMay 9, 2026
Security architectureMWEcandidateMay 9, 2026
Security as a ServicenounThe next generation of managed security services dedicated to the delivery, over the Internet, of specialized information-security services.CapabilityMay 9, 2026
Security as a ServiceMWEcandidateMay 9, 2026
Security Assertion Markup LanguagenounA framework for exchanging authentication and authorization information. Security typically involves checking the credentials presented by a party for authentication and authorization. SAML standardizes the representation of these credentials in an XML format called “assertions,” enhancing the interoperability between disparate applications.FrameworkMay 12, 2026
Security Assertion Markup LanguageMWEcandidateMay 12, 2026
security assessment reportnounAny published finding of security component audits such as a vulnerability assessment.ArtifactConfidentialMay 9, 2026
security assessment reportMWEcandidateMay 9, 2026
Security AssociationnounA relationship established between two or more entities to enable them to protect data they exchange.ControlMay 9, 2026
Security AssociationMWEcandidateMay 9, 2026
Security AttributenounAn abstraction representing the basic properties or characteristics of an entity with respect to safeguarding information; typically associated with internal data structures (e.g., records, buffers, files) within the information system which are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy.DataRegulatedCUIMay 9, 2026
Security AttributeMWEcandidateMay 9, 2026
Security auditnounAn independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in control, policy, and procedures.ProcessRegulatedMay 9, 2026
Security auditMWEcandidateMay 9, 2026
security automationnounThe use of information technology in place of manual processes for cyber incident response and management.CapabilityMay 12, 2026
security automationMWEcandidateMay 12, 2026
Security Automation DomainnounAn information security area that includes a grouping of tools, technologies, and data.CapabilityMay 12, 2026
Security Automation DomainMWEcandidateMay 12, 2026
Security Awareness programnounThe documented plan and documented activities to create well-informed interest in being free from danger or threat.ProcessRegulatedCUIMay 9, 2026
Security Awareness programMWEcandidateMay 9, 2026
security awareness trainingnounThe process of educating personnel on critical business processes.ProcessInternalMay 9, 2026
security awareness trainingMWEcandidateMay 9, 2026
Security BannernounA banner at the top or bottom of a computer screen that states the overall classification of the system in large, bold type. Also can refer to the opening screen that informs users of the security implications of accessing a computer resource.ControlRegulatedCUIMay 12, 2026
Security BannerMWEcandidateMay 12, 2026
Security breachnounA security event that results in unauthorized access of data, applications, services, networks, or devices by bypassing underlying security mechanisms.EventRegulatedMay 9, 2026
Security breachMWEcandidateMay 9, 2026
Security CategorizationnounThe process of determining the security category for information or an information system. Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems.ProcessRegulatedCUIMay 12, 2026
Security CategorizationMWEcandidateMay 12, 2026
Security CategorynounThe characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the Nation.RequirementRegulatedMay 12, 2026
Security CategoryMWEcandidateMay 12, 2026
Security Concept of OperationsnounA security-focused description of an information system, its operational policies, classes of users, interactions between the system and its users, and the system’s contribution to the operational mission.ArtifactRestrictedCUIMay 12, 2026
Security Concept of OperationsMWEcandidateMay 12, 2026
Security Content Automation ProtocolnounA method for using specific standardized testing methods to enable automated vulnerability management, measurement, and policy compliance evaluation against a standardized set of security requirements.FrameworkMay 9, 2026
security controlnounA safeguard or countermeasure to avoid, counteract or minimize security risks relating to personal property, or any company property. For business-to-business facing organizations whose service may affect the financial statements of the other company, the prospect may require successful audit reports of policy controls.ControlRegulatedMay 9, 2026
security controlMWEcandidateMay 9, 2026
Security Control AssessmentnounThe testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.ControlRegulatedCUIMay 9, 2026
Security Control AssessmentMWEcandidateMay 9, 2026
Security Control AssessornounThe individual, group, or organization responsible for conducting a security control assessment.RoleMay 9, 2026
Security Control AssessorMWEcandidateMay 9, 2026
Security Control BaselinenounOne of the sets of minimum security controls defined for federal information systems in NIST Special Publication 800-53 and CNSS Instruction 1253.ControlRegulatedMay 9, 2026
Security Control BaselineMWEcandidateMay 9, 2026
Security Control EffectivenessnounThe measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance.MetricMay 9, 2026
Security Control EffectivenessMWEcandidateMay 9, 2026
Security Control EnhancementsnounStatements of security capability to: (i) build in additional, but related, functionality to a security control; and/or (ii) increase the strength of the control.ControlMay 9, 2026
Security Control EnhancementsMWEcandidateMay 9, 2026
Security Control InheritancenounA situation in which an information system or application receives protection from security controls (or portions of security controls) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides. See Common Control.ControlMay 9, 2026
Security Control InheritanceMWEcandidateMay 9, 2026
Security Controls BaselinenounThe set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.RequirementRegulatedCUIMay 9, 2026
Security Controls BaselineMWEcandidateMay 9, 2026
Security DomainnounA collection of entities to which applies a single security policy executed by a single authority.FrameworkMay 12, 2026
Security DomainMWEcandidateMay 12, 2026
Security EngineeringnounAn interdisciplinary approach and means to enable the realization of secure systems. It focuses on defining customer needs, security protection requirements, and required functionality early in the systems development life cycle, documenting requirements, and then proceeding with design, synthesis, and system validation while considering the complete problem.CapabilityMay 12, 2026
Security EngineeringMWEcandidateMay 12, 2026
security eventnounAn event that potentially compromises the confidentiality, integrity, availability, or accountability of an information system.EventRegulatedMay 12, 2026
security eventMWEcandidateMay 12, 2026
Security Event LognounThis record contains records of any security-related and auditing-related events.EventRegulatedCUIMay 12, 2026
Security Event LogMWEcandidateMay 12, 2026
Security Fault AnalysisnounAn assessment, usually performed on information system hardware, to determine the security properties of a device when hardware fault is encountered.ProcessMay 12, 2026
Security Fault AnalysisMWEcandidateMay 12, 2026
Security Features Users GuidenounGuide or manual explaining how the security mechanisms in a specific system work.ArtifactInternalMay 12, 2026
Security Features Users GuideMWEcandidateMay 12, 2026
Security FilternounA secure subsystem of an information system that enforces security policy on the data passing through it.ControlMay 9, 2026
Security FilterMWEcandidateMay 9, 2026
Security FunctionsnounThe hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.CapabilityMay 9, 2026
Security FunctionsMWEcandidateMay 9, 2026
Security GoalsnounThe five security goals are confidentiality, availability, integrity, accountability, and assurance.RequirementMay 12, 2026
Security GoalsMWEcandidateMay 12, 2026
Security Impact AnalysisnounThe analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.ProcessInternalMay 12, 2026
Security Impact AnalysisMWEcandidateMay 12, 2026
security incidentnounAn adverse event where a threat or exploit may compromise a computer system and cause: loss of data confidentiality, disruption of system or data integrity, or disruption or denial of availability of the system and/or data.EventRegulatedMay 12, 2026
security incidentMWEcandidateMay 12, 2026
security incident response plannounThe steps taken during an incident. An incident response plan brings together and organizes the resources for dealing with any event that harms or threatens the security of information assets. Such an event may be a malicious code attack, an unauthorized access to information or systems, the unauthorized use of services, a denial of service attack, or a hoax.ProcessRegulatedMay 9, 2026
security incident response planMWEcandidateMay 9, 2026
Security Information and Event ManagementnounApplication that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.CapabilityMay 12, 2026
Security InspectionnounExamination of an information system to determine compliance with security policy, procedures, and practices.ProcessMay 9, 2026
Security InspectionMWEcandidateMay 9, 2026
Security KernelnounHardware, firmware, and software elements of a trusted computing base implementing the reference monitor concept. Security kernel must mediate all accesses, be protected from modification, and be verifiable as correct.SystemRegulatedMay 12, 2026
Security KernelMWEcandidateMay 12, 2026
Security LabelnounInformation that represents or designates the value of one or more security relevant-attributes (e.g., classification) of a system resource.ControlRegulatedMay 12, 2026
Security LabelMWEcandidateMay 12, 2026
Security LevelnounA hierarchical indicator of the degree of sensitivity to a certain threat. It implies, according to the security policy being enforced, a specific level of protection.MetricMay 12, 2026
Security LevelMWEcandidateMay 12, 2026
Security lognounA record that contains log-in and logout activity and other security-related events and that is used to track security-related information on a computer system.ArtifactRegulatedMay 12, 2026
Security logMWEcandidateMay 12, 2026
Security Management DashboardnounA tool that consolidates and communicates information relevant to the organizational security posture in near real-time to security management stakeholders.CapabilityMay 9, 2026
Security Management DashboardMWEcandidateMay 9, 2026
Security MarkingnounHuman-readable information affixed to information system components, removable media, or output indicating the distribution limitations, handling caveats, and applicable security markings.ArtifactRegulatedCUIMay 9, 2026
Security MarkingMWEcandidateMay 9, 2026
Security MechanismnounA device designed to provide one or more security services usually rated in terms of strength of service and assurance of the design.ControlMay 12, 2026
Security MechanismMWEcandidateMay 12, 2026
Security metricsnounA standard of measurement used in management of security-related activitiesMetricMay 9, 2026
Security metricsMWEcandidateMay 9, 2026
Security Net Control StationnounManagement system overseeing and controlling implementation of network security policy.SystemRegulatedCUIMay 9, 2026
Security Net Control StationMWEcandidateMay 9, 2026
Security ObjectivenounConfidentiality, integrity, or availability.RequirementMay 12, 2026
Security ObjectiveMWEcandidateMay 12, 2026
security operations centrenounA function or service responsible for monitoring, detecting and isolating incidents.CapabilityMay 12, 2026
security operations centreMWEcandidateMay 12, 2026
security patchnounComputer code intended to repair or lessen the impact of vulnerabilities within application software.ControlRegulatedMay 12, 2026
security patchMWEcandidateMay 12, 2026
security patchingnounThe purpose of this task is to distribute patches to apply security patches to organizational operating systems and applications.ProcessRegulatedMay 9, 2026
security patchingMWEcandidateMay 9, 2026
security patching processnounThe series of steps taken to acquire, test, and distribute security patches to the appropriate administrators and users throughout the organization.ProcessRegulatedMay 9, 2026
security patching processMWEcandidateMay 9, 2026
Security perimeternounA physical or logical boundary that is defined for a system, domain, or enclave, within which a particular security policy or security architecture is applied.ControlMay 9, 2026
Security perimeterMWEcandidateMay 9, 2026
security personnelnounIndividuals who protect people, facilities, and information for an organization.RoleMay 9, 2026
security personnelMWEcandidateMay 9, 2026
Security PlannounFormal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. See ‘System Security Plan’ or ‘Information Security Program Plan.’ArtifactRestrictedMay 9, 2026
Security PlanMWEcandidateMay 9, 2026
security policynounA set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data.RequirementMay 9, 2026
security policyMWEcandidateMay 9, 2026
Security PosturenounThe security status of an enterprise’s networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.MetricInternalMay 12, 2026
Security PostureMWEcandidateMay 12, 2026
security practicenounThe actions an organization takes to initiate, implement, and maintain organizational security.ProcessRegulatedMay 9, 2026
security practiceMWEcandidateMay 9, 2026
Security procedure agreementnounAn agreement between a financial institution and a Federal Reserve Bank whereby the financial institution agrees to certain security procedures if it uses an encrypted communications line with access controls for the transmission or receipt of a payment order to or from a Federal Reserve Bank.RequirementMay 9, 2026
Security procedure agreementMWEcandidateMay 9, 2026
security processnounA series of actions that ensure the protection of data.ProcessMay 12, 2026
security processMWEcandidateMay 12, 2026
Security Program ManagementnounIn the NICE Workforce Framework, cybersecurity work where a person: Manages information security (e.g., information security) implications within the organization, specific program, or other area of responsibility, to include strategic, personnel, infrastructure, policy enforcement, emergency planning, security awareness, and other resources (e.g., the role of a Chief Information Security Officer).ProcessMay 9, 2026
Security Program ManagementMWEcandidateMay 9, 2026
Security Program PlannounFormal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management security controls and common security controls in place or planned for meeting those requirements.ArtifactRestrictedCUIMay 12, 2026
Security Program PlanMWEcandidateMay 12, 2026
Security RangenounHighest and lowest security levels that are permitted in or on an information system, system component, subsystem, or network.RequirementRegulatedCUIMay 12, 2026
Security RangeMWEcandidateMay 12, 2026
security requirementnounA necessary condition that must be met to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.RequirementRegulatedMay 9, 2026
security requirementMWEcandidateMay 9, 2026
Security Requirements BaselinenounDescription of the minimum requirements necessary for an information system to maintain an acceptable level of risk.RequirementRegulatedMay 9, 2026
Security Requirements BaselineMWEcandidateMay 9, 2026
Security Requirements RequirementsnounRequirements levied on an information system that are derived from applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures, or organizational mission/business case needs to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted.RequirementRegulatedMay 12, 2026
Security Requirements RequirementsMWEcandidateMay 12, 2026
Security Requirements Traceability MatrixnounMatrix that captures all security requirements linked to potential risks and addresses all applicable C&A requirements. It is, therefore, a correlation statement of a system’s security features and compliance methods for each security requirement.ArtifactRegulatedCUIMay 9, 2026
Security SafeguardsnounProtective measures and controls prescribed to meet the security requirements specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.ControlMay 9, 2026
Security SafeguardsMWEcandidateMay 9, 2026
Security ServicenounA capability that supports one, or more, of the security requirements (Confidentiality, Integrity, Availability). Examples of security services are key management, access control, and authentication.CapabilityMay 9, 2026
Security ServiceMWEcandidateMay 9, 2026
Security SpecificationnounDetailed description of the safeguards required to protect an information system.RequirementMay 9, 2026
Security SpecificationMWEcandidateMay 9, 2026
Security StrengthnounA measure of the computational complexity associated with recovering certain secret and/or security-critical information concerning a given cryptographic algorithm from known data (e.g. plaintext/ciphertext pairs for a given encryption algorithm).MetricMay 9, 2026
Security StrengthMWEcandidateMay 9, 2026
Security TagnounInformation unit containing a representation of certain security-related information (e.g., a restrictive attribute bit map).DataRegulatedCUIMay 12, 2026
Security TagMWEcandidateMay 12, 2026
Security TargetnounCommon Criteria specification that represents a set of security requirements to be used as the basis of an evaluation of an identified Target of Evaluation (TOE).RequirementRegulatedMay 12, 2026
Security TargetMWEcandidateMay 12, 2026
security testnounThe purpose of this task is to determine if the security features of a system are implemented and functioning as designed. This process includes hands-on functional testing, penetration testing and vulnerability scanning.ProcessMay 9, 2026
security testMWEcandidateMay 9, 2026
Security Test & EvaluationnounExamination and analysis of the safeguards required to protect an information system, as they have been applied in an operational environment, to determine the security posture of that system.ProcessRegulatedCUIMay 12, 2026
Security Test & EvaluationMWEcandidateMay 12, 2026
Security TestingnounProcess to determine that an information system protects data and maintains functionality as intended.ProcessMay 9, 2026
Security TestingMWEcandidateMay 9, 2026
Security violationnounAn instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information or system resources.EventRegulatedMay 9, 2026
Security violationMWEcandidateMay 9, 2026
Security-Relevant ChangenounAny change to a system’s configuration, environment, information content, functionality, or users which has the potential to change the risk imposed upon its continued operations.ProcessMay 9, 2026
Security-Relevant ChangeMWEcandidateMay 9, 2026
Security-Relevant EventnounAn occurrence (e.g., an auditable event or flag) considered to have potential security implications to the system or its environment that may require further action (noting, investigating, or reacting).EventMay 9, 2026
Security-Relevant EventMWEcandidateMay 9, 2026
Security-Relevant InformationnounAny information within the information system that can potentially impact the operation of security functions in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data.DataRestrictedCUIMay 12, 2026
Security-Relevant InformationMWEcandidateMay 12, 2026
Seed KeynounInitial key used to start an updating or key generation process.CredentialRestrictedCUIMay 12, 2026
Seed KeyMWEcandidateMay 12, 2026
SegmentnounSegment is another name for TCP packets.NetworkMay 9, 2026
SegmentationnouncandidateMay 13, 2026
segregateverbTo isolate, set apart, or divide from the rest or each other.UnclassifiedMay 11, 2026
Segregation/separation of dutiesnounA basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets. Scope Note: Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection.ControlMay 9, 2026
Segregation/separation of dutiesMWEcandidateMay 9, 2026
selectverbchoose from available options based on specific criteriaCreateUnclassifiedMay 11, 2026
selectionnounAn assortment of things from which a choice can be made.candidateMay 9, 2026
Self-Aware SystemnounSystemMay 13, 2026
Self-Aware SystemMWEcandidateMay 13, 2026
Self-DiagnosisnouncandidateMay 13, 2026
Self-Healing SystemnounSystemMay 13, 2026
Self-Healing SystemMWEcandidateMay 13, 2026
self-regulatory organizationnounAn organization that exercises some degree of regulatory authority over an industry or profession.OrganizationMay 12, 2026
self-regulatory organizationMWEcandidateMay 12, 2026
Semantic MappingnouncandidateMay 13, 2026
Semantic MappingMWEcandidateMay 13, 2026
Semi-Quantitative AssessmentnounUse of a set of methods, principles, or rules for assessing risk based on bins, scales, or representative numbers whose values and meanings are not maintained in other contexts.ProcessMay 9, 2026
Semi-Quantitative AssessmentMWEcandidateMay 9, 2026
Senior Agency Information Security OfficernounOfficial responsible for carrying out the Chief Information Officer responsibilities under the Federal Information Security Management Act (FISMA) and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers. SP 800-53 Note: Organizations subordinate to federal agencies may use the term Senior Information Security Officer or Chief Information Security Officer to denote individuals filling positions with similar responsibilities to Senior Agency Information Security Officers.RoleRegulatedMay 9, 2026
senior executivenounA long standing and top ranking member of the management of an organization.RoleMay 9, 2026
senior executiveMWEcandidateMay 9, 2026
senior managementnounThis group focuses on directing and controlling the organization at the highest level. Any individuals or group that is involved in directing and controlling an organization should be assigned to this role.RoleMay 9, 2026
senior managementMWEcandidateMay 9, 2026
senior managernounA manager who has responsibilities and authority broader in scope than a front-line manager and typically reports into a director or general manager level role. They manage the day-to-day activities of the business by setting direction in line with the overall business strategy, setting goals and objectives, and managing communication throughout their group.RoleMay 9, 2026
senior managerMWEcandidateMay 9, 2026
Sensitive Compartmented InformationnounClassified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence.DataRegulatedCUIMay 9, 2026
Sensitive Compartmented Information FacilitynounAccredited area, room, or group of rooms, buildings, or installation where SCI may be stored, used, discussed, and/or processed.PhysicalRegulatedCUIMay 9, 2026
Sensitive customer informationnounA customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log into or access the customer’s account, such as user name and password or password and account number.DataRegulatedPIIMay 9, 2026
Sensitive customer informationMWEcandidateMay 9, 2026
sensitive datanounInformation whose loss, misuse, unauthorized access to, modification, or destruction, could adversely affect the national interest or the conduct of federal programs, or privacy to which individuals are entitled, but which has not been specifically authorized to be kept secret in the interest of national defense or foreign policy, etc.DataRegulatedCUIMay 9, 2026
sensitive dataMWEcandidateMay 9, 2026
Sensitive InformationnounInformation, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (Systems that are not national security systems, but contain sensitive information, are to be protected in accordance with the requirements of the Computer Security Act of 1987 [P.L.100-235].)DataRegulatedCUIMay 9, 2026
Sensitive InformationMWEcandidateMay 9, 2026
SensitivitynounA measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection.MetricMay 12, 2026
Sensitivity AnalysisnouncandidateMay 13, 2026
Sensitivity AnalysisMWEcandidateMay 13, 2026
Sensitivity LabelnounInformation representing elements of the security label(s) of a subject and an object. Sensitivity labels are used by the trusted computing base (TCB) as the basis for mandatory access control decisions. See Security Label.DataRegulatedCUIMay 12, 2026
Sensitivity LabelMWEcandidateMay 12, 2026
Sensory DigitizationnouncandidateMay 13, 2026
Sensory DigitizationMWEcandidateMay 13, 2026
separateverbdivide or distinguish items into distinct groups or categoriesEvaluateUnclassifiedMay 11, 2026
separationnounThe action or state of moving or being moved apart.ControlMay 9, 2026
Separation of DutiesnounSeparation of duties is the principle of splitting privileges among multiple individuals or systems.ControlMay 9, 2026
Separation of DutiesMWEcandidateMay 9, 2026
separation of dutynounPractice of dividing steps in a function among different individuals, so as to keep a single individual from being able to subvert the process.ControlMay 9, 2026
separation of dutyMWEcandidateMay 9, 2026
sequenceverbarrange items in a specific, logical orderCreateUnclassifiedMay 11, 2026
ServernounA computer or other device that manages a network service. An example is a print server, which is a device that manages network printing.SystemMay 9, 2026
servicenounSomething of value provided to a customer such as banking, legal support, IT support, etc. that is not a physical thing with material value.CapabilityMay 9, 2026
service contractnounA formal agreement between a service provider and consumer that specifies the details of the service performed by the provider.RequirementInternalMay 9, 2026
service contractMWEcandidateMay 9, 2026
Service delivery objectivenounDirectly related to the business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restoredRequirementMay 12, 2026
Service delivery objectiveMWEcandidateMay 12, 2026
Service level agreementnounAn agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measuredRequirementMay 12, 2026
Service level agreementMWEcandidateMay 12, 2026
Service Level Agreement (SLA)nounFormal documents between an institution and its third-party service provider that outline an institution’s predetermined requirements for a service and establish incentives to meet, or penalties for failure to meet, the requirements. SLAs should specify and clarify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met.RequirementInternalMay 9, 2026
Service Level Agreement (SLA)MWEcandidateMay 9, 2026
service level performancenounThe degree of service expected of a service provider and promised to a client as encapsulated in a contract.MetricMay 12, 2026
service level performanceMWEcandidateMay 12, 2026
service providernounFor purposes of the Information Security Standards, service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to a financial institution.OrganizationRegulatedPIIMay 12, 2026
service providerMWEcandidateMay 12, 2026
sessionnounA session is an encounter between an end-user interface device (e.g., computer, terminal, process) and an application, including a network logon. One user session is the time between starting the application and quitting.EventMay 9, 2026
Session HijackingnounTake over a session that someone else has established.ThreatMay 12, 2026
Session HijackingMWEcandidateMay 12, 2026
Session KeynounIn the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be re-keyed frequently.CredentialRestrictedMay 12, 2026
Session KeyMWEcandidateMay 12, 2026
setverbTo arrange a device so it performs a particular operation.UnclassifiedMay 11, 2026
set upverbarrange, prepare, or establish the components needed for somethingCreateUnclassifiedMay 11, 2026
set upMWEverifiedMay 11, 2026
SettlementnounThe final step in the transfer of ownership involving the physical exchange of securities or payment. In a banking transaction, settlement is the process of recording the debit and credit positions of the parties involved in a transfer of funds. In a financial instrument transaction, settlement includes both the transfer of securities by the seller and the payment by the buyer. Settlements can be "gross" or "net." Gross settlement means each transaction is settled individually. Net settlement means parties exchanging payments will offset mutual obligations to deliver identical items (e.g., dollars or EUROS), at a specified time, after which only one net amount of each item is exchanged.ProcessRegulatedMay 9, 2026
Settlement date (ACH)nounThe date on which an exchange of funds with respect to an entry is reflected on the books of the Federal Reserve Bank.DataRegulatedMay 12, 2026
Settlement date (ACH)MWEcandidateMay 12, 2026
Settlement eligible instructionsnounSee "Matched Instructions".RequirementRegulatedMay 9, 2026
Settlement eligible instructionsMWEcandidateMay 9, 2026
SHA1nounA one-way cryptographic hash function. Also see "MD5".ControlMay 9, 2026
Shadow ITnounA term used to describe IT systems or applications used inside institutions without explicit approval.SystemInternalMay 9, 2026
Shadow ITMWEcandidateMay 9, 2026
Shadow Password FilesnounA system file in which encrypted user passwords are stored so that they aren't available to people who try to break into the system.CredentialMay 9, 2026
Shadow Password FilesMWEcandidateMay 9, 2026
Shallow LearningnouncandidateMay 13, 2026
Shallow LearningMWEcandidateMay 13, 2026
shareverbdistribute or provide information, resources, or work to othersCreateUnclassifiedMay 11, 2026
shared accountnounA single local account created for a group, with one user name and one password.IdentityRegulatedCUIMay 9, 2026
shared accountMWEcandidateMay 9, 2026
Shared SecretnounA secret used in authentication that is known to the Claimant and the Verifier.CredentialRestrictedMay 12, 2026
Shared SecretMWEcandidateMay 12, 2026
ShellnounA Unix term for the interactive user interface with an operating system. The shell is the layer of programming that understands and executes the commands a user enters. In some systems, the shell is called a command interpreter. A shell usually implies an interface with a command syntax (think of the DOS operating system and its "C:" prompts and user commands such as "dir" and "edit").SystemMay 9, 2026
Shielded EnclosurenounRoom or container designed to attenuate electromagnetic radiation, acoustic signals, or emanations.PhysicalRegulatedCUIMay 12, 2026
Shielded EnclosureMWEcandidateMay 12, 2026
Short positionnounIn respect of a currency balance that is less than zero, the amount by which such currency balance is less than zero. An investment position that benefits from a decline in market price. When one sells a currency their position is short.MetricRegulatedMay 12, 2026
Short positionMWEcandidateMay 12, 2026
Short position limitnounIn respect of an eligible currency, the maximum short position a Settlement Member may have at any time in that eligible currency and, unless otherwise reduced pursuant to the CLS Bank Rules, shall equal (i) the total amount of all available committed liquidity facilities in such eligible currency (or such lesser amount that CLS Bank may determine from time to time) minus (ii) the amount of the largest available committed liquidity facility among such liquidity facilities (after taking into account any amounts already drawn).RequirementRegulatedMay 9, 2026
Short position limitMWEcandidateMay 9, 2026
Short TitlenounIdentifying combination of letters and numbers assigned to certain COMSEC materials to facilitate handling, accounting, and controlling.ArtifactRegulatedCUIMay 9, 2026
Short TitleMWEcandidateMay 9, 2026
showverbdemonstrate, display, or present something for others to seeApplyUnclassifiedMay 11, 2026
shownounTo demonstrate or prove.candidateMay 9, 2026
siftverbexamine carefully to sort out or identify the most important elementsAnalyzeUnclassifiedMay 11, 2026
signverbTo write one's name on something, or to provide some other mark to identify oneself or give authorization.ApplyUnclassifiedMay 12, 2026
Signal Detection TheorynouncandidateMay 13, 2026
Signal Detection TheoryMWEcandidateMay 13, 2026
Signals AnalysisnounGaining indirect knowledge of communicated data by monitoring and analyzing a signal that is emitted by a system and that contains the data but is not intended to communicate the data.CapabilityRegulatedMay 12, 2026
Signals AnalysisMWEcandidateMay 12, 2026
signaturenounA recognizable, distinguishing pattern associated with an attack, such as a binary string in a virus or a particular set of keystrokes used to gain unauthorized access to a system.ArtifactMay 12, 2026
Signature CertificatenounA public key certificate that contains a public key intended for verifying digital signatures rather than encrypting data or performing any other cryptographic functions.CredentialMay 9, 2026
Signature CertificateMWEcandidateMay 9, 2026
Signature GenerationnounThe process of using a digital signature algorithm and a private key to generate a digital signature on data.ProcessRegulatedMay 9, 2026
Signature GenerationMWEcandidateMay 9, 2026
Signature ValidationnounThe (mathematical) verification of the digital signature and obtaining the appropriate assurances (e.g., public key validity, private key possession, etc.).ControlRegulatedMay 12, 2026
Signature ValidationMWEcandidateMay 12, 2026
Signature VerificationnounThe process of using a digital signature algorithm and a public key to verify a digital signature on data.ProcessMay 12, 2026
Signature VerificationMWEcandidateMay 12, 2026
Signed DatanounData on which a digital signature is generated.DataMay 12, 2026
Signed DataMWEcandidateMay 12, 2026
Significant firmsnounFirms that process a significant share of transactions in critical financial markets.OrganizationRegulatedMay 9, 2026
Significant firmsMWEcandidateMay 9, 2026
Simple Integrity PropertynounIn Simple Integrity Property a user cannot write data to a higher integrity level than their own.ControlMay 9, 2026
Simple Integrity PropertyMWEcandidateMay 9, 2026
Simple Mail Transfer ProtocolnounThe standard electronic mail (e-mail) protocol on the InternetNetworkMay 9, 2026
Simple Mail Transfer ProtocolMWEcandidateMay 9, 2026
Simple Network Management ProtocolnounThe protocol governing network management and the monitoring of network devices and their functions. A set of protocols for managing complex networks.NetworkMay 9, 2026
Simple Network Management ProtocolMWEcandidateMay 9, 2026
Simple Security PropertynounIn Simple Security Property a user cannot read data of a higher classification than their own.RequirementMay 9, 2026
Simple Security PropertyMWEcandidateMay 9, 2026
simplifyverbmake something less complex or easier to understandAnalyzeUnclassifiedMay 11, 2026
simulateverbimitate or model the operation of a real-world process or systemCreateUnclassifiedMay 11, 2026
Simulated loss of data center site(s) test/exercisenounA type of disaster recovery test that involves the simulation of the loss of the primary, alternate, and/or tertiary data processing sites to verify that the institution can continue its data processing activities.PhysicalInternalMay 9, 2026
SimulationnounThe process of operating a model of an enterprise-wide or business line activity in order to test the functionality of the model. Computer systems may support the simulation of business models to aid in evaluating the BCP.ProcessMay 12, 2026
Single factor authenticationnounAuthentication process that requires only the user ID and password to grant accessControlMay 9, 2026
Single factor authenticationMWEcandidateMay 9, 2026
Single Point KeyingnounMeans of distributing key to multiple, local crypto equipment or devices from a single fill point.ProcessRegulatedCUIMay 9, 2026
Single Point KeyingMWEcandidateMay 9, 2026
Single-Entry (ACH)nounA one-time transfer of funds initiated by an originator in accordance with the receiver's authorization for a single ACH credit or debit to the receiver's consumer account.DataRegulatedPCIMay 9, 2026
Single-Entry (ACH)MWEcandidateMay 9, 2026
Single-Hop ProblemnounThe security risks resulting from a mobile software agent moving from its home platform to another platform.VulnerabilityMay 9, 2026
Single-Hop ProblemMWEcandidateMay 9, 2026
situational awarenessnounWithin a volume of time and space, the perception of an enterprise’s security posture and its threat environment; the comprehension/meaning of both taken together (risk); and the projection of their status into the near future.CapabilityMay 12, 2026
situational awarenessMWEcandidateMay 12, 2026
sizeverbdetermine or classify the dimensions, magnitude, or extent of somethingAnalyzeUnclassifiedMay 11, 2026
sizenounThe physical magnitude or relative extent of something; how big something is.MetricMay 12, 2026
sketchverbcreate a quick, rough drawing or outline of an idea or conceptCreateUnclassifiedMay 11, 2026
SkimmingnounThe unauthorized use of a reader to read tags without the authorization or knowledge of the tag’s owner or the individual in possession of the tag.ThreatRegulatedPIIMay 9, 2026
Small Computer Systems Interface (SCSI)nounSmall computer systems interface (pronounced "scuzzy"). A standard way of interfacing a computer to disk drives, tape drives, and other devices that require high-speed data transfer. Also, a secondary SAN protocol that allows computer applications to talk to storage devices.NetworkMay 9, 2026
Smart cardnounA credit card-sized card with embedded integrated circuits that can store, process, and communicate information.PhysicalRegulatedMay 12, 2026
Smart cardMWEcandidateMay 12, 2026
SmurfnounThe Smurf attack works by spoofing the target address and sending a ping to the broadcast address for a remote network, which results in a large amount of ping replies being sent to the target.ThreatMay 9, 2026
SniffernounA sniffer is a tool that monitors network traffic as it is received in a network interface.CapabilityMay 9, 2026
SniffingnounThe passive interception of data transmissions.ThreatMay 9, 2026
Social engineeringnounA general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious.ThreatMay 12, 2026
Social engineeringMWEcandidateMay 12, 2026
Socio-Technical SystemnouncandidateMay 13, 2026
Socio-Technical SystemMWEcandidateMay 13, 2026
SocketnounThe socket tells a host's IP stack where to plug in a data stream so that it connects to the right application.NetworkMay 9, 2026
Socket PairnounA way to uniquely specify a connection, i.e., source IP address, source port, destination IP address, destination port.NetworkMay 9, 2026
Socket PairMWEcandidateMay 9, 2026
SOCKSnounA protocol that a proxy server can use to accept requests from client users in a company's network so that it can forward them across the Internet. SOCKS uses sockets to represent and keep track of individual connections. The client side of SOCKS is built into certain Web browsers and the server side can be added to a proxy server.NetworkMay 9, 2026
softwarenounComputer programs and associated data that may be dynamically written or modified during execution.SystemMay 9, 2026
Software as a servicenounOffers the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail).SystemMay 12, 2026
Software as a serviceMWEcandidateMay 12, 2026
software assurancenounLevel of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner.CapabilityRegulatedMay 12, 2026
software assuranceMWEcandidateMay 12, 2026
Software Assurance and Security EngineeringnounIn the NICE Workforce Framework, cybersecurity work where a person: Develops and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs following software assurance best practices.CapabilityMay 12, 2026
software platformnounA major piece of software, as an operating system, an operating environment, or a database, under which various smaller application programs can be designed to run.SystemMay 12, 2026
software platformMWEcandidateMay 12, 2026
software releasenounThe public or private distribution of an initial or upgraded version of a computer software product.ArtifactMay 12, 2026
software releaseMWEcandidateMay 12, 2026
software security controlnounThe software and procedures used to assist in the protection of information systems and the files created, communicated and stored by individuals and organizations.ControlMay 9, 2026
software security controlMWEcandidateMay 9, 2026
Software System Test and Evaluation ProcessnounProcess that plans, develops, and documents the qualitative/quantitative demonstration of the fulfillment of all baseline functional performance, operational, and interface requirements.ProcessRegulatedMay 12, 2026
Software TestingnounProcessMay 13, 2026
Software TestingMWEcandidateMay 13, 2026
Software-Based Fault IsolationnounA method of isolating application modules into distinct fault domains enforced by software. The technique allows untrusted programs written in an unsafe language, such as C, to be executed safely within the single virtual address space of an application. Untrusted machine interpretable code modules are transformed so that all memory accesses are confined to code and data segments within their fault domain. Access to system resources can also be controlled through a unique identifier associated with each domain.ControlMay 9, 2026
Software-Based Fault IsolationMWEcandidateMay 9, 2026
solutionverbdevise or identify the answer or resolution to a problemCreateUnclassifiedMay 11, 2026
solutionnounA product or service designed to meet a specific need.CapabilityMay 9, 2026
solveverbfind the answer or solution to a problem or challengeCreateUnclassifiedMay 11, 2026
sortverbarrange or organize items into groups based on defined criteriaUnderstandUnclassifiedMay 11, 2026
Sound practicesnounDefined in the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," which was issued by the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Securities and Exchange Commission.RequirementRegulatedMay 9, 2026
Sound practicesMWEcandidateMay 9, 2026
sourcenounThe place, person, or thing where something begins or comes into being.candidateMay 9, 2026
Source codenounSoftware program instructions written in a format (language) readable by humans.DataConfidentialIPMay 9, 2026
Source codeMWEcandidateMay 9, 2026
Source PortnounThe port that a host uses to connect to a server. It is usually a number greater than or equal to 1024. It is randomly generated and is different each time a connection is made.NetworkMay 9, 2026
Source PortMWEcandidateMay 9, 2026
Source programnounA program written in a programming language (such as C, Pascal, or COBOL). A compiler translates the source code into a machine-language object program.ArtifactIPMay 9, 2026
Source programMWEcandidateMay 9, 2026
Source routing specificationnounA transmission technique where the sender of a packet can specify the route that packet should follow through the networkNetworkMay 9, 2026
Source routing specificationMWEcandidateMay 9, 2026
SpamnounElectronic junk mail or the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.ThreatMay 12, 2026
spam filtering softwarenounA program that analyzes emails to look for characteristics of spam, and typically places messages that appear to be spam in a separate email folder.CapabilityMay 9, 2026
spam filtering softwareMWEcandidateMay 9, 2026
Spanning PortnounConfigures the switch to behave like a hub for a specific port.NetworkMay 9, 2026
Spanning PortMWEcandidateMay 9, 2026
SparsitynouncandidateMay 13, 2026
Spear phishingnounAn attack that targets a specific user or group of users and attempts to deceive the user into performing an action that launches an attack, such as opening a document or clicking a link. Spear phishers rely on knowing some personal piece of information about their target, such as an event, interest, travel plans, or current issues. Sometimes this information is gathered by hacking into the targeted network.ThreatMay 9, 2026
Spear phishingMWEcandidateMay 9, 2026
Special Access ProgramnounA program established for a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.ProcessRegulatedCUIMay 9, 2026
Special Access ProgramMWEcandidateMay 9, 2026
Special Access Program FacilitynounFacility formally accredited by an appropriate agency in accordance with DCID 6/9 in which SAP information may be processed.PhysicalRegulatedCDIMay 9, 2026
Special Access Program FacilityMWEcandidateMay 9, 2026
Special CharacternounAny non-alphanumeric character that can be rendered on a standard American-English keyboard. Use of a specific special character may be application-dependent. The list of special characters follows: ` ~ ! @ # $ % ^ & * ( ) _ + | } { “ : ? [ ] \ ; ’ , . / - =RequirementMay 9, 2026
Special CharacterMWEcandidateMay 9, 2026
SpecificationnounAn assessment object that includes document-based artifacts (e.g., policies, procedures, plans, system security requirements, functional specifications, and architectural designs) associated with an information system.ArtifactMay 12, 2026
specifyverbstate or identify clearly and precisely the details or requirementsCreateUnclassifiedMay 11, 2026
spellverbname or write the letters of a word in the correct orderRememberUnclassifiedMay 11, 2026
SpillagenounSecurity incident that results in the transfer of classified or CUI information onto an information system not accredited (i.e., authorized) for the appropriate security level.EventRegulatedCUIMay 9, 2026
Spiral developmentnounAn iterative project management model that focuses on the identification of project and product risks and the selection of project management techniques that best control the identified risks.ProcessMay 9, 2026
Spiral developmentMWEcandidateMay 9, 2026
Split HorizonnounSplit horizon is an algorithm for avoiding problems caused by including routes in updates sent to the gateway from which they were learned.ControlMay 9, 2026
Split HorizonMWEcandidateMay 9, 2026
Split KeynounA cryptographic key that is divided into two or more separate data items that individually convey no knowledge of the whole key that results from combining the items.CredentialRestrictedMay 9, 2026
Split KeyMWEcandidateMay 9, 2026
Split Knowledgenoun1. Separation of data or information into two or more parts, each part constantly kept under control of separate authorized individuals or teams so that no one individual or team will know the whole data. 2. A process by which a cryptographic key is split into multiple key components, individually sharing no knowledge of the original key, which can be subsequently input into, or output from, a cryptographic module by separate entities and combined to recreate the original cryptographic key.ControlRegulatedCUIMay 9, 2026
Split KnowledgeMWEcandidateMay 9, 2026
Split ProcessingnounThe ongoing operational practice of dividing production processing between two or more geographically dispersed facilities.ProcessMay 9, 2026
Split ProcessingMWEcandidateMay 9, 2026
SpoofnounAttempt by an unauthorized entity to gain access to a system by posing as an authorized user.ThreatMay 9, 2026
Spoofingnoun1. Faking the sending address of a transmission to gain illegal entry into a secure system. Impersonating, masquerading, piggybacking, and mimicking are forms of spoofing. 2. The deliberate inducement of a user or resource to take incorrect action.ThreatMay 12, 2026
SpotnounThe most common foreign exchange transaction. Spot or spot date refers to the spot transaction value date that requires settlement within two business days, subject to value date calculation.ProcessRegulatedMay 12, 2026
Spread SpectrumnounTelecommunications techniques in which a signal is transmitted in a bandwidth considerably greater than the frequency content of the original information. Frequency hopping, direct sequence spreading, time scrambling, and combinations of these techniques are forms of spread spectrum.CapabilityMay 9, 2026
Spread SpectrumMWEcandidateMay 9, 2026
SpywarenounSoftware that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.ThreatMay 9, 2026
SQL injectionnounResults from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. (MITRE)ThreatMay 9, 2026
SQL injectionMWEcandidateMay 9, 2026
SQL injection attacknounAn exploit of target software that constructs structured query language (SQL) statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database.ThreatMay 9, 2026
SQL injection attackMWEcandidateMay 9, 2026
Screen scrapingnounA process used by information aggregators to gather information from a customer's website, whereby the aggregator accesses the target site by logging in as the customer, electronically reads and copies selected information from the displayed webpage(s), then redisplays the information on the aggregator's site. The process is analogous to "scraping" the information off the computer screen.ProcessRegulatedPIIMay 9, 2026
Screen scrapingMWEcandidateMay 9, 2026
stabilitynounThe state of being firmly established; unlikely to change or fail.MetricMay 9, 2026
Stack MashingnounStack mashing is the technique of using a buffer overflow to trick a computer into executing arbitrary code.ThreatMay 9, 2026
Stack MashingMWEcandidateMay 9, 2026
staffnounAll the people employed by an organization.RoleMay 12, 2026
stakeholdernounAn individual who has an interest in something, e.g., a corporation, and is affected by decisions and activities regarding that issue.OrganizationMay 9, 2026
StandardnounA published statement on a topic specifying characteristics, usually measurable, that must be satisfied or achieved in order to comply with the standard.RequirementInternalMay 12, 2026
Standard ACLsnounStandard ACLs on Cisco routers make packet filtering decisions based on Source IP address only.ControlMay 12, 2026
Standard ACLsMWEcandidateMay 12, 2026
Standard DeviationnounMetricMay 13, 2026
Standard DeviationMWEcandidateMay 13, 2026
Standard Entry Class (SEC) codenounThree-character code in an ACH company/batch header record used to identify the payment type within an ACH batch.DataRegulatedMay 12, 2026
Standard Entry Class (SEC) codeMWEcandidateMay 12, 2026
standardizeverbestablish uniform criteria, procedures, or specificationsEvaluateUnclassifiedMay 11, 2026
Star PropertynounIn Star Property, a user cannot write data to a lower classification level without logging in at that lower classification level.ControlMay 9, 2026
Star PropertyMWEcandidateMay 9, 2026
Start EventnouncandidateMay 13, 2026
Start EventMWEcandidateMay 13, 2026
Start-Up KEKnounKey-encryption-key held in common by a group of potential communicating entities and used to establish ad hoc tactical networks.CredentialRegulatedCUIMay 9, 2026
Start-Up KEKMWEcandidateMay 9, 2026
stateverbexpress something clearly and definitively in wordsEvaluateUnclassifiedMay 11, 2026
StatenounIntermediate Cipher result that can be pictured as a rectangular array of bytes.DataRegulatedMay 12, 2026
State MachinenounA system that moves through a series of progressive conditions.SystemMay 12, 2026
State MachineMWEcandidateMay 12, 2026
Stateful inspectionnounA firewall inspection technique that examines the claimed purpose of a communication for validity. For example, a communication claiming to respond to a request is compared to a table of outstanding requests.ControlMay 9, 2026
Stateful inspectionMWEcandidateMay 9, 2026
StatementnounA written clear or definite expression of something.ArtifactMay 9, 2026
Static Host TablesnounStatic host tables are text files that contain hostname and address mapping.DataMay 12, 2026
Static Host TablesMWEcandidateMay 12, 2026
Static KeynounA key that is intended for use for a relatively long period of time and is typically intended for use in many instances of a cryptographic key establishment scheme.CredentialRegulatedMay 9, 2026
Static KeyMWEcandidateMay 9, 2026
Static RoutingnounStatic routing means that routing table entries contain information that does not change.NetworkMay 9, 2026
Static RoutingMWEcandidateMay 9, 2026
Statistical BiasnouncandidateMay 13, 2026
Statistical BiasMWEcandidateMay 13, 2026
Statistical ParitynouncandidateMay 13, 2026
Statistical ParityMWEcandidateMay 13, 2026
Statistical SignificancenouncandidateMay 13, 2026
Statistical SignificanceMWEcandidateMay 13, 2026
StatisticsnouncandidateMay 13, 2026
statusnounThe relative position or state of something.MetricMay 9, 2026
Status MonitoringnounMonitoring the information security metrics defined by the organization in the information security ISCM strategy.ProcessMay 9, 2026
Status MonitoringMWEcandidateMay 9, 2026
Statutory requirementsnounLaws created by government institutionsRequirementRegulatedMay 9, 2026
Statutory requirementsMWEcandidateMay 9, 2026
StealthingnounStealthing is a term that refers to approaches used by malicious code to conceal its presence on the infected system.ThreatMay 9, 2026
SteganalysisnounSteganalysis is the process of detecting and defeating the use of steganography.CapabilityMay 12, 2026
SteganographynounThe art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.ThreatRegulatedPHIMay 12, 2026
stepnounA measure or action, especially one of a series taken in order to deal with or achieve a particular thing.ProcessMay 12, 2026
StereotypenouncandidateMay 13, 2026
StimulusnounStimulus is network traffic that initiates a connection or solicits a response.EventMay 9, 2026
stipulationnoun(law) an agreement or concession made by parties in a judicial proceeding (or by their attorneys) relating to the business before the court; must be in writing unless they are part of the court record.ArtifactRegulatedMay 9, 2026
StochasticnouncandidateMay 13, 2026
storagenounThe action or method of keeping something for future use.SystemRegulatedCUIMay 9, 2026
Storage area network (SAN)nounA high-speed special-purpose network (or sub-network) that connects different types of data storage devices with associated data servers on behalf of a larger network of users.NetworkMay 12, 2026
Storage area network (SAN)MWEcandidateMay 12, 2026
storage locationnounA place where things are held for a period of time.PhysicalRegulatedMay 12, 2026
storage locationMWEcandidateMay 12, 2026
Storage ObjectnounObject supporting both read and write accesses to an information system.DataMay 9, 2026
Storage ObjectMWEcandidateMay 9, 2026
Storage virtualizationnounThe process of taking many different physical storage networks and devices, and making them appear as one "virtual" entity for purposes of management and administration.SystemMay 9, 2026
Storage virtualizationMWEcandidateMay 9, 2026
storeverbTo retain or enter information for future electronic retrieval.UnclassifiedMay 11, 2026
Store cardnounA credit card issued by a financial institution for a specific merchant or vendor that does not carry a bankcard association logo. Store cards can only be used at the merchant or vendor whose name appears on the front of the card.PhysicalRegulatedPCIMay 9, 2026
Store cardMWEcandidateMay 9, 2026
Store-and-ForwardnounStore-and-Forward is a method of switching where the entire packet is read by a switch to determine if it is intact before forwarding it.CapabilityMay 9, 2026
Stored-value cardnounA card-based payment system that assigns a value to the card. The card's value can be stored on the card itself (i.e., on the magnetic stripe or in a computer chip) or in a network database. As the card is used for transactions, the transaction amounts are subtracted from the card's balance. As the balance approaches zero, some cards can be "reloaded" through various methods and others are designed to be discarded. These cards are often used in closed systems for specific types of purchases.PhysicalRegulatedPCIMay 9, 2026
Stored-value cardMWEcandidateMay 9, 2026
Stovepipe applicationnounStand-alone programs that may not easily integrate with other applications or systems.SystemMay 9, 2026
Stovepipe applicationMWEcandidateMay 9, 2026
Straight-Through CablenounA straight-through cable is where the pins on one side of the connector are wired to the same pins on the other end. It is used for interconnecting nodes on the network.NetworkMay 9, 2026
Straight-Through CableMWEcandidateMay 9, 2026
Straight-Through Processing (STP)nounProcessRegulatedMay 13, 2026
Straight-Through Processing (STP)MWEcandidateMay 13, 2026
strategic planningnounThe purpose of this task is to determine long-term goals and identify the best method to achieve these goals.ProcessMay 12, 2026
strategic planningMWEcandidateMay 12, 2026
Strategic Planning and Policy DevelopmentnounIn the NICE Workforce Framework, cybersecurity work where a person: Applies knowledge of priorities to define an entity.ProcessMay 9, 2026
StrawpersonnouncandidateMay 13, 2026
Stream CiphernounA stream cipher works by encrypting a message a single bit, byte, or computer word at a time.CapabilityMay 12, 2026
Stream CipherMWEcandidateMay 12, 2026
Street testsnounStreet tests are also called cross-market tests or market-wide tests that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.ProcessInternalMay 12, 2026
Street testsMWEcandidateMay 12, 2026
Strength of MechanismnounA scale for measuring the relative strength of a security mechanism.MetricMay 9, 2026
Strength of MechanismMWEcandidateMay 9, 2026
Stress TestnouncandidateMay 13, 2026
Stress TestMWEcandidateMay 13, 2026
Striped CorenounA network architecture in which user data traversing a core IP network is decrypted, filtered and re-encrypted one or more times. Note: The decryption, filtering, and re-encryption are performed within a “Red gateway”; consequently, the core is “striped” because the data path is alternately Black, Red, and Black.NetworkRegulatedCUIMay 9, 2026
Striped CoreMWEcandidateMay 9, 2026
Strong AuthenticationnounThe requirement to use multiple factors for authentication and advanced technology, such as dynamic passwords or digital certificates, to verify an entity’s identity.ControlRegulatedMay 9, 2026
Strong AuthenticationMWEcandidateMay 9, 2026
strong cryptographynounCryptographic techniques that make it almost impossible to decrypt without having the key. The strength relies on the cryptographic key used. Effective size of the key should meet the minimum key size of comparable strengths recommendations based on industry-tested and accepted algorithms and strong key lengths. Examples of industry-tested and accepted standards and algorithms for encryption include AES (128 bits and higher), TDES (minimum double-length keys), RSA (1024 bits and higher), ECC (160 bits and higher), and ElGamal (1024 bits and higher). See NIST Special Publication 800-57 (http://csrc.nist.gov/publications/) for more information.ControlRegulatedMay 12, 2026
strong cryptographyMWEcandidateMay 12, 2026
Strong Star PropertynounIn Strong Star Property, a user cannot write data to higher or lower classification levels than their own.RequirementRegulatedMay 12, 2026
Strong Star PropertyMWEcandidateMay 12, 2026
structureverborganize or arrange elements into a coherent framework or systemCreateUnclassifiedMay 11, 2026
structurenounThe manner in which elements of something complex are arranged and related.candidateMay 9, 2026
Structured DatanounDataMay 13, 2026
Structured DataMWEcandidateMay 13, 2026
studyverbdevote time and attention to gaining knowledge of a subjectRememberUnclassifiedMay 11, 2026
Sub NetworknounA separately identifiable part of a larger network that typically represents a certain limited number of host computers, the hosts in a building or geographic area, or the hosts on an individual local area network.NetworkMay 9, 2026
Sub NetworkMWEcandidateMay 9, 2026
Sub-ProcessnounProcessMay 13, 2026
SubassemblynounMajor subdivision of an assembly consisting of a package of parts, elements, and circuits that perform a specific function.PhysicalMay 9, 2026
subdivideverbdivide something that has already been divided into even smaller partsAnalyzeUnclassifiedMay 11, 2026
subjectnounAn active entity (generally an individual, process, or device) that causes information to flow among objects or changes the system state. See also Object.IdentityMay 9, 2026
Subject Security LevelnounSensitivity label(s) of the objects to which the subject has both read and write access. Security level of a subject must always be dominated by the clearance level of the user associated with the subject.IdentityRegulatedCUIMay 9, 2026
Subject Security LevelMWEcandidateMay 9, 2026
submitverbTo present a proposal, application, or document to a person or body for approval, consideration, or judgment.UnclassifiedMay 11, 2026
Subnet MasknounA subnet mask (or number) is used to determine the number of bits used for the subnet and host portions of the address. The mask is a 32-bit value that uses one-bits for the network and subnet portions and zero-bits for the host portion.NetworkMay 9, 2026
Subnet MaskMWEcandidateMay 9, 2026
Subordinate Certification AuthoritynounIn a hierarchical PKI, a Certification Authority whose certificate signature key is certified by another CA, and whose activities are constrained by that other CA.SystemRegulatedCUIMay 9, 2026
subscribeverbsign up to receive ongoing information or access to a serviceApplyUnclassifiedMay 11, 2026
subscribenounReceive or obtain regularly.ProcessMay 9, 2026
SubscribernounA party who receives a credential or token from a CSP (Credentials Service Provider) and becomes a claimant in an authentication protocol.IdentityRegulatedMay 12, 2026
substituteverbreplace one element with another that serves a similar purposeCreateUnclassifiedMay 11, 2026
Substitute check (Check 21)nounAlso known as the Image Replacement Document (IRD). A paper reproduction of an original check that (1) contains an image of the front and back of the original check; (2) bears a MICR line that, except as provided under ANS X9.100-140, contains all the information appearing on the MICR line of the original check when it was issued and any additional information that was encoded on the original check's MICR line before an image of the original check was captured; (3) conforms in paper stock, dimension, and otherwise with ANS X9.100-140; and (4) is suitable for automated processing in the same manner as the original check. The Federal Reserve Board of Governors can by rule or order determine different standards.ArtifactRegulatedPCIMay 9, 2026
Substitute check (Check 21)MWEcandidateMay 9, 2026
SubsystemnounA major subdivision or component of an information system consisting of information, information technology, and personnel that perform one or more specific functions.SystemMay 9, 2026
subtractverbremove a quantity or element from a wholeUnderstandUnclassifiedMay 11, 2026
successionnounA group of people or things arranged or following in order.ProcessMay 9, 2026
sufficiencynounHaving enough information to meet the needs of the user.RequirementMay 9, 2026
Suite AnounA specific set of classified cryptographic algorithms used for the protection of some categories of restricted mission-critical information.RequirementRegulatedCUIMay 9, 2026
Suite AMWEcandidateMay 9, 2026
Suite BnounA specific set of cryptographic algorithms suitable for protecting national security systems and information throughout the U.S. government and to support interoperability with allies and coalition partners.RequirementRegulatedCUIMay 9, 2026
Suite BMWEcandidateMay 9, 2026
summarizeverbpresent the main points or essential information in a condensed formCreateUnclassifiedMay 11, 2026
sunsetverbPrimaryMay 11, 2026
SuperencryptionnounProcess of encrypting encrypted information. Occurs when a message, encrypted off-line, is transmitted over a secured, online circuit, or when information encrypted by the originator is multiplexed onto a communications trunk, which is then bulk encrypted.ProcessRegulatedCUIMay 9, 2026
superintendentnounA high ranking police officer.RoleMay 12, 2026
Superior Certification AuthoritynounIn a hierarchical PKI, a Certification Authority who has certified the certificate signature key of another CA, and who constrains the activities of that CA.SystemRestrictedCUIMay 12, 2026
Superior Certification AuthorityMWEcandidateMay 12, 2026
SupersessionnounScheduled or unscheduled replacement of COMSEC material with a different edition.ProcessRegulatedCUIMay 9, 2026
Supervised LearningnouncandidateMay 13, 2026
Supervised LearningMWEcandidateMay 13, 2026
supervisionnounThe action of overseeing the performance or operation of a person or group.ProcessMay 9, 2026
supervisory agencynounThis role focuses on the examination or auditing of financial records of financial institutions. Any state authority that is required by law to examine or audit financial records should be assigned to this role.OrganizationRegulatedMay 9, 2026
supervisory agencyMWEcandidateMay 9, 2026
Supervisory control and data acquisitionnounA generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (delays, data integrity, etc.) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated.SystemRegulatedCUIMay 12, 2026
Supplementation Assessment ProceduresnounThe process of adding assessment procedures or assessment details to assessment procedures in order to adequately meet the organization’s risk management needs.ProcessMay 9, 2026
Supplementation Security ControlsnounThe process of adding security controls or control enhancements to a security control baseline from NIST Special Publication 800-53 or CNSS Instruction 1253 in order to adequately meet the organization’s risk management needs.ProcessInternalMay 9, 2026
Supplementation Security ControlsMWEcandidateMay 9, 2026
suppliernounProduct and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products of services provided to that organization’s Buyers.OrganizationInternalMay 9, 2026
supply chainnounA system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers.ProcessMay 12, 2026
supply chainMWEcandidateMay 12, 2026
Supply Chain AttacknounAttacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.ThreatRegulatedCUIMay 9, 2026
Supply Chain AttackMWEcandidateMay 9, 2026
supply chain risknounA risk measured by the likelihood and severity of damage if an Information Technology or Operations Technology system is compromised by a supply chain attack, and takes into account the importance of the system and the impact of compromise on organizational operations and assets, individuals, other organizations, and the Nation. Supply chain attacks may involve manipulating computing system hardware, software, or services at any point during the life cycle. Supply chain attacks are typically conducted or facilitated by individuals or organizations that have access through commercial ties, leading to stolen critical data and technology, corruption of the system/infrastructure, and/or disabling of mission-critical operations.ThreatRegulatedMay 12, 2026
supply chain riskMWEcandidateMay 12, 2026
Supply Chain Risk ManagementnounThe process of identifying, analyzing, and assessing supply chain risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.ProcessRegulatedMay 12, 2026
Supply Chain Risk ManagementMWEcandidateMay 12, 2026
supply chain risk management processnounThe implementation through controls and structures of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity.ProcessRegulatedMay 12, 2026
supply chain risk management processMWEcandidateMay 12, 2026
supportverbprovide evidence, arguments, or assistance to uphold a positionEvaluateUnclassifiedMay 11, 2026
Support Vector MachinesnouncandidateMay 13, 2026
Support Vector MachinesMWEcandidateMay 13, 2026
supposeverbassume or hypothesize something as a basis for reasoning or discussionCreateUnclassifiedMay 11, 2026
Suppression MeasurenounAction, procedure, modification, or device that reduces the level of, or inhibits the generation of, compromising emanations in an information system.ControlRegulatedCUIMay 12, 2026
Suppression MeasureMWEcandidateMay 12, 2026
surveyverbcollect data or examine broadly to gather an overview of a topicEvaluateUnclassifiedMay 11, 2026
suspicious activitynounActivities that give the idea or impression that they are of questionable, dishonest, or dangerous character or condition.EventMay 9, 2026
suspicious activityMWEcandidateMay 9, 2026
Suspicious activity report (SAR)nounReports required to be filed by the Bank Secrecy Act when a financial institution identifies or suspects fraudulent activity.ArtifactRegulatedMay 12, 2026
Suspicious activity report (SAR)MWEcandidateMay 12, 2026
SustainabilitynounThe period of time for which operations can continue at an alternate processing facility.MetricMay 12, 2026
SwitchnounA device that connects more than two LAN segments that use the same data link and network protocol.NetworkMay 9, 2026
Switched NetworknounA communications network, such as the public switched telephone network, in which any user may be connected to any other user through the use of message, circuit, or packet switching and control devices. Any network providing switched communications service.NetworkMay 9, 2026
Switched NetworkMWEcandidateMay 9, 2026
Switched virtual circuit (SVC)nounSVC is a temporary connection between workstations that is disabled after communication is complete. Refer to Permanent Virtual Circuit (PVC) for an additional communication method using circuits.NetworkMay 9, 2026
Switched virtual circuit (SVC)MWEcandidateMay 9, 2026
SwitchesnounTypically associated as a data link layer device, switches enable local area network (LAN) segments to be created and interconnected, which has the added benefit of reducing collision domains in Ethernet-based networks.NetworkMay 9, 2026
SyllabarynounList of individual letters, combination of letters, or syllables, with their equivalent code groups, used for spelling out words or proper names not present in the vocabulary of a code. A syllabary may also be a spelling table.ArtifactMay 9, 2026
Symbolic LinksnounSpecial files which point at another file.PhysicalMay 9, 2026
Symbolic LinksMWEcandidateMay 9, 2026
symmetric cryptographynounA branch of cryptography in which a cryptographic system or algorithms use the same secret key (a shared secret key).CapabilityMay 9, 2026
symmetric cryptographyMWEcandidateMay 9, 2026
Symmetric Encryption AlgorithmnounEncryption algorithms using the same secret key for encryption and decryption.CapabilityMay 9, 2026
Symmetric Encryption AlgorithmMWEcandidateMay 9, 2026
symmetric keynounA cryptographic key that is used to perform both the cryptographic operation and its inverse, for example to encrypt and decrypt, or create a message authentication code and to verify the code.CredentialRestrictedCUIMay 12, 2026
symmetric keyMWEcandidateMay 12, 2026
Symmetric key encryptionnounSystem in which a different key (or set of keys) is used by each pair of trading partners to ensure that no one else can read their messages. The same key is used for encryption and decryption. See also Private Key Cryptosystem.ControlMay 9, 2026
Symmetric key encryptionMWEcandidateMay 9, 2026
SYN FloodnounA denial of service attack that sends a host more TCP SYN packets (request to synchronize sequence numbers, used when opening a connection) than the protocol implementation can handle.ThreatMay 12, 2026
SYN FloodMWEcandidateMay 12, 2026
SynchronizationnounSynchronization is the signal made up of a distinctive pattern of bits that network hardware looks for to signal the start of a frame.NetworkMay 9, 2026
Synchronous Crypto-OperationnounEncryption algorithms using the same secret key for encryption and decryption.CapabilityRegulatedMay 12, 2026
Synchronous Crypto-OperationMWEcandidateMay 12, 2026
Synchronous data replicationnounA process for copying data from one source to another in which an acknowledgement of the receipt of data at the copy location is required for application processing to continue. Consequently, the content of databases stored in alternate facilities is identical to those at the original storage site, and copies of data contain current information at the time of a disruption in processing.ProcessRegulatedMay 12, 2026
Synchronous data replicationMWEcandidateMay 12, 2026
Synchronous Optical NETwork (SONET)nounSONET is a standard for telecommunications transmissions over fiber optic cables. SONET is self-healing so that if a break occurs in the lines, it can use a back-up redundant ring to ensure that the transmission continues. SONET networks can transmit voice and data over optical networks.NetworkMay 12, 2026
Synchronous Optical NETwork (SONET)MWEcandidateMay 12, 2026
synthesizeverbcombine multiple elements, ideas, or sources into a coherent new wholeCreateUnclassifiedMay 11, 2026
SyslognounSyslog is the system logging facility for Unix systems.CapabilityMay 12, 2026
systemnounAny organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions.SystemMay 9, 2026
System AdministrationnounThe process of maintaining, configuring, and operating computer systems.ProcessMay 12, 2026
System AdministrationMWEcandidateMay 12, 2026
System AdministratornounIndividual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.RoleMay 9, 2026
System AdministratorMWEcandidateMay 9, 2026
system and network monitoringnounSystem and Network Monitoring supports all activities related to the real-time monitoring of systems and networks for optimal performance. System and network monitoring describes the use of tools and observation to determine the performance and status of information systems and is closely tied to other Information and Technology Management sub-functions.CapabilityMay 9, 2026
system and network monitoringMWEcandidateMay 9, 2026
System AssetsnounAny software, hardware, data, administrative, physical, communications, or personnel resource within an information system.SystemMay 9, 2026
System AssetsMWEcandidateMay 9, 2026
system configurationnounThe setting of various switches and jumpers for hardware and the defining of values of parameters for software.DataMay 12, 2026
system configurationMWEcandidateMay 12, 2026
system developmentnounThe process of designing and producing a system.ProcessMay 12, 2026
system developmentMWEcandidateMay 12, 2026
System Development Life CyclenounThe scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.ProcessMay 12, 2026
System Development Life CycleMWEcandidateMay 12, 2026
System Development MethodologiesnounMethodologies developed through software engineering to manage the complexity of system development. Development methodologies include software engineering aids and high-level design analysis tools.ProcessMay 12, 2026
System Development MethodologiesMWEcandidateMay 12, 2026
system development methodologynounMethodologies developed through software engineering to manage the complexity of system development. Development methodologies include software engineering aids and high-level design analysis tools.ProcessMay 9, 2026
system development methodologyMWEcandidateMay 9, 2026
system documentationnounDetailed information about a computer system: its architecture, design, data flow, and programming logic.ArtifactInternalIPMay 9, 2026
system documentationMWEcandidateMay 9, 2026
System hardeningnounConfiguring all configurable items within an entire system to reduce the host’s security weaknesses.ProcessRegulatedMay 12, 2026
System hardeningMWEcandidateMay 12, 2026
System HighnounHighest security level supported by an information system.RequirementRegulatedMay 9, 2026
System HighMWEcandidateMay 9, 2026
System High ModenounInformation systems security mode of operation wherein each user, with direct or indirect access to the information system, its peripherals, remote terminals, or remote hosts, has all of the following: a. valid security clearance for all information within an information system; b. formal access approval and signed nondisclosure agreements for all the information stored and/or processed (including all compartments, subcompartments and/or special access programs); and c. valid need-to-know for some of the information contained within the information system.ProcessRegulatedCUIMay 9, 2026
System High ModeMWEcandidateMay 9, 2026
system implementationnounThe process of putting a planned system into action; the stage of systems development in which hardware and software are acquired, developed and installed, the system is tested and documented, people are trained to operate and use the system, and an organization converts to the use of a newly developed system.ProcessMay 9, 2026
system implementationMWEcandidateMay 9, 2026
System IndicatornounSymbol or group of symbols in an off-line encrypted message identifying the specific cryptosystem or key used in the encryption.DataRegulatedCUIMay 9, 2026
System IndicatorMWEcandidateMay 9, 2026
system integritynounThe quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.RequirementMay 9, 2026
system integrityMWEcandidateMay 9, 2026
System InterconnectionnounThe direct connection of two or more IT systems for the purpose of sharing data and other information resources.NetworkRegulatedMay 12, 2026
System InterconnectionMWEcandidateMay 12, 2026
System LownounLowest security level supported by an information system.SystemMay 12, 2026
System LowMWEcandidateMay 12, 2026
System Of RecordsnounA group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.DataRegulatedPIIMay 9, 2026
System Of RecordsMWEcandidateMay 9, 2026
System of SystemsnouncandidateMay 13, 2026
System of SystemsMWEcandidateMay 13, 2026
system operationnounThe day to day processes of using a system according to its design and development criteria.ProcessMay 9, 2026
system operationMWEcandidateMay 9, 2026
System OwnernounPerson or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system.RoleMay 9, 2026
System OwnerMWEcandidateMay 9, 2026
System ProfilenounDetailed security description of the physical structure, equipment component, location, relationships, and general operating environment of an information system.ArtifactRegulatedCUIMay 9, 2026
System ProfileMWEcandidateMay 9, 2026
System resourcesnounSystemMay 8, 2026
System resourcesMWEcandidateMay 8, 2026
system securitynounCapabilityRegulatedCUIMay 8, 2026
system securityMWEcandidateMay 8, 2026
System Security OfficernounRoleMay 8, 2026
System Security OfficerMWEcandidateMay 8, 2026
System Security PlannounArtifactRegulatedCUIMay 8, 2026
System Security PlanMWEcandidateMay 8, 2026
System SoftwarenounSystemRegulatedMay 8, 2026
System SoftwareMWEcandidateMay 8, 2026
System-Specific PolicynounRequirementMay 8, 2026
System-Specific PolicyMWEcandidateMay 8, 2026
System-Specific Security ControlnounControlMay 8, 2026
System-Specific Security ControlMWEcandidateMay 8, 2026
Systemic BiasnouncandidateMay 13, 2026
Systemic BiasMWEcandidateMay 13, 2026
Systems DevelopmentnounProcessMay 12, 2026
Systems DevelopmentMWEcandidateMay 12, 2026
Systems Requirements PlanningnounProcessMay 12, 2026
Systems Requirements PlanningMWEcandidateMay 12, 2026
Systems Security AnalysisnounProcessMay 8, 2026
Systems Security AnalysisMWEcandidateMay 8, 2026
Systems Security ArchitecturenounProcessMay 12, 2026
Systems Security ArchitectureMWEcandidateMay 12, 2026
T-1 linenounNetworkMay 12, 2026
T-1 lineMWEcandidateMay 12, 2026
T1nounNetworkMay 12, 2026
tabletop exercisenounProcessMay 8, 2026
tabletop exerciseMWEcandidateMay 8, 2026
tabulateverbarrange data or information in a table format for clear presentationCreateUnclassifiedMay 11, 2026
Tactical DatanounDataRestrictedCUIMay 8, 2026
Tactical DataMWEcandidateMay 8, 2026
Tactical EdgenounOrganizationRegulatedCDIMay 8, 2026
Tactical EdgeMWEcandidateMay 8, 2026
Tactical plannounProcessMay 12, 2026
Tactical planMWEcandidateMay 12, 2026
tagverbassign labels or keywords to content for organization and retrievalUnderstandUnclassifiedMay 11, 2026
tailornounRoleMay 12, 2026
Tailored Security Control BaselineMWEcandidateMay 8, 2026
tailored trustworthy spacenounSystemMay 8, 2026
tailored trustworthy spaceMWEcandidateMay 8, 2026
TailoringnounProcessMay 12, 2026
Tailoring Assessment ProcedurenounRequirementMay 8, 2026
Tailoring Assessment ProcedureMWEcandidateMay 8, 2026
take actionverbTo do something official in order to achieve an objective or handle a problem.UnclassifiedMay 11, 2026
take actionMWEcandidateMay 11, 2026
take part inverbactively participate in an activity, process, or investigationAnalyzeUnclassifiedMay 11, 2026
take part inMWEverifiedMay 11, 2026
tamperverbTo deliberately alter a system's logic, data, or control information to cause the system to perform unauthorized functions or services.RememberUnclassifiedMay 11, 2026
TamperingnounThreatMay 8, 2026
Tangible assetnounPhysicalMay 8, 2026
Tangible assetMWEcandidateMay 8, 2026
TargetnounThreatMay 8, 2026
Target Of EvaluationnounSystemMay 8, 2026
Target Of EvaluationMWEcandidateMay 8, 2026
TasknouncandidateMay 13, 2026
taxonomynounFrameworkMay 8, 2026
TCP FingerprintingnounNetworkMay 8, 2026
TCP FingerprintingMWEcandidateMay 8, 2026
TCP Full Open ScannounNetworkMay 8, 2026
TCP Full Open ScanMWEcandidateMay 8, 2026
TCP Half Open ScannounNetworkMay 8, 2026
TCP Half Open ScanMWEcandidateMay 8, 2026
TCP WrappernounNetworkMay 8, 2026
TCP WrapperMWEcandidateMay 8, 2026
TCP/IPnounNetworkMay 8, 2026
TCPDumpnounCapabilityMay 12, 2026
teachverbinstruct others by explaining concepts and demonstrating skillsApplyUnclassifiedMay 11, 2026
Technical ControlsnounControlMay 8, 2026
Technical ControlsMWEcandidateMay 8, 2026
Technical Non-repudiationnounCapabilityMay 8, 2026
Technical Non-repudiationMWEcandidateMay 8, 2026
Technical Reference ModelnounFrameworkMay 8, 2026
Technical Reference ModelMWEcandidateMay 8, 2026
Technical Security ControlsnounControlRegulatedMay 12, 2026
Technical Security ControlsMWEcandidateMay 12, 2026
technical security solutionnounCapabilityMay 8, 2026
technical security solutionMWEcandidateMay 8, 2026
Technical Vulnerability InformationnounVulnerabilityRestrictedCUIMay 12, 2026
Technical Vulnerability InformationMWEcandidateMay 12, 2026
TechnochauvinismnouncandidateMay 13, 2026
technologynounSystemMay 8, 2026
Technology Research and DevelopmentnounProcessIPMay 12, 2026
Technology Research and DevelopmentMWEcandidateMay 12, 2026
technology service providernounOrganizationRegulatedMay 12, 2026
technology service providerMWEcandidateMay 12, 2026
telecommunicationnounNetworkMay 12, 2026
TeleworknounProcessMay 8, 2026
tellverbcommunicate information verbally or in writingUnderstandUnclassifiedMay 11, 2026
TelnetnounNetworkMay 8, 2026
TempestnounCapabilityRegulatedCUIMay 8, 2026
TEMPEST TestnounProcessRegulatedCUIMay 8, 2026
TEMPEST TestMWEcandidateMay 8, 2026
TEMPEST ZonenounDesignated area within a facility where equipment with appropriate TEMPEST characteristics (TEMPEST zone assignment) may be operated.PhysicalRegulatedCUIMay 9, 2026
TEMPEST ZoneMWEcandidateMay 9, 2026
terminalnounAn input or output device that operates independently of the system to which it is linked.PhysicalMay 9, 2026
Terminal servicesnounA component of Microsoft Windows operating systems (both client and server versions) that allows a user to access applications or data stored on a remote computer over a network connection.SystemRestrictedMay 12, 2026
Terminal servicesMWEcandidateMay 12, 2026
terminateverbTo bring to an end; form a conclusion; close.UnclassifiedMay 11, 2026
terminationnounA coming to an end of a contract period.ProcessMay 12, 2026
termination actionnounAny action which terminates or brings something to an end.ProcessRegulatedCUIMay 12, 2026
termination actionMWEcandidateMay 12, 2026
testverbconduct a procedure to evaluate performance, quality, or validityCreateUnclassifiedMay 11, 2026
testnounA type of assessment method that is characterized by the process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior, the results of which are used to support the determination of security control effectiveness over time.ProcessMay 9, 2026
Test and EvaluationnounIn the NICE Workforce Framework, cybersecurity work where a person: Develops and conducts tests of systems to evaluate compliance with specifications and requirements by applying principles and methods for cost-effective planning, evaluating, verifying, and validating of technical, functional, and performance characteristics (including interoperability) of systems or elements of systems incorporating information technology.ProcessMay 9, 2026
Test and EvaluationMWEcandidateMay 9, 2026
Test assumptionsnounThe concepts underlying an institution's test strategies and plans.ProcessMay 12, 2026
Test assumptionsMWEcandidateMay 12, 2026
test environmentnounA controlled environment in which tests will be run on configuration items, builds, processes, IT services, etc.SystemMay 12, 2026
test environmentMWEcandidateMay 12, 2026
test forverbexamine or investigate to determine the presence or nature of somethingAnalyzeUnclassifiedMay 11, 2026
test forMWEverifiedMay 11, 2026
Test KeynounKey intended for testing of COMSEC equipment or systems.CredentialRegulatedCUIMay 9, 2026
Test KeyMWEcandidateMay 9, 2026
Test plannounA document that is based on the institution's test scope and objectives and includes various testing methods.ArtifactInternalMay 12, 2026
Test planMWEcandidateMay 12, 2026
test resultnounA formal document defining the subject of the test, the test plan, approach, analysis tools, and conclusions found during the testing process.ArtifactRegulatedMay 12, 2026
test resultMWEcandidateMay 12, 2026
Test scenarionounA potential event, identified as the operating environment for a business continuity or disaster recovery test, which the institution's recovery and resumption plan must address.ArtifactInternalMay 12, 2026
Test scenarioMWEcandidateMay 12, 2026
Test scriptsnounDocuments that define the specific activities, tasks, and steps that test participants will conduct during the testing process.ArtifactMay 12, 2026
Test scriptsMWEcandidateMay 12, 2026
Test strategynounTesting strategies establish expectations for individual business lines across the testing life cycle of planning, execution, measurement, reporting, and test process improvement. Testing strategies include the testing scope and objectives, which clearly define what functions, systems, or processes are going to be tested and what will constitute a successful test.ProcessInternalMay 12, 2026
Test strategyMWEcandidateMay 12, 2026
themeverbidentify the central topic, message, or unifying ideaAnalyzeUnclassifiedMay 11, 2026
theorizeverbdevelop or propose a theory based on evidence and reasoningAnalyzeUnclassifiedMay 11, 2026
theoryverbdevelop or describe an explanatory framework based on evidenceCreateUnclassifiedMay 11, 2026
third partynounA person or group besides the two primarily involved in a situation, agreement, business, etc.IdentityRegulatedMay 13, 2026
third partyMWEcandidateMay 13, 2026
third party and supply chain managementnounSupply chain management is the oversight of materials, information, and finances as they move in a process from supplier to manufacturer to wholesaler to retailer to consumer. Supply chain management involves coordinating and integrating these flows both within and among companies, i.e., Third Parties. Third party management is the process whereby companies monitor and manage interactions with all external parties with which they have a relationship.ProcessRegulatedMay 9, 2026
third party contractnounMeans a contract or purchase order awarded by the Recipient or subrecipient to a vendor or contractor.RequirementConfidentialMay 9, 2026
third party contractMWEcandidateMay 9, 2026
third party dependencynounA third party that may have no interest in an organization's project or operations, but can have an impact on them.RequirementRegulatedMay 12, 2026
third party dependencyMWEcandidateMay 12, 2026
third party managementnounAn arrangement where a company will assume the day-to-day management of a property or package of properties it does not own for another company or institution in return for a fee.ProcessRegulatedMay 9, 2026
third party managementMWEcandidateMay 9, 2026
third party management policynounThe guidelines and rules on how an organization should direct and supervise business activities and relations with a third party.RequirementRegulatedMay 12, 2026
third party management policyMWEcandidateMay 12, 2026
third party risk assessmentnounThe process of identifying and determining the risk associated with a specific third party.ProcessInternalMay 12, 2026
third party risk assessmentMWEcandidateMay 12, 2026
Third Party Service ProvidernounAs defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, a service provider is a business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. There are many types of businesses that could fall into the category of “service provider,” dependent on the services provided. Most commonly, a TPSP could be a legally separate entity; but it can also be a separate business unit or component of the entity under assessment—for example, an internal service provider—where the provider is outside the direct management control of the entity assessed.OrganizationRegulatedPCIMay 9, 2026
Third Party Service ProviderMWEcandidateMay 9, 2026
Third Party Service Provider ListnounThis record contains lists of all third party service providers and their contacts within each organization.ArtifactInternalMay 12, 2026
Third Party Service Provider ListMWEcandidateMay 12, 2026
Third-party relationshipnounAny business arrangement between a financial institution and another entity, by contract or otherwise.ProcessRegulatedMay 12, 2026
Third-party relationshipMWEcandidateMay 12, 2026
Third-party sendernounA special subset of a technology service provider that is authorized to transmit ACH files on behalf of an originator. Typically, the ODFI must rely upon warranties by the third-party sender regarding the originators' identity and credit worthiness, which places additional risks on the ODFI.IdentityRegulatedMay 12, 2026
Third-party senderMWEcandidateMay 12, 2026
Third-party service provider (ACH)nounA third party, other than the ODFI or RDFI, that performs any function on behalf of the ODFI or the RDFI related to ACH processing. These functions would include the creation and sending of ACH files or acting as a sending or receiving point on behalf of a participating depository financial institution.OrganizationRegulatedPCIMay 12, 2026
Third-party service provider (ACH)MWEcandidateMay 12, 2026
thoroughnessnounConscientiousness in performing all aspects of a task.MetricMay 12, 2026
threatnounAny circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.ThreatMay 12, 2026
Threat agentnounMethods and things used to exploit a vulnerability. Scope Note: Examples include determination, capability, motive and resources.ThreatMay 9, 2026
Threat agentMWEcandidateMay 9, 2026
Threat analysisnounThe examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.ProcessMay 9, 2026
Threat analysisMWEcandidateMay 9, 2026
Threat and Vulnerability Management processnounA process that includes vulnerability assessments, vulnerability scanning, and penetration testing. Also included in the process is the cataloging of the assets that are in scope, assigning value and importance to those resources, and mitigating or eliminating any vulnerabilities discovered during the process.VulnerabilityRestrictedMay 12, 2026
threat assessmentnounProcess of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.ProcessMay 9, 2026
threat assessmentMWEcandidateMay 9, 2026
Threat eventnounAn event or situation that has the potential for causing undesirable consequences or impact.EventMay 9, 2026
Threat eventMWEcandidateMay 9, 2026
threat informationnounInformation about a potential source of danger or undesirable event.ThreatInternalMay 12, 2026
threat informationMWEcandidateMay 12, 2026
threat information sharingnounThe act of providing threat information between two or more parties for the mutual benefit of using such information to mitigate risks.ProcessInternalMay 12, 2026
threat information sharingMWEcandidateMay 12, 2026
Threat intelligencenounThe acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision-making.CapabilityMay 9, 2026
Threat intelligenceMWEcandidateMay 9, 2026
threat intelligence servicenounA service that provides threat intelligence so that organizations can mitigate threats and remediate vulnerabilities.CapabilityMay 12, 2026
threat intelligence serviceMWEcandidateMay 12, 2026
Threat ModelnounA threat model is used to describe a given threat and the harm it could do to a system if it has a vulnerability.ArtifactMay 12, 2026
Threat ModelMWEcandidateMay 12, 2026
Threat MonitoringnounAnalysis, assessment, and review of audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security.CapabilityMay 9, 2026
Threat MonitoringMWEcandidateMay 9, 2026
threat monitoring processnounA particular series of actions or steps to analyze, assess and review audit trails and other information collected for the purpose of searching out system events that may constitute violations of system security.ProcessInternalMay 9, 2026
threat monitoring processMWEcandidateMay 9, 2026
Threat ScenarionounA set of discrete threat events, associated with a specific threat source or multiple threat sources, partially ordered in time.ThreatMay 9, 2026
Threat ScenarioMWEcandidateMay 9, 2026
Threat ShiftingnounResponse from adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which the adversaries change some characteristic of their intent to do harm in order to avoid and/or overcome those safeguards/countermeasures.ThreatMay 9, 2026
Threat ShiftingMWEcandidateMay 9, 2026
Threat SourcenounThe intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with Threat Agent.ThreatMay 9, 2026
Threat SourceMWEcandidateMay 9, 2026
Threat vectornounThe path or route used by the adversary to gain access to the target.ThreatMay 9, 2026
Threat vectorMWEcandidateMay 9, 2026
threenounThe Roman numeral of the cardinal number three.candidateMay 12, 2026
Three Lines of DefensenouncandidateMay 13, 2026
Three Lines of DefenseMWEcandidateMay 13, 2026
thresholdnounThe level which must be exceeded in order for a certain reaction, phenomenon, result, or condition to occur or be manifested.MetricMay 9, 2026
ticketnounIn access control, data that authenticates the identity of a client or a service and, together with a temporary encryption key (a session key), forms a credential.ArtifactRestrictedMay 9, 2026
Time BombnounResident computer program that triggers an unauthorized act at a predefined time.ThreatMay 9, 2026
Time BombMWEcandidateMay 9, 2026
time framenounA specified period of time for something to be done or take place.RequirementRegulatedMay 9, 2026
time frameMWEcandidateMay 9, 2026
time periodnounA span of time.MetricMay 12, 2026
time periodMWEcandidateMay 12, 2026
Time to LivenounA value in an Internet Protocol packet that tells a network router whether or not the packet has been in the network too long and should be discarded.NetworkMay 9, 2026
Time to LiveMWEcandidateMay 9, 2026
Time-Compliance DatenounDate by which a mandatory modification to a COMSEC end-item must be incorporated if the item is to remain approved for operational use.RequirementRegulatedCUIMay 9, 2026
Time-Compliance DateMWEcandidateMay 9, 2026
Time-Dependent PasswordnounPassword that is valid only at a certain time of day or during a specified interval of time.CredentialMay 9, 2026
Time-Dependent PasswordMWEcandidateMay 9, 2026
TimelinesnounChronological graphs where events related to an incident can be mapped to look for relationships in complex cases. Scope Note: Timelines can provide simplified visualization for presentation to management and other non-technical audiences.ArtifactMay 12, 2026
timelinessnounPublic and private parties, nationally and internationally, should act in a timely, coordinated manner to prevent and respond to breaches of security of information systems.RequirementRegulatedMay 12, 2026
timely mannernounAs quickly as is reasonable in a particular situation.RequirementMay 9, 2026
timely mannerMWEcandidateMay 9, 2026
Tiny Fragment AttacknounWith many IP implementations it is possible to impose an unusually small fragment size on outgoing packets. If the fragment size is made small enough to force some of a TCP packet's TCP header fields into the second fragment, filter rules that specify patterns for those fields will not match. If the filtering implementation does not enforce a minimum fragment size, a disallowed packet might be passed because it didn't hit a match in the filter. STD 5, RFC 791 states: Every Internet module must be able to forward a datagram of 68 octets without further fragmentation. This is because an Internet header may be up to 60 octets, and the minimum fragment is 8 octets.ThreatMay 9, 2026
Tiny Fragment AttackMWEcandidateMay 9, 2026
to the extent thatnounEvery time that.candidateMay 12, 2026
to the extent thatMWEcandidateMay 12, 2026
TOE Security FunctionsnounSet consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TOE Security Policy (TSP).CapabilityRegulatedCUIMay 9, 2026
TOE Security FunctionsMWEcandidateMay 9, 2026
TOE Security PolicynounSet of rules that regulate how assets are managed, protected, and distributed within the TOE.RequirementMay 9, 2026
TOE Security PolicyMWEcandidateMay 9, 2026
TokennounSomething that the claimant possesses and controls (such as a key or password) that is used to authenticate a claim. See also Cryptographic Token.CredentialMay 9, 2026
Token RingnounA token ring network is a local area network in which all computers are connected in a ring or star topology and a binary digit or token-passing scheme is used in order to prevent the collision of data between two computers that want to send messages at the same time.CredentialMay 9, 2026
Token RingMWEcandidateMay 9, 2026
Token-Based Access ControlnounToken based access control associates a list of objects and their privileges with each user. (The opposite of list based.)CredentialMay 9, 2026
Token-Based Access ControlMWEcandidateMay 9, 2026
Token-Based DevicesnounA token-based device is triggered by the time of day, so every minute the password changes, requiring the user to have the token with them when they log in.CredentialMay 9, 2026
Token-Based DevicesMWEcandidateMay 9, 2026
TopologynounSee "Network diagram".NetworkMay 9, 2026
Total cost of ownershipnounIncludes the original cost of the computer plus the cost of: software, hardware and software upgrades, maintenance, technical support, training, and certain activities performed by users.MetricMay 12, 2026
Total cost of ownershipMWEcandidateMay 12, 2026
Total cost of ownership (TCO)nounThe true cost of ownership of a computer or other technology system that includes original cost of the computer and software, hardware and software upgrades, maintenance, technical support, and training.MetricMay 12, 2026
Total cost of ownership (TCO)MWEcandidateMay 12, 2026
Total RisknounThe potential for the occurrence of an adverse event if no mitigating action is taken (i.e., the potential for any applicable threat to exploit a system vulnerability).MetricMay 12, 2026
Total RiskMWEcandidateMay 12, 2026
traceverbfollow the course, development, or history of somethingRememberUnclassifiedMay 11, 2026
TraceabilitynouncandidateMay 13, 2026
TraceroutenounTraceroute is a tool that maps the route a packet takes from the local machine to a remote destination.CapabilityMay 12, 2026
tracknounFollow the course, trail, or progress of.ProcessMay 9, 2026
Tracking CookienounA cookie placed on a user’s computer to track the user’s activity on different Web sites, creating a detailed profile of the user’s behavior.DataRegulatedPIIMay 9, 2026
Tracking CookieMWEcandidateMay 9, 2026
Tradecraft IdentitynounAn identity used for the purpose of work-related interactions that may or may not be synonymous with an individual’s true identity.IdentityRestrictedCUIMay 9, 2026
Tradecraft IdentityMWEcandidateMay 9, 2026
Traditional INFOSEC ProgramnounProgram in which NSA acts as the central procurement agency for the development and, in some cases, the production of INFOSEC items. This includes the Authorized Vendor Program. Modifications to the INFOSEC end-items used in products developed and/or produced under these programs must be approved by NSA.ProcessRegulatedCUIMay 9, 2026
Traditional INFOSEC ProgramMWEcandidateMay 9, 2026
Traffic AnalysisnounThe analysis of patterns in communications for the purpose of gaining intelligence about a system or its users. It does not require examination of the content of the communications, which may or may not be decipherable. For example, an adversary may be able to detect a signal from a reader that could enable it to infer that a particular activity is occurring (e.g., a shipment has arrived, someone is entering a facility) without necessarily learning an identifier or associated data.ThreatMay 12, 2026
Traffic AnalysisMWEcandidateMay 12, 2026
Traffic Encryption KeynounKey used to encrypt plain text or to superencrypt previously encrypted text and/or to decrypt cipher text.CredentialRestrictedCUIMay 12, 2026
Traffic Encryption KeyMWEcandidateMay 12, 2026
traffic light protocolnounA set of designations employing four colors (RED, AMBER, GREEN, and WHITE) used to ensure that sensitive information is shared with the correct audience.ControlMay 9, 2026
traffic light protocolMWEcandidateMay 9, 2026
Traffic PaddingnounGeneration of mock communications or data units to disguise the amount of real data units being sent.ControlMay 9, 2026
Traffic PaddingMWEcandidateMay 9, 2026
Traffic-Flow SecuritynounTechniques to counter Traffic Analysis.ControlMay 12, 2026
Traffic-Flow SecurityMWEcandidateMay 12, 2026
trainverbteach or develop skills through instruction and practiceAnalyzeUnclassifiedMay 11, 2026
trainnounTo teach a person or animal a particular skill or type of behavior through sustained practice and instruction.ProcessMay 12, 2026
trainingnounOrganized activity aimed at imparting information and/or instructions to improve the recipient's performance or to help him or her attain a required level of knowledge or skill.ProcessRegulatedMay 12, 2026
Training AssessmentnounAn evaluation of the training efforts.ArtifactMay 9, 2026
Training AssessmentMWEcandidateMay 9, 2026
Training DatanounDataMay 13, 2026
Training DataMWEcandidateMay 13, 2026
Training EffectivenessnounA measurement of what a given student has learned from a specific course or training event.MetricMay 9, 2026
Training EffectivenessMWEcandidateMay 9, 2026
Training Effectiveness EvaluationnounInformation collected to assist employees and their supervisors in assessing individual students’ subsequent on-the-job performance, to provide trend data to assist trainers in improving both learning and teaching, and to be used in return-on-investment statistics to enable responsible officials to allocate limited resources in a thoughtful, strategic manner among the spectrum of IT security awareness, security literacy, training, and education options for optimal results among the workforce as a whole.MetricInternalPIIMay 12, 2026
Training Effectiveness EvaluationMWEcandidateMay 12, 2026
training materialnounPrinted or recorded information used in a training program.ArtifactRegulatedMay 12, 2026
training materialMWEcandidateMay 12, 2026
TranquilitynounProperty whereby the security level of an object cannot change while the object is being processed by an information system.ControlMay 9, 2026
transactionnounIn Computing: data and operations related to a specific task that must be processed completely or rejected.DataMay 9, 2026
transaction filenounA group of one or more computerized records containing current business activity and processed with an associated master file. Transaction files are sometimes accumulated during the day and processed in batch production overnight or during off-peak processing periods.DataRegulatedMay 12, 2026
transaction fileMWEcandidateMay 12, 2026
Transaction testingnounA testing activity designed to validate the continuity of business transactions and the replication of associated data.ProcessMay 12, 2026
Transaction testingMWEcandidateMay 12, 2026
transcribeverbconvert spoken, written, or coded information into another formCreateUnclassifiedMay 11, 2026
transferverbapply knowledge or skills learned in one context to a new situationApplyUnclassifiedMay 11, 2026
Transfer LearningnouncandidateMay 13, 2026
Transfer LearningMWEcandidateMay 13, 2026
transformverbchange something significantly in form, structure, or characterAnalyzeUnclassifiedMay 11, 2026
TransformernouncandidateMay 13, 2026
transient cyber assetnounA Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA), and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an ESP, or a PCA. Examples include, but are not limited to, Cyber Assets used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.SystemRegulatedCUIMay 9, 2026
transient cyber assetMWEcandidateMay 9, 2026
transitverbA carrying of people or things from one place to another.RememberUnclassifiedMay 11, 2026
translateverbconvert information from one language, form, or representation to anotherCreateUnclassifiedMay 11, 2026
TransmissionnounThe state that exists when information is being electronically sent from one location to one or more other locations.NetworkMay 9, 2026
Transmission Control ProtocolnounA connection-based Internet protocol that supports reliable data transfer connections. Scope Note: Packet data are verified using checksums and retransmitted if they are missing or corrupted. The application plays no part in validating the transfer.NetworkMay 9, 2026
Transmission Control ProtocolMWEcandidateMay 9, 2026
Transmission Control Protocol/Internet ProtocolnounProvides the basis for the Internet; a set of communication protocols that encompass media access, packet transport, session communication, file transfer, electronic mail (e-mail), terminal emulation, remote file access and network managementNetworkMay 12, 2026
Transmission control protocol/Internet protocol (TCP/IP)nounA communication standard for transmitting data packets from one computer to another. TCP/IP is used on the Internet and other networks. The two parts of TCP/IP are TCP, which deals with constructions of data packets, and IP, which routes them from machine to machine.NetworkMay 9, 2026
transmission equipmentnounAny instruments required to electronically transfer data over a network.PhysicalRegulatedMay 9, 2026
transmission equipmentMWEcandidateMay 9, 2026
Transmission SecuritynounMeasures (security controls) applied to transmissions in order to prevent interception, disruption of reception, communications deception, and/or derivation of intelligence by analysis of transmission characteristics such as signal parameters or message externals. Note: TRANSEC is that field of COMSEC which deals with the security of communication transmissions, rather than that of the information being communicated.ControlRegulatedCUIMay 9, 2026
Transmission SecurityMWEcandidateMay 9, 2026
transmitverbTo send or cause something to pass on from one place or person to another.UnclassifiedMay 11, 2026
TransparencynouncandidateMay 13, 2026
Transport Layer SecuritynounAn authentication and security protocol widely implemented in browsers and Web servers.NetworkMay 9, 2026
Transport Layer SecurityMWEcandidateMay 9, 2026
Trap Doornoun1. A means of reading cryptographically protected information by the use of private knowledge of weaknesses in the cryptographic algorithm used to protect the data. 2. In cryptography, one-to-one function that is easy to compute in one direction, yet believed to be difficult to invert without special information.VulnerabilityRegulatedCUIMay 12, 2026
Trap DoorMWEcandidateMay 12, 2026
trendnounThe general direction in which something is developing or moving.MetricMay 12, 2026
triggerverbTo cause a process to happen or a mechanism to take place.UnclassifiedMay 11, 2026
Triple DESnounAn implementation of the Data Encryption Standard (DES) algorithm that uses three passes of the DES algorithm instead of one as used in ordinary DES applications. Triple DES provides much stronger encryption than ordinary DES but it is less secure than AES.ControlMay 9, 2026
Triple DESMWEcandidateMay 9, 2026
Triple-WrappednounS/MIME usage: data that has been signed with a digital signature, and then encrypted, and then signed again.DataRegulatedMay 12, 2026
Trojan horsenounA computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.ThreatMay 9, 2026
Trojan horseMWEcandidateMay 9, 2026
troubleshootverbidentify and resolve operational problemsAnalyzePrimaryMay 11, 2026
True NegativenouncandidateMay 13, 2026
True NegativeMWEcandidateMay 13, 2026
True PositivenouncandidateMay 13, 2026
True PositiveMWEcandidateMay 13, 2026
Truncating bank (Check 21)nounThe financial institution that truncates the original check. If a person other than a financial institution truncates the original check, the truncating bank is the first financial institution that transfers, presents, or returns, in lieu of such original check, a substitute check or, by agreement with the recipient, information relating to the original check (including data taken from the MICR line of the original check or an electronic image of the original check), whether with or without the subsequent delivery of the original check.OrganizationRegulatedPCIMay 9, 2026
Truncating bank (Check 21)MWEcandidateMay 9, 2026
TrunkingnounTrunking is connecting switches together so that they can share VLAN information between them.NetworkMay 12, 2026
TrustnounTrust determines which permissions and what actions other systems or users can perform on remote machines.ControlMay 9, 2026
Trust AnchornounAn established point of trust (usually based on the authority of some person, office, or organization) from which an entity begins the validation of an authorized process or authorized (signed) package. A "trust anchor" is sometimes defined as just a public key used for different purposes (e.g., validating a Certification Authority, validating a signed software package or key, validating the process [or person] loading the signed software or key).CredentialRestrictedMay 12, 2026
Trust AnchorMWEcandidateMay 12, 2026
Trust ListnounThe collection of trusted certificates used by Relying Parties to authenticate other certificates.ArtifactRegulatedMay 9, 2026
Trust ListMWEcandidateMay 9, 2026
Trusted AgentnounEntity authorized to act as a representative of an agency in confirming Subscriber identification during the registration process. Trusted Agents do not have automated interfaces with Certification Authorities.RoleRestrictedCUIMay 9, 2026
Trusted AgentMWEcandidateMay 9, 2026
Trusted CertificatenounA certificate that is trusted by the Relying Party on the basis of secure and authenticated delivery. The public keys included in trusted certificates are used to start certification paths. Also known as a "trust anchor."CredentialMay 9, 2026
Trusted CertificateMWEcandidateMay 9, 2026
Trusted ChannelnounA channel where the endpoints are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include SSL, IPSEC, and secure physical connection.NetworkMay 9, 2026
Trusted ChannelMWEcandidateMay 9, 2026
Trusted Computer SystemnounA system that employs sufficient hardware and software assurance measures to allow its use for processing simultaneously a range of sensitive or classified information.SystemRegulatedCUIMay 9, 2026
Trusted Computer SystemMWEcandidateMay 9, 2026
Trusted Computing BasenounTotality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination responsible for enforcing a security policy.SystemMay 9, 2026
Trusted Computing BaseMWEcandidateMay 9, 2026
Trusted DistributionnounMethod for distributing trusted computing base (TCB) hardware, software, and firmware components that protects the TCB from modification during distribution.ProcessRegulatedCUIMay 9, 2026
Trusted DistributionMWEcandidateMay 9, 2026
Trusted FoundrynounFacility that produces integrated circuits with a higher level of integrity assurance.PhysicalRegulatedCDIMay 9, 2026
Trusted FoundryMWEcandidateMay 9, 2026
Trusted Identification ForwardingnounIdentification method used in information system networks whereby the sending host can verify an authorized user on its system is attempting a connection to another host. The sending host transmits the required user authentication information to the receiving host.ControlRegulatedCUIMay 12, 2026
Trusted Identification ForwardingMWEcandidateMay 12, 2026
Trusted PathnounA mechanism by which a user (through an input device) can communicate directly with the security functions of the information system with the necessary confidence to support the system security policy. This mechanism can only be activated by the user or the security functions of the information system and cannot be imitated by untrusted software.ControlRegulatedMay 9, 2026
Trusted PathMWEcandidateMay 9, 2026
Trusted Platform Module ChipnounA tamper-resistant integrated circuit built into some computer motherboards that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information, such as passwords and cryptographic keys.PhysicalRestrictedMay 12, 2026
Trusted Platform Module ChipMWEcandidateMay 12, 2026
Trusted PortsnounTrusted ports are ports below number 1024 usually allowed to be opened by the root user.NetworkMay 9, 2026
Trusted PortsMWEcandidateMay 9, 2026
Trusted ProcessnounProcess that has been tested and verified to operate only as intended.ProcessMay 9, 2026
Trusted ProcessMWEcandidateMay 9, 2026
Trusted RecoverynounAbility to ensure recovery without compromise after a system failure.CapabilityMay 9, 2026
Trusted RecoveryMWEcandidateMay 9, 2026
Trusted SoftwarenounSoftware portion of a trusted computing base (TCB).ControlRestrictedMay 12, 2026
Trusted SoftwareMWEcandidateMay 12, 2026
Trusted TimestampnounA digitally signed assertion by a trusted authority that a specific digital object existed at a particular time.ArtifactRegulatedMay 12, 2026
Trusted TimestampMWEcandidateMay 12, 2026
Trusted zonenounA channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include secure socket layer, internet protocol security and a secure physical connection.NetworkMay 12, 2026
Trusted zoneMWEcandidateMay 12, 2026
TrustworthinessnounThe attribute of a person or organization that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities.MetricMay 9, 2026
Trustworthy AInouncandidateMay 13, 2026
Trustworthy AIMWEcandidateMay 13, 2026
Trustworthy SystemnounComputer hardware, software and procedures that— 1) are reasonably secure from intrusion and misuse; 2) provide a reasonable level of availability, reliability, and correct operation; 3) are reasonably suited to performing their intended functions; and 4) adhere to generally accepted security procedures.SystemMay 12, 2026
Trustworthy SystemMWEcandidateMay 12, 2026
TSECnounTelecommunications Security.FrameworkRegulatedCUIMay 9, 2026
TSEC NomenclaturenounSystem for identifying the type and purpose of certain items of COMSEC material.FrameworkRestrictedCUIMay 9, 2026
TSEC NomenclatureMWEcandidateMay 9, 2026
TunnelnounThe path that encapsulated packets follow in an Internet VPN.NetworkMay 9, 2026
Tunnel modenounUsed to protect traffic between different networks when traffic must travel through intermediate or untrusted networks. Tunnel mode encapsulates the entire IP packet with an AH or ESP header and an additional IP header.NetworkMay 9, 2026
Tunnel modeMWEcandidateMay 9, 2026
TunnelingnounTechnology enabling one network to send its data via another network’s connections. Tunneling works by encapsulating a network protocol within packets carried by the second network.NetworkMay 12, 2026
tweetverbshare brief messages or information on social media platformsUnderstandUnclassifiedMay 11, 2026
twonounThe cardinal number that is the sum of one and one or a numeral representing this number.candidateMay 12, 2026
Two-factor authenticationnounThe use of two independent mechanisms for authentication (e.g., requiring a smart card and a password), typically the combination of something you know, are, or have.ControlMay 9, 2026
Two-factor authenticationMWEcandidateMay 9, 2026
Two-Part CodenounCode consisting of an encoding section, in which the vocabulary items (with their associated code groups) are arranged in alphabetical or other systematic order, and a decoding section, in which the code groups (with their associated meanings) are arranged in a separate alphabetical or numeric order.ArtifactMay 9, 2026
Two-Part CodeMWEcandidateMay 9, 2026
Two-Person ControlnounContinuous surveillance and control of positive control material at all times by a minimum of two authorized individuals, each capable of detecting incorrect and unauthorized procedures with respect to the task being performed and each familiar with established security and safety requirements.ControlRegulatedCUIMay 12, 2026
Two-Person ControlMWEcandidateMay 12, 2026
Two-Person IntegritynounSystem of storage and handling designed to prohibit individual access by requiring the presence of at least two authorized individuals, each capable of detecting incorrect or unauthorized security procedures with respect to the task being performed. See No-Lone Zone.ControlRegulatedCUIMay 9, 2026
Two-Person IntegrityMWEcandidateMay 9, 2026
Two-way pollingnounAn emergency notification system that allows management to ensure that all employees are contacted and have confirmed delivery of pertinent messages.ProcessInternalMay 9, 2026
Two-way pollingMWEcandidateMay 9, 2026
Type 1 KeynounGenerated and distributed under the auspices of NSA for use in a cryptographic device for the protection of national security information.CredentialRegulatedCUIMay 9, 2026
Type 1 KeyMWEcandidateMay 9, 2026
Type 1 ProductnounCryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring the most stringent protection mechanisms.PhysicalRegulatedCUIMay 9, 2026
Type 1 ProductMWEcandidateMay 9, 2026
Type 2 KeynounGenerated and distributed under the auspices of NSA for use in a cryptographic device for the protection of unclassified information.CredentialRegulatedCUIMay 9, 2026
Type 2 KeyMWEcandidateMay 9, 2026
Type 2 ProductnounCryptographic equipment, assembly, or component certified by NSA for encrypting or decrypting sensitive information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring protection mechanisms exceeding best commercial practices including systems used for the protection of unclassified information.PhysicalRegulatedCUIMay 9, 2026
Type 2 ProductMWEcandidateMay 9, 2026
Type 3 KeynounUsed in a cryptographic device for the protection of unclassified sensitive information, even if used in a Type 1 or Type 2 product.CredentialRegulatedCUIMay 9, 2026
Type 3 KeyMWEcandidateMay 9, 2026
Type 3 ProductnounUnclassified cryptographic equipment, assembly, or component used, when appropriately keyed, for encrypting or decrypting unclassified sensitive U.S. government or commercial information, and to protect systems requiring protection mechanisms consistent with standard commercial practices. Developed using established commercial standards and containing NIST-approved cryptographic algorithms/modules or successfully evaluated by the National Information Assurance Partnership (NIAP).PhysicalRegulatedCUIMay 9, 2026
Type 3 ProductMWEcandidateMay 9, 2026
Type 4 KeynounUsed by a cryptographic device in support of its Type 4 functionality, i.e., any provision of key that lacks U.S. government endorsement or oversight.CredentialRegulatedCUIMay 9, 2026
Type 4 KeyMWEcandidateMay 9, 2026
Type 4 ProductnounUnevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any government usage. These products are typically delivered as part of commercial offerings and are commensurate with the vendor’s commercial practices. These products may contain either vendor proprietary algorithms, algorithms registered by NIST, or algorithms registered by NIST and published in a FIPS.ArtifactRegulatedCUIMay 9, 2026
Type 4 ProductMWEcandidateMay 9, 2026
Type AccreditationnounA form of accreditation that is used to authorize multiple instances of a major application or general support system for operation at approved locations with the same type of computing environment. In situations where a major application or general support system is installed at multiple locations, a type accreditation will satisfy C&A requirements only if the application or system consists of a common set of tested and approved hardware, software, and firmware.ProcessRegulatedMay 9, 2026
Type AccreditationMWEcandidateMay 9, 2026
Type CertificationnounThe certification acceptance of replica information systems based on the comprehensive evaluation of the technical and nontechnical security features of an information system and other safeguards, made as part of and in support of the formal approval process, to establish the extent to which a particular design and implementation meet a specified set of security requirements.ProcessRegulatedCUIMay 9, 2026
Type CertificationMWEcandidateMay 9, 2026
Type I ErrornouncandidateMay 13, 2026
Type I ErrorMWEcandidateMay 13, 2026
Type II ErrornouncandidateMay 13, 2026
Type II ErrorMWEcandidateMay 13, 2026
U.S. Computer Emergency Readiness Team (US-CERT)nounUS-CERT is part of the U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center. US-CERT is a partnership between the Department of Homeland Security and the public and private sectors, established to protect the nation's Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the nation.OrganizationMay 9, 2026
U.S. PersonnounFederal law and Executive Order define a U.S. Person as: a citizen of the United States; an alien lawfully admitted for permanent residence; an unincorporated association with a substantial number of members who are citizens of the U.S. or are aliens lawfully admitted for permanent residence; and/or a corporation that is incorporated in the U.S.IdentityRegulatedPIIMay 9, 2026
U.S. PersonMWEcandidateMay 9, 2026
U.S.-Controlled FacilitynounBase or building to which access is physically controlled by U.S. individuals who are authorized U.S. government or U.S. government contractor employees.PhysicalRegulatedCUIMay 9, 2026
U.S.-Controlled FacilityMWEcandidateMay 9, 2026
U.S.-Controlled SpacenounRoom or floor within a facility that is not a U.S.-controlled facility, access to which is physically controlled by U.S. individuals who are authorized U.S. government or U.S. government contractor employees. Keys or combinations to locks controlling entrance to U.S.-controlled spaces must be under the exclusive control of U.S. individuals who are U.S. government or U.S. government contractor employees.PhysicalRegulatedCUIMay 9, 2026
U.S.-Controlled SpaceMWEcandidateMay 9, 2026
UDP ScannounUDP scans perform scans to determine which UDP ports are open.NetworkMay 9, 2026
UDP ScanMWEcandidateMay 9, 2026
Ultra forward servicenounThis service allows control over the re-routing of incoming phone calls to pre-determined alternate locations in the event of a telecommunications outage.CapabilityInternalMay 12, 2026
Ultra forward serviceMWEcandidateMay 12, 2026
unapproved Information Technology resourcenounAn unsanctioned Information Technology resource.SystemRegulatedMay 9, 2026
unauthorized accessnounOccurs when a user, legitimate or unauthorized, accesses a resource that the user is not permitted to use.EventRegulatedMay 9, 2026
unauthorized accessMWEcandidateMay 9, 2026
unauthorized access is detectednounThis Triggering Event takes place when a person, legitimate or unauthorized, accesses a resource that the person is not permitted to use or enters a facility or area the person is not permitted to enterEventRegulatedMay 9, 2026
unauthorized access is detectedMWEcandidateMay 9, 2026
unauthorized attemptnounA try at gaining access to a system without authorization or approval.EventRegulatedMay 9, 2026
unauthorized attemptMWEcandidateMay 9, 2026
unauthorized changenounA purposeful and perhaps unlawful modification of financial data to hide wrong-doing, loss or other disclosure.EventRegulatedMay 12, 2026
unauthorized changeMWEcandidateMay 12, 2026
Unauthorized DisclosurenounAn event involving the exposure of information to entities not authorized access to the information.EventRegulatedMay 12, 2026
Unauthorized DisclosureMWEcandidateMay 12, 2026
unauthorized mobile codenounA program (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics -- that has not been permitted by the controlling authority.ThreatRegulatedMay 9, 2026
unauthorized mobile codeMWEcandidateMay 9, 2026
unauthorized personnelnounEmployees who do not have the right or permission to access data (or a facility containing data).IdentityMay 12, 2026
unauthorized personnelMWEcandidateMay 12, 2026
unauthorized physical accessnounAccess to a building, room, site, etc. that is not permitted.EventRegulatedMay 12, 2026
unauthorized physical accessMWEcandidateMay 12, 2026
unauthorized softwarenounAn application or device driver whose use has not been permitted by the controlling authority.ThreatRegulatedMay 12, 2026
unauthorized softwareMWEcandidateMay 12, 2026
unauthorized usenounUse of an asset for a person's own purpose without the consent of the owner.ThreatRegulatedMay 12, 2026
unauthorized useMWEcandidateMay 12, 2026
UncertaintynounThe difficulty of predicting an outcome due to limited knowledge of all componentsMetricMay 12, 2026
UnclassifiednounInformation that has not been determined pursuant to E.O. 12958, as amended, or any predecessor order, to require protection against unauthorized disclosure and that is not designated as classified.RequirementRegulatedCUIMay 9, 2026
UnderfittingnouncandidateMay 13, 2026
underlineverbmark or emphasize text or key information by drawing a line beneath itRememberUnclassifiedMay 11, 2026
UnderrepresentationnouncandidateMay 13, 2026
understandverbTo perceive the intended meaning, significance, explanation, or cause of something.UnclassifiedMay 11, 2026
unescorted accessnounNot having to be escorted to gain access to a facility, area, or system.ControlRegulatedMay 9, 2026
unescorted accessMWEcandidateMay 9, 2026
UnexplainablenouncandidateMay 13, 2026
UnicastnounBroadcasting from host to host.NetworkMay 9, 2026
Uniform Rating System For Information TechnologynounAn internal rating system used by federal and state regulators to uniformly assess financial institution and service provider risks introduced by IT.FrameworkRegulatedMay 9, 2026
Uniform Resource IdentifiernounThe generic term for all types of names and addresses that refer to objects on the World Wide Web.DataMay 12, 2026
Uniform Resource IdentifierMWEcandidateMay 12, 2026
Uniform resource locatornounThe string of characters that form a web addressNetworkMay 9, 2026
Uniform resource locatorMWEcandidateMay 9, 2026
Uniform Resource Locator (URL)nounAbbreviation for "Uniform (or Universal) Resource Locator." A way of specifying the location of publicly available information on the Internet, in the form: protocol://machine:port number/filename. Often the port number and/or filename are unnecessary.NetworkMay 12, 2026
Uniform Resource Locator (URL)MWEcandidateMay 12, 2026
Uninterruptible power supply (UPS)nounA device that allows your computer to keep running for at least a short time when the primary power source is lost. A UPS may also provide protection from power surges. A UPS contains a battery that "kicks in" when the device senses a loss of power from the primary source allowing the user time to save any data they are working on and to exit before the secondary power source (the battery) runs out. When power surges occur, a UPS intercepts the surge so that it doesn't damage your computer.PhysicalMay 9, 2026
Uninterruptible power supply (UPS)MWEcandidateMay 9, 2026
United States Government Configuration BaselinenounThe United States Government Configuration Baseline (USGCB) provides security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain effective configuration settings, focusing primarily on security.FrameworkRegulatedCUIMay 9, 2026
UnixnounA popular multi-user, multitasking operating system developed at Bell Labs in the early 1970s. Created by just a handful of programmers, Unix was designed to be a small, flexible system used exclusively by programmers.SystemMay 9, 2026
unlessnounThis limits a Control or Mandate's secondary verb to be put into play upon the occasion of the event not taking place.candidateMay 9, 2026
unnecessary default accountnounDefault accounts that are not necessary to be installed on the system.VulnerabilityRegulatedMay 12, 2026
unnecessary default accountMWEcandidateMay 12, 2026
unpatched softwarenounSoftware which has not undergone a vulnerability correction, a defect correction, or an improvement of code function.VulnerabilityRegulatedMay 9, 2026
unpatched softwareMWEcandidateMay 9, 2026
unposted suspense itemnounA transaction that has not yet been processed, but may affect the amount of credit available.ArtifactRegulatedPCIMay 12, 2026
unposted suspense itemMWEcandidateMay 12, 2026
Unprotected SharenounIn Windows terminology, a "share" is a mechanism that allows a user to connect to file systems and printers on other systems. An "unprotected share" is one that allows anyone to connect to it.VulnerabilityRestrictedMay 12, 2026
Unprotected ShareMWEcandidateMay 12, 2026
Unsigned datanounData included in an authentication token, in addition to a digital signature.DataRestrictedMay 12, 2026
Unsigned dataMWEcandidateMay 12, 2026
Unstructured DatanounDataMay 13, 2026
Unstructured DataMWEcandidateMay 13, 2026
unsuccessful authentication attemptnounA failed attempt to receive authentication to access a system.EventRegulatedMay 9, 2026
Unsupervised LearningnouncandidateMay 13, 2026
Unsupervised LearningMWEcandidateMay 13, 2026
Untrusted ProcessnounProcess that has not been evaluated or examined for correctness and adherence to the security policy. It may include incorrect or malicious code that attempts to circumvent the security mechanisms.ProcessRegulatedMay 12, 2026
Untrusted ProcessMWEcandidateMay 12, 2026
unusual activitynounUnexpected or extraordinary behavior.EventMay 9, 2026
unusual activityMWEcandidateMay 9, 2026
updateverbAutomatic or manual cryptographic process that irreversibly modifies the state of a COMSEC key.RememberUnclassifiedMay 11, 2026
Update a CertificatenounThe act or process by which data items bound in an existing public key certificate, especially authorizations granted to the subject, are changed by issuing a new certificate.CredentialMay 9, 2026
Update a CertificateMWEcandidateMay 9, 2026
updatingnounThe act of changing something to bring it up to date (usually by adding something).ProcessMay 9, 2026
uploadverbtransfer data or files from a local device to a remote system or platformApplyUnclassifiedMay 11, 2026
US-CERTnounA partnership between the Department of Homeland Security and the public and private sectors, established to protect the nation's Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the nation.OrganizationMay 9, 2026
USA Patriot ActnounThe USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub.L. 107-56), commonly known as the "Patriot Act", was enacted by Congress to deter and punish terrorist acts in the United States and around the world by enhancing the law enforcement investigatory tools of both domestic law enforcement and foreign intelligence agencies.RequirementRegulatedCUIMay 12, 2026
USA Patriot ActMWEcandidateMay 12, 2026
UsabilitynouncandidateMay 13, 2026
Usability TestingnouncandidateMay 13, 2026
Usability TestingMWEcandidateMay 13, 2026
usagenounThe action of being used, the manner in which something is used, or the amount of something that is used.MetricMay 12, 2026
useverbapply knowledge, tools, or methods to accomplish a taskApplyIncidentalMay 11, 2026
usernounAn individual or a process (subject) acting on behalf of the individual that accesses a cryptographic module in order to obtain cryptographic services.IdentityMay 9, 2026
user accessnounThe ability of an end-user to obtain, examine, or retrieve data or a file.CapabilityMay 12, 2026
user accessMWEcandidateMay 12, 2026
user access privilegenounAn identified entitlement that an end-user has to a particular system resource, such as a file folder, the use of certain system commands, or an amount of storage.CapabilityMay 9, 2026
user access privilegeMWEcandidateMay 9, 2026
user access reviewnounA process that an organization implements to actively monitor and verify the appropriateness of a user's access to systems and applications based on an understanding of the minimum necessary for users to perform or support business activities or functions. The responsibility for granting access and performing periodic verification of the appropriateness of that access rests with the system and/or business owner of the system or application.ProcessRegulatedMay 9, 2026
user access reviewMWEcandidateMay 9, 2026
user accountnounInformation that tells a computer which files and folders to access for a specific user, which personal preferences to have in place, and what can be accessed by the user.IdentityRegulatedMay 12, 2026
user accountMWEcandidateMay 12, 2026
User account activitynounAll events and processes executed including logons and logouts associated with a system user account.IdentityRegulatedMay 12, 2026
User account activityMWEcandidateMay 12, 2026
User Account ManagementnounInvolves 1) the process of requesting, establishing, issuing, and closing user accounts; 2) tracking users and their respective access authorizations; and 3) managing these functions.ProcessMay 12, 2026
User Account ManagementMWEcandidateMay 12, 2026
User Contingency PlannounA user contingency plan comprises the alternative methods of continuing business operations if IT systems are unavailable.ProcessInternalMay 12, 2026
User Contingency PlanMWEcandidateMay 12, 2026
User Datagram ProtocolnounA connectionless Internet protocol that is designed for network efficiency and speed at the expense of reliability. Scope Note: A data request by the client is served by sending packets without testing to verify whether they actually arrive at the destination, nor whether they were corrupted in transit. It is up to the application to determine these factors and request retransmissions.NetworkMay 9, 2026
User Datagram ProtocolMWEcandidateMay 9, 2026
User IDnounUnique symbol or character string used by an information system to identify a specific user.IdentityRegulatedPIIMay 12, 2026
User IDMWEcandidateMay 12, 2026
User IdentificationnounThe process, control, or information by which a user identifies himself or herself to the system as a valid user (as opposed to authentication).ProcessRegulatedPIIMay 12, 2026
User IdentificationMWEcandidateMay 12, 2026
User InitializationnounA function in the life cycle of keying material; the process whereby a user initializes its cryptographic application (e.g., installing and initializing software and hardware).ProcessRegulatedCUIMay 9, 2026
User InitializationMWEcandidateMay 9, 2026
User interface impersonationnounCan be a pop-up ad that impersonates a system dialog, an ad that impersonates a system warning, or an ad that impersonates an application user interface in a mobile device.ThreatMay 12, 2026
User interface impersonationMWEcandidateMay 12, 2026
user manualnounA user guide or user's guide, also commonly known as a manual, is a technical communication document intended to give assistance to people using a particular system.ArtifactMay 12, 2026
user manualMWEcandidateMay 12, 2026
User modenounUsed for the execution of normal system activitiesSystemMay 9, 2026
User modeMWEcandidateMay 9, 2026
User Partnership ProgramnounPartnership between the NSA and a U.S. government agency to facilitate development of secure information system equipment incorporating NSA-approved cryptography. The result of this program is the authorization of the product or system to safeguard national security information in the user’s specific application.ProcessRegulatedCUIMay 9, 2026
User Partnership ProgramMWEcandidateMay 9, 2026
User provisioningnounA process to create, modify, disable and delete user accounts and their profiles across IT infrastructure and business applicationsProcessMay 9, 2026
User provisioningMWEcandidateMay 9, 2026
User RegistrationnounA function in the life cycle of keying material; a process whereby an entity becomes a member of a security domain.ProcessMay 9, 2026
User RegistrationMWEcandidateMay 9, 2026
User RepresentativenounIndividual authorized by an organization to order COMSEC keying material and interface with the keying system, provide information to key users, and ensure the correct type of key is ordered.RoleRegulatedCUIMay 9, 2026
User RepresentativeMWEcandidateMay 9, 2026
User Representative for Risk ManagementnounThe person that defines the system’s operational and functional requirements, and who is responsible for ensuring that user operational interests are met throughout the systems authorization process.RoleMay 9, 2026
User-Centered DesignnouncandidateMay 13, 2026
User-Centered DesignMWEcandidateMay 13, 2026
UtilitynounA program used to configure or maintain systems, or to make changes to stored or transmitted data.SystemMay 9, 2026
utilizeverbmake practical and effective use of somethingApplyUnclassifiedMay 11, 2026
Valid Data ElementnounA payload, an associated data string, or a nonce that satisfies the restrictions of the formatting function.DataMay 9, 2026
Valid Data ElementMWEcandidateMay 9, 2026
validateverbconfirm that something meets required standards or is logically soundEvaluateSecondaryMay 11, 2026
ValidationnounConfirmation (through the provision of strong, sound, objective evidence) that requirements for a specific intended use or application have been fulfilled (e.g., a trustworthy credential has been presented, or data or information has been formatted in accordance with a defined set of rules, or a specific process has demonstrated that an entity under consideration meets, in all respects, its defined attributes or requirements).ProcessMay 9, 2026
valueverbassess the worth, importance, or usefulness of somethingEvaluateUnclassifiedMay 11, 2026
ValuenounThe relative worth or importance of an investment for an enterprise, as perceived by its key stakeholders, expressed as total life cycle benefits net of related costs, adjusted for risk and (in the case of financial value) the time value of moneyMetricMay 12, 2026
Value Sensitive DesignnouncandidateMay 13, 2026
Value Sensitive DesignMWEcandidateMay 13, 2026
VariablenouncandidateMay 13, 2026
VariancenouncandidateMay 13, 2026
VariantnounOne of two or more code symbols having the same plain text equivalent.DataMay 9, 2026
VerifiablenouncandidateMay 13, 2026
VerificationnounConfirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome).ProcessMay 9, 2026
Verified NamenounA Subscriber name that has been verified by identity proofing.DataRestrictedPIIMay 9, 2026
Verified NameMWEcandidateMay 9, 2026
VerifiernounAn entity that verifies the Claimant’s identity by verifying the Claimant’s possession and control of a token using an authentication protocol. To do this, the Verifier may also need to validate credentials that link the token and identity and check their status.IdentityMay 9, 2026
Verifier Impersonation AttacknounA scenario where the Attacker impersonates the Verifier in an authentication protocol, usually to capture information that can be used to masquerade as a Claimant to the real Verifier.ThreatRegulatedMay 9, 2026
Verifier Impersonation AttackMWEcandidateMay 9, 2026
verifyverbconfirm the truth, accuracy, or validity of something through evidenceEvaluateSecondaryMay 11, 2026
Vertical defense-in depthnounControls are placed at different system layers – hardware, operating system, application, database or user levelsCapabilityMay 9, 2026
Vertical defense-in depthMWEcandidateMay 9, 2026
Very early smoke detection alert (VESDA)nounA system that samples the air on a continuing basis and can detect fire at the pre-combustion stage.EventRestrictedMay 12, 2026
video blogverbcreate and publish video content documenting ideas, processes, or reflectionsCreateUnclassifiedMay 11, 2026
video blogMWEverifiedMay 11, 2026
Virtual local area networknounLogical segmentation of a LAN into different broadcast domains. Scope Note: A VLAN is set up by configuring ports on a switch, so devices attached to these ports may communicate as if they were attached to the same physical network segment, although the devices are located on different LAN segments. A VLAN is based on logical rather than physical connections.NetworkMay 12, 2026
Virtual local area networkMWEcandidateMay 12, 2026
Virtual local area network (VLAN)nounLogical segmentation of a LAN into different broadcast domains.NetworkMay 9, 2026
Virtual local area network (VLAN)MWEcandidateMay 9, 2026
Virtual MachinenounSoftware that allows a single host to run one or more guest operating systems.SystemMay 9, 2026
Virtual MachineMWEcandidateMay 9, 2026
Virtual MallnounAn Internet website offering products and services from multiple vendors or suppliers.SystemMay 12, 2026
Virtual MallMWEcandidateMay 12, 2026
Virtual private networknounProtected information system link utilizing tunneling, security controls (see Information Assurance), and endpoint address translation giving the impression of a dedicated lineNetworkRegulatedMay 12, 2026
Virtual private networkMWEcandidateMay 12, 2026
Virtual private network (VPN)nounA computer network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.NetworkMay 12, 2026
Virtual private network (VPN)MWEcandidateMay 12, 2026
virtual private network accessnounPermission or ability for an external user to connect to a Virtual Private Network.ControlRegulatedMay 9, 2026
virtual private network accessMWEcandidateMay 9, 2026
VirtualizationnounThe process of adding a guest application and data onto a virtual server, recognizing that the guest application will ultimately part company from this physical serverProcessMay 9, 2026
VirusnounA computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use email programs to spread itself to other computers, or even erase everything on a hard disk.ThreatMay 9, 2026
Virus signature filenounThe file of virus patterns that are compared with existing files to determine whether they are infected with a virus or wormThreatMay 9, 2026
Virus signature fileMWEcandidateMay 9, 2026
visitor accessnounThe processes and mechanisms of ensuring visitors are allowed in specific areas and with specific permissions. Mechanisms such as guarded entries, logged entry, badges, and escorting of visitors are common.ProcessRegulatedMay 9, 2026
visitor accessMWEcandidateMay 9, 2026
visitor control programnounA documented listing of procedures, schedules, roles and responsibilities, and plans to be performed to identify, control, and reduce or eliminate the risks inherent to visitors.ProcessRegulatedMay 9, 2026
visitor control programMWEcandidateMay 9, 2026
visitor lognounA paper or electronic record of any non-employee entering a facility, construction site, structure or website.ArtifactRegulatedCUIMay 9, 2026
visitor logMWEcandidateMay 9, 2026
visitor's namenounThe given name of an individual who is visiting.DataRegulatedPIIMay 9, 2026
visitor's nameMWEcandidateMay 9, 2026
visualizeverbform a mental image or create a visual representation of informationUnderstandUnclassifiedMay 11, 2026
Voice FirewallnounA physical discontinuity in a voice network that monitors, alerts and controls inbound and outbound voice network activity based on user-defined call admission control (CAC) policies, voice application layer security threats or unauthorized service use violations.NetworkMay 9, 2026
Voice FirewallMWEcandidateMay 9, 2026
Voice Intrusion Prevention SystemnounVoice IPS is a security management system for voice networks which monitors voice traffic for multiple calling patterns or attack/abuse signatures to proactively detect and prevent toll fraud, Denial of Service, telecom attacks, service abuse, and other anomalous activity.CapabilityMay 12, 2026
Voice Intrusion Prevention SystemMWEcandidateMay 12, 2026
Voice over Internet Protocol (VoIP)nounThe transmission of voice telephone conversations using the Internet or Internet Protocol networks.NetworkMay 12, 2026
Voice over Internet Protocol (VoIP)MWEcandidateMay 12, 2026
Voice-over Internet ProtocolnounAlso called IP Telephony, Internet Telephony and Broadband Phone, a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of over dedicated voice transmission linesNetworkMay 9, 2026
Voice-over Internet ProtocolMWEcandidateMay 9, 2026
Volatile datanounData that changes frequently and can be lost when the system's power is shut downDataMay 9, 2026
Volatile dataMWEcandidateMay 9, 2026
volumenounThe property of something that is great in magnitude.candidateMay 9, 2026
vulnerabilitynounWeakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.VulnerabilityMay 9, 2026
Vulnerability analysisnounSystematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.VulnerabilityMay 9, 2026
Vulnerability analysisMWEcandidateMay 9, 2026
Vulnerability AssessmentnounSystematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.VulnerabilityRegulatedMay 12, 2026
Vulnerability AssessmentMWEcandidateMay 12, 2026
Vulnerability Assessment and ManagementnounIn the NICE Workforce Framework, cybersecurity work where a person: Conducts assessments of threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations.VulnerabilityMay 9, 2026
Vulnerability Management plannounThe purpose of this plan is to establish the organization's assessment and testing process to ensure systems are less susceptible to cyber attack.VulnerabilityInternalMay 12, 2026
Vulnerability Management planMWEcandidateMay 12, 2026
vulnerability mitigationnounThe purpose of this task is to prioritize, evaluate, and implement measures and controls to counteract a weakness or vulnerability.VulnerabilityMay 9, 2026
vulnerability mitigationMWEcandidateMay 9, 2026
vulnerability scannounThe check of a system for known vulnerabilities from beginning to end with resultant errors, and status information.VulnerabilityRegulatedMay 12, 2026
vulnerability scanMWEcandidateMay 12, 2026
Vulnerability scanningnounAn automated process to proactively identify security weaknesses in a network or individual systemVulnerabilityMay 9, 2026
Vulnerability scanningMWEcandidateMay 9, 2026
Walk-through drill/simulation testnounThis test represents a preliminary step in the overall testing process that may be used for training employees but not as a preferred testing methodology. During this test, participants choose a specific scenario and apply the BCP to it.ProcessMay 12, 2026
Walk-through drill/simulation testMWEcandidateMay 12, 2026
Wallet cardnounPortable information cards that provide emergency communications information for customers and employees.PhysicalInternalMay 12, 2026
Wallet cardMWEcandidateMay 12, 2026
War ChalkingnounWar chalking is marking areas, usually on sidewalks with chalk, that receive wireless signals that can be accessed.ThreatMay 12, 2026
War ChalkingMWEcandidateMay 12, 2026
War DialernounA computer program that automatically dials a series of telephone numbers to find lines connected to computer systems, and catalogs those numbers so that a cracker can try to break into the systems.ThreatMay 9, 2026
War DialerMWEcandidateMay 9, 2026
War DialingnounWar dialing is a simple means of trying to identify modems in a telephone exchange that may be susceptible to compromise in an attempt to circumvent perimeter security.ThreatMay 9, 2026
War DialingMWEcandidateMay 9, 2026
War DrivingnounWar driving is the process of traveling around looking for wireless access point signals that can be used to get network access.ThreatMay 9, 2026
War DrivingMWEcandidateMay 9, 2026
Warehouse attacknounThe compromise of systems that store authenticators.ThreatRegulatedCUIMay 9, 2026
Warehouse attackMWEcandidateMay 9, 2026
Warm sitenounBackup site which typically contains the data links and preconfigured equipment necessary to rapidly start operations, but does not contain live data. Thus commencing operations at a warm site will (at a minimum) require the restoration of current data.PhysicalInternalMay 12, 2026
Warm siteMWEcandidateMay 12, 2026
warrantnounJustify or necessitate a course of action.RequirementMay 9, 2026
warrantynounA written guarantee, issued to the purchaser of a product or service by its manufacturer, that promises the good condition of the product or service and to repair or replace it within a specified period of time.RequirementMay 9, 2026
weaknessnounAn exception noted in tests of properly designed internal controls that may indicate ineffectiveness. Management must consider the extent of a weakness in such cases. Weaknesses can be classified as a simple deficiency, significant deficiency, or a material weakness.VulnerabilityRegulatedMay 12, 2026
Web BugnounMalicious code, invisible to a user, placed on Web sites in such a way that it allows third parties to track use of Web servers and collect information about the user, including IP address, host name, browser type and version, operating system name and version, and Web browser cookie.ThreatRegulatedPIIMay 9, 2026
Web BugMWEcandidateMay 9, 2026
Web Content Filtering SoftwarenounA program that prevents access to undesirable Web sites, typically by comparing a requested Web site address to a list of known bad Web sites.ControlMay 9, 2026
Web Content Filtering SoftwareMWEcandidateMay 9, 2026
Web hostingnounThe business of providing the equipment and services required to host and maintain files for one or more web sites and provide fast Internet connections to those sites. Scope Note: Most hosting is shared, which means that web sites of multiple companies are on the same server to share/reduce costs.SystemMay 9, 2026
Web hostingMWEcandidateMay 9, 2026
Web of TrustnounA web of trust is the trust that naturally evolves as a user starts to trust others' signatures, and the signatures that they trust.ControlMay 9, 2026
Web of TrustMWEcandidateMay 9, 2026
Web Risk AssessmentnounProcesses for ensuring Web sites are in compliance with applicable policies.ProcessMay 9, 2026
Web Risk AssessmentMWEcandidateMay 9, 2026
WEB SEC codenounAn ACH debit entry initiated by an originator resulting from the receiver's authorization through the Internet to make a transfer of funds from a consumer account of the receiver.ArtifactRegulatedPIIMay 9, 2026
WEB SEC codeMWEcandidateMay 9, 2026
Web servernounUsing the client-server model and the World Wide Web's HyperText Transfer Protocol (HTTP), Web Server is a software program that serves web pages to users.SystemMay 9, 2026
Web serverMWEcandidateMay 9, 2026
WeblinkingnounThe use of hyperlinks to direct users to webpages of other entities.ProcessMay 12, 2026
WebsitenounA webpage or set of webpages designed, presented, and linked together to form a logical information resource and/or transaction initiation function.SystemMay 12, 2026
Website hostingnounThe service of providing ongoing support and monitoring of an Internet-addressable computer that stores webpages and processes transactions initiated over the Internet.SystemRegulatedMay 12, 2026
Website hostingMWEcandidateMay 12, 2026
weighverbconsider the relative importance or merits of competing factorsEvaluateUnclassifiedMay 11, 2026
Well-known portsnounWell-known ports--0 through 1023: Controlled and assigned by the Internet Assigned Numbers Authority (IANA), and on most systems can be used only by system (or root) processes or by programs executed by privileged users. The assigned ports use the first portion of the possible port numbers. Initially, these assigned ports were in the range 0-255. Currently, the range for assigned ports managed by the IANA has been expanded to the range 0-1023.NetworkPublicInfoMay 12, 2026
Well-known portsMWEcandidateMay 12, 2026
whatverbidentify or describe what something is or what occurredRememberUnclassifiedMay 11, 2026
whenverbidentify or describe the time or conditions under which something occursRememberUnclassifiedMay 11, 2026
whennounThis limits a Control or Mandate's secondary verb to be put into play as something is happening.RequirementMay 12, 2026
whereverbidentify or describe the location or context of somethingRememberUnclassifiedMay 11, 2026
whichverbidentify or select a specific item from a set of optionsRememberUnclassifiedMay 11, 2026
White Teamnoun1. The group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of their enterprise’s use of information systems. In an exercise, the White Team acts as the judges, enforces the rules of the exercise, observes the exercise, scores teams, resolves any problems that may arise, handles all requests for information or questions, and ensures that the competition runs fairly and does not cause operational problems for the defender's mission. The White Team helps to establish the rules of engagement, the metrics for assessing results and the procedures for providing operational security for the engagement. The White Team normally has responsibility for deriving lessons-learned, conducting the post engagement assessment, and promulgating results. 2. Can also refer to a small group of people who have prior knowledge of unannounced Red Team activities. The White Team acts as observers during the Red Team activity and ensures the scope of testing does not exceed a predefined threshold.OrganizationMay 9, 2026
White TeamMWEcandidateMay 9, 2026
whitelistnounA list of discrete entities, such as hosts or applications that are known to be benign and are approved for use within an organization and/or information system.DataMay 12, 2026
whoverbidentify the person or entity involved in or responsible for somethingRememberUnclassifiedMay 11, 2026
WHOISnounAn IP for finding information about resources on networks.CapabilityMay 12, 2026
whyverbexplain the reasons, causes, or purposes behind somethingRememberUnclassifiedMay 11, 2026
Wi-Fi protected accessnounA class of systems used to secure wireless (Wi-Fi) computer networks. Scope Note: WPA was created in response to several serious weaknesses that researchers found in the previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards. Both provide good security with two significant issues. First, either WPA or WPA2 must be enabled and chosen in preference to WEP; WEP is usually presented as the first security choice in most installation instructions. Second, in the personal mode, the most likely choice for homes and small offices, a pass phrase is required that, for full security, must be longer than the typical six to eight character passwords users are taught to employ.ControlMay 9, 2026
Wi-Fi protected accessMWEcandidateMay 9, 2026
Wi-Fi protected access IInounWireless security protocol that supports 802.11i encryption standards to provide greater security. This protocol uses Advanced Encryption Standards (AES) and Temporal Key Integrity Protocol (TKIP) for stronger encryption.ControlMay 12, 2026
Wi-Fi protected access IIMWEcandidateMay 12, 2026
Wi-Fi Protected Access-2nounThe approved Wi-Fi Alliance interoperable implementation of the IEEE 802.11i security standard. For federal government use, the implementation must use FIPS-approved encryption, such as AES.ControlRegulatedMay 9, 2026
Wi-Fi Protected Access-2MWEcandidateMay 9, 2026
Wide area networknounA computer network connecting different remote locations that may range from short distances, such as a floor or building, to extremely long transmissions that encompass a large region or several countriesNetworkMay 9, 2026
Wide area networkMWEcandidateMay 9, 2026
Wide-scale disruptionnounAn event that disrupts business operations in a broad geographic area.EventMay 9, 2026
Wide-scale disruptionMWEcandidateMay 9, 2026
WikinounWeb applications or similar tools that allow identifiable users to add content (as in an Internet forum) and allow anyone to edit that content collectively.SystemMay 12, 2026
wiki buildverbcollaboratively create and edit shared knowledge base contentCreateUnclassifiedMay 11, 2026
wiki buildMWEverifiedMay 11, 2026
WindowingnounA windowing system is a system for sharing a computer's graphical display presentation resources among multiple applications at the same time. In a computer that has a graphical user interface (GUI), you may want to use a number of applications at the same time (this is called task). Using a separate window for each application, you can interact with each application and go from one application to another without having to reinitiate it. Having different information or activities in multiple windows may also make it easier for you to do your work. A windowing system uses a window manager to keep track of where each window is located on the display screen and its size and status. A windowing system doesn't just manage the windows but also other forms of graphical user interface entities.SystemMay 12, 2026
WindumpnounWindump is a freeware tool for Windows that is a protocol analyzer that can monitor network traffic on a wire.CapabilityMay 12, 2026
wire servicernounA financial institution that offers electronic funds transfer serviceOrganizationRegulatedPCIMay 12, 2026
wire servicerMWEcandidateMay 12, 2026
wire transfernounA transfer of funds between banks by electronic means.DataRegulatedMay 12, 2026
wire transferMWEcandidateMay 12, 2026
Wired Equivalent PrivacynounA security protocol, specified in the IEEE 802.11 standard, that is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. WEP is no longer considered a viable encryption mechanism due to known weaknesses.ControlMay 9, 2026
Wired Equivalent PrivacyMWEcandidateMay 9, 2026
Wireless Access PointnounA device that acts as a conduit to connect wireless communication devices together to allow them to communicate and create a wireless network.NetworkMay 9, 2026
Wireless Access PointMWEcandidateMay 9, 2026
Wireless Application ProtocolnounA standard that defines the way in which Internet communications and other advanced services are provided on wireless mobile devices.NetworkMay 9, 2026
Wireless Application ProtocolMWEcandidateMay 9, 2026
Wireless application protocol (WAP)nounA data transmission standard to deliver wireless markup language (WML) content.NetworkMay 9, 2026
Wireless communicationnounThe transfer of signals from place to place without cables, usually using infrared light or radio waves.NetworkMay 9, 2026
Wireless communicationMWEcandidateMay 9, 2026
Wireless gateway servernounA computer (server) that transmits messages between a computer network and a cellular telephone or other wireless access device.NetworkMay 9, 2026
Wireless gateway serverMWEcandidateMay 9, 2026
Wireless local area networknounA group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. The security of each WLAN is heavily dependent on how well each WLAN component—including client devices, APs, and wireless switches—is secured throughout the WLAN lifecycle, from initial WLAN design and deployment through ongoing maintenance and monitoring.NetworkMay 12, 2026
Wireless local area networkMWEcandidateMay 12, 2026
wireless networknounA computer network that is not connected by cables of any kind.NetworkMay 9, 2026
wireless networkMWEcandidateMay 9, 2026
Wireless phonenounSee "Cellular Telephone".PhysicalRegulatedMay 12, 2026
Wireless phoneMWEcandidateMay 12, 2026
Wireless TechnologynounTechnology that permits the transfer of information between separated points without physical connection. Note: Currently wireless technologies use infrared, acoustic, radio frequency, and optical.NetworkMay 9, 2026
Wireless TechnologyMWEcandidateMay 9, 2026
WiretappingnounMonitoring and recording data that is flowing between two points in a communication system.ThreatRegulatedMay 12, 2026
Word EmbeddingnouncandidateMay 13, 2026
Word EmbeddingMWEcandidateMay 13, 2026
workverbTo function, especially properly or effectively.UnclassifiedMay 11, 2026
work factornounEstimate of the effort or time needed by a potential perpetrator, with specified expertise and resources, to overcome a protective measure.MetricMay 9, 2026
work factorMWEcandidateMay 9, 2026
work papernounThe written record of the basis for the auditor's conclusions that provides the support for the auditor's representations, whether those representations are contained in the auditor's report or otherwise.ArtifactRegulatedMay 9, 2026
work paperMWEcandidateMay 9, 2026
Work programnounA series of specific, detailed steps to achieve an audit objective.ProcessMay 12, 2026
Work programMWEcandidateMay 12, 2026
Work transfernounWork-transfer is a process whereby the staff located at a recovery site accepts the workload of staff located at a primary production site, and a data center located at a recovery site accepts the workload of the primary data processing site.ProcessRegulatedMay 12, 2026
Work transferMWEcandidateMay 12, 2026
Workcraft IdentitynounSynonymous with Tradecraft Identity.IdentityRestrictedCUIMay 9, 2026
Workcraft IdentityMWEcandidateMay 9, 2026
workforcenounThe individuals engaged in or available for work in a country, industry or organization.OrganizationMay 12, 2026
WorkstationnounAny computer connected to a local-area network.SystemMay 9, 2026
World Wide WebnounThe global, hypermedia-based collection of information and services that is available on Internet servers and is accessed by browsers using Hypertext Transfer Protocol and other information retrieval mechanisms.NetworkMay 9, 2026
World Wide WebMWEcandidateMay 9, 2026
WormnounA self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. See Malicious Code.ThreatMay 9, 2026
WORM (Acronym)nounWrite once, read many times. A type of optical disk where a computer can save information once, can then read that information, but cannot change it.ThreatMay 9, 2026
WORM (Acronym)MWEcandidateMay 9, 2026
writeverbcompose text to record, communicate, or express information and ideasCreateUnclassifiedMay 11, 2026
WritenounFundamental operation in an information system that results only in the flow of information from a subject to an object. See Access Type.CapabilityMay 9, 2026
Write AccessnounPermission to write to an object in an information system.ControlMay 9, 2026
Write AccessMWEcandidateMay 9, 2026
Write blockernounA device that allows the acquisition of information on a drive without creating the possibility of accidentally damaging the drivePhysicalRegulatedMay 12, 2026
Write blockerMWEcandidateMay 12, 2026
Write protectnounThe use of hardware or software to prevent data from being overwritten or deletedControlMay 9, 2026
| Write protect | MWE | | candidate | May 9, 2026 |
| X.509 Certificate | noun | The X.509 public-key certificate or the X.509 attribute certificate, as defined by the ISO/ITU-T X.509 standard. Most commonly (including in this document), an X.509 certificate refers to the X.509 public-key certificate. | Credential | May 9, 2026 |
| X.509 Certificate | MWE | | candidate | May 9, 2026 |
| X.509 Public Key Certificate | noun | A digital certificate containing a public key for an entity and a name for the entity, together with some other information that is rendered unforgeable by the digital signature of the certification authority that issued the certificate, encoded in the format defined in the ISO/ITU-T X.509 standard. | Credential | May 9, 2026 |
| X.509 Public Key Certificate | MWE | | candidate | May 9, 2026 |
| year | noun | A period of time equal to roughly 365 days. | Metric | May 12, 2026 |
| Zero Day | noun | The "Day Zero" or "Zero Day" is the day a new vulnerability is made known. In some cases, a "zero day" exploit refers to an exploit for which no patch is available yet ("day one" is the day on which the patch is made available). | Vulnerability | May 9, 2026 |
| Zero Day | MWE | | candidate | May 9, 2026 |
| zero fill | verb | To fill unused storage locations in an information system with the representation of the character denoting "0." | Unclassified | May 11, 2026 |
| zero fill | MWE | | candidate | May 11, 2026 |
| Zero-day attack | noun | An attack on a piece of software that has a vulnerability for which there is no known patch. | Vulnerability | May 9, 2026 |
| Zero-day attack | MWE | | candidate | May 9, 2026 |
| Zero-day-exploit | noun | A vulnerability that is exploited before the software creator/vendor is even aware of its existence. | Vulnerability, Restricted | May 12, 2026 |
| Zeroization | noun | A method of erasing electronically stored data, cryptographic keys, and Credentials Service Providers (CSPs) by altering or deleting the contents of the data storage to prevent recovery of the data. | Control, Regulated, CUI | May 9, 2026 |
| zeroize | verb | Overwrite a memory location with data consisting entirely of bits with the value zero so that the data is destroyed and not recoverable. This is often contrasted with deletion methods that merely destroy reference to data within a file system rather than the data itself. | Remember, Unclassified | May 11, 2026 |
| Zombie | noun | A program that is installed on a system to cause it to attack other systems. | Threat | May 9, 2026 |
| Zone Of Control | noun | Three-dimensional space surrounding equipment that processes classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists. | Physical, Restricted, CUI | May 9, 2026 |
| Zone Of Control | MWE | | candidate | May 9, 2026 |